DATA PROTECTION ACT: SUBSIDIARY LEGISLATION
INDEX TO SUBSIDIARY LEGISLATION
Data Protection Act (Commencement) Order
Data Protection (Registration and Licensing) Regulations
DATA PROTECTION ACT (COMMENCEMENT) ORDER
[Section 1]
Arrangement of Paragraphs
Paragraph
2. Commencement of Act No. 3 of 2021
SI 22 of 2021.
This Order may be cited as the Data Protection Act (Commencement) Order, 2021.
2. Commencement of Act No. 3 of 2021
The Data Protection Act, 2021, shall come into operation on the date of publication of this Order.
DATA PROTECTION (REGISTRATION AND LICENSING) REGULATIONS
[Section 82]
Arrangement of Regulations
Regulation
PART I
PRELIMINARY PROVISIONS
3. Categories of data controllers and data processors
4. Application for certificate of registration
5. Request for further particulars
6. Issue of certificate of registration
7. Duration of certificate of registration
9. Renewal of certificate of registration
10. Notice of change of particulars
11. Notice of surrender of certificate of registration
12. Suspension or cancellation of certificate of registration
13. Application for re-registration
PART II
DATA AUDITOR
19. Notice to surrender licence
20. Suspension or cancellation of licence
PART III
GENERAL PROVISIONS
21. Record of processing activities
22. Data protection impact assessment
SI 58 of 2021.
PART I
PRELIMINARY PROVISIONS
These Regulations may be cited as the Data Protection (Registration and Licensing) Regulations, 2021.
In these Regulations, unless the context otherwise requires—
"micro organisation" means an entity with a maximum of 10 employees;
"medium organisation" means an entity with more than 10 employees but not more than 50 employees;
"large organisation" means an entity with more than 50 employees; and
"licensee" means a person licensed to offer data auditing services under regulation 14.
3. Categories of data controllers and data processors
(1) The Data Protection Commissioner shall register a data controller and a data processor in the following category—
(a) micro organisation;
(b) medium organisation;
(c) a large organisation; and
(d) an individual.
(2) The Data Protection Commissioner shall charge different fees for each category as set out in the Second Schedule.
4. Application for certificate of registration
A person who intends to operate as a data controller or data processor shall apply to the Data Protection Commissioner for a certificate of registration in Form I set out in the First Schedule.
5. Request for further particulars
The Data Protection Commissioner may, where the Data Protection Commissioner requires further particulars in relation to an application, request an applicant to submit further particulars, within a specified period, in Form II set out in the First Schedule.
6. Issue of certificate of registration
The Data Protection Commissioner shall, where the applicant meets the requirements of the Act, issue a certificate of registration in Form III set out in the First Schedule.
7. Duration of certificate of registration
The certificate of registration issued under these Regulations is valid for a period of one year.
The Data Protection Commissioner shall, where the Data Protection Commissioner rejects an application, inform the applicant within 14 days from the date of the decision of the rejection in Form IV set out in the First Schedule.
9. Renewal of certificate of registration
A holder of a certificate of registration shall apply for renewal of a certificate of registration in Form V set out in the First Schedule.
10. Notice of change of particulars
A holder of a certificate of registration shall notify the Data Protection Commissioner of any change in particulars relating to registration in Form VI set out in the First Schedule.
11. Notice of surrender of certificate of registration
The data controller or data processor shall notify the Data Protection Commissioner, where a data controller or data processor ceases to carry on business in the data processing or controlling industry, in Form VII set out in the First Schedule.
12. Suspension or cancellation of certificate of registration
(1) The Data Protection Commissioner shall, before the Data Protection Commissioner suspends or cancels a certificate of registration, notify the holder of the certificate of registration of the intention to suspend or cancel the certificate of registration in Form VIII set out in the First Schedule.
(2) Where the holder of the certificate of registration is notified of the intention of the Data Protection Commissioner under sub-regulation (1), the holder of the certificate of registration shall—
(i) show cause why the certificate of registration should not be suspended or cancelled; or
(ii) take remedial measures to the satisfaction of the Data Protection Commissioner within the times specified in notice.
(3) The Data Protection Commissioner shall, where the holder fails to show cause why the certificate should not be cancelled or suspended or fails to take remedial measures to the satisfaction of the Data Protection Commissioner, cancel or suspend the certificate of registration.
(4) Where the Data Protection Commissioner suspends or cancels a certificate of registration under sub-regulation (3), the Data Protection Commissioner shall, inform the holder of a certificate of registration of the suspension or cancellation of the certificate in Form IX set out in the First Schedule.
13. Application for re-registration
A person whose certificate of registration issued under these Regulations has been cancelled, may apply for re-registration as a data processor or data controller in Form V set out in the First Schedule.
PART II
DATA AUDITOR
(1) A person who intends to provide data audit services shall apply to the Data Protection Commissioner for a licence in Form I set out in the First Schedule.
(2) A Data Protection Commissioner shall, where the applicant—
(a) meets the requirements of the Act, issue the applicant with a licence in Form X set out in the First Schedule; or
(b) does not meet the requirements of the Act, reject the application and inform the applicant of the rejection in Form IV set out in the First Schedule stating the reasons for the rejection.
The licence issued under these Regulations is valid for a period of two years.
A licensee who intends to renew that licence shall, apply to the Data Protection Commissioner, for renewal of a licence at least three months before the expiry of the licence, in Form V set out in the First Schedule.
An application to transfer or assign a licence shall be made to the Data Protection Commissioner, in Form XI set out in the First Schedule.
A licensee may within the validity of the licence, apply to the Data Protection Commissioner for an amendment or variation of the terms and conditions of the licence in Form XII set out in the First Schedule.
19. Notice to surrender licence
A licensee shall, notify the Data Protection Commissioner, where a licensee ceases to provide the services relating to the licence, within one month of ceasing to carry on business, in Form VII set out in the First Schedule.
20. Suspension or cancellation of licence
(1) The Data Protection Commissioner shall, before the Data Protection Commissioner suspends or cancels a licence, notify the holder of the licence of the Data Protection Commissioner's intention to suspend or cancel the licence in Form VIII set out in the First Schedule.
(2) The Data Protection Commissioner shall suspend or cancel the licence and inform the licensee in Form IX set out in the First Schedule where a licensee who is notified of the intention to suspend or cancel a licence under sub-regulation (1)—
(i) fails to show cause why the licence should not be cancelled or suspended; or
(ii) does not take any remedial measures to the satisfaction of Data Protection Commissioner within the specified time.
PART III
GENERAL PROVISIONS
21. Record of processing activities
A data controller or data processor shall keep and maintain a record of processing activities and meta data in Form XIII set out in the First Schedule.
22. Data protection impact assessment
The data protection impact assessment shall be made in Form XIV set out in the First Schedule.
The Data Protection Commissioner shall keep and maintain a register, which shall be open to inspection by the public during normal working hours on payment of a fee set out in the Second schedule.
The fees set out in the Second Schedule are fees payable for the matters specified in that Schedule.
[Regulations 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 16, 17, 18, 19, 20, 21 and 22]
FORM I
[Regulations 4 and 14]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
APPLICATION FOR REGISTRATION/LICENCE |
||||
Shaded fields for official use only |
Certificate/ License code |
|||
Date and time |
||||
Information Required |
Information Provided |
|||
1. |
Type of document |
|
||
2. |
Type of data service |
|
||
3. |
Data service category (Data Auditor Only) |
|
||
4. |
Name(s) of applicant(s) |
|||
5. |
(a) Nationality of applicant(s) |
|||
(b) Identity card of applicant(s) - Attach certified copies |
NRC No. |
Passport No. |
||
6. |
Type of applicant |
|
|
|
7. |
(a) Notification address |
|||
Tel: |
||||
Email: |
||||
(b) Information of contact person authorised to represent the applicant |
||||
Tel: |
||||
Email: |
8. |
Where the applicant is a company, the following details are required: |
||||
(a) company name: |
|||||
(b) company address: |
|||||
(c) company registration No.: |
|||||
9. |
Have you ever applied to provide data auditing, data controller or data processor services in Zambia? |
||||
(a) |
Service applied for |
Location |
Brief description of service |
Date of application |
Status of application (Granted, rejected or pending) |
(b) |
If application was rejected, give reasons for rejection: |
||||
10. |
Service commencement details |
||||
(a) Proposed commencement date: |
|||||
(b) Brief description: |
|||||
11. |
Have you been convicted of an offence involving fraud or dishonesty or of any offence under the Data Protection Act 2021, Electronic Communication and Transaction Act, 2021 or any of their predecessors, |
||||
.......................................................................................................................................... |
|||||
Nature of offence: ............................................................................................................... |
|||||
Date of conviction: .............................................................................................................. |
|||||
Sentence: .......................................................................................................................... |
|||||
12. |
Where the applicant is a controller, the following database registration details are required: (To be filled by a Data Controller ONLY) |
||||
(a) Name of database(s): |
|||||
(b) A description of the information to be stored: |
|||||
(c) What is the information used for? |
|||||
(d) Will/Is the information be passed or shared with other organisation(s)/persons? |
|||||
(e) Is/Will the information be transferred outside Zambia? |
|||||
(f) Detail how the information will/is kept safe and secure: |
|||||
13. |
Appendices |
Applicability |
|||
Appendix No. 1 |
Database Registration Details |
Applicable to Data Controller and Data Processor ONLY |
|||
Appendix No. 2 |
Such other relevant information as the Authority may require |
||||
14. |
QUALITY OF SERVICE UNDERTAKING |
15. |
DECLARATION |
I/We agree that in the event that any of the said particulars and information provided is found to be untrue or fraudulent, the licence will be revoked. |
|
16. |
I/We agree that in the event of the revocation of the licence, any fee paid to the authority for licence shall be forfeited. |
I/We declare that in the event that the nature of my/our business changes, or I/we no longer carry out operations in terms of the registration. |
|
I/We will notify the Authority in which case my/our registration may be revoked or revised. |
|
Declared at ......... this ... day of ...................... 20.. by the following persons who are duly authorised to sign for and on behalf of the applicant under the authority of the Power of Attorney or Board resolution which is hereby attached. |
|
My Details - Attachments |
|
..................................... ..................................... |
|
..................................... ..................................... |
|
FOR OFFICIAL USE ONLY |
|
Received by .............................................. Date received ..................................... |
|
Amount received: ................................... |
|
Serial No. of application: .......................... |
FORM II
[Regulation 5]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
REQUEST FOR FURTHER PARTICULARS |
To: [Insert Applicant/Certificate Holder Name] ....................................................... |
In relation to your application for a(n) [Insert Certificate Category] ............................... with reference number [Insert Reference Number] .................... address of [Insert Applicant/Certificate Holder's Current Address] ............................................................................ |
[Insert details of further particulars being requested] |
The failure to submit the requested information within [Insert Period] .................. from the date hereof shall lead to your application being treated as invalid and shall be rejected. |
Dated this [Insert Day] .............. day of [Insert Month] ........................ [Insert Year] ............ |
................. |
FORM III
[Regulation 6]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
Certificate No.: ...... |
In accordance with Section 21 of the Data Protection Act No. 3 of 2021, this
INSERT CERTIFICATE TYPE
is granted by the Data Protection Commissioner to–
INSERT HOLDER NAME
INSERT HOLDER ADDRESS
for
establishment and operation of a INSERT STATION/SYSTEM TYPE for the purpose of carrying on
INSERT SERVICE
as specified in the Terms and Conditions as shown in the Annexures attached hereto.
Date of Issue: ..............
Date of Expiry: .............
Initial Fee: ...............
Annual Renewal Fee: ...........
...................
Data Protection Commissioner
FORM IV
[Regulation 8]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
NOTICE OF REJECTION |
To: [Insert Applicant Name] .................................................................................................. of [Insert Applicant Address] ............................................................................................. IN THE MATTER OF [Insert Reference Number] ............................................ You are hereby notified that your application has been rejected on the following grounds: |
The grounds for rejection of the application are shown in the Annexures attached hereto. |
Dated this [Insert Day] .......... day of [Insert Month] ....................... [Insert Year] ............... |
................. |
FORM V
[Regulations 9, 13 and 16]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
APPLICATION FOR REGISTRATION, RENEWAL FOR REGISTRATION/LICENCE |
||||
Shaded fields for official use only |
Certificate/ License code |
|||
Date and time |
||||
Information Required |
Information Provided |
|||
1. |
Reason for renewal |
|
||
2. |
Type of data service |
|
||
3. |
Name(s) of applicant(s) |
|||
4. |
(a) Nationality of applicant(s) |
|||
(b) Identity card of applicant(s) - Attach certified copies |
NRC No. |
Passport No. |
||
5. |
Type of applicant |
|
|
|
6. |
(a) Notification address |
|||
Tel: |
||||
Email: |
||||
(b) Information of contact person authorised to represent the applicant |
||||
Tel: |
||||
Email: |
7. |
Where the applicant is a company, the following details are required: |
|||
(a) company name: |
||||
(b) company address: |
||||
(c) company registration No.: |
||||
8. |
Have you ever applied to provide data auditing, data controller or data processor services in Zambia? |
|||
Service applied for |
Location |
Brief description of service |
Date of application |
Status of application (Granted, rejected or pending) |
(b) |
If application was rejected, give reasons for rejection: |
|||
9. |
Service commencement details |
|||
(a) Proposed commencement date: |
||||
(b) Brief description: |
||||
10. |
Have you been convicted of an offence involving fraud or dishonesty or of any offence under the Data Protection Act 2021, Electronic Communication and Transaction Act, 2021 or any of their predecessors, |
|||
.......................................................................................................................................... |
||||
Nature of offence: ............................................................................................................... |
||||
Date of Conviction: .............................................................................................................. |
||||
Sentence: ........................................................................................................................... |
||||
11. |
Appendices |
Applicability |
||
Appendix No. 1 |
Database Registration Information |
Applicable to Data Controller and Data Processor ONLY |
||
Appendix No. 2 |
Such other relevant information as the Authority may require |
|||
12. |
QUALITY OF SERVICE UNDERTAKING |
13. |
DECLARATION |
I/We agree that in the event that any of the said particulars and information provided is found to be untrue or fraudulent, the licence will be revoked. |
|
I/We agree that in the event of the revocation of the licence, any fee paid to the authority for licence shall be forfeited. |
|
I/We declare that in the event that the nature of my/our business changes, or I/we no longer carry out operations in terms of the registration, |
|
I/We will notify the Data Protection Commissioner in which case my/our registration may be revoked or revised. |
|
Declared at ....... this .... day of ............... 20.. by the following persons who are duly authorised to sign for and on behalf of the applicant under the authority of the Power of Attorney or Board resolution which is hereby attached. |
|
My Details - Attachments |
|
..................................... ..................................... |
|
..................................... ..................................... |
|
FOR OFFICIAL USE ONLY |
|
Received by: .............................................. Date received: ..................................... |
|
Amount received: ................................... |
|
Serial No. of application: .......................... |
FORM VI
[Regulation 10]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
CHANGE OF PARTICULARS |
|||
Shaded fields for official use only |
Certificate/ License code |
||
Date and time |
|||
Information Required |
Information Provided |
||
Type of data service |
|
||
1. |
Certificate/License No. |
||
2. |
Name of holder |
||
3. |
Expiry date |
||
4. |
Name of assignee |
||
Nationality |
|||
Identity card (NRC) No. or Passport No. - (attach certified copies) |
|||
5. |
Holder's address: |
||
Tel: |
|||
Email: |
|||
6. |
Reasons for changes |
(a) |
|
(b) |
|||
(c) |
|||
(d) |
|||
(e) |
|||
(f) |
|||
7. |
Appendix |
||
Appendix No. 1 |
Reasons for change of details |
||
Appendix No. 2 |
Such other relevant information as the Authority may require |
||
My Details - Attachments |
..................................... ..................................... |
..................................... ..................................... |
FOR OFFICIAL USE ONLY |
Received by: .............................................. |
Amount Received: ................................... |
Serial No. of application: .......................... |
FORM VII
[Regulations 11 and 19]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
NOTICE OF INTENTION TO SURRENDER LICENCE/CERTIFICATE OF REGISTRATION |
|||
Shaded fields for official use only |
Certificate code |
||
Date and time |
|||
Information Required |
Information Provided |
||
Type of data service |
|
||
1. |
Certificate/License No. |
||
2. |
Name of holder |
||
3. |
Name(s) of assignee(s) |
||
Nationality of assignee(s) |
|||
Details of assignee |
NRC No. |
Passport No. |
|
Type of assignee |
|
|
|
4. |
Assignee's address |
||
Tel: |
|||
Email: |
|||
5. |
Reasons for surrender |
(a) |
|
(b) |
|||
(c) |
|||
(d) |
|||
(e) |
|||
6. |
Appendices |
||
Appendix No. 1 |
Reasons for surrender |
||
Appendix No. 2 |
Such other relevant information as the Authority may require |
||
My Details – Attachments |
................................................... ..................................... |
..................................... ..................................... |
FOR OFFICIAL USE ONLY |
Received by: .............................................. |
Amount received: ................................... |
Serial No. of application: .......................... |
FORM VIII
[Regulations 12(1) and 20(1)]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
NOTICE OF INTENTION TO SUSPEND OR CANCEL CERTIFICATE OF REGISTRATION |
To [Insert Applicant/Certificate Holder Name] ................................................. |
In the matter of [Insert Certificate Category] ....................................... with reference number [Insert Reference Number] ...................................... address of [Insert Applicant/Certificate Holder's Current Address] ................................................................ You are hereby notified that the Authority intends to suspend/cancel* your certificate on the following grounds: |
(a) ................................................................................................................................. |
(b) ................................................................................................................................. |
(c) ................................................................................................................................. |
(d) ................................................................................................................................. |
You are requested to appear before me on the ........... day of ........................ 20..... at the Ministry of Transport and Communications, Lusaka, to show cause why your certificate should not be rejected/take remedial measure to address the concerns raised in paragraphs .............. to ............ above before the .................. day of .............. 20...... If you fail to appear before me/take the necessary remedial measures* before the stipulated date, your certificate will be suspended and subsequently revoked. |
Accordingly, you are requested to take action to remedy the breaches set out in paragraphs ...... (above) within [Insert Number of Days] .............. days of receiving this notice. Failure to remedy the said breaches shall result in the suspension/cancellation* of your certificate. |
Dated this [Insert Day] ................ day of [Insert Month] ........................ [Insert Year] ............... |
................. |
FORM IX
[Regulations 12(4) and 20(2)]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
NOTIFICATION OF SUSPENSION OR REVOCATION OF CERTIFICATE OF REGISTRATION |
To [Insert Applicant/Certificate Holder Name] ............................................................................... |
In the matter of [Insert Certificate Category] ................................ with reference number [Insert Reference Number] ...................................... address of [Insert Applicant/Certificate Holder's Current Address] ...................................................... You are hereby notified that your certificate of registration has been suspended/revoked* on the following grounds: |
(a) ................................................................................................................................. |
(b) ................................................................................................................................. |
(c) ................................................................................................................................. |
(d) ................................................................................................................................. |
Dated this [Insert Day] ............ day of [Insert Month] ........................... [Insert Year] ......... |
................. |
FORM X
[Regulation 14(2)]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
Licence No.: .... |
In accordance with Section 31 of the Data Protection Act No. 3 of 2021, this
INSERT LICENCE TYPE
is granted by the Data Protection Commissioner to–
INSERT NAME OF LICENSEE
INSERT LICENSEE ADDRESS
for
establishment and operation of a INSERT STATION/SYSTEM TYPE for the purpose of carrying on
INSERT SERVICE
as specified in the Terms and Conditions as shown in the Annexures attached hereto.
Date of Issue: ..............
Date of Expiry: .............
Initial Fee: ...............
Annual Renewal Fee: ...........
...................
Data Protection Commissioner
FORM XI
[Regulation 17]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
APPLICATION FOR TRANSFER |
|||
Shaded fields for official use only |
Certificate code |
||
Date and time |
|||
Information Required |
Information Provided |
||
1. |
License No. |
||
2. |
Current holder |
||
3. |
Name(s) of assignee(s) |
||
Nationality of assignee |
|||
Details of assignee |
NRC No. |
Passport No. |
|
Type of assignee |
|
|
|
4. |
Assignee's address |
||
Tel: |
|||
Email: |
|||
5. |
Appendices |
||
Appendix No. 1 |
Reasons for transferring |
||
Appendix No. 2 |
Such other relevant information as the Authority may require |
||
My Details – Attachments |
............................................... ..................................... |
..................................... ..................................... |
FOR OFFICIAL USE ONLY |
Received by: .............................................. |
Amount received: ................................... |
Serial No. of application: .......................... |
FORM XII
[Regulation 18]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
APPLICATION FOR AMENDMENT |
|||
Shaded fields for official use only |
Certificate code |
||
Date and time |
|||
Information Required |
Information Provided |
||
Type of data service |
|
||
1. |
Certificate No. |
||
2. |
Current holder |
||
3. |
Name(s) of assignee(s) |
||
Nationality of assignee(s) |
|||
Details of assignee |
NRC No. |
Passport No. |
|
Type of assignee |
|
|
|
4. |
Assignee's address |
||
Tel: |
|||
Email: |
|||
5. |
Proposed amendments |
(a) |
|
(b) |
|||
(c) |
|||
(d) |
|||
(e) |
|||
6. |
Appendices |
||
Appendix No. 1 |
Reasons for amendment |
||
Appendix No. 2 |
Such other relevant information as the Authority may require |
||
My Details – Attachments |
............................................... ..................................... |
..................................... ..................................... |
FOR OFFICIAL USE ONLY |
Received by: .............................................. |
Amount received: ................................... |
Serial No. of application: .......................... |
FORM XIII
[Regulation 21]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
RECORD OF PROCESSING ACTIVITIES |
|||||
PART 1- DATA CONTROLLER (To be filled by a Data Controller ONLY) |
|||||
Section 1: Controller Details |
|||||
Name and contact details |
Data Protection Officer (if applicable) |
Representative (if applicable) |
|||
Name: |
Name: |
Name: |
|||
Address: |
Address: |
Address: |
|||
Email: |
|
Email: |
|||
Telephone: |
Telephone: |
Telephone: |
No. |
Section 2: Record of Processing Activities |
2.1. |
Business function |
2.2. |
Purpose of processing |
2.3. |
Name and contact details of joint controller (if applicable) |
2.4. |
Categories of data subjects |
2.5. |
Categories of personal data |
2.6. |
Categories of recipients |
2.7. |
Link to contract with processor |
2.8. |
Names of other countries or international organisations that personal data are transferred to (if applicable) |
2.9. |
Safeguards for exceptional transfers of personal data to other countries or international organisations (if applicable) |
2.10. |
Retention schedule (if possible) |
2.11. |
General description of technical and organisational security measures (if possible) |
Section 3: Privacy Notices |
|
3.1. |
Lawful basis for processing personal data |
3.2. |
Condition for processing sensitive personal data |
3.3. |
Legitimate interests for the processing (if applicable) |
3.4. |
Link to record of legitimate interests assessment (if applicable) |
3.5. |
Rights available to data subjects |
3.6. |
Existence of automated decision-making, including profiling (if applicable) |
3.7. |
The source of the personal data (if applicable) |
Section 4: Consent |
|
4.1. |
Link to record of consent |
Section 5: Access Requests |
|
5.1. |
Location of personal data |
Section 6: Data Protection Impact Assessments |
|
6.1. |
Data Protection Impact Assessment required? |
6.2. |
Data Protection Impact Assessment progress |
6.3. |
Link to Data Protection Impact Assessment |
Section 7: Personal Data Breaches |
|
7.1. |
Has a personal data breach occurred? |
7.2. |
Link to record of personal data breach |
Section 8: Sensitive Personal Data or Criminal Conviction and Offence Data |
|
8.1. |
Condition for processing |
8.2. |
Lawful basis for processing |
8.3. |
Link to retention and erasure policy document |
8.4. |
Is personal data retained and erased in accordance with the policy document? |
8.5. |
Reasons for not adhering to policy document (if applicable) |
PART 2- DATA PROCESSOR (To be filled by a Data Processor ONLY) |
|||||
Section 1: Processor Details |
|||||
Name and contact details |
Data Protection Officer (if applicable) |
Representative (if applicable) |
|||
Name: |
Name: |
Name: |
|||
Address: |
Address: |
Address: |
|||
Email: |
Email: |
Email: |
|||
Telephone: |
Telephone: |
Telephone: |
|||
No. |
Section 2: Record of Processing Activities |
||||
2.1. |
Link to contract with controller (If applicable) |
||||
2.2. |
Name and contact details of controller |
||||
2.3. |
Name and contact details of controller's representative (If applicable) |
||||
2.4. |
Categories of processing |
||||
2.5. |
Names of other countries or international organisations that personal data are transferred to (If applicable) |
||||
2.6. |
Safeguards for exceptional transfers of personal data to other countries or international organisations (if applicable) |
||||
2.7. |
General description of technical and organisational security measures (if possible) |
||||
FORM XIV
[Regulation 22]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
Notes for Applicants |
|
1. In line with Section 48 of the Data Protection Act 2021, a data controller shall appoint a Data Protection Officer (DPO). |
|
2. In line with Section 46 of the Data Protection Act 2021, a data controller shall carry out a Data Protection Impact Assessment (DPIA) |
|
DATA PROTECTION IMPACT ASSESSMENT |
|
Section 1: Controller Details |
|
Name of controller |
|
Subject/title of DPO |
|
Name of controller contact/DPO (delete as appropriate) |
|
Section 2: Data Protection Impact Assessment |
|
Step 1: Identify the need for a DPIA |
|
Explain broadly what you aim to achieve with the personal data (PD) and what type of processing it involves. You may find it helpful to refer or link to other documents. Summarise why you identified the need for a DPIA. |
|
Step 2: Describe the processing |
|
Describe the nature of the processing: |
|
How will you collect, use, store and delete data? What is the source of the data? |
|
Will you be sharing data with anyone? |
|
You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved? |
|
Describe the scope of the processing: |
||||
What is the nature of the data, and does it include special category or criminal offence data? |
||||
How much data will you be collecting and using? |
||||
How often? How long will you keep it? |
||||
How many individuals are affected? |
||||
What geographical area does it cover? |
||||
Describe the context of the processing: |
||||
What is the nature of your relationship with the individuals? |
||||
How much control will they have? |
||||
Would they expect you to use their data in this way? |
||||
Do they include children or other vulnerable groups? |
||||
Are there prior concerns over this type of processing or security flaws? |
||||
Is it novel in any way? |
||||
What is the current state of technology in this area? |
||||
Are there any current issues of public concern that you should factor in? |
||||
Are you signed up to any approved code of conduct or certification scheme (once any have been approved)? |
||||
Describe the purposes of the processing: |
||||
What do you want to achieve? |
||||
What is the intended effect on data subjects? |
||||
What are the benefits of the processing - for you, and more broadly? |
||||
Step 3: Consultation process |
||||
Consider how to consult with relevant stakeholders: |
||||
Describe when and how you will seek individuals' views - or justify why it's not appropriate to do so? |
||||
Who else do you need to involve within your organisation? |
||||
Do you need to ask your processors to assist? |
||||
Do you plan to consult information security experts, or any other experts? |
||||
Step 4: Assess necessity and proportionality |
||||
Describe compliance and proportionality measures, in particular: |
||||
What is your lawful basis for processing? |
||||
Does the processing actually achieve your purpose? |
||||
Is there another way to achieve the same outcome? |
||||
How will you prevent function creep? |
||||
How will you ensure data quality and data minimisation? |
||||
What information will you give individuals? |
||||
How will you help to support their rights? |
||||
What measures do you take to ensure processors comply? |
||||
How do you safeguard any international transfers? |
||||
Step 5: Identify and assess risks |
||||
Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5 |
||||
Risk |
Options to reduce or eliminate risk |
Effect on risk (Eliminated, Reduced or Accepted) |
Residual risk (Low, Medium or High) |
Measure approved (Yes/No) |
Step 6: Identify measures to reduce risk |
||||
Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5 |
||||
Risk |
Options to reduce or eliminate risk |
Effect on risk (Eliminated, Reduced or Accepted) |
Residual risk (Low, Medium or High) |
Measure approved (Yes/No) |
Step 7: Sign off and record outcomes |
Item |
Name/Position/date |
Notes |
Measures approved by: |
Integrate actions back into project plan, with date and responsibility for completion |
|
Residual risks approved by: |
If accepting any residual high risk, consult the Data Protection Commissioner before going ahead |
|
DPO advice provided: |
DPO should advise on compliance, step 6 measures and whether processing can proceed |
|
Summary of DPO advice: |
||
DPO advice accepted or overruled by: |
If overruled, you must explain your reasons |
|
Comments: |
||
Consultation responses reviewed by: |
If your decision departs from individuals' views, you must explain your reasons |
|
Comments: |
||
This DPIA will be kept under review by: |
The DPO should also review ongoing compliance with DPIA |
[Regulations 3, 23 and 24]
PRESCRIBED FEES
Category |
Application |
Certificate of Registration |
Micro Organisation |
167 |
1,667 |
Category |
Application |
Licence |
Data auditor-public critical information |
3333 entity |
10,000 entity |
Data auditor-private critical information |
Entity/Individual |
33333 entity |
Data auditor-general |
3333 entity |
33333 entity |
Register inspection fee |
333 |
{/mprestriction}
DATA PROTECTION ACT: SUBSIDIARY LEGISLATION
INDEX TO SUBSIDIARY LEGISLATION
Data Protection Act (Commencement) Order
Data Protection (Registration and Licensing) Regulations
DATA PROTECTION ACT (COMMENCEMENT) ORDER
[Section 1]
Arrangement of Paragraphs
Paragraph
2. Commencement of Act No. 3 of 2021
SI 22 of 2021.
This Order may be cited as the Data Protection Act (Commencement) Order, 2021.
2. Commencement of Act No. 3 of 2021
The Data Protection Act, 2021, shall come into operation on the date of publication of this Order.
DATA PROTECTION (REGISTRATION AND LICENSING) REGULATIONS
[Section 82]
Arrangement of Regulations
Regulation
PART I
PRELIMINARY PROVISIONS
3. Categories of data controllers and data processors
4. Application for certificate of registration
5. Request for further particulars
6. Issue of certificate of registration
7. Duration of certificate of registration
9. Renewal of certificate of registration
10. Notice of change of particulars
11. Notice of surrender of certificate of registration
12. Suspension or cancellation of certificate of registration
13. Application for re-registration
PART II
DATA AUDITOR
19. Notice to surrender licence
20. Suspension or cancellation of licence
PART III
GENERAL PROVISIONS
21. Record of processing activities
22. Data protection impact assessment
SI 58 of 2021.
PART I
PRELIMINARY PROVISIONS
These Regulations may be cited as the Data Protection (Registration and Licensing) Regulations, 2021.
In these Regulations, unless the context otherwise requires"”
"micro organisation" means an entity with a maximum of 10 employees;
"medium organisation" means an entity with more than 10 employees but not more than 50 employees;
"large organisation" means an entity with more than 50 employees; and
"licensee" means a person licensed to offer data auditing services under regulation 14.
3. Categories of data controllers and data processors
(1) The Data Protection Commissioner shall register a data controller and a data processor in the following category"”
(a) micro organisation;
(b) medium organisation;
(c) a large organisation; and
(d) an individual.
(2) The Data Protection Commissioner shall charge different fees for each category as set out in the Second Schedule.
4. Application for certificate of registration
A person who intends to operate as a data controller or data processor shall apply to the Data Protection Commissioner for a certificate of registration in Form I set out in the First Schedule.
5. Request for further particulars
The Data Protection Commissioner may, where the Data Protection Commissioner requires further particulars in relation to an application, request an applicant to submit further particulars, within a specified period, in Form II set out in the First Schedule.
6. Issue of certificate of registration
The Data Protection Commissioner shall, where the applicant meets the requirements of the Act, issue a certificate of registration in Form III set out in the First Schedule.
7. Duration of certificate of registration
The certificate of registration issued under these Regulations is valid for a period of one year.
The Data Protection Commissioner shall, where the Data Protection Commissioner rejects an application, inform the applicant within 14 days from the date of the decision of the rejection in Form IV set out in the First Schedule.
9. Renewal of certificate of registration
A holder of a certificate of registration shall apply for renewal of a certificate of registration in Form V set out in the First Schedule.
10. Notice of change of particulars
A holder of a certificate of registration shall notify the Data Protection Commissioner of any change in particulars relating to registration in Form VI set out in the First Schedule.
11. Notice of surrender of certificate of registration
The data controller or data processor shall notify the Data Protection Commissioner, where a data controller or data processor ceases to carry on business in the data processing or controlling industry, in Form VII set out in the First Schedule.
12. Suspension or cancellation of certificate of registration
(1) The Data Protection Commissioner shall, before the Data Protection Commissioner suspends or cancels a certificate of registration, notify the holder of the certificate of registration of the intention to suspend or cancel the certificate of registration in Form VIII set out in the First Schedule.
(2) Where the holder of the certificate of registration is notified of the intention of the Data Protection Commissioner under sub-regulation (1), the holder of the certificate of registration shall"”
(i) show cause why the certificate of registration should not be suspended or cancelled; or
(ii) take remedial measures to the satisfaction of the Data Protection Commissioner within the times specified in notice.
(3) The Data Protection Commissioner shall, where the holder fails to show cause why the certificate should not be cancelled or suspended or fails to take remedial measures to the satisfaction of the Data Protection Commissioner, cancel or suspend the certificate of registration.
(4) Where the Data Protection Commissioner suspends or cancels a certificate of registration under sub-regulation (3), the Data Protection Commissioner shall, inform the holder of a certificate of registration of the suspension or cancellation of the certificate in Form IX set out in the First Schedule.
13. Application for re-registration
A person whose certificate of registration issued under these Regulations has been cancelled, may apply for re-registration as a data processor or data controller in Form V set out in the First Schedule.
PART II
DATA AUDITOR
(1) A person who intends to provide data audit services shall apply to the Data Protection Commissioner for a licence in Form I set out in the First Schedule.
(2) A Data Protection Commissioner shall, where the applicant"”
(a) meets the requirements of the Act, issue the applicant with a licence in Form X set out in the First Schedule; or
(b) does not meet the requirements of the Act, reject the application and inform the applicant of the rejection in Form IV set out in the First Schedule stating the reasons for the rejection.
The licence issued under these Regulations is valid for a period of two years.
A licensee who intends to renew that licence shall, apply to the Data Protection Commissioner, for renewal of a licence at least three months before the expiry of the licence, in Form V set out in the First Schedule.
An application to transfer or assign a licence shall be made to the Data Protection Commissioner, in Form XI set out in the First Schedule.
A licensee may within the validity of the licence, apply to the Data Protection Commissioner for an amendment or variation of the terms and conditions of the licence in Form XII set out in the First Schedule.
19. Notice to surrender licence
A licensee shall, notify the Data Protection Commissioner, where a licensee ceases to provide the services relating to the licence, within one month of ceasing to carry on business, in Form VII set out in the First Schedule.
20. Suspension or cancellation of licence
(1) The Data Protection Commissioner shall, before the Data Protection Commissioner suspends or cancels a licence, notify the holder of the licence of the Data Protection Commissioner"™s intention to suspend or cancel the licence in Form VIII set out in the First Schedule.
(2) The Data Protection Commissioner shall suspend or cancel the licence and inform the licensee in Form IX set out in the First Schedule where a licensee who is notified of the intention to suspend or cancel a licence under sub-regulation (1)"”
(i) fails to show cause why the licence should not be cancelled or suspended; or
(ii) does not take any remedial measures to the satisfaction of Data Protection Commissioner within the specified time.
PART III
GENERAL PROVISIONS
21. Record of processing activities
A data controller or data processor shall keep and maintain a record of processing activities and meta data in Form XIII set out in the First Schedule.
22. Data protection impact assessment
The data protection impact assessment shall be made in Form XIV set out in the First Schedule.
The Data Protection Commissioner shall keep and maintain a register, which shall be open to inspection by the public during normal working hours on payment of a fee set out in the Second schedule.
The fees set out in the Second Schedule are fees payable for the matters specified in that Schedule.
[Regulations 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 16, 17, 18, 19, 20, 21 and 22]
FORM I
[Regulations 4 and 14]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
APPLICATION FOR REGISTRATION/LICENCE |
||||
Shaded fields for official use only |
Certificate/ License code |
|||
Date and time |
||||
Information Required |
Information Provided |
|||
1. |
Type of document |
|
||
2. |
Type of data service |
|
||
3. |
Data service category (Data Auditor Only) |
|
||
4. |
Name(s) of applicant(s) |
|||
5. |
(a) Nationality of applicant(s) |
|||
(b) Identity card of applicant(s) - Attach certified copies |
NRC No. |
Passport No. |
||
6. |
Type of applicant |
|
|
|
7. |
(a) Notification address |
|||
Tel: |
||||
Email: |
||||
(b) Information of contact person authorised to represent the applicant |
||||
Tel: |
||||
Email: |
8. |
Where the applicant is a company, the following details are required: |
||||
(a) company name: |
|||||
(b) company address: |
|||||
(c) company registration No.: |
|||||
9. |
Have you ever applied to provide data auditing, data controller or data processor services in Zambia? |
||||
(a) |
Service applied for |
Location |
Brief description of service |
Date of application |
Status of application (Granted, rejected or pending) |
(b) |
If application was rejected, give reasons for rejection: |
||||
10. |
Service commencement details |
||||
(a) Proposed commencement date: |
|||||
(b) Brief description: |
|||||
11. |
Have you been convicted of an offence involving fraud or dishonesty or of any offence under the Data Protection Act 2021, Electronic Communication and Transaction Act, 2021 or any of their predecessors, |
||||
.......................................................................................................................................... |
|||||
Nature of offence: ............................................................................................................... |
|||||
Date of conviction: .............................................................................................................. |
|||||
Sentence: .......................................................................................................................... |
|||||
12. |
Where the applicant is a controller, the following database registration details are required: (To be filled by a Data Controller ONLY) |
||||
(a) Name of database(s): |
|||||
(b) A description of the information to be stored: |
|||||
(c) What is the information used for? |
|||||
(d) Will/Is the information be passed or shared with other organisation(s)/persons? |
|||||
(e) Is/Will the information be transferred outside Zambia? |
|||||
(f) Detail how the information will/is kept safe and secure: |
|||||
13. |
Appendices |
Applicability |
|||
Appendix No. 1 |
Database Registration Details |
Applicable to Data Controller and Data Processor ONLY |
|||
Appendix No. 2 |
Such other relevant information as the Authority may require |
||||
14. |
QUALITY OF SERVICE UNDERTAKING |
15. |
DECLARATION |
I/We agree that in the event that any of the said particulars and information provided is found to be untrue or fraudulent, the licence will be revoked. |
|
16. |
I/We agree that in the event of the revocation of the licence, any fee paid to the authority for licence shall be forfeited. |
I/We declare that in the event that the nature of my/our business changes, or I/we no longer carry out operations in terms of the registration. |
|
I/We will notify the Authority in which case my/our registration may be revoked or revised. |
|
Declared at ......... this ... day of ...................... 20.. by the following persons who are duly authorised to sign for and on behalf of the applicant under the authority of the Power of Attorney or Board resolution which is hereby attached. |
|
My Details - Attachments |
|
..................................... ..................................... |
|
..................................... ..................................... |
|
FOR OFFICIAL USE ONLY |
|
Received by .............................................. Date received ..................................... |
|
Amount received: ................................... |
|
Serial No. of application: .......................... |
FORM II
{mprestriction ids="2,3,5"}
[Regulation 5]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
REQUEST FOR FURTHER PARTICULARS |
To: [Insert Applicant/Certificate Holder Name] ....................................................... |
In relation to your application for a(n) [Insert Certificate Category] ............................... with reference number [Insert Reference Number] .................... address of [Insert Applicant/Certificate Holder"™s Current Address] ............................................................................ |
[Insert details of further particulars being requested] |
The failure to submit the requested information within [Insert Period] .................. from the date hereof shall lead to your application being treated as invalid and shall be rejected. |
Dated this [Insert Day] .............. day of [Insert Month] ........................ [Insert Year] ............ |
................. |
FORM III
[Regulation 6]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
Certificate No.: ...... |
In accordance with Section 21 of the Data Protection Act No. 3 of 2021, this
INSERT CERTIFICATE TYPE
is granted by the Data Protection Commissioner to"“
INSERT HOLDER NAME
INSERT HOLDER ADDRESS
for
establishment and operation of a INSERT STATION/SYSTEM TYPE for the purpose of carrying on
INSERT SERVICE
as specified in the Terms and Conditions as shown in the Annexures attached hereto.
Date of Issue: ..............
Date of Expiry: .............
Initial Fee: ...............
Annual Renewal Fee: ...........
...................
Data Protection Commissioner
FORM IV
[Regulation 8]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
NOTICE OF REJECTION |
To: [Insert Applicant Name] .................................................................................................. of [Insert Applicant Address] ............................................................................................. IN THE MATTER OF [Insert Reference Number] ............................................ You are hereby notified that your application has been rejected on the following grounds: |
The grounds for rejection of the application are shown in the Annexures attached hereto. |
Dated this [Insert Day] .......... day of [Insert Month] ....................... [Insert Year] ............... |
................. |
FORM V
[Regulations 9, 13 and 16]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
APPLICATION FOR REGISTRATION, RENEWAL FOR REGISTRATION/LICENCE |
||||
Shaded fields for official use only |
Certificate/ License code |
|||
Date and time |
||||
Information Required |
Information Provided |
|||
1. |
Reason for renewal |
|
||
2. |
Type of data service |
|
||
3. |
Name(s) of applicant(s) |
|||
4. |
(a) Nationality of applicant(s) |
|||
(b) Identity card of applicant(s) - Attach certified copies |
NRC No. |
Passport No. |
||
5. |
Type of applicant |
|
|
|
6. |
(a) Notification address |
|||
Tel: |
||||
Email: |
||||
(b) Information of contact person authorised to represent the applicant |
||||
Tel: |
||||
Email: |
7. |
Where the applicant is a company, the following details are required: |
|||
(a) company name: |
||||
(b) company address: |
||||
(c) company registration No.: |
||||
8. |
Have you ever applied to provide data auditing, data controller or data processor services in Zambia? |
|||
Service applied for |
Location |
Brief description of service |
Date of application |
Status of application (Granted, rejected or pending) |
(b) |
If application was rejected, give reasons for rejection: |
|||
9. |
Service commencement details |
|||
(a) Proposed commencement date: |
||||
(b) Brief description: |
||||
10. |
Have you been convicted of an offence involving fraud or dishonesty or of any offence under the Data Protection Act 2021, Electronic Communication and Transaction Act, 2021 or any of their predecessors, |
|||
.......................................................................................................................................... |
||||
Nature of offence: ............................................................................................................... |
||||
Date of Conviction: .............................................................................................................. |
||||
Sentence: ........................................................................................................................... |
||||
11. |
Appendices |
Applicability |
||
Appendix No. 1 |
Database Registration Information |
Applicable to Data Controller and Data Processor ONLY |
||
Appendix No. 2 |
Such other relevant information as the Authority may require |
|||
12. |
QUALITY OF SERVICE UNDERTAKING |
13. |
DECLARATION |
I/We agree that in the event that any of the said particulars and information provided is found to be untrue or fraudulent, the licence will be revoked. |
|
I/We agree that in the event of the revocation of the licence, any fee paid to the authority for licence shall be forfeited. |
|
I/We declare that in the event that the nature of my/our business changes, or I/we no longer carry out operations in terms of the registration, |
|
I/We will notify the Data Protection Commissioner in which case my/our registration may be revoked or revised. |
|
Declared at ....... this .... day of ............... 20.. by the following persons who are duly authorised to sign for and on behalf of the applicant under the authority of the Power of Attorney or Board resolution which is hereby attached. |
|
My Details - Attachments |
|
..................................... ..................................... |
|
..................................... ..................................... |
|
FOR OFFICIAL USE ONLY |
|
Received by: .............................................. Date received: ..................................... |
|
Amount received: ................................... |
|
Serial No. of application: .......................... |
FORM VI
[Regulation 10]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
CHANGE OF PARTICULARS |
|||
Shaded fields for official use only |
Certificate/ License code |
||
Date and time |
|||
Information Required |
Information Provided |
||
Type of data service |
|
||
1. |
Certificate/License No. |
||
2. |
Name of holder |
||
3. |
Expiry date |
||
4. |
Name of assignee |
||
Nationality |
|||
Identity card (NRC) No. or Passport No. - (attach certified copies) |
|||
5. |
Holder"™s address: |
||
Tel: |
|||
Email: |
|||
6. |
Reasons for changes |
(a) |
|
(b) |
|||
(c) |
|||
(d) |
|||
(e) |
|||
(f) |
|||
7. |
Appendix |
||
Appendix No. 1 |
Reasons for change of details |
||
Appendix No. 2 |
Such other relevant information as the Authority may require |
||
My Details - Attachments |
..................................... ..................................... |
..................................... ..................................... |
FOR OFFICIAL USE ONLY |
Received by: .............................................. |
Amount Received: ................................... |
Serial No. of application: .......................... |
FORM VII
[Regulations 11 and 19]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
NOTICE OF INTENTION TO SURRENDER LICENCE/CERTIFICATE OF REGISTRATION |
|||
Shaded fields for official use only |
Certificate code |
||
Date and time |
|||
Information Required |
Information Provided |
||
Type of data service |
|
||
1. |
Certificate/License No. |
||
2. |
Name of holder |
||
3. |
Name(s) of assignee(s) |
||
Nationality of assignee(s) |
|||
Details of assignee |
NRC No. |
Passport No. |
|
Type of assignee |
|
|
|
4. |
Assignee"™s address |
||
Tel: |
|||
Email: |
|||
5. |
Reasons for surrender |
(a) |
|
(b) |
|||
(c) |
|||
(d) |
|||
(e) |
|||
6. |
Appendices |
||
Appendix No. 1 |
Reasons for surrender |
||
Appendix No. 2 |
Such other relevant information as the Authority may require |
||
My Details "“ Attachments |
................................................... ..................................... |
..................................... ..................................... |
FOR OFFICIAL USE ONLY |
Received by: .............................................. |
Amount received: ................................... |
Serial No. of application: .......................... |
FORM VIII
[Regulations 12(1) and 20(1)]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
NOTICE OF INTENTION TO SUSPEND OR CANCEL CERTIFICATE OF REGISTRATION |
To [Insert Applicant/Certificate Holder Name] ................................................. |
In the matter of [Insert Certificate Category] ....................................... with reference number [Insert Reference Number] ...................................... address of [Insert Applicant/Certificate Holder"™s Current Address] ................................................................ You are hearby notified that the Authority intends to suspend/cancel* your certificate on the following grounds: |
(a) ................................................................................................................................. |
(b) ................................................................................................................................. |
(c) ................................................................................................................................. |
(d) ................................................................................................................................. |
You are requested to appear before me on the ........... day of ........................ 20..... at the Ministry of Transport and Communications, Lusaka, to show cause why your certificate should not be rejected/take remedial measure to address the concerns raised in paragraphs .............. to ............ above before the .................. day of .............. 20...... If you fail to appear before me/take the necessary remedial measures* before the stipulated date, your certificate will be suspended and subsequently revoked. |
Accordingly, you are requested to take action to remedy the breaches set out in paragraphs ...... (above) within [Insert Number of Days] .............. days of receiving this notice. Failure to remedy the said breaches shall result in the suspension/cancellation* of your certificate. |
Dated this [Insert Day] ................ day of [Insert Month] ........................ [Insert Year] ............... |
................. |
FORM IX
[Regulations 12(4) and 20(2)]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
NOTIFICATION OF SUSPENSION OR REVOCATION OF CERTIFICATE OF REGISTRATION |
To [Insert Applicant/Certificate Holder Name] ............................................................................... |
In the matter of [Insert Certificate Category] ................................ with reference number [Insert Reference Number] ...................................... address of [Insert Applicant/Certificate Holder"™s Current Address] ...................................................... You are hearby notified that your certificate of registration has been suspended/revoked* on the following grounds: |
(a) ................................................................................................................................. |
(b) ................................................................................................................................. |
(c) ................................................................................................................................. |
(d) ................................................................................................................................. |
Dated this [Insert Day] ............ day of [Insert Month] ........................... [Insert Year] ......... |
................. |
FORM X
[Regulation 14(2)]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
Licence No.: .... |
In accordance with Section 31 of the Data Protection Act No. 3 of 2021, this
INSERT LICENCE TYPE
is granted by the Data Protection Commissioner to"“
INSERT NAME OF LICENSEE
INSERT LICENSEE ADDRESS
for
establishment and operation of a INSERT STATION/SYSTEM TYPE for the purpose of carrying on
INSERT SERVICE
as specified in the Terms and Conditions as shown in the Annexures attached hereto.
Date of Issue: ..............
Date of Expiry: .............
Initial Fee: ...............
Annual Renewal Fee: ...........
...................
Data Protection Commissioner
FORM XI
[Regulation 17]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
APPLICATION FOR TRANSFER |
|||
Shaded fields for official use only |
Certificate code |
||
Date and time |
|||
Information Required |
Information Provided |
||
1. |
Licence No. |
||
2. |
Current holder |
||
3. |
Name(s) of assignee(s) |
||
Nationality of assignee |
|||
Details of assignee |
NRC No. |
Passport No. |
|
Type of assignee |
|
|
|
4. |
Assignee's address |
||
Tel: |
|||
Email: |
|||
5. |
Appendices |
||
Appendix No. 1 |
Reasons for transferring |
||
Appendix No. 2 |
Such other relevant information as the Authority may require |
||
My Details – Attachments |
............................................... ..................................... |
..................................... ..................................... |
FOR OFFICIAL USE ONLY |
Received by: .............................................. |
Amount received: ................................... |
Serial No. of application: .......................... |
FORM XII
[Regulation 18]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
APPLICATION FOR AMENDMENT |
|||
Shaded fields for official use only |
Certificate code |
||
Date and time |
|||
Information Required |
Information Provided |
||
Type of data service |
|
||
1. |
Certificate No. |
||
2. |
Current holder |
||
3. |
Name(s) of assignee(s) |
||
Nationality of assignee(s) |
|||
Details of assignee |
NRC No. |
Passport No. |
|
Type of assignee |
|
|
|
4. |
Assignee's address |
||
Tel: |
|||
Email: |
|||
5. |
Proposed amendments |
(a) |
|
(b) |
|||
(c) |
|||
(d) |
|||
(e) |
|||
6. |
Appendices |
||
Appendix No. 1 |
Reasons for amendment |
||
Appendix No. 2 |
Such other relevant information as the Authority may require |
||
My Details – Attachments |
............................................... ..................................... |
..................................... ..................................... |
FOR OFFICIAL USE ONLY |
Received by: .............................................. |
Amount received: ................................... |
Serial No. of application: .......................... |
FORM XIII
[Regulation 21]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
RECORD OF PROCESSING ACTIVITIES |
|||||
PART 1- DATA CONTROLLER (To be filled by a Data Controller ONLY) |
|||||
Section 1: Controller Details |
|||||
Name and contact details |
Data Protection Officer (if applicable) |
Representative (if applicable) |
|||
Name: |
Name: |
Name: |
|||
Address: |
Address: |
Address: |
|||
Email: |
|
Email: |
|||
Telephone: |
Telephone: |
Telephone: |
No. |
Section 2: Record of Processing Activities |
2.1. |
Business function |
2.2. |
Purpose of processing |
2.3. |
Name and contact details of joint controller (if applicable) |
2.4. |
Categories of data subjects |
2.5. |
Categories of personal data |
2.6. |
Categories of recipients |
2.7. |
Link to contract with processor |
2.8. |
Names of other countries or international organisations that personal data are transferred to (if applicable) |
2.9. |
Safeguards for exceptional transfers of personal data to other countries or international organisations (if applicable) |
2.10. |
Retention schedule (if possible) |
2.11. |
General description of technical and organisational security measures (if possible) |
Section 3: Privacy Notices |
|
3.1. |
Lawful basis for processing personal data |
3.2. |
Condition for processing sensitive personal data |
3.3. |
Legitimate interests for the processing (if applicable) |
3.4. |
Link to record of legitimate interests assessment (if applicable) |
3.5. |
Rights available to data subjects |
3.6. |
Existence of automated decision-making, including profiling (if applicable) |
3.7. |
The source of the personal data (if applicable) |
Section 4: Consent |
|
4.1. |
Link to record of consent |
Section 5: Access Requests |
|
5.1. |
Location of personal data |
Section 6: Data Protection Impact Assessments |
|
6.1. |
Data Protection Impact Assessment required? |
6.2. |
Data Protection Impact Assessment progress |
6.3. |
Link to Data Protection Impact Assessment |
Section 7: Personal Data Breaches |
|
7.1. |
Has a personal data breach occurred? |
7.2. |
Link to record of personal data breach |
Section 8: Sensitive Personal Data or Criminal Conviction and Offence Data |
|
8.1. |
Condition for processing |
8.2. |
Lawful basis for processing |
8.3. |
Link to retention and erasure policy document |
8.4. |
Is personal data retained and erased in accordance with the policy document? |
8.5. |
Reasons for not adhering to policy document (if applicable) |
PART 2- DATA PROCESSOR (To be filled by a Data Processor ONLY) |
|||||
Section 1: Processor Details |
|||||
Name and contact details |
Data Protection Officer (if applicable) |
Representative (if applicable) |
|||
Name: |
Name: |
Name: |
|||
Address: |
Address: |
Address: |
|||
Email: |
Email: |
Email: |
|||
Telephone: |
Telephone: |
Telephone: |
|||
No. |
Section 2: Record of Processing Activities |
||||
2.1. |
Link to contract with controller (If applicable) |
||||
2.2. |
Name and contact details of controller |
||||
2.3. |
Name and contact details of controller's representative (If applicable) |
||||
2.4. |
Categories of processing |
||||
2.5. |
Names of other countries or international organisations that personal data are transferred to (If applicable) |
||||
2.6. |
Safeguards for exceptional transfers of personal data to other countries or international organisations (if applicable) |
||||
2.7. |
General description of technical and organisational security measures (if possible) |
||||
FORM XIV
[Regulation 22]
|
REPUBLIC OF ZAMBIA |
MINISTRY OF TRANSPORT AND COMMUNICATIONS |
The Data Protection Act, 2021 |
The Data Protection (Registration and Licensing) Regulations, 2021 |
Notes for Applicants |
|
1. In line with Section 48 of the Data Protection Act 2021, a data controller shall appoint a Data Protection Officer (DPO). |
|
2. In line with Section 46 of the Data Protection Act 2021, a data controller shall carry out a Data Protection Impact Assessment (DPIA). |
|
DATA PROTECTION IMPACT ASSESSMENT |
|
Section 1: Controller Details |
|
Name of controller |
|
Subject/title of DPO |
|
Name of controller contact/DPO (delete as appropriate) |
|
Section 2: Data Protection Impact Assessment |
|
Step 1: Identify the need for a DPIA |
|
Explain broadly what you aim to achieve with the personal data (PD) and what type of processing it involves. You may find it helpful to refer or link to other documents. Summarise why you identified the need for a DPIA. |
|
Step 2: Describe the processing |
|
Describe the nature of the processing: |
|
How will you collect, use, store and delete data? What is the source of the data? |
|
Will you be sharing data with anyone? |
|
You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved? |
|
Describe the scope of the processing: |
||||
What is the nature of the data, and does it include special category or criminal offence data? |
||||
How much data will you be collecting and using? |
||||
How often? How long will you keep it? |
||||
How many individuals are affected? |
||||
What geographical area does it cover? |
||||
Describe the context of the processing: |
||||
What is the nature of your relationship with the individuals? |
||||
How much control will they have? |
||||
Would they expect you to use their data in this way? |
||||
Do they include children or other vulnerable groups? |
||||
Are there prior concerns over this type of processing or security flaws? |
||||
Is it novel in any way? |
||||
What is the current state of technology in this area? |
||||
Are there any current issues of public concern that you should factor in? |
||||
Are you signed up to any approved code of conduct or certification scheme (once any have been approved)? |
||||
Describe the purposes of the processing: |
||||
What do you want to achieve? |
||||
What is the intended effect on data subjects? |
||||
What are the benefits of the processing - for you, and more broadly? |
||||
Step 3: Consultation process |
||||
Consider how to consult with relevant stakeholders: |
||||
Describe when and how you will seek individuals' views - or justify why it's not appropriate to do so? |
||||
Who else do you need to involve within your organisation? |
||||
Do you need to ask your processors to assist? |
||||
Do you plan to consult information security experts, or any other experts? |
||||
Step 4: Assess necessity and proportionality |
||||
Describe compliance and proportionality measures, in particular: |
||||
What is your lawful basis for processing? |
||||
Does the processing actually achieve your purpose? |
||||
Is there another way to achieve the same outcome? |
||||
How will you prevent function creep? |
||||
How will you ensure data quality and data minimisation? |
||||
What information will you give individuals? |
||||
How will you help to support their rights? |
||||
What measures do you take to ensure processors comply? |
||||
How do you safeguard any international transfers? |
||||
Step 5: Identify and assess risks |
||||
Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5 |
||||
Risk |
Options to reduce or eliminate risk |
Effect on risk (Eliminated, Reduced or Accepted) |
Residual risk (Low, Medium or High) |
Measure approved (Yes/No) |
Step 6: Identify measures to reduce risk |
||||
Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5 |
||||
Risk |
Options to reduce or eliminate risk |
Effect on risk (Eliminated, Reduced or Accepted) |
Residual risk (Low, Medium or High) |
Measure approved (Yes/No) |
Step 7: Sign off and record outcomes |
Item |
Name/Position/date |
Notes |
Measures approved by: |
Integrate actions back into project plan, with date and responsibility for completion |
|
Residual risks approved by: |
If accepting any residual high risk, consult the Data Protection Commissioner before going ahead |
|
DPO advice provided: |
DPO should advise on compliance, step 6 measures and whether processing can proceed |
|
Summary of DPO advice: |
||
DPO advice accepted or overruled by: |
If overruled, you must explain your reasons |
|
Comments: |
||
Consultation responses reviewed by: |
If your decision departs from individuals' views, you must explain your reasons |
|
Comments: |
||
This DPIA will be kept under review by: |
The DPO should also review ongoing compliance with DPIA |
[Regulations 3, 23 and 24]
PRESCRIBED FEES
Category |
Application |
Certificate of Registration |
Micro Organisation |
167 |
1,667 |
Category |
Application |
Licence |
Data auditor-public critical information |
3333 entity |
10,000 entity |
Data auditor-private critical information |
Entity/Individual |
33333 entity |
Data auditor-general |
3333 entity |
33333 entity |
Register inspection fee |
333 |