The Zimbabwe Cyber and Data Protection Act [Chapter 12:07], enacted in 2021, is Zimbabwe's first comprehensive legislation addressing both data protection and cybersecurity. Unlike many other African data protection laws, which deal solely with personal data, the Act combines data protection provisions with cybercrime and cybersecurity requirements in a single statute. The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) is designated as the Data Protection Authority and also as the Cyber Security Centre, so one regulator carries two distinct sets of functions: supervising data protection, and monitoring and coordinating the response to cybersecurity incidents. This guide provides a structured compliance framework for organisations operating in Zimbabwe or processing the personal data of Zimbabwean data subjects.

What Is the Cyber and Data Protection Act?

The Cyber and Data Protection Act [Chapter 12:07] was gazetted in December 2021 after being signed by the President. It is a comprehensive statute that addresses two distinct but related areas: data protection (Parts III and IV) and cybercrime and cybersecurity (Parts V, VI and VII). This dual focus makes it unusual among African data protection laws, which more commonly place cybercrime offences in a separate statute.

The data protection provisions are modelled on international standards, drawing from GDPR principles and the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention). The Act establishes POTRAZ as the authority responsible for registration of data controllers and enforcement of data protection obligations.

Key definitions under the Act:

  • Personal data: Any information relating to an identified or identifiable natural person, including name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person
  • Sensitive personal data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation (Section 2)
  • Data controller: A person who, alone or jointly with others, determines the purposes and means of the processing of personal data
  • Data processor: A person who processes personal data on behalf of a data controller
  • Data subject: An identified or identifiable natural person to whom personal data relates

Dual Nature of the Act

The Zimbabwe Cyber and Data Protection Act is unusual in combining data protection and cybercrime provisions in a single statute. This means organisations must comply with both data protection obligations (Parts III-IV) and cybersecurity requirements (Parts V-VII). The cybercrime provisions create criminal offences for activities such as unauthorised access to computer systems, data interference, identity theft and cyber fraud, carrying penalties of up to 10 years imprisonment. Compliance programmes must address both dimensions.

Who Must Comply?

The Cyber and Data Protection Act applies to every person or entity that processes personal data within Zimbabwe, as well as to data controllers and processors outside Zimbabwe that process personal data of data subjects who are in Zimbabwe (Section 3). This extraterritorial application captures foreign organisations offering goods or services to Zimbabwean data subjects.

The Act applies to:

  • Private sector organisations of all sizes — including companies, partnerships, and sole traders
  • Public sector bodies — government ministries, departments, parastatals, and local authorities
  • Non-profit organisations — NGOs, religious organisations, and community groups
  • Telecommunications operators — already regulated by POTRAZ, now subject to enhanced data protection obligations
  • Foreign organisations — entities outside Zimbabwe that process personal data of Zimbabwean data subjects

Exemptions are limited to processing for purely personal or household activities, processing by state security services for national security purposes (subject to oversight), and processing by the media for journalistic purposes (subject to conditions).

Key Provisions

The data protection provisions of the Act establish comprehensive obligations for data controllers and processors.

Registration of Data Controllers (Section 17)

All data controllers must register with POTRAZ before commencing the processing of personal data. The registration application must include details of the data controller's identity, the categories of data processed, the purposes of processing, the categories of data subjects, the recipients of data, details of cross-border transfers, and the security measures in place. POTRAZ maintains a public register of data controllers.

Lawful Basis for Processing (Section 18)

Processing of personal data is lawful only if at least one of the following applies:

  • Consent — The data subject has given informed and express consent
  • Contract — Processing is necessary for the performance of a contract with the data subject
  • Legal obligation — Processing is necessary for compliance with a legal obligation
  • Vital interests — Processing is necessary to protect the vital interests of the data subject
  • Public interest — Processing is necessary for the performance of a task in the public interest
  • Legitimate interest — Processing is necessary for the legitimate interests of the controller, unless overridden by the data subject's rights

Data Subject Rights (Sections 20-24)

The Act grants data subjects the following rights:

  • Right to be informed — Data subjects must be notified of the collection and processing of their personal data (Section 20)
  • Right of access — Data subjects may request access to their personal data and information about how it is processed (Section 21)
  • Right to rectification — Data subjects may request correction of inaccurate personal data (Section 22)
  • Right to erasure — Data subjects may request deletion of their personal data where there is no legitimate reason for continued processing (Section 23)
  • Right to object — Data subjects may object to the processing of their personal data, including for direct marketing purposes (Section 24)

Security Safeguards (Section 19)

Data controllers and processors must implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures must be proportionate to the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of data subjects.

Cross-Border Transfers (Section 25)

Personal data may only be transferred outside Zimbabwe if the receiving country ensures an adequate level of protection, or if appropriate safeguards are in place. POTRAZ has the authority to determine which countries provide adequate protection. Where adequacy has not been determined, transfers may proceed with the data subject's explicit consent, where necessary for the performance of a contract, or subject to other safeguards specified by POTRAZ.

Cybercrime Provisions (Part V)

In addition to data protection, the Act creates several cybercrime offences:

  • Unauthorised access to a computer system — accessing a computer system without permission or exceeding authorised access
  • Data interference — intentionally damaging, deleting, deteriorating, altering, or suppressing computer data
  • System interference — intentionally hindering the functioning of a computer system
  • Identity theft and fraud — using another person's identifying information for unlawful purposes
  • Cyber extortion — using threats to demand property or advantages through computer systems

Registration Is a Prerequisite to Processing

Under Section 17, data controllers must register with POTRAZ before they commence processing of personal data. Processing without registration is an offence under the Act. The registration requirement applies to all data controllers — domestic and foreign — that process personal data of data subjects in Zimbabwe. Organisations should prioritise registration as the first step in their compliance programme.

Compliance Checklist

Use this structured checklist to assess and track your organisation's compliance with the Zimbabwe Cyber and Data Protection Act.

Registration & Governance

  • Register as a data controller with POTRAZ (Section 17)
  • Provide all required details in the registration application — including processing purposes, data categories, security measures, and cross-border transfers
  • Designate a responsible person for data protection compliance within the organisation
  • Develop and publish a data protection policy aligned with the Act
  • Establish a data governance structure with clear roles and reporting lines
  • Maintain a record of all processing activities

Lawful Processing & Consent

  • Identify and document the lawful basis for every processing activity (Section 18)
  • Where consent is relied upon, ensure it is informed and express
  • Implement a mechanism for data subjects to withdraw consent
  • Maintain consent records with timestamps and details
  • Ensure sensitive personal data is processed only on permitted grounds

Transparency & Data Subject Notification

  • Draft and publish a privacy notice that complies with Section 20 requirements
  • Provide the privacy notice at or before the point of data collection
  • Include identity of the controller, purpose of processing, categories of data, data subject rights, retention periods, and cross-border transfer details
  • Review all data collection points for compliance

Security Safeguards

  • Implement appropriate technical and organisational measures (Section 19)
  • Conduct risk assessments to identify threats to personal data security
  • Deploy encryption, access controls, firewalls, and intrusion detection as appropriate
  • Regularly test and verify the effectiveness of security measures
  • Ensure data processors have adequate security through binding agreements

Data Subject Rights

  • Establish processes to receive and respond to access requests (Section 21)
  • Establish processes for rectification requests (Section 22)
  • Establish processes for erasure requests (Section 23)
  • Establish processes for objection requests, including direct marketing opt-out (Section 24)
  • Define response timelines and train staff on procedures

Cybersecurity Compliance

  • Implement security measures to prevent unauthorised access to computer systems
  • Establish an incident response plan for cybersecurity incidents
  • Train staff on recognising and reporting cyber threats
  • Report cybersecurity incidents to the Cyber Security Centre as required
  • Conduct regular cybersecurity assessments and penetration testing

Cross-Border Transfers

  • Identify all cross-border transfers of personal data
  • Verify that the receiving country has adequate protection as determined by POTRAZ
  • Where adequacy is not established, obtain explicit consent or implement approved safeguards
  • Document the lawful basis for each transfer
  • Include transfer provisions in data processing agreements

POTRAZ Role

The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) is the designated authority for data protection under the Act. POTRAZ's data protection functions include:

  • Registration — Maintaining the register of data controllers and processing registration applications
  • Complaint handling — Receiving and investigating data protection complaints from data subjects
  • Enforcement — Issuing enforcement notices, imposing penalties, and ordering remedial actions
  • Guidance — Issuing guidelines, codes of practice, and advisory opinions on data protection matters
  • Adequacy assessments — Determining which countries provide adequate data protection for cross-border transfers
  • Auditing — Conducting compliance audits of registered data controllers

POTRAZ is an established regulator with existing infrastructure and expertise in telecommunications regulation. Its designation as the data protection authority means it can leverage its existing relationships with telecommunications operators and its enforcement capabilities to drive compliance across all sectors.

Penalties

The Cyber and Data Protection Act provides for both administrative and criminal penalties:

Offence                                              Penalty
---------------------------------------------------  ------------------------------------------------
Processing personal data without registration        Fine and/or imprisonment up to 1 year
Processing without lawful basis                      Administrative fine determined by POTRAZ
Failure to implement adequate security safeguards    Administrative fine and enforcement notice
Unlawful cross-border transfer                       Administrative fine and order to cease transfers
Unauthorised access to a computer system             Fine and/or imprisonment up to 5 years
Data interference                                    Fine and/or imprisonment up to 5 years
Identity theft or cyber fraud                        Fine and/or imprisonment up to 10 years
Obstruction of POTRAZ                                Fine and/or imprisonment

POTRAZ can also:

  • Issue enforcement notices requiring specific remedial actions
  • Order the suspension or restriction of data processing activities
  • Deregister data controllers that fail to comply
  • Refer matters for criminal prosecution
  • Order compensation to affected data subjects

Criminal Penalties for Cybercrime Are Severe

The cybercrime provisions of the Act carry penalties of up to 10 years imprisonment for serious offences such as identity theft and cyber fraud. Organisations must ensure their cybersecurity measures are robust, not only to protect personal data but also to prevent their systems from being used as vehicles for cybercrime. A single information security programme that addresses both data protection and cybersecurity is essential.

Ongoing Compliance

Compliance with the Cyber and Data Protection Act is an ongoing obligation that spans both data protection and cybersecurity.

1. Maintain POTRAZ Registration

Ensure your registration with POTRAZ remains current. Update registration details when processing activities, purposes, data categories, or security measures change.

2. Integrate Obligations into Your Risk Register

Treat every obligation under the Act — both data protection and cybersecurity — as a compliance risk with a named owner, deadline, mapped controls, and attached evidence.

3. Conduct Regular Security Assessments

The dual nature of the Act means security assessments must cover both personal data protection and broader cybersecurity threats. Conduct penetration testing, vulnerability assessments, and security audits on a regular schedule.

4. Train Staff on Both Data Protection and Cybersecurity

Staff training should cover data protection principles, data subject rights, and data handling procedures, as well as cybersecurity awareness — recognising phishing, social engineering, and other threats.

5. Use Technology to Automate Compliance

A compliance management platform like Dimeri can centralise both data protection and cybersecurity obligations in a single register, linking each obligation to its controls, evidence and owner. This provides a unified view of compliance status and reduces the risk of managing data protection and cybersecurity in separate silos.

Key Takeaways

  • The Zimbabwe Cyber and Data Protection Act is unusual in combining data protection and cybercrime provisions in a single statute
  • POTRAZ is the supervisory authority for data protection and is also designated as the Cyber Security Centre, leveraging its existing regulatory infrastructure
  • Registration with POTRAZ is mandatory for all data controllers before processing commences — processing without registration is a criminal offence
  • Six lawful bases for processing are established, aligned with international standards
  • The cybercrime provisions carry severe penalties — up to 10 years imprisonment for offences such as identity theft and cyber fraud
  • Cross-border transfers require adequacy assessment by POTRAZ or approved safeguards
  • Compliance programmes must address both data protection and cybersecurity — the dual nature of the Act requires a unified approach
  • Continuous compliance — supported by risk registers, security assessments, staff training, and automated tracking — is essential

Frequently Asked Questions

Why is POTRAZ the data protection authority in Zimbabwe?

The Cyber and Data Protection Act designates POTRAZ as the supervisory authority for data protection because it is an established regulator with existing infrastructure, technical expertise, and enforcement capabilities in the telecommunications and ICT sector. Since data protection is closely linked to electronic communications and digital services, POTRAZ was considered well-positioned to oversee compliance. However, some commentators have noted that a dedicated data protection authority would provide greater independence — this is an area to monitor as the regulatory landscape evolves.

Does the Act apply to non-digital (paper) records?

The data protection provisions of the Act apply to the processing of personal data, which includes both automated (digital) and structured manual (paper) filing systems. If your organisation maintains physical files containing personal data in a structured format — such as employee records, customer files, or patient records — these are subject to the Act's data protection requirements. Organisations should ensure their compliance programmes cover both digital and paper-based processing of personal data.

How do the cybercrime provisions affect ordinary businesses?

The cybercrime provisions affect ordinary businesses in two main ways. First, businesses must ensure they do not inadvertently commit cybercrime offences, for example by accessing systems without proper authorisation or by exceeding the access they have been granted. Second, businesses must implement adequate cybersecurity measures to protect their systems from being compromised: a business whose systems are used to facilitate cybercrime because it failed to secure them risks breaching the Act's security safeguard obligations and attracting enforcement action. A comprehensive information security programme that addresses both protective and detective controls is essential.

Can personal data be transferred outside Zimbabwe?

Yes, but only under specific conditions. Section 25 permits cross-border transfers of personal data where the receiving country ensures an adequate level of protection as determined by POTRAZ, or where appropriate safeguards are in place. Where adequacy has not been determined, transfers may proceed with the data subject's explicit consent or where necessary for the performance of a contract. Organisations using cloud services or outsourcing data processing to providers outside Zimbabwe must ensure these transfers are documented and covered by one of the permitted mechanisms.

What is the relationship between the Cyber Security Centre and POTRAZ?

The Act gives both roles to the same regulator: POTRAZ is designated as the Data Protection Authority and also as the Cyber Security Centre. In its data protection role it handles registration of data controllers, enforcement of data protection obligations and complaint handling. In its Cyber Security Centre role it monitors cyber threats, coordinates incident response and advises on cybersecurity policy. The functions are distinct even though the body is the same, so an incident may engage both sets of obligations. A data breach that involves unauthorised access to a computer system, for example, is both a data protection matter and a cybersecurity matter, and organisations should expect to report and respond under both regimes.