Zimbabwe’s Data Protection Laws were updated as part of the recent 2024 regulations issued under the Cyber and Data Protection Act. 

As part of the recent update, the new regulations require data controllers to apply and pay for annual licenses based on the number of data subjects they process. 
– Tier 1: 50 – 1,000 data subjects – USD 50
– Tier 2: 1,001 – 100,000 data subjects – USD 300
– Tier 3: 100,001 – 500,000 data subjects – USD 500
– Tier 4: 500,001+ data subjects – USD 2,500

These licenses must be renewed annually—making data processing in Zimbabwe a ‘pay-to-process’ model. Unlike other African countries such as Kenya, there does not appear to be any exemption for this based on turnover or number of employees.

In addition to licensing requirements, if you intend on processing biometric data (like the use of fingerprint or facial recognition access control systems), you must give prior notice to the Zimbabwe Data Protection Authority before processing.

In general, when compared to South Africa’s Protection of Personal Information Act, the 2024 regulations are quite onerous in terms of the licensing requirements and direct oversight by the local authority.

As a result, proceed with caution and work alongside privacy law experts before collecting or handling personal information in Zimbabwe.