Data protection & privacy laws in Zambia (2026)
Zambia enacted a comprehensive data protection law — the Data Protection Act No. 3 of 2021 — which came into force on 1 April 2021. The Office of the Data Protection Commissioner (ODPC) became fully operational and commenced active enforcement in March 2025, requiring all data controllers and processors to register. The Act establishes GDPR-influenced obligations including lawful-basis processing, data subject rights, breach notification, data localisation for sensitive data, and tiered penalties.
Key points
The Data Protection Act, No. 3 of 2021 was passed by the National Assembly of Zambia on 23 March 2021 and entered into force on 1 April 2021 via Commencement Orders published in the Government Gazette. It is the country's first comprehensive personal-data protection statute.
The Office of the Data Protection Commissioner (ODPC) is the statutory supervisory authority, situated within the Ministry responsible for communications. It registers data controllers and processors, licenses data auditors, investigates complaints, and enforces the Act. Full enforcement operations commenced in March 2025.
All data controllers and data processors operating in Zambia were required to register with the ODPC by 30 April 2025. Failure to register is an offence carrying a maximum fine of 500,000 penalty units and/or up to five years' imprisonment.
Data subjects are granted rights to access, rectify, erase, and restrict processing of their personal data. They are also entitled to be informed of the purpose and period of processing, the source of data, any third-party disclosures, and the logic behind automated processing decisions.
Section 70(1) of the Act mandates that sensitive personal data (including data on health, sex/marital status, biometrics, and criminal records) be stored and processed on servers physically located within Zambia. Cross-border transfer of sensitive data requires data-subject consent or ODPC approval under specified conditions.
Data controllers must notify the ODPC within 24 hours of a personal-data security breach. Financial penalties for unlawful collection without consent can reach ZMW 40 million or 2% of annual turnover (whichever is higher). Unauthorised disclosure of sensitive personal data carries up to two years' imprisonment.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.