Law: The Data Protection Act No. 3 of 2021 (the Data Protection Act)

Regulator: Office of the Data Protection Commissioner (DPC)

Summary: The Data Protection Act No. 3 of 2021 (the Data Protection Act) entered into force on April 1, 2021, together with the Electronic Communications and Transactions Act No. 4 of 2021 (the Electronic Communications and Transactions Act) and the Cyber Security and Cyber Crimes Act No. 2 of 2021 (the Cyber Security and Cyber Crimes Act) following the publication in the Government Gazette of the respective Commencement Orders. The Data Protection Act provides a system for using and protecting personal data, introduces requirements for data controllers and processors, and recognizes various data subjects' rights. In addition, the Data Protection Act establishes the Office of the Data Protection Commissioner (ODPC), although no one has yet been appointed as Data Protection Commissioner.

The Data Protection Act largely follows the model of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and internationally accepted data protection principles. In addition, in 2016 Zambia signed the Convention on Cyber Security and Personal Data Protection (the Malabo Convention) and ratified the same in 2021.