On December 3, 2021, Zimbabwe enacted its first data protection law, the Data Protection Act [Chapter 11:12], which addresses the controlling, processing, and cross-border transfer of personal data. The law establishes the Cyber Security and Monitoring Center and grants data protection authority to Zimbabwe’s existing telecommunications regulator, the Postal and Telecommunications Regulatory Authority of Zimbabwe (“POTRAZ”). The law imposes various requirements on data controllers, including mandatory notification to POTRAZ within 24 hours of a data security breach. The act amends cyber crime laws including Zimbabwe’s Criminal Law (Codification and Reform Act) and the Interception of Communications Act. Penalties for data controllers, depending on the offense, include fines and multi-year imprisonment.