
 

DATA PROTECTION ACT: SUBSIDIARY LEGISLATION

 

INDEX TO SUBSIDIARY LEGISLATION

Data Protection Act (Commencement) Order

Data Protection (Registration and Licensing) Regulations

 

DATA PROTECTION ACT (COMMENCEMENT) ORDER

[Section 1]

Arrangement of Paragraphs

   Paragraph

   1.   Title

   2.   Commencement of Act No. 3 of 2021

SI 22 of 2021.

1.   Title

This Order may be cited as the Data Protection Act (Commencement) Order, 2021.

2.   Commencement of Act No. 3 of 2021

The Data Protection Act, 2021, shall come into operation on the date of publication of this Order.

 

DATA PROTECTION (REGISTRATION AND LICENSING) REGULATIONS

[Section 82]

Arrangement of Regulations

   Regulation

PART I
PRELIMINARY PROVISIONS

   1.   Title

   2.   Interpretation

   3.   Categories of data controllers and data processors

   4.   Application for certificate of registration

   5.   Request for further particulars

   6.   Issue of certificate of registration

   7.   Duration of certificate of registration

   8.   Rejection of application

   9.   Renewal of certificate of registration

   10.   Notice of change of particulars

   11.   Notice of surrender of certificate of registration

   12.   Suspension or cancellation of certificate of registration

   13.   Application for re-registration

PART II
DATA AUDITOR

   14.   Application for licence

   15.   Duration of licence

   16.   Renewal of licence

   17.   Transfer of licence

   18.   Amendment of licence

   19.   Notice to surrender licence

   20.   Suspension or cancellation of licence

PART III
GENERAL PROVISIONS

   21.   Record of processing activities

   22.   Data protection impact assessment

   23.   Register

   24.   Fees

      FIRST SCHEDULE

      SECOND SCHEDULE

SI 58 of 2021.

 

PART I
PRELIMINARY PROVISIONS

1.   Title

These Regulations may be cited as the Data Protection (Registration and Licensing) Regulations, 2021.

2.   Interpretation

In these Regulations, unless the context otherwise requires

"micro organisation" means an entity with a maximum of 10 employees;

"medium organisation" means an entity with more than 10 employees but not more than 50 employees;

"large organisation" means an entity with more than 50 employees; and

"licensee" means a person licensed to offer data auditing services under regulation 14.

3.   Categories of data controllers and data processors

   (1) The Data Protection Commissioner shall register a data controller and a data processor in the following category

   (a)   micro organisation;

   (b)   medium organisation;

   (c)   a large organisation; and

   (d)   an individual.

   (2) The Data Protection Commissioner shall charge different fees for each category as set out in the Second Schedule.

4.   Application for certificate of registration

A person who intends to operate as a data controller or data processor shall apply to the Data Protection Commissioner for a certificate of registration in Form I set out in the First Schedule.

5.   Request for further particulars

The Data Protection Commissioner may, where the Data Protection Commissioner requires further particulars in relation to an application, request an applicant to submit further particulars, within a specified period, in Form II set out in the First Schedule.

6.   Issue of certificate of registration

The Data Protection Commissioner shall, where the applicant meets the requirements of the Act, issue a certificate of registration in Form III set out in the First Schedule.

7.   Duration of certificate of registration

The certificate of registration issued under these Regulations is valid for a period of one year.

8.   Rejection of application

The Data Protection Commissioner shall, where the Data Protection Commissioner rejects an application, inform the applicant within 14 days from the date of the decision of the rejection in Form IV set out in the First Schedule.

9.   Renewal of certificate of registration

A holder of a certificate of registration shall apply for renewal of a certificate of registration in Form V set out in the First Schedule.

10.   Notice of change of particulars

A holder of a certificate of registration shall notify the Data Protection Commissioner of any change in particulars relating to registration in Form VI set out in the First Schedule.

11.   Notice of surrender of certificate of registration

The data controller or data processor shall notify the Data Protection Commissioner, where a data controller or data processor ceases to carry on business in the data processing or controlling industry, in Form VII set out in the First Schedule.

12.   Suspension or cancellation of certificate of registration

   (1) The Data Protection Commissioner shall, before the Data Protection Commissioner suspends or cancels a certificate of registration, notify the holder of the certificate of registration of the intention to suspend or cancel the certificate of registration in Form VIII set out in the First Schedule.

   (2) Where the holder of the certificate of registration is notified of the intention of the Data Protection Commissioner under sub-regulation (1), the holder of the certificate of registration shall

   (i)   show cause why the certificate of registration should not be suspended or cancelled; or

   (ii)   take remedial measures to the satisfaction of the Data Protection Commissioner within the times specified in notice.

   (3) The Data Protection Commissioner shall, where the holder fails to show cause why the certificate should not be cancelled or suspended or fails to take remedial measures to the satisfaction of the Data Protection Commissioner, cancel or suspend the certificate of registration.

   (4) Where the Data Protection Commissioner suspends or cancels a certificate of registration under sub-regulation (3), the Data Protection Commissioner shall, inform the holder of a certificate of registration of the suspension or cancellation of the certificate in Form IX set out in the First Schedule.

13.   Application for re-registration

A person whose certificate of registration issued under these Regulations has been cancelled, may apply for re-registration as a data processor or data controller in Form V set out in the First Schedule.

 

PART II
DATA AUDITOR

14.   Application for licence

   (1) A person who intends to provide data audit services shall apply to the Data Protection Commissioner for a licence in Form I set out in the First Schedule.

   (2) A Data Protection Commissioner shall, where the applicant

   (a)   meets the requirements of the Act, issue the applicant with a licence in Form X set out in the First Schedule; or

   (b)   does not meet the requirements of the Act, reject the application and inform the applicant of the rejection in Form IV set out in the First Schedule stating the reasons for the rejection.

15.   Duration of licence

The licence issued under these Regulations is valid for a period of two years.

16.   Renewal of licence

A licensee who intends to renew that licence shall, apply to the Data Protection Commissioner, for renewal of a licence at least three months before the expiry of the licence, in Form V set out in the First Schedule.

17.   Transfer of licence

An application to transfer or assign a licence shall be made to the Data Protection Commissioner, in Form XI set out in the First Schedule.

18.   Amendment of licence

A licensee may within the validity of the licence, apply to the Data Protection Commissioner for an amendment or variation of the terms and conditions of the licence in Form XII set out in the First Schedule.

19.   Notice to surrender licence

A licensee shall, notify the Data Protection Commissioner, where a licensee ceases to provide the services relating to the licence, within one month of ceasing to carry on business, in Form VII set out in the First Schedule.

20.   Suspension or cancellation of licence

   (1) The Data Protection Commissioner shall, before the Data Protection Commissioner suspends or cancels a licence, notify the holder of the licence of the Data Protection Commissioner's intention to suspend or cancel the licence in Form VIII set out in the First Schedule.

   (2) The Data Protection Commissioner shall suspend or cancel the licence and inform the licensee in Form IX set out in the First Schedule where a licensee who is notified of the intention to suspend or cancel a licence under sub-regulation (1)

   (i)   fails to show cause why the licence should not be cancelled or suspended; or

   (ii)   does not take any remedial measures to the satisfaction of Data Protection Commissioner within the specified time.

 

PART III
GENERAL PROVISIONS

21.   Record of processing activities

A data controller or data processor shall keep and maintain a record of processing activities and meta data in Form XIII set out in the First Schedule.

22.   Data protection impact assessment

The data protection impact assessment shall be made in Form XIV set out in the First Schedule.

23.   Register

The Data Protection Commissioner shall keep and maintain a register, which shall be open to inspection by the public during normal working hours on payment of a fee set out in the Second Schedule.

24.   Fees

The fees set out in the Second Schedule are fees payable for the matters specified in that Schedule.

 

FIRST SCHEDULE

[Regulations 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 16, 17, 18, 19, 20, 21 and 22]

FORM I

[Regulations 4 and 14]

REPUBLIC OF ZAMBIA

MINISTRY OF TRANSPORT AND COMMUNICATIONS

The Data Protection Act, 2021
(Act No. 3 of 2021)

The Data Protection (Registration and Licensing) Regulations, 2021

APPLICATION FOR REGISTRATION/LICENCE

 

Shaded fields for official use only

Certificate/ License code

 

Date and time

 

Information Required

Information Provided

1.

Type of document

Licence (Data Auditor) Certificate (Data Controller and Data Processor)

2.

Type of data service

Data Processor Data Controller Data Auditor

3.

Data service category (Data Auditor Only)

Data Auditor - Public Critical Information Infrastructure Data Auditor - Private Public Critical Information Infrastructure Data Auditor- General

4.

Name(s) of applicant(s)

 

5.

(a) Nationality of applicant(s)

 
 

(b) Identity card of applicant(s) - Attach certified copies

NRC No.

Passport No.

 

6.

Type of applicant

Individual

Company

Partnership

7.

(a)   Notification address

 

   Tel:

 

   Email:

 

(b) Information of contact person authorised to represent the applicant

 

   Tel:

     

   Email:

     

8.

Where the applicant is a company, the following details are required:

   (a)   company name:

   (b)   company address:

   (c)   company registration No.:

9.

Have you ever applied to provide data auditing, data controller or data processor services in Zambia?
If yes please give details:

(a)

Service applied for

Location

Brief description of service

Date of application

Status of application (Granted, rejected or pending)

           
           
           

(b)

If application was rejected, give reasons for rejection:

10.

Service commencement details

(a) Proposed commencement date:

(b) Brief description:

11.

Have you been convicted of an offence involving fraud or dishonesty or of any offence under the Data Protection Act 2021, Electronic Communication and Transaction Act, 2021 or any of their predecessors,
Or any other law within Zambia?
If yes, specify details:

..........................................................................................................................................

Nature of offence: ...............................................................................................................

Date of conviction: ..............................................................................................................

Sentence: ..........................................................................................................................

12.

Where the applicant is a controller, the following database registration details are required: (To be filled by a Data Controller ONLY)

   (a)   Name of database(s):

 

   (b)   A description of the information to be stored:

 

   (c)   What is the information used for?

 

   (d)   Will/Is the information be passed or shared with other organisation(s)/persons?
If 'yes' who and why?

 

   (e)   Is/Will the information be transferred outside Zambia?
If 'yes', where? And why?

 

   (f)   Detail how the information will/is kept safe and secure:

 

13.

Appendices

Applicability

Appendix No. 1

Database Registration Details

Applicable to Data Controller and Data Processor ONLY

Appendix No. 2

Such other relevant information as the Authority may require

 

14.

QUALITY OF SERVICE UNDERTAKING
I/We declare that the quality of service I/we provide shall meet the minimum requirements set out under the Act or any other law or, guidelines published by the Data Protection Commissioner or any international standard.

15.

DECLARATION
I/We declare that all the particulars and information provided in this application are complete, correct and true and

I/We agree that in the event that any of the said particulars and information provided is found to be untrue or fraudulent, the licence will be revoked.

16.

I/We agree that in the event of the revocation of the licence, any fee paid to the authority for licence shall be forfeited.

I/We declare that in the event that the nature of my/our business changes, or I/we no longer carry out operations in terms of the registration.

I/We will notify the Authority in which case my/our registration may be revoked or revised.

Declared at ......... this ... day of ...................... 20.. by the following persons who are duly authorised to sign for and on behalf of the applicant under the authority of the Power of Attorney or Board resolution which is hereby attached.

My Details - Attachments

 

.....................................                        .....................................
      Applicant                                    Date

.....................................                        .....................................
      Officer                                    Date

FOR OFFICIAL USE ONLY

Received by ..............................................   Date received .....................................
                  Officer

Amount received: ...................................

Serial No. of application: ..........................

FORM II

