CDPA 2021

Cyber and Data Protection Act [Chapter 12:07] (Act 5 of 2021)

Key Facts

Effective Date: March 11, 2022
Enacted: December 3, 2021
Enforcing Authority: Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ)
Consent Model: Opt-in
Applies To: All entities processing personal data within Zimbabwe; data controller license required from POTRAZ

Overview

Zimbabwe's Cyber and Data Protection Act (CDPA), enacted in December 2021 and effective March 2022, combines cybersecurity and data protection into a single legislative framework. POTRAZ serves as the data protection authority. The law requires all data controllers to obtain a license and mandates written consent for sensitive, biometric, and health data processing. It carries imprisonment terms of up to 15 years for serious violations.

What This Means for Your Website

If your website processes personal data of Zimbabwe-based visitors, you must obtain a data controller license from POTRAZ and secure consent before processing. Written consent is explicitly required for sensitive categories including biometric and health data. The 24-hour breach notification requirement is among the shortest globally and demands rapid incident response capabilities.

Key Requirements

POTRAZ enforces the CDPA with fines of up to USD 1,000 per violation and imprisonment of 7-15 years for serious offences. Data controllers must maintain processing records, implement security risk assessments, and comply with the strict 24-hour breach notification timeline. All data controllers were required to be licensed by March 2025.

How ConsentStack Handles This

ConsentStack detects Zimbabwean visitors and displays a compliant consent banner with affirmative opt-in. For sensitive data categories, the platform ensures explicit written consent mechanisms are available as required by the CDPA.

Penalties

Fines up to level 11 (USD 1,000) per violation; up to 7 years imprisonment; 10-15 years for serious violations

Maximum Fine: USD 1,000 per violation

Key Requirements

  • Written consent required for sensitive, biometric, and health data
  • Data controller licensing mandatory from POTRAZ
  • 24-hour data breach notification to POTRAZ
  • Data security measures required including risk assessments
  • Processing records mandatory
  • Data subjects have rights of access, correction, and deletion

Notable Provisions

  • Written consent requirement for sensitive/biometric/health data
  • 24-hour breach notification among the shortest globally
  • 10-15 years imprisonment for serious violations
  • Data controller licensing deadline was March 2025

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Does Zimbabwe require a data controller license?

Yes. All data controllers must obtain a license from POTRAZ before processing personal data in Zimbabwe.

What is Zimbabwe's breach notification timeline?

Zimbabwe requires breach notification to POTRAZ within 24 hours, one of the shortest timelines globally.

What are the penalties under Zimbabwe's CDPA?

Fines up to USD 1,000 per violation and imprisonment of up to 7 years, with 10-15 years for serious violations.

Stay compliant with CDPA 2021

ConsentStack helps you implement opt-in consent for Zimbabwe automatically.