On 23 March 2021, Zambia’s Parliament enacted the Data Protection Act No 3 of 2021 (the “DPA”) to regulate the collection and storage of the “personal data” (i.e. data that can be used to identify an individual, such as a person’s name or identification number) of individuals in Zambia.

6 June 22

Although the DPA is in force, the regulator – the Data Protection Commissioner (the “DPC”) is yet to be appointed at the date of this alert and as such, the DPA is not fully operationalised. This notwithstanding, this legal alert will focus on the DPA’s requirements for entities to process and store personal data on servers or data centres that are located in Zambia.

The Data Localisation Requirements Under the DPA
Section 70(1) of the DPA makes it mandatory for data controllers and data processors to store and process personal data and sensitive personal data (i.e. data relating to, inter alia, the sex or marital status of a data subject) on servers or data centres that are located in Zambia. This was not the case before the enactment of the DPA, as entities could store and process personal data on data servers or data centres located outside Zambia.

Exceptions to the DPA’S Localisation Requirements
Despite the above requirements, personal data may be stored outside Zambia, where: • the Minister of Science and Technology (the “Minister”) promulgates a Statutory Instrument which sets out certain categories of personal data that may be stored outside Zambia; or • a data subject expressly consents to the transfer of their personal data outside Zambia and the transfer is made subject to standard contracts or intragroup schemes that have been approved by the DPC or the DPC has approved the particular transfer of personal data or a set of transfers due to a situation of necessity. However, if none of the above approvals are obtained, then the personal data would still need to be stored on servers or data centres that are located in Zambia. Therefore, businesses that wish to process and store personal data outside Zambia, must ensure that they obtain consent not only from the data subject, but from the DPC as well, once the office of the DPC is fully constituted. Furthermore, once the requisite approvals are obtained, the businesses must ensure that their processing and storage of the personal data conforms to the conditions of the consent and approvals obtained from the relevant data subjects and the DPC.

The DPA has enhanced the way personal data is to be processed and stored by making it mandatory for personal data to be stored on servers or data centres located in Zambia. To this extent, data controllers and data processors may only store personal data outside of Zambia once they have obtained the requisite approvals.

Should you have any questions on this legal alert, please do not hesitate to contact Harriet Mdala or Emmanuel Manda 

__________

Contributor
Bupe-Kunda Kauseni

Authors