DPA 2021

The Data Protection Act No. 3 of 2021

Zambia | Opt-in | National

Key Facts

Effective Date
April 1, 2021
Enacted
March 23, 2021
Enforcing Authority
Office of the Data Protection Commissioner
Consent Model
Opt-in
Applies To
All data controllers and processors operating within Zambia; data auditors must be licensed

Overview

Zambia's Data Protection Act No. 3 of 2021 establishes the Office of the Data Protection Commissioner as the supervisory authority. The Act was enacted in March 2021; enforcement formally began in March 2025 after a transition period. The law requires registration of data controllers and a licensing system for data auditors that is unique in the region. A two-tier penalty structure applies: corporate entities face up to 2% of annual turnover, while individuals risk up to 5 years imprisonment.

What This Means for Your Website

If your website collects personal data from Zambian visitors, you must register as a data controller with the Data Protection Commissioner. Consent is required for processing, and you must adhere to principles of lawfulness, fairness, transparency, purpose limitation, and data minimization. With enforcement now active since March 2025, compliance is no longer optional.

Key Requirements

Corporate penalties reach 100 million penalty units or 2% of annual turnover, whichever is higher. Individual penalties include up to 1 million penalty units or 5 years imprisonment. Data controllers must register, implement breach notification procedures, and ensure data subjects can exercise their rights of access, correction, and deletion.

How ConsentStack Handles This

ConsentStack detects Zambian visitors and presents a compliant consent banner requiring opt-in before non-essential data processing. The platform maintains consent records to support your registration obligations with the Data Protection Commissioner.

Penalties

Corporate entities: 100,000,000 penalty units or 2% of annual turnover (whichever is higher). Individuals: 1,000,000 penalty units or 5 years imprisonment.

Revenue-based
2% of annual revenue

Key Requirements

  • Consent required for personal data processing
  • Principles of lawfulness, fairness, transparency, purpose limitation, and data minimization
  • Registration of data controllers mandatory
  • Licensing of data auditors required
  • Data subjects have rights of access, correction, and deletion
  • Data breach notification requirements

Notable Provisions

  • Enforcement began March 2025 after extended transition
  • Two-tier penalty: corporate entities vs. individuals
  • 2% annual turnover cap for corporate penalties
  • Data auditor licensing requirement unique in the region

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

When did Zambia start enforcing its DPA?

Enforcement formally began in March 2025 after an extended transition period from the law's April 2021 effective date.

What are the corporate penalties under Zambia's DPA?

Corporate entities face up to 100 million penalty units or 2% of annual turnover, whichever is higher.

Does Zambia require data controller registration?

Yes. All data controllers must register with the Office of the Data Protection Commissioner before processing personal data.

Stay compliant with DPA 2021

ConsentStack helps you implement opt-in consent for Zambia automatically.