Zimbabwe's Data Protection Regime

Context and Background

Zimbabwe has an estimated population of 16,951,171, with an annual growth rate of approximately 1.89%, accounting for about 0.205% of the global population. Zimbabwe's digital ecosystem has expanded rapidly in recent years. As reported to Parliament in 2024 by the Portfolio Committee on ICT, Postal and Courier Services, mobile penetration reached 97.5%, internet penetration stood at 73.3%, smartphone penetration at 55%, while active mobile and internet data subscriptions were 14.7% and 10.6% respectively.

The 2024 analysis highlighted Zimbabwe's accelerating digital transformation, supported by mobile money platforms, fibre expansion, and e-government services. That trajectory continues into 2025. However, as noted in 2024, rapid digitisation has intensified the collection and processing of sensitive personal data, increasing privacy and cybersecurity risks. The constitutional right to privacy and the operationalisation of the Data Protection Act therefore remain central to Zimbabwe's digital governance agenda.

Positive Developments and Emerging Issues

The enactment of the Cyber and Data Protection Act, 2021 marked a significant milestone, providing Zimbabwe with its first comprehensive data protection regime. As retained from the 2024 assessment, the Act:

  • Grants enforceable rights to data subjects (access, correction, deletion, objection)
  • Differentiates between sensitive and non-sensitive data
  • Mandates breach notification within 24 hours
  • Establishes cross-border transfer safeguards
  • Creates whistleblowing provisions
  • Integrates cybercrime amendments into the Criminal Law (Codification and Reform) Act

The 2022 Cyber and Data Protection Regulations further operationalised compliance through licensing, DPO appointment requirements, certification programmes, and a Code of Conduct framework. Zimbabwe's hosting of the 6th Privacy Symposium Africa and ongoing DPO training initiatives (noted in 2024) remain positive indicators of awareness-building and institutional capacity development.

However, the emerging issues identified in 2024 remain largely unresolved in 2025:

  • Absence of a publicly accessible register of data controllers and processors
  • Limited publication of enforcement statistics (investigations, fines, compliance rates)
  • Concerns about regulatory independence due to the designation of the telecom regulator as Data Protection Authority
  • Perceived over-regulation through licensing requirements
  • Ongoing surveillance concerns linked to SIM registration and interception frameworks

While the normative framework is now established, implementation maturity and transparency remain defining challenges.

Legal and Institutional Framework

The Constitution of Zimbabwe (2013) provides robust protection of privacy under Section 57, which guarantees protection against unlawful search, seizure, interference with communications, and disclosure of health information. Section 62(3) further provides the right to correction or deletion of inaccurate information held by the State.

Judicial interpretation has reinforced the breadth of this right. In Ethel Tsitsi Mpezeni v Zimbabwe Electoral Commission, the High Court affirmed that Section 57 extends beyond its listed clauses. Similarly, in NetOne Cellular (Pvt) Ltd & Another v Econet Wireless (Pvt) Ltd & Another, the Court confirmed that the right to privacy protects both natural and juristic persons from state and third-party intrusion.

Compared to 2024, the constitutional framework remains stable and continues to provide a strong normative foundation. Zimbabwe is a State Party to the International Covenant on Civil and Political Rights (ICCPR), which guarantees the right to privacy under Article 17. UN Human Rights Committee General Comment No. 16 clarifies that states must regulate the collection, storage, and processing of personal data by law and ensure rectification rights. These obligations reinforce domestic protections under Section 57 and the Cyber and Data Protection Act.

The primary legislation is the Cyber and Data Protection Act, 2021. The Act:

  • Designates the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as Data Protection Authority
  • Establishes lawful processing principles (necessity, fairness, transparency, proportionality)
  • Imposes explicit consent requirements for sensitive data
  • Requires breach notification within 24 hours
  • Regulates cross-border transfers based on adequacy
  • Provides whistleblower protection mechanisms
  • Creates offences and penalties for cybercrime and unlawful data interference

Complementary legislation includes:

  • The Access to Information and Protection of Privacy Act (AIPPA), governing personal information held by public bodies
  • The Interception of Communications Act (2007), permitting lawful interception under ministerial warrant
  • Postal and Telecommunications (Subscriber Registration) Regulations (2013, revised 2014), mandating SIM registration and establishing a Central Subscriber Information Database under POTRAZ oversight
  • The National Registration Act, regulating biometric and identity data collection

Compared to 2024, the legal framework remains intact and operational. However, persistent concerns remain regarding proportionality in interception powers and surveillance-related data consolidation. POTRAZ functions as both telecommunications regulator and Data Protection Authority under Section 5 of the Cyber and Data Protection Act. Its powers include:

  • Investigation and audit of controllers
  • Issuance of compliance orders
  • Licensing of data controllers and processors
  • Management of the Central Subscriber Information Database
  • Publication of guidelines and codes of conduct

Other institutional actors include the Zimbabwe Electoral Commission (ZEC), which maintains biometric voter databases, the Ministry of ICT, Postal and Courier Services, responsible for policy and regulatory oversight, and law enforcement agencies investigating cybercrime offences.

The institutional framework identified in 2024 remains unchanged. However, overlapping mandates and resource constraints continue to affect enforcement capacity.

Enforcement Dynamics and Challenges

The 2024 assessment identified enforcement transparency and regulatory independence as the most significant gaps in Zimbabwe's regime. These concerns persist in 2025. In line with the previous assessment, efforts were undertaken to engage the Postal and Telecommunications Regulatory Authority of Zimbabwe to obtain direct insight into registration systems, enforcement activity, institutional capacity, public outreach initiatives, and compliance monitoring under the national data protection framework.

The Authority responded positively and furnished substantive information regarding its regulatory operations and oversight mechanisms. This cooperative engagement enhanced the credibility of the present analysis and enabled a more informed evaluation of enforcement trends, operational effectiveness, and the overall state of implementation of Zimbabwe's data protection regime.

Since assuming the mandate, POTRAZ has progressively operationalised licensing, complaint handling, sectoral guidance, and supervisory oversight mechanisms, reflecting a maturing regulatory environment. POTRAZ maintains a publicly accessible register of licensed data controllers and processors, available through its official website under the Data Protection section. In addition, the Authority publishes lists of licensed controllers in local media, enhancing transparency and public visibility of regulated entities.

As of October 2025:

  • 721 licensed data controllers
  • No inactive controllers, as all licences issued are initial licences and remain valid
  • Licence renewals are scheduled to commence in March 2026

This indicates that Zimbabwe remains in the early licensing cycle of its data protection framework, with compliance monitoring currently focused on onboarding and ecosystem formalisation rather than renewals or sanctions for lapse.

The promulgation of the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, S.I. 155 of 2024, marked an important operational milestone, providing detailed procedures for controller licensing and mandatory DPO appointments.

Under Section 6 of the Cyber and Data Protection Act, data subjects have a statutory right to lodge complaints with the Authority. POTRAZ is mandated to receive, investigate, and resolve such complaints, working in collaboration with the Zimbabwe Republic Police and other sectoral regulators where necessary. To date, the Authority has received 20 formal complaints:

  • 15 investigated and resolved
  • 3 under active investigation
  • 2 dismissed due to jurisdictional limitations

The average complaint resolution timeframe is approximately 30 working days, depending on case complexity.

POTRAZ has issued 11 compliance guidance notices and findings, primarily relating to cross-border data transfers and personal data breaches. Enforcement remains largely corrective and advisory in nature, reflecting both the developmental stage of the regulatory regime and the absence of administrative fines within the Act. Currently, sanctions are limited to criminal penalties (fines or imprisonment), which may reduce deterrence in certain non-compliance scenarios. No landmark enforcement case has yet emerged, largely because implementation of the Cyber and Data Protection Act is still consolidating within the national legal system.

In 2025, POTRAZ conducted 20 proactive compliance audits, focusing on high-risk sectors including financial services, health, and ICT. These audits reviewed Data Protection Impact Assessments (DPIAs), internal gap analyses, and safeguards governing cross-border data transfers. The Authority applies a risk-based monitoring model, prioritising sectors that process sensitive personal data, particularly health, education, and fintech.

The Data Protection Unit (DPU) within POTRAZ comprises 14 dedicated officials, including legal experts, cybersecurity analysts, and compliance officers. Staff undergo continuous professional development in digital forensics, AI governance, privacy impact assessments, and international data governance standards. The Authority plans to double its data protection personnel by 2027.

Technically, the DPU operates a Computer Incident Response Team (CIRT) Laboratory equipped with:

  • Automated risk assessment tools
  • Forensic audit software
  • Threat intelligence systems
  • A Digital Financial Services monitoring system

The Authority is preparing to launch an E-Licensing System to streamline controller registration and compliance management.

For 2025, data protection activities are funded internally by POTRAZ, with budget allocation structured as follows:

  • 60% – Public engagement and awareness
  • 20% – Enforcement and compliance
  • 20% – Capacity building and international cooperation

This allocation underscores a strategic emphasis on ecosystem development and awareness-building during the early phase of implementation.

To facilitate compliance, POTRAZ has issued six (6) implementation guidelines to date:

  • Cross-Border Data Transfers
  • Processing of Children's Personal Data
  • Data Breach Notification and Handling
  • Licensing and Registration of Data Controllers
  • Right to Consent
  • Appointment, Designation and Certification of Data Protection Officers

Seven (7) additional draft guidelines are undergoing public consultation and are expected to be finalised before the end of 2025. This consultative and sector-specific guidance model enhances regulatory clarity and supports gradual institutionalisation of compliance standards across industries.

No legislative amendments were made during the review period.

Public awareness and professional capacity development form a central pillar of POTRAZ's oversight strategy. Since 2023, the Authority has conducted over 50 awareness campaigns nationwide, covering:

  • Schools and universities
  • Senior citizens
  • Rural communities
  • Radio programmes
  • Workshops for data controllers and data subjects

Through collaboration with the Harare Institute of Technology, POTRAZ established a specialised Data Protection Officer training programme, the first of its kind in the SADC region. To date:

  • 829 DPOs trained, with a target of 1,000 by end of 2025
  • Participation from Malawi, Eswatini, and Zambia

The Authority has also trained boards and executive leadership of 37 data controllers across health, education, banking, regulatory, and mining sectors.

Complaints and public queries can be submitted via email, regulatory portals, or in person. The Authority commits to responding within 14 days of receipt.

POTRAZ actively participates in regional and international privacy networks, including:

  • Network of African Data Protection Authorities (NADPA-RAPDP)
  • Africa CIRT and SADC CIRT
  • Global Privacy Assembly
  • AU Data Policy Framework initiatives
  • SADC Cybersecurity and Data Protection Programme

The Authority has signed a Memorandum of Understanding with the Information Regulator of South Africa to strengthen cross-border regulatory cooperation. Its DPO training programme received regional endorsement at a SADC forum in Madagascar in September 2025, reflecting growing regional leadership.

Despite progress, POTRAZ faces notable challenges:

  • Slow uptake of licensing among data controllers due to ecosystem immaturity
  • Absence of administrative fines within the Cyber and Data Protection Act
  • Continued need for deterrent enforcement tools

Strategic priorities for 2026–2027 include:

  • Launch of an E-Licensing system
  • Launch of an online DPO training platform
  • Expansion of cross-border enforcement cooperation
  • Strengthened collaboration with national and international regulators

Overall, Zimbabwe's data protection regime is evolving from its foundational legislative phase into a more structured implementation and operational stage. The Postal and Telecommunications Regulatory Authority of Zimbabwe has strengthened regulatory clarity through licensing, proactive audits, issuance of sector-specific guidelines, and sustained capacity-building initiatives, while awareness campaigns and DPO certification programmes have contributed to a growing compliance culture among businesses and public institutions.

The core legal framework established in 2021–2022 remains intact and functional, reflecting a solid constitutional and statutory architecture. However, enforcement continues to be largely compliance-oriented rather than punitive, and the absence of administrative fines may constrain deterrence. Greater enforcement transparency, clearer reporting of compliance outcomes, and continued institutional strengthening will be essential to consolidating public trust and advancing regulatory maturity.

If planned reforms, including digital licensing systems, expanded staffing, and enhanced regional cooperation, are implemented as projected, Zimbabwe's oversight capacity is likely to strengthen significantly over the next regulatory cycle, enabling the framework to move from normative robustness toward demonstrable enforcement effectiveness.