
In terms of the Cyber and Data Protection Regulations, S.I 155 of 2024 (the Regulations), any person that processes personal information with the intent to determine the means, purpose, outcome of the processing, the specific personal data to be collected, or the individuals from whom data will be collected, must be registered as a data controller with the Data Protection Authority. The Data Protection Authority is the Postal and Telecommunications Regulatory Authority of Zimbabwe (Potraz).

In terms of the Cyber and Data Protection Act [Chapter 12:07], personal information includes a variety of data such as a person’s name, address, contact information, race, sex, age, identity number, fingerprints as well as information relating to their healthcare, educational, financial, criminal, or employment history.

Given the wide range of data that qualifies as personal information, there is a need for several entities to be licensed as data controllers before collecting any of the identified details.

The step-by-step procedure for registration is as follows:

Step 1: Appointment of a Data Protection Officer

  • The company (data controller) must appoint one of its employees to be a Data Protection Officer (DPO).
  • The Regulations stipulate that the appointed DPO must possess skills, qualifications, or experience in data science, data analytics, information security, audit, or any other relevant qualification. However, practically, the essential qualification is that the appointed DPO must have a recognizable degree.
  • The DPO must enrol for a two-week course with the Data Protection Authority. The course is currently being conducted at the Harare Institute for Technology.
  • The enrolment process involves downloading an application form from the Harare Institute for Technology (HIT) website for a course in data protection. After completing the said form and fulfilling the necessary requirements, a US$30.00 application fee will be payable to HIT or to Potraz for the application to be considered.
  • Should the application be approved, a US$1 250.00 tuition fee will be payable for the DPO to commence the course.
  • At the end of the course, the DPO will be obliged to sit for a four (4) hour examination.
  • If the DPO passes, a Data Protection Certificate will be issued to him or her.
  • The course will be available until 12th December 2024 when all DPOs are expected to be certified in terms of the Regulations.

Step 2: Notification to the Data Protection Authority

  • The company (data controller) has to issue a notification to Potraz with the following details:
    • Details of the appointed and certified DPO.
    • The nature and extent of the data that it collects.

Step 3: Data Controller Licence

  • An Application for a Data Protection Licence is made in terms of Form DP1 that is provided on the Potraz Website. The form provided in the Regulations has since been varied.
  • The application fee is US$30.00.
  • The Data Protection Authority must respond within 14 days.
  • If the application succeeds, the company will be required to pay a licence fee in the sum of US$50.00 – US$2 000.00, depending on the tier that the company seeks a licence for.
  • Thereafter, a licence will be issued which will be valid for 12 months.
  • The licence must be renewed at least 3 months before its expiry.
  • The deadline for all companies (data controllers) to obtain a licence is 12th March 2025.

We so advise.

MawereSibanda Commercial Lawyers
