Data Protection Act, 2024

No. 3 Data Protection 1

(Published 2nd February, 2024)

Act

No. 3 of 2024

I assent

DR. LAZARUS McCARTHY CHAKWERA PRESIDENT 31st January, 2024

ARRANGEMENT OF SECTIONS

SECTION

PART I—PRELIMINARY 1. Short title and commencement 2. Interpretation 3. Application

PART II—ADMINISTRATION 4. Designation of Data Protection Authority 5. Functions of the Authority 6. Powers of the Authority 7. Advisory committees

PART III—PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA 8. Personal data to be processed lawfully, fairly, etc. 9. Purpose limitation 10. Data minimization 11. Data accuracy 12. Storage limitation 13. Data integrity and data confidentiality 14. Principles for determining the validity of consent 15. Provision of information to a data subject 16. Processing of sensitive personal data 17. Processing personal data of children and other legally incapacitated persons

Data Protection No. 3

# SECTION

1. Processing of personal data relating to criminal offences, convictions, etc.

PART IV—RIGHTS OF A DATA SUBJECT

1. Right to access personal data
2. Right to data portability
3. Right to rectification of personal data
4. Right to erasure of personal data
5. Right to restriction of processing personal data
6. Right to object
7. Automated decision-making
8. Derogations

PART V—DUTIES OF A DATA CONTROLLER AND DATA PROCESSOR

1. Adherence to data protection principles
2. Technical and organizational measures
3. Record of personal data processing activities
4. Data protection impact assessment
5. Joint data controllers
6. Regulation of the relationship between data controllers and data processors
7. Designation of a data protection officer
8. Duties of a data protection officer

PART VI—DATA SECURITY

1. Security of personal data
2. Notification of personal data breach
3. Communication of personal data breach to data subjects

PART VII—CROSS-BORDER TRANSFERS OF PERSONAL DATA

1. Cross-border transfer of personal data
2. Adequacy of protection of personal data
3. Binding corporate rules, certification mechanisms, etc.

PART VIII—REGISTRATION OF DATA CONTROLLERS OF MAJOR IMPORTANCE AND DATA PROCESSORS OF MAJOR IMPORTANCE

1. Registration of data controllers of significant importance and data processors of significant importance
2. Suspension or cancellation of registration
3. Exemptions

No. 3 Data Protection 3

# SECTION

PART IX—COMPLAINTS

1. Complaints
2. Compliance orders

PART X—MISCELLANEOUS

1. Appeal against decisions of the Authority
2. Civil remedies
3. Obstruction, interference with the Authority
4. Breach of confidentiality
5. Offences committed by legal persons, firms, etc.
6. Vicarious liability
7. Regulations
8. Transitional provision

An Act to provide for the protection of personal data of natural persons; the regulation of the processing and movement of personal data of natural persons; the rights of natural persons with respect to the processing of personal data; the obligations of data controllers and data processors; the designation of a Data Protection Authority; and matters incidental thereto

ENACTED by the Parliament of Malawi as follows—

PART I—PRELIMINARY

1. This Act may be cited as the Data Protection Act, 2024, and shall come into operation on such date as the Minister may appoint by notice published in the Gazette.