Data Protection Act, 2021

Data Protection [No. 3 of 2021 87

# THE DATA PROTECTION ACT, 2021

# ARRANGEMENT OF SECTIONS

PART I

PRELIMINARY PROVISIONS

Section

1. Short title and commencement
2. Interpretation
3. Application

PART II

OFFICE OF THE DATA PROTECTION COMMISSIONER

1. Establishment of Office of Data Protection Commissioner
2. Data protection Commissioner
3. Appointment of Deputy Data Protection Commissioners and other staff

PART III

INSPECTORATE

1. Inspector
2. Power of inspectors
3. Arrest without warrant
4. Seizure of property
5. Restoration of property

PART IV

PRINCIPLES AND RULES RELATING TO PROCESSING OF PERSONAL DATA

1. Principles relating to processing of personal data
2. Processing of personal data
3. Processing of sensitive personal data
4. Consent, justification and objection
5. Collection of personal data
6. Processing of child and vulnerable person’s personal data
7. Offence and penalty for contravention of personal data obligation

Single copies of this Act may be obtained from the Government Printer, P.O. Box 30136, 10101 Lusaka, Price K80.00 each.

88 No. 3 of 2021] Data Protection

PART V

REGULATION OF DATA CONTROLLERS, DATA PROCESSORS AND DATA AUDITORS

1. Prohibition from controlling or processing personal data without registration
2. Application for registration as data processor or data controller
3. Registration of data controller and data processor
4. Renewal of certificate of registration
5. Change in details of data controller or data processor
6. Suspension and cancellation of registration
7. Re-registration
8. Surrender of certificate of registration
9. Exemption from registration
10. Power to forbear

PART VI

DATA AUDITORS

1. Data auditors
2. Application for licence
3. Issue of licences
4. Conditions of licence
5. Variation of licence
6. Surrender of licence
7. Transfer of licence
8. Suspension and cancellation
9. Renewal of licence
10. Functions of a data auditor

PART VII

EXEMPTION FROM PRINCIPLES AND RULES OF PROCESSING OF DATA

1. National security, defence and public order
2. Prevention, detection investigation and prosecution of contraventions of law
3. Processing for purpose of legal proceedings

Data Protection [No. 3 of 2021 89

1. Research, archiving or statistical purpose
2. Journalistic purpose
3. Processing to be lawful and legitimate

PART VIII

DUTIES OF DATA CONTROLLER AND DATA PROCESSOR

1. Record of processing activities
2. Data protection impact assessment
3. Security of processing
4. Appointment of data protection officer
5. Notification of security breach
6. Accountability
7. Data retention
8. Duties of data processor
9. Non-disclosure of personal data
10. Joint controllers
11. Offence by data controller
12. Personal data in legal proceedings
13. Notification

PART IX

RIGHTS OF THE DATA SUBJECT

1. Right of access and notification
2. Right to rectification
3. Right to erasure
4. Right of objection
5. Decision taken on basis of automatic data processing
6. Right to restriction of processing
7. Information when personal data collected directly from data subject
8. Right to data portability
9. Notification obligation
10. Derogation from rights
11. Complaints
12. Appeals

90 No. 3 of 2021] Data Protection