By 
The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) has issued a stern warning to organisations processing personal data without the requisite licence. The regulatory authority noted with concern, the widespread non-compliance despite the lapse of the March 2025 deadline.
The warning follows the promulgation of the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 Statutory Instrument 155 of 2024 in September 2024. The regulations established a mandatory requirement for natural or legal persons that process personal data to obtain a Data Controller Licence by 12 March 2025.
As the designated Data Protection Authority under section 5 of the Cyber and Data Protection Act [Chapter 12:07], POTRAZ has observed that some organisations continue to process personal information without the necessary authorisation, prompting the regulatory body to demand immediate compliance.
“It is against this background that the Authority issues this Notice to all unlicensed organisations processing personal information to comply with the statutory licensing obligation,” POTRAZ stated.
“All such entities are required to regularise their data processing activities with immediate effect by applying for an initial Data Controller licence or renewing their existing licence”.
The licensing requirement applies to non-exempt natural and legal persons permanently established in Zimbabwe, as well as those processing personal data using both print and electronic means. This includes organisations utilising surveillance or biometric systems, which fall within the scope of regulated data processing activities.
POTRAZ emphasised that obtaining a Data Controller licence transcends mere statutory compliance, framing it as a fundamental demonstration of commitment to data protection principles.
“Licensing as a Data Controller is not just a statutory obligation; it is a demonstration of your commitment to safeguarding personal data entrusted to you by all your stakeholders,” the authority stated.
“Stay compliant and process personal data lawfully”.
The Cyber and Data Protection Act establishes a comprehensive framework for data protection in Zimbabwe, requiring data controllers. These are entities that determine the purposes and means of processing personal data to register with POTRAZ and appoint Data Protection Officers where applicable. The licensing regime forms a critical component of the country’s data governance architecture, designed to ensure accountability and transparency in how organisations handle personal information.
POTRAZ has urged all unlicensed entities to apply online through the dedicated licensing portal .
Comments