Aegis-Pulse Zim

Aegis-Pulse keeps you ahead in Zimbabwe’s evolving tech landscape. Need insights, security, or digital strategy? We’re here to help.

From cybersecurity and privacy to software and social media trends, we decode the digital world so you don’t have to.

The Importance of Standardised Data Processing Agreements for Data Processors
25/03/2025

Many organisations use cloud-based services such as Office 365 or Google Workspace. The Cyber and Data Protection Act (CDPA), along with the SI 155 Regulations, is now in full force, and Data Protection Officers (DPOs) are in a race to ensure that their organisations comply. Achieving compliance is, however, a tricky affair, especially when dealing with local and international data processors.

Challenges Faced by DPOs in Ensuring Compliance
1. Local Data Processors: Undefined Roles and Responsibilities

Whenever new laws and regulations come into force, there is an adjustment phase in which organisations come to terms with new roles and responsibilities. Unfortunately, we are at the stage where local data processors struggle to understand their specific roles and responsibilities under the “new law”. In some cases, data processors operate as both data controllers and data processors, which can result in what may be perceived as ambiguity in compliance responsibilities. Misunderstandings in this area then tend to hinder effective data protection measures and increase regulatory risks. Under the CDPA, the risks fall squarely on the data controller.

2. International Data Processors: Pre-Existing Compliance Frameworks

International data processors with years of experience dealing with different regulatory bodies often have compliance pre-structured within their existing systems. International service providers, such as Microsoft and Google, already have Data Processing Agreements in place, usually in the form of Data Processing Addendums (addendums are made to existing contracts, such as licence agreements, to meet regulatory requirements). A challenge for new DPOs is knowing where to find these agreements and ensuring they align with local regulations.

Why Standardised Data Protection Agreements Are Essential for Data Processors
When service providers act as data processors for multiple clients (e.g. cloud storage facilitators), it is advisable that they take the proactive approach of crafting standardised Data Processing Agreements (DPAs) for their clients that align with regulatory requirements. Instead of waiting for each data controller to request a customised agreement, having a standardised document offers many benefits, such as:

• Streamlines compliance efforts by reducing administrative overhead.

• Ensures consistency across all client engagements.

• Minimises legal risks by maintaining a single, well-structured agreement that meets regulatory expectations.

• Enhances trust and transparency between data processors and controllers.

How Leading Data Processors Implement Standardised DPAs
A good example of the practice of standardised Data Processing Agreements/Addendums is Google Workspace, which provides a predefined DPA within its platform. Instead of requiring individual negotiations, Google allows organisations to complete compliance documentation within their account settings.

The Google Workspace Addendum can be found under:

“Account Settings” → “Legal and Compliance”, where organisations can enter their DPO details and complete compliance documentation.

Conclusion
For organisations acting as data processors, creating standardised DPAs that align with regulatory requirements makes for smoother operations, better compliance, and reduced regulatory risks. By taking the initiative and being proactive, data processors can provide a stress-free compliance framework for their clients, improving trust and operational efficiency. For DPOs working under data processors, it is best to leverage the existing agreements provided by international processors, aligning them with local laws to simplify compliance efforts.

Written by P.J. Jones, POTRAZ Certified DPO

Introduction to Data Protection in Zimbabwe
By P. Jones, POTRAZ Certified Data Protection Officer
16/03/2025

Background:

Before its promulgation as an Act in 2021, the Cyber and Data Protection Bill underwent a period of extensive circulation and discussion. This process included consultative workshops with various stakeholders and the public, with the aim of gathering input and refining the proposed legislation. Unfortunately, much of the focus in the discussions was on the Bill's amendments to existing laws, specifically those related to cybercrime definitions, rather than on the Act's principal purpose: data protection. The CDPA (Cyber and Data Protection Act) was eventually passed into law in 2021, establishing the necessary framework for data protection in Zimbabwe.

Implementation and Evolution:

The initial implementation of the Act faced challenges. Despite provisions requiring organisations and individuals acting as data controllers to register with the Data Protection Authority and appoint Data Protection Officers (DPOs), there was limited uptake. The evolution of the technology industry necessitated the implementation of data protection measures to safeguard individuals in the digital realm. To address this, the government introduced Statutory Instrument 155 of 2024. These regulations, building on the foundation laid by the CDPA, introduced mandatory licensing for data controllers and reinforced the requirement for DPO appointments. The regulations also introduced a tiered licensing system based on the volume of data processed, aiming to tailor regulatory requirements to the scale of data processing activities.

The Definitions:

From the Act

“data controller” or “controller”—

(a) refers to any natural person or legal person who is licensable by the Authority;

(b) includes public bodies and any other person who determines the purpose and means of processing data;

“Data Protection Authority” or “Authority” refers to Postal and Telecommunications Regulatory Authority of Zimbabwe established in terms of section 5 of the Postal and Telecommunications Act [Chapter 12:05];

“data protection officer” or “DPO” refers to any individual appointed by the data controller and is charged with ensuring, in an independent manner, compliance with the obligations provided for in this Act;

“data subject” refers to an individual who is an identifiable person and the subject of data;

Who Needs to Register as a Data Controller:

Based on the above definitions, any legal person that determines the purpose and means of processing data must register. The Regulations (SI 155 of 2024) go on to further expand on these terms and add the following:

Processing of data

S(3).

(1) No person shall process personal information for the purposes indicated in subsection (2) unless they are licensed with the Authority.

(2) Subject to section 4, any person who processes personal information with the intention to—

(a) decide the means, purpose or outcome of the processing;

(b) decide what personal data should be collected;

(c) decide which individuals to collect personal data from;

(d) obtain a commercial gain or other benefit from the processing of personal data;

shall apply for a licence in terms of these regulations.

Consequences of not Registering:

The Regulations also stipulate penalties for not registering.

S(3)(3) Any person who processes personal information in terms of this section without a data controller licence within the stipulated time frames shall be guilty of an offence and liable to a fine not exceeding level 11 or to imprisonment for a period not exceeding seven years or to both such fine and such imprisonment.

Simplified, that is a Level 11 ($1000) fine (at the time of writing this article) and/or imprisonment not exceeding 7 years.

Where to Apply for a License and License Categories:

The Authority (POTRAZ) is specified by the Act as the Data Protection Authority and is also given the power to license entities. Note, though, that before a licence can be issued the Data Controller must have appointed a DPO and notified the Authority in writing of the appointment. The DPO is the one who handles the licence application to the Authority.

Data controller licences are tiered, because the data demands of different types of data controller differ. Section 6 of the regulations (SI 155 of 2024) reflects this.

Licence categories

6. (1) The Authority shall issue any of the following data controller licences to any person eligible for licensing in terms of section 3—

(a) a tier 1 data controller licence shall be issued to a person who processes information for a minimum of 50 or a maximum of 1000 data subjects;

(b) a tier 2 data controller licence shall be issued to a person who processes information for a minimum of 1001 or a maximum of 100,000 data subjects;

(c) a tier 3 data controller licence shall be issued to a person who processes information for a minimum of 100,001 or a maximum of 500,000 data subjects;

(d) a tier 4 data controller licence shall be issued to a person who processes information for more than 500,000 data subjects.

(2) Any person who seeks to get a data controller licence in terms of subsection (1) shall on being issued with a licence, pay a licence fee specified in the Second Schedule.

Exemptions:

There are exemptions from licensing specified in the Act; they are further elaborated on in the regulations (SI 155 of 2024).

Exemption from licensing

8. (1) Data controllers processing personal data for one or more of the following purposes—


(a) personal, family or household affairs;

(b) law enforcement;

(c) journalistic, historical or archival purposes;

shall be exempted from applying for a data controller licence.

(2) A data controller referred to in subparagraph 1(b) and (c) shall be required to register with the Authority, and to comply with data protection principles under the Act.

For the purposes of the Act, the Courts are included under law enforcement.

Who can become a DPO:

The regulations give the guidelines for becoming a DPO via Section 13 of SI 155 of 2024, which outlines the qualifications required to become a DPO in Zimbabwe. The regulations stipulate that individuals aspiring to be DPOs must possess a combination of skills, qualifications, and experience relevant to data protection.

Guidelines on qualifications of data protection officers

13. (1) A data protection officer shall have skill, qualifications, or experience in any of the following—

(a) data science; or

(b) data analytics; or

(c) information security systems; or

(d) information systems audit; or

(e) law; or

(f) audit; or

(g) any other relevant qualification;

(h) knowledge of national data protection laws and practices; and

(i) an understanding of the data controller’s business operations and processing activities.

While the guidelines allow any of the above to qualify a person to become a DPO, s(13)(2) of SI 155 of 2024 goes on to say that, in addition to these qualifications, all prospective DPOs must undergo a mandatory certification course approved by the Data Protection Authority. This requirement ensures that DPOs have a standardised level of competency and understanding of Zimbabwe's data protection framework.

(2) Every data protection officer shall be required to undergo a certification course approved by the Authority.

Conclusion:

This shift toward more stringent regulations signifies a move to bolster data protection practices in Zimbabwe and ensure greater compliance with the principles outlined in the CDPA. Truthfully, Zimbabwe has been playing catch-up with the rest of the world, and these regulations are the step forward it needs, not only to regulate but to protect the data of Zimbabwe’s citizens.

Written by P. Jones, POTRAZ Certified Data Protection Officer
