Data Protection Act, 2021 of Zambia

National Regulations

The Data Protection Act, 2021 of Zambia provides a legal framework for the management and protection of personal data, including its collection, processing, storage, and transfer. The Act aims to protect the privacy rights of individuals while ensuring that data controllers and processors adhere to established data protection standards. It establishes the Office of the Data Protection Commissioner to oversee compliance and enforcement. The Act outlines specific obligations for entities handling personal data and provides rights for data subjects, emphasising transparency, accountability, and security in data processing.

Key provisions:

  1. Principles of data processing (Section 12):
    • Personal data must be processed in a lawful, fair, and transparent manner.
    • Data should be collected for specific, legitimate purposes and not processed further in a manner incompatible with those purposes.
    • Personal data must be kept accurate and secure, and retained only for as long as necessary for the purpose for which it was collected.
  2. Consent for data processing (Section 15):
    • The processing of personal data requires the data subject’s explicit consent.
    • Consent must be informed, freely given, and specific.
    • Data subjects have the right to withdraw their consent at any time, with the withdrawal not affecting the lawfulness of prior processing.
  3. Rights of data subjects (Sections 58-65):
    • Data subjects have the right to access their data, rectify inaccuracies, request deletion (right to erasure), and restrict or object to certain processing activities.
    • The right to data portability allows individuals to obtain their personal data in a structured, commonly used format and transfer it to another controller.
  4. Cross-border data transfers (Sections 70-71):
    • Transfers of personal data outside Zambia are restricted unless conditions set out in the Act are met, such as obtaining the data subject’s consent or ensuring that adequate protections are in place at the destination.
    • Sensitive personal data is, as a general rule, required to be stored within Zambia; only the exemptions provided for under the Act permit it to be held elsewhere.
  5. Duties of data controllers and processors (Sections 45-54):
    • Data controllers must maintain records of processing activities and conduct data protection impact assessments where necessary.
    • Data controllers must notify the Data Protection Commissioner of a data breach within 24 hours. This is a much shorter window than the 72 hours allowed under the EU GDPR, so detection and escalation procedures have to be capable of meeting it.
    • Data processors must ensure confidentiality and implement appropriate security measures when handling data on behalf of controllers.
  6. Penalties and offences (Section 73):
    • Violations of data protection obligations, including the unauthorised disclosure of sensitive personal data, are offences punishable by a fine, imprisonment, or both.
    • The Act provides for penalties of up to two years’ imprisonment, which makes compliance a legal as well as an operational requirement.