Zambia DPA

Data Protection Act 2021 (No. 3 of 2021)

Zambia's comprehensive data protection law with special protections for vulnerable persons and DPIA requirements for high-risk processing.

Jurisdiction

Zambia

Enacted

Mar 29, 2021

Effective

Mar 1, 2025

Enforcement

Data Protection Commission

Enforcement began March 2025

CIPESA Analysis of Zambia DPA

Why It Matters

Zambia's explicit focus on vulnerable persons makes it highly relevant for mental health chatbots and AI companions serving at-risk users.

Recent Developments

Enforcement began March 2025 after 4-year implementation period

At a Glance

Applies to

Mental Health AppAI CompanionGeneral Chatbot

Requires

Transparency User Rights Data Minimization

Who Must Comply

Data controllers and processors in Zambia
Entities processing data of Zambian residents
Processing involving vulnerable populations

Obligations fall on:

Safety Provisions

Special protections for vulnerable persons including children
Data Protection Impact Assessment required for high-risk processing
Breach notification required
Data Protection Officer for certain entities
Cross-border transfer restrictions

Compliance & Enforcement

Key Dates

Mar 1, 2025

Full enforcement began

Penalties

criminal liability

Criminal liability

Primary Source

CIPESA Analysis of Zambia DPA

https://cipesa.org/download/briefs/Insights-into-Zambias-Data-Protection-Act-2021.pdf

View on map

Zambia

Focus Areas

Mental health & crisis

Child safety

Algorithmic accountability

Cite This

APA

Zambia. (2021). Data Protection Act 2021 (No. 3 of 2021).

Related Regulations

In Effect BW

Botswana DPA

Botswana's modernized data protection law requiring Data Protection Impact Assessment and establishing age 16 for consent.

In Effect SC

Seychelles DPA

Seychelles' modern data protection law requiring DPO for large-scale processing and recognizing Cross-Border Privacy Rules certification.

In Effect DZ

Algeria Law 18-07

Algeria's data protection law with mandatory DPO requirement added by 2025 amendment and 5-day breach notification.

In Effect RW

First African country to adopt comprehensive national AI policy. Establishes Responsible AI Office (RAIO) under MINICT. Implements RURA ethical guidelines covering beneficence, non-maleficence, autonomy, justice, explicability, transparency. Non-binding framework.

Proposed KE

Kenya AI Bill

First comprehensive AI bill in Sub-Saharan Africa. Proposes creation of AI Commissioner, AI Authority, and Advisory Committee. Establishes risk-based regulatory model aligned with EU AI Act framework, criminalizes harmful deepfakes, and mandates AI content labeling.

Enacted US-MD

MD HB 895

First US state law to outright ban surveillance-based personalized pricing in food retail and third-party delivery, prohibiting use of protected class data and dynamic pricing tied to consumer personal data with limited exceptions for cost-based pricing, loyalty programs, and explicit consent.

All regulations Check if this applies to you

Last updated January 22, 2026. Verify against primary sources before relying on this information.