Zimbabwe’s Postal and Telecommunications Regulatory Authority (POTRAZ) has issued a firm warning to organisations processing personal data without a licence, signaling stricter enforcement of the country’s data protection laws.
In Regulatory Notice 1 of 2026, POTRAZ reminded entities that the mandatory Data Controller Licence—introduced under the Cyber and Data Protection Act and enforced via Statutory Instrument 155 of 2024—required full compliance by March 12, 2025. Despite this, several organisations continue to operate without authorisation.
The requirement applies broadly to both individuals and businesses handling personal data within or outside Zimbabwe, across systems including digital platforms, surveillance, and biometrics. POTRAZ has urged all non-compliant entities to immediately regularise their status by applying for or renewing licences.
The regulator emphasized that licensing reflects not just legal compliance but a commitment to safeguarding stakeholder data, and warned of potential enforcement action for continued non-compliance.
