The Data Protection Representative (DPR) in the CDPA

Often, CDPA obligations apply to non-Zimbabwean Companies. In particular, they apply to companies which:
  • Offer goods or services (even for free) to data subjects in Zimbabwe
  • Monitor data subjects’ behavior while they are in Zimbabwe
According to Article 27 of the CDPA, whenever these companies do not have a Zimbabwean establishment, they must designate a Data Protection Representative (DPR) in Zimbabwe.

Data Protection Representative duties

A Data Protection Representative in Zimbabwe acts as your company’s local point of contact for Data Subjects and Data Protection Authorities (DPAs). It establishes a trustworthy and compliant relationship between your company and Zimbabwean data protection regulations and supervisory authorities. In particular, a DPR will assist a non-Zimbabwean company by:
  • Cooperating with Supervisory Authorities (such as transmitting a Data Breach assessment and/or notification conducted by the Data Controller to the competent DPA)
  • Receiving inquiries from Data Subjects
  • Maintaining the Record of Processing Activities (RoPA)
Not appointing a representative may cause serious liability for the data controller as it would be in breach of its obligation under the CDPA. This may result in serious fines.

Should you hire a DPR or a DPO?

A DPR is not a Data Protection Officer (DPO). A DPR is a local point of contact and it acts as a liaison for communication, while a DPO monitors CDPA Compliance within the organization. In other words, a DPO has active informative and advisory functions, while a DPR acts more like a local mailbox and/or mailperson. If you are also looking for CDPA Compliance services that exceed those offered by a DPR then it is advisable to consider our DPO-as-a-Service solution.

Some practical DPR Examples

Here is a non-exhaustive list of examples of companies without an establishment in Zimbabwe that need a DPR in Zimbabwe:
  • A US sponsor that conducts clinical trials in Zimbabwe, and monitors Zimbabwean residents participating in clinical trials
  • A British company that sells products or offers goods or services to data subjects located in Zimbabwe
  • A South African online platform that allows users to seek out for free the contact information of family members, former classmates, or friends with whom they have lost touch because the company offers free services to data subjects in Zimbabwe

How to appoint a DPR

Your DPR must be appointed in writing. An informal letter will suffice. We can fill the role of DPR for your organization, whatever your sector is, for Zimbabwe and. If you are interested or need more information, please feel free to fill out the form below or send us an email at dpo@privacycure.com.
Made by Zimbabwe flag