New data privacy legislation for Zimbabwean citizens
Zimbabwe’s Cybersecurity and Data Protection Bill of 2019 is a data protection law that was passed in 2019. Its passing was largely due to the Constitution of Zimbabwe Amendment 20 of 2013, which afforded all citizens the right to personal privacy. As such, the Cybersecurity and Data Protection Bill of 2019 was passed to reinforce the provisions stipulated in the Constitution of Zimbabwe Amendment 20 of 2013 as they relate to data protection. To this end, the Cybersecurity and Data Protection Bill of 2019 sets forth the legal framework that data controllers within Zimbabwe must abide by when engaging in data processing activities in the country.
How are data controllers and processors defined under the Cybersecurity and Data Protection Bill of 2019?
Under the Cybersecurity and Data Protection Bill of 2019, data controllers are defined as “any natural person or legal person who is licensable by the data protection authority”. Conversely, the law defines a data processor as “a natural person or legal person, who processes data for and on behalf of the controller and under the controller’s instruction, except for the persons who, under the direct employment or similar authority of the controller, are authorized to process the data”. As for the personal scope of the law, the Cybersecurity and Data Protection Bill of 2019 regulates “the collection, storage, and processing of data by natural or legal persons licensable by the data protection authority”.
Moreover, the territorial scope of the law applies to all data processing activities that occur within Zimbabwe, as well as instances in which personal data is transferred to third parties in foreign countries. Additionally, the material scope of the Cybersecurity and Data Protection Bill of 2019 defines data processing to mean “any operation or set of operations which are performed upon data, whether or not by automated means, such as obtaining, recording, or holding the data, or carrying out any operation or set of operations on data, including”:
- The organization, alteration, or adaptation of personal data.
- The use, consultation, or retrieval of personal data.
- The combination, alignment, blocking, erasure, or destruction of personal data.
What are the requirements of data controllers and processors under the Cybersecurity and Data Protection Bill of 2019?
The Cybersecurity and Data Protection Bill of 2019 established various data protection principles that data controllers and processors within Zimbabwe must adhere to at all times when collecting, processing, and disseminating personal data. These data protection principles include:
- Data controllers are required to process personal data in a manner consistent with lawfulness and fairness, when necessary.
- Data controllers are responsible for establishing a balance between competing interests.
- Personal data can only be processed for specified, explicit, and legitimate purposes, and data controllers are responsible for taking into account all relevant factors pertaining to data processing, such as the applicable legal and regulatory provisions of the law.
- Personal data that is processed must be relevant, adequate, and non-excessive with respect to the purpose for which it is collected and further processed.
- All personal data that is processed must be kept in a form that allows for the identification of applicable data subjects, for a period no longer than is needed with regard to the purpose for which the data in question was collected and further processed.
- All personal data must be kept in a manner that is accessible, regardless of the technology used, and the evolution of technology cannot be an obstacle to the accessing or processing of personal data.
In addition to these data protection principles, the Cybersecurity and Data Protection Bill of 2019 also mandates that data controllers and processors provide data subjects with data processing notifications. These notifications must detail the steps and measures that data controllers and processors will follow when processing personal data, such as the specific purposes for processing and any planned transfers of personal data to third-party countries. Furthermore, the law also requires data controllers and processors to ensure that personal data is only transferred to countries that have an adequate level of data protection, and to provide affected data subjects with data breach notifications in the event of a data leak.
What are the rights of data subjects under the Cybersecurity and Data Protection Bill of 2019?
As it relates to the rights that are afforded to Zimbabwean citizens under the Cybersecurity and Data Protection Bill of 2019, the law provides data subjects with the right to be informed, the right to access, the right to object to or opt out of consent, and the right not to be subject to data processing decisions made solely on the basis of automated processing. By contrast, the law does not provide data subjects with the right to rectification, the right to erasure, or the right to data portability. As for the punishments that can be levied against individuals and organizations who violate these various rights, people who are found to be in violation of the law are subject to a term of imprisonment of up to two years, as well as civil liability.
Through the passing of the Cybersecurity and Data Protection Bill of 2019, Zimbabwean citizens were guaranteed the right to data protection and personal privacy, in accordance with the Constitution of Zimbabwe Amendment 20 of 2013. As such, Zimbabwe joined the multitude of African countries that have passed data protection laws in recent years, including the South African POPIA law and Ghana’s Data Protection Act. To this end, Zimbabwean citizens now have an avenue of recourse in the event that their data protection rights are infringed upon, whether domestically or internationally.