Data Protection Act, 2021
Act 3 of 2021
Part I – Preliminary
1. Short title and commencement
This Act may be cited as the Data Protection Act, 2021, and shall come into operation on the date appointed by the Minister by statutory instrument.
2. Interpretation
In this Act, unless the context otherwise requires—
"anonymisation" means the process of removing direct and indirect personal identifiers that may lead to an individual being identified;
"Authority" means the Zambia Information Communications and Technology Authority established by the Information Communications and Technologies Act, 2009; [Act No. 15 of 2009]
"automated" in relation to data, means electronically transmitted in whole or in part, by means of a data message in which the conduct of a data message of one or more parties is not reviewed by a natural person in the operation of the electronic system, in the ordinary course of that natural person’s business or employment;
"biometric data" means personal data resulting from scientific analysis relating to the physical, physiological or behavioural characteristics of a natural person, which confirm the unique identification of that natural person;
"child" has the meaning assigned to the word in the Constitution; [Cap. 1]
"child abuse" includes physical and emotional neglect, physical injury, other than accidental injury, ill treatment and sexual abuse of a child;
"child abuse data" means personal data consisting of information as to whether the child data subject is or has been the subject of, or may be at risk of, child abuse;
"code of conduct" means a data protection charter approved by the Authority which regulates the conduct of a data controller or data processor, in order to ensure that the data controller or data processor of personal data complies with this Act and any other applicable written law;
"Commission" means the Competition and Consumer Protection Commission established by the Competition and Consumer Protection Act, 2010; [Act No. 24 of 2010]
"consent" means any written, freely given, specific, informed and unambiguous indication of the data subject’s wishes by which such data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to that data subject;
"consumer" has the meaning assigned to the word in the Competition and Consumer Protection Act, 2010; [Act No. 24 of 2010]
"data" means numbers, letters, alphabetic or numeric strings, symbols or codes in any form;
"data auditor" means a person licensed as a data auditor under section 29;
"data controller" means a person who, either alone or jointly with other persons, controls and is responsible for keeping and using personal data on a computer, or in structured manual files, and requests, collects, collates, processes or stores personal data from or in respect of a data subject;
"data processor" means a person, or a private or public body, that processes personal data for and on behalf of and under the instruction of a data controller;
"Data Protection Commissioner" means a person appointed as Data Protection Commissioner under section 5;
"data retention" means a process of retention of personal data for a specified purpose for a defined period;
"data subject" means an individual from, or in respect of whom, personal information is processed;
"genetic data" means any personal information relating to the inherited or acquired genetic characteristics of an individual which result from the analysis of a biological sample from the individual in question, in particular chromosomal deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained;
"health practitioner" has the meaning assigned to the word under the Health Professions Act, 2009; [Act No. 24 of 2009]
"Independent Broadcasting Authority" means the Independent Broadcasting Authority established by the Independent Broadcasting Authority Act, 2002; [Act No. 17 of 2002]
"information system" means a system for the generation, sending, reception, storage, display or other processing of data messages, and includes the internet;
"joint controllers" means two or more data controllers who jointly determine the purposes for which and the means by which personal data is processed;
"law enforcement officer" means—
(a) a police officer above the rank of sub-inspector;
(b) an officer of the Anti-Corruption Commission;
(c) an officer of the Drug Enforcement Commission;
(d) an officer of the Zambia Security Intelligence Service; and
(e) any other person appointed by the Minister for purposes of this Act;
"legally disqualified" has the meaning assigned to the words in the Mental Health Act, 2019; [Act No. 6 of 2019]
"legal practitioner" has the meaning assigned to the words in the Legal Practitioners Act; [Cap. 30]
"meta data" means data that describes other data;
"personal data" means data which relates to an individual who can be directly or indirectly identified from that data, which includes a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"processing" means an operation or a set of operations which is or are performed on personal data, whether or not by automatic means, including the collection, recording or holding of the data or the carrying out of any operation or set of operations on data, including—
(a) organisation, adaptation or alteration of the data;
(b) retrieval, consultation or use of the data;
(c) alignment, combination, blocking, erasure or destruction of the data; or
(d) disclosure of the information or data by transmission, dissemination or otherwise making available;
"profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, including analysis or prediction of the data subject’s aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
"pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, where that additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
"public body" has the meaning assigned to the words in the Public Finance Management Act, 2018; [Act No. 1 of 2018]
"recipient" means a person to whom data is disclosed, including an employee or agent of a data controller, a data processor or an employee or agent of a data processor in the course of processing the data for the data controller, but does not include a person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law;
"Register" means the Register kept and maintained under section 80;
"sensitive personal data" means personal data which by its nature may be used to suppress the data subject’s fundamental rights and freedoms and includes
(a) the race, marital status, ethnic origin or sex of a data subject;
(b) genetic data and biometric data;
(c) child abuse data;
(d) a data subject’s political opinions;
(e) a data subject’s religious beliefs or other beliefs of a similar nature;
(f) whether a data subject is a member of a trade union; or
(g) a data subject’s physical or mental health, or physical or mental condition;
"third party" means a person other than—
(a) a data subject;
(b) a data controller; or
(c) a data processor or other person authorised to process data on behalf of a data controller or data processor;
"vulnerable person" means a person aged 18 or above and whose ability to make informed decisions about their rights and well-being is temporarily or permanently impaired through physical or medically certified hindrance or impairment; and
Part II – Office of the Data Protection Commissioner
4. Establishment of Office of Data Protection Commissioner
5. Data Protection Commissioner
6. Appointment of Deputy Data Protection Commissioners and other staff
Part III – Inspectorate
8. Power of inspectors
9. Arrest without warrant
10. Seizure of property
A law enforcement officer may seize and detain property which the inspector has reason to believe was used to commit an offence under this Act until an order of the court is made regarding the disposal thereof.
11. Restoration of property
Part IV – Principles and rules relating to processing of personal data
12. Principles relating to processing of personal data
13. Processing of personal data
Subject to the other provisions of this Act, a data controller may process personal data where—
14. Processing of sensitive personal data
15. Consent, justification and objection
16. Collection of personal data
17. Processing of child and vulnerable person’s personal data
18. Offence and penalty for contravention of personal data obligation
Part V – Regulation of data controllers, data processors and data auditors
19. Prohibition from controlling or processing personal data without registration
20. Application for registration as data processor or data controller
21. Registration of data controller and data processor
22. Renewal of certificate of registration
23. Change in details of data controller or data processor
A data controller or data processor registered under this Act shall notify the Data Protection Commissioner of any change in the particulars relating to the registration within seven days of the change.
24. Suspension or cancellation of registration
25. Re-registration
Where a certificate of registration is cancelled or suspended under section 24, the holder of the certificate of registration may apply to the Data Protection Commissioner for re-registration in a prescribed form and manner on payment of a prescribed fee.
26. Surrender of certificate of registration
27. Exemption from registration
The Data Protection Commissioner may, by declaration, exempt a person for a limited or unlimited period of time from the requirement to hold a certificate of registration to process personal data.
28. Power to forbear
Part VI – Data auditors
29. Data auditors
The Data Protection Commissioner shall licence data auditors in the prescribed manner and form on payment of the prescribed fee.
30. Application for licence
31. Issue of licences
A licence under this Act shall only be issued to an applicant that possesses the relevant technical capabilities determined by the Data Protection Commissioner.
32. Conditions of licence
A licence issued under this Act shall—
33. Variation of licence
34. Surrender of licence
35. Transfer of licence
36. Suspension and cancellation
37. Renewal of licence
38. Functions of data auditor
The functions of a data auditor are to—
Part VII – Exemptions from principles and rules of processing of data
39. National security, defence and public order
A data controller that processes personal data in the interests of national security, defence and public order is exempt from the provisions of Part IV, except for section 12(1)(c), (d), (e) and (g).
40. Prevention, detection, investigation and prosecution of contraventions of law
41. Processing for purposes of legal proceedings
42. Research, archiving or statistical purposes
43. Journalistic purpose
44. Processing to be lawful and legitimate
Processing of personal data under this Part shall be for lawful and legitimate purposes.
Part VIII – Duties of data controller and data processor
45. Record of processing activities
46. Data protection impact assessment
47. Security of processing
48. Appointment of data protection officer
49. Notification of security breach
50. Accountability
A data controller and data processor shall—
51. Data retention
52. Duties of data processor
53. Non-disclosure of personal data
54. Joint controllers
55. Offence by data controller
56. Personal data in legal proceedings
A person shall not process personal data in legal proceedings, except—
57. Notification
A data controller or data processor shall notify the Data Protection Commissioner of any third party agreement that allows the third party to trade on the profile of a data subject.
Part IX – Rights of the data subject
58. Right of access and notification
59. Right to rectification
60. Right to erasure
61. Right of objection
62. Decision taken on basis of automatic data processing
63. Right to restriction of processing
64. Information when personal data collected directly from data subject
A data controller shall, where personal data relating to the data subject is collected directly from the data subject, concurrently provide the data subject with the following information, unless it is established that the data subject is already in receipt of that information:
65. Right to data portability
66. Notification obligation
A data controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with this Act to each recipient to whom the personal data has been disclosed, where practicable.
67. Derogation from rights
The rights of a data subject under this Part shall, to the extent necessary, not apply where processing is—
68. Complaints
A data subject may lodge a complaint with the Data Protection Commissioner if the data subject considers that the processing of personal data by a data controller or data processor contravenes this Act.
69. Appeals
A person who is aggrieved with the decision of the Data Protection Commissioner may appeal to the High Court within thirty days of the Data Protection Commissioner’s decision.
Part X – Transfer of personal data outside the Republic
70. Cross-border transfer of personal data
71. Conditions for cross-border transfer of personal data
Part XI – General provisions
72. Right to compensation
A data subject who has suffered damage as a result of an infringement of that data subject’s rights under this Act may receive compensation from the data controller or data processor, as determined by a court of competent jurisdiction, for the damage suffered.
74. Power of Data Protection Commissioner to compound certain offences
Where the Data Protection Commissioner is satisfied, after an investigation, or where a person admits, that the person has committed an offence under this Act, the Data Protection Commissioner may compound the offence by collecting from that person a sum of money that the Data Protection Commissioner considers appropriate, but not exceeding fifty percent of the maximum amount of the fine to which that person would have been liable on conviction.
76. Offence by principal officer, shareholder or partner of body corporate or unincorporate body
Where an offence under this Act is committed by a body corporate or unincorporate body with the knowledge, consent or connivance of a director, manager, shareholder or partner of that body corporate or unincorporate body, that director, manager, shareholder or partner of the body corporate or unincorporate body commits an offence and is liable, on conviction, to the penalty specified for that offence.
77. General penalty
A person who commits an offence under this Act for which a specified penalty is not provided is liable, on conviction, to a fine not exceeding three hundred thousand penalty units or to imprisonment for a term not exceeding three years, or to both.
78. Code of conduct
81. Auditing of data controller
Data Protection (Registration and Licensing) Regulations, 2021 – Statutory Instrument 58 of 2021