POTRAZ Issues Urgent Warning to Unlicensed Data Processors

The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) has issued a stern regulatory notice calling on all organisations processing personal data to obtain proper licensing immediately, warning that continued non-compliance is no longer acceptable.

The notice, dated 8 March 2026, comes nearly a year after the original compliance deadline of 12 March 2025 expired, with the regulator expressing frustration that many businesses continue operating without the required Data Controller Licence.

What’s Changed?

Under the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024, which came into effect in September 2024, any natural or legal person processing personal data in Zimbabwe must now hold a valid Data Controller Licence.

In the notice, POTRAZ made its position crystal clear:
“POTRAZ has noted with concern that some organisations continue to process personal data without the requisite licence, despite the lapse of the March 2025 compliance deadline. All such entities are required to regularise their data processing activities with immediate effect by applying for an initial Data Controller licence or renewing their existing licence.”

The language leaves little room for interpretation—this is not a gentle reminder, but a formal regulatory directive.

Why This Matters

Beyond being a legal requirement, POTRAZ emphasises that licensing demonstrates an organisation’s commitment to protecting the personal information entrusted to them by customers, employees, and stakeholders.
In an era where data breaches and privacy violations make headlines regularly, the licensing framework aims to ensure that Zimbabwean businesses maintain appropriate standards for handling sensitive information.

What’s at Stake?

While the notice doesn’t specify penalties, operating without a required licence under the Cyber and Data Protection Act could expose organisations to:

• Regulatory fines
• Enforcement actions
• Reputational damage
• Potential legal liability

The Bottom Line

With the deadline now long past, POTRAZ is signalling increased scrutiny of data processing activities across Zimbabwe. Businesses that have been waiting on the sidelines should treat this notice as a final call to action.
The message is clear: in Zimbabwe’s evolving digital economy, proper data governance isn’t optional—it’s mandatory. Organisations processing personal data without the requisite licence should regularise their operations immediately or risk facing regulatory consequences.