A general overview of Zimbabwe’s Cyber and Data Protection Act

By Gamuchirai Dzitiro

In the rapidly evolving digital landscape, safeguarding your personal information is more crucial than ever. In Zimbabwe, your rights relating to personal data are protected by the Cyber and Data Protection Act [Chapter 12:07] (CDPA) and its associated Cyber and Data Protection Regulations, 2021 (CDPR). A clear understanding of these rights enables you to control how your data is collected, used, and shared by data controllers and data processors.

The CDPA outlines fundamental rights for data subjects, ensuring that every data controller and data processor operating in Zimbabwe complies with stringent data protection standards. At the core of this law is the requirement for organisations to obtain your informed consent before processing your personal data, as well as providing a clear privacy policy that explains their data handling practices.

In cases where you believe your rights have been violated, the CDPA allows you to lodge a complaint with the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ), the Zimbabwean data protection authority responsible for enforcing compliance with the CDPA and the CDPR.

Your Key Data Protection Rights Under the CDPA & Common Law

  1. You have the right to be informed.
    You have the right to be informed clearly and concisely about the personal data being collected from you, the purposes for which it is being collected, whether there are potential disclosures to third parties, and the consequences of not providing the data. This information must be given before or at the time of data collection.
  2. You have the right of access. 
    You are entitled to request confirmation from an organisation regarding whether they are processing your personal data. If so, you have the right to access that data and receive an explanation of how it is being handled.
  3. You have the right to rectification.
    Should you identify inaccuracies or outdated information in the personal data held by a data controller or data processor, you are entitled to request corrections or updates without undue delay.
  4. You have the right to erasure (the “Right to be Forgotten”).
    Under certain conditions, you are entitled to request the deletion or destruction of your personal data. This right applies if the data is no longer needed for its original purpose, if you withdraw your consent, or if the data was processed unlawfully. It is advisable that you consult an attorney to establish whether the facts and circumstances of your grievance fit within the scope of this right.
  5. You are entitled to object to Processing.
    You have the right to formally object to the processing of your personal data on reasonable grounds. This right is particularly pertinent in instances such as direct marketing.
  6. You have the right to Data Portability. 
    You have the right to obtain your personal data from a data controller in a structured, commonly used, and machine-readable format. You may also request the direct transfer of this data to another controller when possible.
  7. You are at liberty to lodge a complaint & to claim Damages. 

How to Effectively Exercise Your Rights in Zimbabwe

  1. Review Privacy Policies
    You must diligently examine the privacy policies on websites and application forms offered by prospective data controllers or data processors, as applicable. The CDPA requires that data controllers and processors make this information readily accessible to you.
  2. Feel free to submit a formal request to enforce your rights.
    You have the right to contact the data protection officer or the designated contact person within the data controller’s organisation directly. Prepare and send a written request to access, correct, or delete your data.
  3. Lodge a Complaint with the data controller’s organisation.
    If you are still dissatisfied with the organisation’s response to your request, you have the right to initiate a formal complaint directly with the data controller, allowing for an opportunity for resolution.
  4. File a Complaint with POTRAZ
    If the data controller fails to address your complaint adequately, you are entitled to escalate the matter by filing a formal complaint with the Data Protection Authority, POTRAZ, which possesses the authority, in certain instances, to investigate and enforce compliance.
  5. Institute legal proceedings
    You are entitled to institute legal proceedings to enforce your rights in any court of appropriate jurisdiction in Zimbabwe. Consult an attorney at the outset to avoid filing your claim in the wrong court or prosecuting an incompetent claim.

Core Principles that data controllers must comply with

The CDPA imposes fundamental principles that data controllers must adhere to when processing personal data. These include:

  1. Only lawful processing is permitted.
    Personal data can only be processed with your consent or when processing is necessary for a specified legal purpose.
  2. The duty to ensure purpose specification.
    Data must be collected for explicit and lawful purposes, and it must not be processed in a manner incompatible with those purposes.
  3. Data Minimisation.
    Data controllers are limited to collecting only the data necessary for the intended purpose, ensuring both relevance and adequacy.
  4. Accuracy
    A data controller or processor must ensure the accuracy of collected personal data and keep it current when necessary, taking all reasonable measures to delete or correct any inaccurate information promptly.
  5. There should be security safeguards in place.
    Data controllers are required to implement robust technical and organisational measures to secure your personal data against loss, destruction, and unlawful access.

Data subject rights extend beyond those listed in the CDPA and CDPR. However, understanding your primary data subject rights is essential for enforcing these rights under the CDPA, CDPR, and common law. This legislation provides you with a robust legal framework to hold data controllers and data processors accountable, ensuring that your personal information is managed with utmost care and the security it warrants. At G. Dzitiro Attorneys, we are committed to assisting you in navigating the complexities of data protection and information technology law, ensuring that your rights are safeguarded and enforced in this data-sensitive and rapidly evolving digital landscape.