It is a law that was enacted to protect the privacy of the individual and of personal data by regulating the collection and processing of personal data by data controllers and data processors.

According to the Data Protection Act of 2021 (DPA), personal data” means data which relates to an individual who can be directly or indirectly identified from that data which includes a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

When you give your personal data to an organization or person, they have a duty to keep this data private and safe, but readily available whenever it is legitimately needed to be accessed This process is known as data protection.

Registration is one of the very important elements of compliance with the data protection legislation as entities, including individuals, cannot perform the functions of Data Controllers or Data Processors unless they have registered with the Data Protection Commission (DPC).

Providing the prescribed information to the PDC during registration, ensures that entities play their part in promoting a transparent, and accountable data processing ecosystem which encourages the safeguarding of privacy rights of persons in Zambia. As society sees an exponential use of new technologies and the increased pace of digitalization, it is essential that individuals know how entities that are processing their data comply with the law, which helps increase trust and contributes to economic growth.

Registration also helps the ODPC effectively regulate the processing of data to minimize potential harm, damage or distress caused to individuals.

Registration is mandatory for all data controllers and processors that process personal data. However, t

Data controllers or data processors processing personal data for the purposes below are exempt from some of the provisions in the DPA that restrict the processing of personal data:

• A data controller that processes personal data in the interests of national security, defense and public order is exempt from the provisions of part IV, except for section 12 (1) (c), (d), (e) and (g).
• Processing authorized by a written law in the interests of prevention, detection, investigation and prosecution of an offence or any other contravention of the law shall be exempt from the provisions of part IV, except for section 12 (1) (c), (d), (e) and (g) of the DPA
• Where processing of personal data is necessary for enforcing a legal right or claim, seeking a relief, defending a charge, opposing a claim, or obtaining legal advice from a legal practitioner in an impending legal proceeding, that processing shall be exempt from the provisions of Part IV except section 12 (1) (c), (d), (e) and (g) of the DPA
• Where processing of personal data by a court or tribunal is necessary for the exercise of any judicial function, that processing is exempt from the provisions of part IV except section 12 (1) (c), (d), (e) and (g) of the DPA
• Where processing of personal data is necessary for research, archiving, or statistical purposes, that processing is exempt from the provisions of Part IV, except section 12 (1)(c), (d), (e) and (g). However, where sensitive personal data is being processed for research purposes that relate to scientific or historical research by a person other than a public body, that person shall not process such sensitive personal data without the authorization of the Data Protection Commissioner. Where personal data is being processed for scientific research purposes by a person other than a public body, that person shall ensure that the personal data is anonymized.
•  Where the processing of personal data is necessary for or relevant to a journalistic purpose, that processing is exempt from the provisions of the Act, except— (a) section 12(1)(c), (d), (e) and (g); and (b) section 47 provided the processing is for  lawful and legitimate purposes,  isin compliance with any law regulating journalists in Zambia and follows any code or guidelines issued by the Independent Broadcasting Authority.

• Applications are to be submitted electronically through the DPC’s website in the prescribed form and payment of registration fees.  The required organizational details must be submitted as well as a description of the processing activities. 
• Where the Data Commissioner is satisfied that the applicant has fulfilled the requirements, a certificate of registration shall be issued within 14 days and an entry of the details of the applicant shall be made in the register of data controllers and data processors.
• The certificate of registration will be valid for a period of 24 months from the date of issuance. A certificate of registration is renewable every 24 months and an application for renewal will need to be made at the appropriate time.
• Where the data commissioner is dissatisfied and rejects the registration application, the Data Commissioner shall notify the applicant within 14 days and provide reasons. Where the application had been declined, the applicant may make a fresh application.

The law applies to data controllers and data processors processing data about data subjects located in Zambia. Any data controller or the data processor not established or resident in Zambia but processing personal data of persons residing in Zambia will be required to register.

The registration fees depend on the category within which the data controller falls. The Registration Regulations classify Data controllers into three main tiers;

• Micro Organizations – (Application Fee is 167, Certificate of Registration Fee is 1,667)
• Medium Organizations - (Application Fee is 333, Certificate of Registration Fee is 3,334)
• Large Organizations - (Application Fee is 1000, Certificate of Registration Fee is 10,000)
• Data Processor - (Application Fee is 1000, Certificate of Registration Fee is 10,000)

Data Auditors are also required to register under the various categories as shown below;

• Data Auditor (Public Critical Information) – (Application Fee is 3,333 for entities and 1,677 for individuals, License Fee is 10,000 for entities and 16,667 for individuals)
• Data Auditor (Private Critical Information) – (Application Fee is 3,333 for both entities and individuals, License Fee is 33,333 for entities and 16,667 for individuals)
• Data Auditor (General) – (Application Fee is 3,333 for entities and 1,677 for individuals, License Fee is 33,333 for entities and 16,667 for individuals)

**There is also a register inspection fee of 333

Where an offence relates to infringement of a data subject’s rights or is in violation of  Data Protection Act or following investigations by the Commissioner, and such offences are committed by a controller or processor, will be required to pay a fine or be imprisoned controller or prosessor.

If you are not happy with how your personal data are being used, you should contact the organization or person in question. If you believe that the organization or person is still not respecting your data protection rights, you should contact the Data Protection Commission to ask for help.