
Introduction
On Thursday, 3 October 2025 I wrote an article on the appointment of data protection officers. This was after the one I wrote on 27 March 2025 titled “Data protection regulations of 2024 and compliance”. Both articles were based on the Cyber and Data Protection Act (Chapter 12:07) (No.5 of 2021) (hereinafter referred to as “the Act”) and Statutory Instrument 155 of 2024 – Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (hereinafter referred to as “the SI” or “the Regulations”) promulgated on 13th September 2024.
In this article I cover the legal obligations of data controllers, an area many readers have asked me to address.
Key definitions
The following key definitions are important to understand:
Data controller
According to the Act, “data controller” or “controller”—
- refers to any natural person or legal person who is licensable by the Authority (POTRAZ);
- includes public bodies and any other person who determines the purpose and means of processing data.
Data
In terms of the same Act, “data” means any representation of facts, concepts or information, whether in text, audio, video, images, machine-readable code or instructions, in a form suitable for communication, interpretation or processing in a computer device, computer system, database, electronic communications network or related devices, and includes a computer programme and traffic data.
Data subject
In terms of section 3 of the Act “data subject” refers to an individual who is an identifiable person and the subject of data.
Obligations of data controllers
The obligations of data controllers are covered in section 10 of the Regulations, as explained below.
Section 10(1)
A data controller shall provide continuous professional development training to the data protection officer for purposes of maintaining the Data Protection Officer certification.
Section 10(2)
A data controller shall notify POTRAZ of the following:
- all processing activities performed on personal information;
- any modification of personal information collected indirectly from data subjects;
- any intention to transfer or share information of data subjects outside Zimbabwe;
- any processing which involves biometric and genetic data of data subjects.
Section 10(3)
A data controller shall not subject a data subject to a decision based solely on automated processing which produces legal effects concerning him or her without the consent of that data subject or based on a provision established by law.
Section 10(4)
A data controller shall—
- be accountable for his or her representative, agent or assignee, data processor, recipient or data protection officer who contravenes the provisions of these regulations and the Act.
- take all the appropriate technical and organisational measures to safeguard the security, integrity and confidentiality of personal information which must ensure an appropriate level of security.
- be responsible for taking all the necessary measures and controls to comply with the principles and obligations set out in these regulations and the Act.
- put measures in place to facilitate the exercise of rights of data subjects under the Act.
- process personal information of physically, mentally or legally incapacitated data subjects through a parent or guardian or as provided for by the law or as directed by a court of competent jurisdiction.
- enter into a written data processing agreement or contract or legal instrument with a data processor which ensures that a data processor maintains all necessary security measures to safeguard personal information of data subjects.
Section 10(5)
The purpose of this part is to protect the interests and rights of children. It is a requirement in terms of the regulations that a data controller shall take into consideration the following when processing children’s information:
- children’s personal information shall not be processed without the consent of the parent or legal guardian of the child involved.
- any data controller processing personal information of children shall make reasonable efforts to verify that consent is given or authorised by the parent or legal guardian of the child, taking into consideration available technology.
- any controller processing children’s data shall pay attention to all the data processing principles.
- any data controller processing children’s data shall conduct regular data protection impact assessments to identify and mitigate privacy risks to children.
- any data controller must ensure data protection by design and data protection by default when processing children’s data.
- no data controller shall subject children’s data to automated decision making that affects the children’s rights.
Section 10(6)
As regards offence and penalty, any data controller who contravenes section 10 of the Regulations shall be guilty of an offence and liable to a fine not exceeding level 11 or to imprisonment for a period not exceeding seven years or to both such fine and such imprisonment.
Further articles
Space permitting, I promise to write more articles on data protection compliance.
Conclusion
The Act and Regulations are new. There is need for those charged with compliance to invest considerable time to understand the data protection laws.
Disclaimer
This simplified article is for general information purposes only and does not constitute the writer’s professional advice.
Godknows (GK) Hofisi, LLB(UNISA), B.Acc(UZ), Hons B.Compt (UNISA), CA(Z), ACCA (Business Valuations) MBA(EBS, Heriot-Watt, UK) is the Managing Partner of Hofisi & Partners Commercial Attorneys, chartered accountant, insolvency practitioner, commercial arbitrator, registered tax accountant and advises on deals and transactions. He has extensive experience from industry and commerce and is a former World Bank staffer in the Resource Management Unit. He sits on the Council of Estate Administrators in Zimbabwe and was recently appointed to the Board of an Engineering company. He writes in his personal capacity. He can be contacted on +263 772 246 900 or ghofisi@hofisilaw.com or gohofisi@gmail.com. Visit www//:hofisilaw.com for more articles.
