Under the Cyber & Data Protection Act [Chapter 12:07] and S.I. 155 of 2024, every organisation processing personal data must be POTRAZ-licensed. CDPA Solutions provides automated compliance tools, POTRAZ-certified DPO services, and sector-specific frameworks, so you stay protected.
Most organisations in Zimbabwe are legally exposed. They know the law exists but lack the tools and expertise to comply. CDPA Solutions changes that.
Every entity processing personal data for commercial gain must hold a POTRAZ licence before processing begins. The deadline was 12 March 2025. Operating without a licence is now a criminal offence liable to Level 11 fines or up to 7 years imprisonment.
Every data controller must appoint a DPO and notify POTRAZ via Form DP2 within 14 days. The DPO must hold certification from a course approved by POTRAZ. Failure to appoint carries a fine not exceeding Level 7 and/or up to 2 years imprisonment. Note: Tier 1 controllers may be exempt from DPO appointment depending on sector and nature of processing; schools processing children's data are NOT exempt.
Using Google Workspace, Microsoft 365 or any offshore cloud constitutes a cross-border transfer. You must: notify POTRAZ in writing, conduct a DPIA, obtain data subject consent, and apply for a separate POTRAZ authorisation. Disclosure to parents alone is insufficient.
Schools processing children's data face the strictest obligations: written parental consent, regular DPIAs, data protection by design and default, verification of guardian identity, and no automated decision-making affecting children's rights. Cross-border transfers of children's data require prior POTRAZ authorisation.
Sector-specific frameworks built around the exact requirements of the CDPA, S.I. 155 of 2024, and the POTRAZ Implementation Guidelines, not generic templates.
Schools are the highest-risk category. You process sensitive data of children (under 18), placing you under the strictest provisions of both CDPA Section 12 and CDPG 2 of 2024. Schools are not eligible for Tier 1 DPO exemption due to the nature of their processing.
Health data is explicitly classified as sensitive data under CDPA Section 12. Only a health professional may process health-related data, and written consent is required for biometric, genetic and health data processing.
MFIs process National IDs, financial history and credit data, all classified as sensitive data under the CDPA. FinGuard addresses both POTRAZ data protection obligations and RBZ KYC requirements.
Property managers collect ID copies, payslips, and bank statements from every tenant and buyer. PropSafe legally secures your data handling and ensures cross-border compliance if your landlords are international.
If you collect customer names, emails or payment data and have 50 or more data subjects, you are a Data Controller under the CDPA. BizSecure covers the Tier 1 licensing threshold (50–1,000 data subjects).
Select your sector toolkit. Pay via EcoCash, Zimswitch or bank transfer. Access your compliance dashboard immediately.
A POTRAZ-certified DPO is matched to your account. They review your data footprint and initiate POTRAZ filings within 24 hours.
Forms DP1 and DP2 filed with POTRAZ. Cross-border authorisation applied for if required. All within 5 business days.
Receive your Certificate of Conformance. Your organisation is POTRAZ-registered, legally protected, and audit-ready.
Every tier includes core CDPA documentation. Upgrade for POTRAZ-certified DPO oversight and ongoing compliance management.
For smaller organisations ready to manage compliance internally with the right documents.
For organisations that need a POTRAZ-certified DPO on record without the cost of a full-time hire.
For school groups, hospital networks, or MFIs with multiple branches requiring a dedicated compliance programme.
All prices in USD. EcoCash, Zimswitch and bank transfer accepted. POTRAZ licensing fees (Tier 1: $50 | Tier 2: $300 | Tier 3: $500 | Tier 4: $2,500) are separate government charges payable directly to POTRAZ.
Highest-risk category. Children's data obligations, parental consent, DPIAs and cross-border authorisation for cloud services.
Explore SafeSchool →
Health, biometric and genetic data require written consent under CDPA Section 12. Only health professionals may process health data.
Explore MedShield →
Financial history and ID data are sensitive under CDPA. FinGuard satisfies both POTRAZ and RBZ compliance obligations.
Explore FinGuard →
Every tenancy application collects sensitive data. PropSafe ensures legally compliant data handling from Day 1.
Explore PropSafe →
Are you a POTRAZ-certified Data Protection Officer? We provide the clients and infrastructure; you provide the professional certification and oversight.
We handle all sales and marketing. You focus on delivering compliance services to organisations we place with you.
Our automated toolkit handles 80% of groundwork. You review, advise, sign Form DP2, and liaise with POTRAZ.
You carry the professional oversight responsibility and receive the larger share. The data controller remains ultimately liable under CDPA Section 33(2).
Clear response time obligations: 4 hours for critical breaches, 24 hours for high-priority POTRAZ requests, 48 hours for standard queries.
POTRAZ-approved certification or accredited equivalent required. Foreign nationals may qualify if registered by POTRAZ.
Lawyers with POTRAZ-certified DPO status can provide clients both legal advice and official DPO oversight.
IT security professionals with POTRAZ certification can extend compliance services through our platform.
60% of retainer to POTRAZ-certified DPO. 40% to CDPA Solutions platform. 30/70 on one-off toolkit sales.
1110 Performance Close, Mt Pleasant Business Park, Harare
P.O. Box MP 843, Mt Pleasant
dataprotectionunit@dpa.zw
regulator@potraz.zw
+263 242 333032/46/48
Forms DP1, DP2 and DP3 available at www.potraz.zw
Consult the registration guide before completing Form DP1.
POTRAZ is actively auditing. The 12 March 2025 deadline has passed. There is no "I didn't know" defence under the CDPA. Get your organisation protected today.
Our team responds within 24 hours. Tell us about your organisation and we will recommend the right compliance framework and connect you with a POTRAZ-certified DPO partner.
We respond within 24 hours. Your data is processed under our own CDPA-compliant privacy policy.