

Introduction
In today’s digital age, where the sharing and transmission of information have become ubiquitous, protecting personal data from misuse and unauthorized access is more critical than ever. Zambia’s Data Protection Act No. 3 of 2021 (the “DPA”) represents a significant milestone in the country’s legislative landscape, providing a comprehensive framework for the collection, processing, storage, and sharing of personal data.
The DPA was enacted to align Zambia with international standards on data privacy and sets out clear obligations for both public and private entities handling personal information. In a major step toward full implementation, the Office of the Data Protection Commissioner has recently commenced the registration of data controllers and data processors to strengthen enforcement of the Act.
Registration and Licensing of Data Controllers and Data Processors
Entities or individuals that process personal data must ensure compliance with the DPA, beginning with mandatory registration as either data controllers or data processors.
Data Controller: A data controller is a person or entity who, alone or jointly with others, determines the purposes and means of processing personal data. This includes anyone responsible for collecting, storing, or using personal data, whether electronically or in structured manual files.
Data Processor: A data processor refers to a person or body (public or private) that processes personal data on behalf of, and under the instructions of, a data controller.
Exemptions and Penalties
Registration requirements do not apply to individuals who process personal data solely for personal or household purposes.
Failure to register as required constitutes an offence, punishable upon conviction by:
• A fine of up to ZMW 200,000 (approximately USD 7,143);
• Imprisonment for up to five (5) years; or
• Both a fine and imprisonment.
The Office of the Data Protection Commissioner has provided a self-assessment questionnaire to guide the registration process, accessible via: https://inventory.dataprotection.gov.zm
Key Provisions of the Data Protection Act
Lawful Processing of Data
The DPA governs the processing of personal data, whether automated or manual. Organizations must process data transparently, fairly, and for lawful purposes. Informed consent from data subjects is required, except in certain exempted cases. Failure to obtain consent constitutes an offence, punishable, in the case of a corporate entity, by a fine not exceeding ZMW 40,000,000 (approx. USD 1,428,571) or 2% of the entity’s annual turnover, whichever is higher.
Record of Processing Activities
Data controllers are required to maintain written records of:
• Processing activities and related metadata;
• All categories of processing activities.
These records must be made available to the Data Protection Commissioner upon request.
Security of Processing
Data controllers and processors must implement appropriate technical and organizational measures to protect personal data. Where data processing is outsourced, controllers must ensure that processors provide sufficient guarantees regarding data protection compliance.
Appointment of a Data Protection Officer
Data processors are required to appoint a Data Protection Officer in accordance with guidelines issued by the Data Protection Commissioner.
Notification of Security Breaches
Data controllers must notify the Data Protection Commissioner within twenty-four hours of any security breach affecting personal data processed.
Data processors must promptly notify the data controller of any personal data security breach.
Data controllers or data processors must promptly notify the data subject of any security breach affecting personal data processed.
Data Retention
Personal data must be retained only for as long as necessary for the purposes for which it was collected, and for at least one year thereafter, unless otherwise prescribed. Records of processing purposes and third-party disclosures must also be maintained.
Duties of Data Processors
A data processor may not appoint a sub-processor without prior written authorization from the data controller. The relationship between a data controller and processor must be governed by a written contract outlining the scope and terms of processing activities.
Joint Controllers
Where multiple data controllers jointly determine the purpose and means of processing, they must enter into a written agreement outlining their respective responsibilities. This agreement must be made available to the data subjects. Notably, joint controllers are jointly and severally liable to data subjects.
Third-Party Disclosure
Personal data held by a processor may not be disclosed to third parties without prior consent from the data subject. The data controller must obtain this consent and provide the data subject with:
• The identity of the recipient;
• The purpose of disclosure;
• Applicable data protection safeguards; and
• Available grievance mechanisms.
Rights of Data Subjects
Data subjects have the right to:
• Access their personal data;
• Request corrections or deletion;
• Restrict processing in certain circumstances; and
• Lodge complaints with the Data Protection Commissioner.
Storage and Transfer of Personal Data
Personal data must be stored within Zambia, unless the Minister of Technology and Science (the “Minister”) prescribes otherwise. Cross-border transfers are permitted only where:
• The data subject has consented and the transfer is governed by a Commissioner-approved contract or intragroup scheme;
• The Minister has prescribed the category of data as exportable; or
• The Commissioner approves the transfer on grounds of necessity.
Conclusion
As data increasingly becomes a critical asset in business operations, compliance with the Data Protection Act is essential. Organizations handling personal data must urgently ensure that they are registered with the Data Protection Commissioner and adhere to all requirements under the law. Beyond avoiding penalties, compliance promotes trust, transparency, and long-term business sustainability in Zambia’s evolving digital economy.
