Data protection & privacy laws in Zimbabwe (2026)

The Cyber and Data Protection Act, 2021 (Chapter 12:07) was gazetted on 3 December 2021 and came into full force on 11 March 2022. It applies to all entities in Zimbabwe and to foreign entities processing data about Zimbabwean residents.

Section 5 of the Act designates POTRAZ (Postal and Telecommunications Regulatory Authority of Zimbabwe) as the Data Protection Authority, vested with powers to investigate complaints, issue licences, and impose penalties.

Statutory Instrument 155 of 2024 (promulgated 13 September 2024) requires all data controllers processing data of 50 or more individuals to obtain an annual POTRAZ licence (fee US$50–US$2,000) by 12 March 2025, and to appoint a qualified DPO by 12 December 2024.

The Act grants data subjects rights including access, correction, and erasure of personal data. Processing of sensitive personal data requires explicit written consent (Section 11), which may be withdrawn at any time without explanation.

Transfers of personal data outside Zimbabwe to countries lacking adequate protection are restricted. Permitted grounds include unambiguous data-subject consent, contractual necessity, vital interests, important public interest, or transfer from a publicly accessible register. POTRAZ must be notified before transfers.

Operating as a data controller without a licence after 12 March 2025 constitutes a criminal offence, punishable by a fine up to Level 11 (approximately USD 1,000) or imprisonment for up to seven years, or both.