1. Introduction
1.1 Malawi has recently enacted a Data Protection Act (No. 3 of 2024) (the “Act”), which provides a comprehensive legal framework for data protection. The commencement date of the Act was 3rd June 2024.
1.2 A data controller or data processor of significant importance (defined below) is required to comply with the requirements prescribed under the Act within six months of the commencement date, that is, by 2nd December 2024. A data controller or processor who is not a data controller or processor of significant importance is exempt from compliance with the Act for a period of twenty-four months from the date the Act comes into operation.
1.3 This advisory note covers the following:
i. Key definitions in the Act
ii. Data Protection Principles
iii. Obligations of a Controller and Processor
iv. Rights of a Data Subject
v. Sensitive personal data
vi. Cross-border data transfers
vii. Appointment of a Data Protection Officer
viii. Enforcement, sanctions and remedies
2. Key Definitions
2.1 “Personal data” is defined broadly and means, “any data relating to an identifiable natural person which, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that person”.
2.2 “Processing” means any operation, or set of operations, performed on personal data, whether or not by automated means, and includes collection, recording, organization, structuring, storage, alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
2.3 “Data subject” means a natural person to whom particular personal data relates.
2.4 “Data controller” means a natural or legal person who, alone or jointly with another natural or legal person, determines the purpose and means of processing personal data.
2.5 “Data processor” means a natural or legal person who processes personal data on behalf of a data controller.
3. Data Protection Principles
3.1 The Act lays down several key principles which controllers and processors must comply with when processing personal data as follows:
3.1.1 First data protection principle: lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
3.1.2 The controller must only process personal data on the basis of one or more of the legal grounds below:
3.1.2.1 The data subject consents to the processing; or
3.1.2.2 The processing is necessary:
3.1.2.2.1 for performing a contract with the data subject;
3.1.2.2.2 for complying with a legal obligation;
3.1.2.2.3 for protecting the vital interests of the data subject;
3.1.2.2.4 as authorised by law and carried out by a public authority;
3.1.2.2.5 as required by law or court order;
3.1.2.2.6 as necessary for performing a task carried out in the public interest; or
3.1.2.2.7 for pursuing the legitimate interests of the controller or a third party, except where the data subject's interests or fundamental rights and freedoms override the controller's interests.
3.1.2.3 The requirements are set out in full under section 8 of the Act as follows:
“(2) the processing of personal data shall be lawful if—
(a) the data subject provides consent to a data controller or data processor to process the data for one or more specific purposes or, where the data subject has no capacity to provide consent, another natural person who has authority to provide consent on behalf of the data subject provides the consent; or
(b) the processing of the data is—
(i) necessary for the performance of a contract to which the data subject is a party or, at the request of the data subject prior to the data subject entering into the contract;
(ii) a legal requirement or obligation of the data controller or data processor;
(iii) necessary in order to protect vital interests of the data subject or another natural person;
(iv) authorized by a written law and carried out by a competent public authority in furtherance of its legal mandate;
(v) required by, or under, any written law or an order of a court of law;
(vi) necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor; or
(vii) necessary for the purpose of a legitimate interest pursued by the data controller or data processor or by a third party to whom the data is disclosed, except where the interest of the data controller or data processor or third party is overridden by the interest of a fundamental right or freedom of a data subject.”
3.1.2.4 Consent rules
3.1.2.4.1 Consent is one of the lawful bases for processing personal data under the Act. The Act contains stringent requirements on controllers to obtain valid consent from data subjects.
3.1.2.4.2 These include that consent must be:
3.1.2.4.2.1 specific, informed and an unambiguous agreement or approval by a natural person;
3.1.2.4.2.2 given freely, in writing, orally or by any affirmative action, to a data controller or data processor to process personal data relating to that person or to another natural person on whose behalf the person has the authority to provide the consent. As such, silence, pre-ticked boxes or inactivity are unlikely to constitute consent, in our understanding. Rather, consent can be obtained, for example, by signing or thumbprinting a statement on paper, ticking a box, orally confirming something or by some other action or conduct which clearly shows the individual's acceptance of the processing.
3.1.2.4.2.3 Where the data subject is a child (below the age of 18) or a person who is not capable of providing consent, consent must be obtained from the legal guardian of the data subject.
3.1.2.4.2.4 If consent is given in a written document, and that document also concerns other matters, each matter on which consent is sought has to be presented in a clearly distinguishable manner.
3.1.2.4.2.5 The data subject must have the right to withdraw consent at any time and it must be as easy to withdraw consent as to give it. Individuals must be informed of their right to withdraw their consent.
3.1.2.4.2.6 The Act flags up the common practice of requiring consent to data processing as a condition for the performance of a contract and provides that it shall be a relevant factor where a question arises on whether consent was freely given. Our view is that it is better to avoid making consent a pre-condition of receiving a service, unless it is necessary for that service.
3.1.2.4.2.7 Explicit consent is required for certain types of data processing, including, for example, sensitive personal data and cross-border data transfers to recipients not offering an adequate level of protection.
3.1.2.4.2.8 Where consent is being relied on to process data, fresh consent may be needed if data is processed for a new purpose, even if the new purpose is considered "compatible" with the original purpose.
3.1.3 Second data protection principle: purpose limitation.
3.1.3.1 Personal data shall be collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes. This means that, as a general rule, the controller cannot use an individual's personal data for any purposes other than those notified to the individual at the point their personal data was first collected or obtained from a third party. Further processing beyond that which was originally anticipated is only permitted as long as the new processing is compatible with the initial purpose.
3.1.3.2 As such, further processing of personal data for a purpose incompatible with that for which the data was initially collected would require that the data subject gives their consent to the new processing.
3.1.3.3 Further processing for archiving purposes in the public interest, research or statistical purposes shall not be considered to be incompatible with the initial purposes for which it was collected.
3.1.3.4 The Act provides a helpful list of considerations in ascertaining whether processing for another purpose is compatible with the purpose for which the personal data was initially collected, as follows:
3.1.3.4.1 any link between the purposes for which the personal data has been collected and the purposes of the intended further processing;
3.1.3.4.2 the context in which the personal data has been collected, in particular regarding the relationship between data subjects and the controller;
3.1.3.4.3 the nature of the data to be processed, in particular, having regard to the sensitivity of the data;
3.1.3.4.4 potential consequences of the intended data processing to the data subject; and
3.1.3.4.5 the existence of appropriate safeguards, including encryption and pseudonymization.
3.1.4 Third data protection principle: data minimisation. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Collecting personal data for a general or unspecified purpose would contravene this requirement.
3.1.5 Fourth data protection principle: accuracy. Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
3.1.6 Fifth data protection principle: storage limitation. Personal data shall be kept for no longer than is necessary for the purposes for which it is processed. Personal data may, however, be kept for longer periods if the personal data will be processed solely for archiving purposes for public interest, research or statistical purposes, subject to the principle of minimisation and pseudonymising the data, where appropriate.
3.1.7 Sixth data protection principle: integrity and confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
4. Obligations on controllers
4.1 Legal basis for processing: Controllers must make sure that they adhere to the data protection principles set out above.
4.2 Technical and organisational measures: Data controllers should develop and implement appropriate technical and organizational measures to ensure that the processing of personal data complies with the Act. This is related to the implementation of data protection by design into the company’s processes. The Act requires controllers to implement appropriate technical and organisational measures, like pseudonymisation and encryption, to ensure the security of personal data. Controllers must take into account the cost of implementation and the nature, scope, context and purposes of processing. They must also take into account the degree and likelihood of harm to a data subject that could result from the loss, disclosure or other misuse of personal data, and the retention period of personal data.
4.3 Notification of data protection breaches: The Act provides for mandatory reporting of personal data breaches to the Data Protection Authority, the Malawi Communications Regulatory Authority (“Authority”), without undue delay and, where feasible, within 72 hours of having become aware of it. The notification should include:
4.3.1 a description of the nature of the personal data breach;
4.3.2 where possible, a description of the categories of personal data affected by the breach;
4.3.3 where possible, the number of data subjects affected by the breach;
4.3.4 a description of the likely consequences of the personal data breach;
4.3.5 a description of the measures taken or proposed to be taken by the data controller to address the personal data breach; and
4.3.6 the name and contact details of the data protection officer of the data controller.
4.4 Processors are required to notify the controller of any breaches.
4.5 The controller is also required to notify, without undue delay, individuals affected by the breach where the breach is likely to result in a high risk to the rights and freedoms of individuals. The notification shall describe the nature of the personal data breach, the likely consequence of the breach and the measures taken or proposed to be taken by the data controller to address the breach. Where the notification involves a disproportionate effort or expense, the data controller shall be required to make a public notification, in at least one newspaper of wide circulation in Malawi and any other mode of communication the data controller considers appropriate.
4.6 We recommend that companies should have data breach handling processes in place in line with the requirements of the Act.
4.7 Documentation (records of processing activities): Controllers and processors must keep written records of each data processing activity carried out by them. The controller shall maintain a record of processing activities containing all of the following information:
(a) the name and contact details of the data controller or data processor and, where applicable, a joint data controller, the representative of the data controller or data processor and the designated data protection officer;
(b) the purpose of processing the personal data;
(c) a description of the categories of data subjects and the categories of personal data;
(d) the categories of recipients to whom the personal data has been, or will be, disclosed;
(e) where possible, the envisaged time limits for the erasure of the different categories of the personal data;
(f) where possible, a general description of the technical and organizational measures implemented to adhere to this Act; and
(g) any other information as may be prescribed by the Authority.
4.8 Data Protection Impact Assessment. Controllers must carry out a Data Protection Impact Assessment (DPIA) for operations that present specific risks to individuals due to the nature, scope, context or purpose of the processing operation. A DPIA is in particular required where the personal data will be processed using an automated processing system, including profiling; where sensitive personal data or personal data relating to a criminal offence or conviction will be processed on a large scale; or where there will be systematic monitoring of a publicly accessible area on a large scale. The Authority can, by notice published in the gazette, prescribe other circumstances.
4.9 The assessment shall contain at least:
4.9.1 a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
4.9.2 an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
4.9.3 where applicable, the legitimate interest pursued by the data controller, data processor or third party, as the case may be;
4.9.4 an assessment of the necessity and proportionality of the processing of the personal data, in relation to the purpose of processing the data;
4.9.5 an assessment of the risk to the rights and freedoms of the data subject;
4.9.6 the measures envisaged to be put in place to address the risk, taking into account the rights and legitimate interests of the data subject and any other natural person concerned; and
4.9.7 any other information as may be prescribed by the Authority.
4.10 A data controller shall submit the data protection impact assessment report to the Authority prior to the processing of the personal data.
4.11 A data controller shall, where there is a change in the risk represented in the data protection impact assessment report, carry out a review of the risk to assess if the processing of the personal data is being done in accordance with the data protection impact assessment.
4.12 Registration of data controllers or processors of significant importance. A data controller or data processor shall not process personal data as a data controller of significant importance or a data processor of significant importance, unless the data controller or data processor is registered as a data controller of significant importance or a data processor of significant importance, as the case may be.
4.13 A “data controller of significant importance” means a data controller who is domiciled, ordinarily resident, or ordinarily operates in Malawi and processes or intends to process personal data of more than ten thousand data subjects who are resident in Malawi; or processes or intends to process personal data of significance to the economy, society or security of Malawi. “Data processor of significant importance” has a similar meaning.
4.14 The first threshold is based on the number of data subjects. A company could be a data controller of significant importance if it handles personal data of more than 10,000 data subjects who are residents of Malawi. The Act does not contain specific guidance on what the second alternative basis, personal data of significance to the economy, society or security of Malawi, means. Perhaps one could examine the requirement by considering the impact of a data breach or misuse of personal data held by the company on the economy, society or security of Malawi. If the breach or misuse would heavily impact the economy, society or security, the company could be deemed a data controller of significant importance. Specific advice would have to be obtained on this based on the nature and extent of the data processing activities of a company.
5. Rights of a data subject
5.1 Provision of information: A data subject is entitled to be provided with the following information:
5.1.1 the identity and contact details of the data controller or representative of the data controller;
5.1.2 the legal basis for processing the personal data;
5.1.3 the purpose for processing the personal data;
5.1.4 where possible, the storage period for the personal data;
5.1.5 the existence of automated decision-making, including profiling;
5.1.6 the rights of the data subject;
5.1.7 the right to lodge a complaint with the Authority; and
5.1.8 whether the data controller intends to transfer the personal data to a place outside Malawi.
5.2 Access request. A data subject has the right to obtain from a data controller or data processor confirmation of whether personal data concerning the data subject is being processed by the data controller or data processor and, where that is the case, the right to access the personal data being processed.
5.3 Where the data controller or data processor confirms the processing of the personal data of the data subject, the data controller or data processor shall provide the data subject with a copy of the personal data being processed in a commonly used electronic format, within thirty days of receipt of the request and, where practicable, at no expense to the data subject, together with the information set out in paragraph 5.1 above.
5.4 Data portability: A data subject has the right to have provided to them or to other controllers, free of charge, a copy of their personal data in a commonly used electronic and structured format that allows for further use, within thirty days of receipt of the request.
5.5 Right to rectification. As stated above, the Act requires controllers to ensure that personal data is accurate, kept up to date, and erased or corrected without delay when inaccurate. To reinforce those requirements, data subjects have the right to request the controller to correct inaccurate personal data, and to obtain completion of incomplete personal data.
5.6 Right to erasure: Data subjects have the right to request the erasure of the personal data that a controller holds about them, also known as the right to be forgotten. A data subject has the right to request erasure of their personal data if one of the following applies:
5.6.1 the personal data is no longer necessary for the purpose the controller collected it for;
5.6.2 the data subject withdrew their consent to the controller's processing activities and no other legal justification for processing applies;
5.6.3 the data subject objects to the processing of the personal data and there is no overriding legitimate ground for processing the data;
5.6.4 the personal data has been unlawfully processed; or
5.6.5 there is a legal obligation under a written law to erase the personal data.
5.7 The controller must also take reasonable steps, including technical measures, to inform other controllers that are processing the personal data, to his or her knowledge, about the data subject's erasure request.
5.8 Right to restriction of processing personal data. A data subject has the right to restrict the processing of personal data of the data subject where (a) the accuracy of the data is contested by the data subject; or (b) the data controller or data processor no longer needs the data for the intended purpose of processing. A data controller or data processor who receives a request from a data subject to restrict processing of personal data of the data subject shall adhere to the request, unless the data controller or data processor shows cause, in writing, why the request cannot be adhered to.
5.9 Right to object. A data subject has the right to object to the processing of personal data of the data subject where the processing is causing, or is likely to cause, substantial damage or substantial distress to the data subject, and the damage or distress would be unwarranted. A data controller or data processor shall, upon receipt of an objection from a data subject, cease to process the personal data, unless the data controller or data processor, as the case may be, demonstrates that (a) there is a compelling legitimate ground for the processing which overrides the interest or right of the data subject; or (b) the processing is necessary for the establishment, exercise or defence of a legal claim. A data subject may, where the personal data of the data subject is processed for a direct marketing purpose, object to the processing of the data for that purpose.
5.10 Automated decision-making objection right: Data subjects have the right not to be subject to solely automated decision-making, including profiling, which has legal or other similarly significant effects on the data subject. This right does not apply when the automated decision is necessary for entering into or performing a contract with the data subject; required or authorised by domestic law which requires suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or based on explicit data subject consent. Where any of these exceptions apply, a data controller shall implement the appropriate measures to safeguard the rights and interests of the data subject.
5.11 We recommend that procedures be developed for dealing with subject access requests and associated rights, with relevant templates or forms for the various requests.
Derogation of data subjects’ rights
5.12 The rights of a data subject may be restricted where the processing of the personal data of the data subject is for the purpose of—
(a) national security, including safeguarding against and the prevention of a threat to national security;
(b) the prevention, investigation, detection or prosecution of a criminal offence or the execution of a criminal penalty;
(c) pursuing a national economic or financial interest, including a monetary, budgetary and taxation matter;
(d) public health;
(e) social security;
(f) judicial proceedings;
(g) the prevention, investigation, detection and prosecution of a breach of ethics for a regulated profession;
(h) monitoring, inspection or exercise of a regulatory function by a public authority;
(i) protecting the data subject or the rights and freedoms of another natural person; or
(j) the enforcement of a civil law claim.
6. Sensitive personal data
6.1 “Sensitive personal data” means personal data relating to a natural person’s—
(a) biometric data;
(b) race or ethnic origin;
(c) religious or other belief relating to the freedom of conscience of the person;
(d) health status;
(e) political opinion or affiliation; and
(f) such other data as the Minister may prescribe.
6.2 A data controller and data processor shall not process sensitive personal data of a data subject unless—
(a) the data subject has provided consent to the processing of the data for a specific purpose;
(b) the processing of the data is necessary to protect the interest of the data subject;
(c) the processing of the data is necessary for the purpose of exercising or performing a right or obligation of the data controller, data processor or data subject under a written law or a court order;
(d) the processing of the data is in the interest of public health;
(e) the processing of the data is for public interest;
(f) the processing of the data is necessary for the establishment, exercise or defence of a legal claim, obtaining legal advice or conduct of a legal proceeding;
(g) the processing of the data is necessary for the purpose of archiving the data for public interest or for research or statistical purposes;
(h) the data subject has intentionally made the data public; or
(i) the data controller or data processor is a foundation, association or any other not-for-profit body with a charitable, educational, literary, artistic, philosophical, religious or trade union aim and the data processing is carried out in the course of implementing a legitimate activity of the data controller or data processor to its members or former members or to a natural person who is in regular contact with the data controller or data processor, in connection with its purposes.
6.3 Where sensitive personal data is processed in accordance with the above provisions, the data controller or data processor shall put in place appropriate measures to safeguard the fundamental rights and interests of the data subject.
7. Cross-border data transfers
7.1 A data controller and data processor are restricted from transferring personal data from Malawi to another country or an international organization, unless—
(a) the recipient of the data is subject to—
i. a law;
ii. a binding corporate rule;
iii. a personal data protection contractual clause (we recommend the development of standard data protection clauses for all contracts, especially where personal data will be transferred abroad);
iv. a code of conduct; or
v. a certification mechanism,
that affords an adequate level of protection of personal data as assessed by the Authority; or
(b) one of these conditions applies:
i. the data subject has provided consent to the transfer of his or her personal data, upon being informed of the possible risk of the transfer;
ii. the processing of the data is necessary for the performance of a contract to which the data subject is a party or, at the request of the data subject, the implementation of a pre-contractual measure;
iii. the transfer is necessary for the conclusion or performance of a contract between the data controller and a third party, which is in the interest of the data subject; or
iv. the transfer is for the benefit of the data subject and—
a) it is not reasonably practicable to obtain the consent of the data subject to the transfer; or
b) if it were reasonably practicable to obtain the consent of the data subject, the data subject would likely give the consent.
8. Appointment of a Data Protection Officer
8.1 The Act imposes an obligation on both controllers and processors to appoint a suitably qualified person as Data Protection Officer (DPO) where:
8.1.1 the data processing is being carried out by a public authority (except for courts acting in their judicial capacity); or
8.1.2 the core activities of the data controller or data processor consist of processing operations which, by virtue of their nature, scope and purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the data controller or data processor consist of processing, on a large scale, sensitive personal data, or personal data relating to criminal offences and convictions.
8.2 There is no guidance in the Act on what is meant by "core activities", "regular and systematic monitoring" and "large-scale processing". In our view, based on interpretations under the UK GDPR on which the Act is modelled (which would be persuasive to the Authority in Malawi), core activities are those key operations necessary for achieving the organisation's objectives. Back-office functions such as payroll administration or general IT support services would not be considered core activities.
8.3 On “monitoring”, Recital 24 of the GDPR provides that "In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him for analysing or predicting her or his personal preferences, behaviours and attitudes." However, there is no guidance in the GDPR in respect of what is meant by "regular and systematic". Our view is that "regular" would reasonably mean occurring at particular intervals, repeated or recurring, or constantly taking place. As to “systematic”, the WP29 Guidance interprets "systematic" as meaning one or more of the following: occurring according to a system; pre-arranged, organised or methodical; taking place as part of a general plan for data collection; or carried out as part of a strategy. It also provides examples of "regular and systematic monitoring of data subjects", which include: operating a telecommunications network; providing telecommunications services; and data-driven marketing services.
8.4 A company would therefore not be required to appoint a DPO unless:
8.4.1 as part of their core business, they are required to engage in large-scale regular and systematic monitoring of data subjects; or
8.4.2 their core activities consist of processing sensitive personal data on a large scale.
8.5 Specific advice would have to be sought by a company on whether it is obliged to appoint a DPO. Suffice to mention that, in any event, a company can consider appointing a DPO even if the assessment reveals that it is not obligated under the law, as it would be beneficial for compliance oversight, particularly as data protection requirements continue to evolve and enforcement becomes stricter.
8.6 The duties of a DPO shall include to:
8.6.1 advise a data controller or data processor on the obligations of the data controller or data processor under the Act;
8.6.2 monitor compliance of the data controller or data processor with the Act and any data protection policy developed and implemented by the data controller or data processor;
8.6.3 advise the data controller or data processor on data protection impact assessments; and
8.6.4 act as the contact point for the Authority and the data controller or data processor on compliance matters under the Act.
8.7 The Act does not set out the requisite experience or qualifications of the DPO, save to mention that he or she must be suitably qualified. Our view is that the DPO should, at a minimum, have knowledge of data protection laws and practices, and some experience in compliance. The required level of experience should be commensurate with the sensitivity, complexity and amount of data that the company processes.
8.8 The Act does not prescribe whether the DPO should be internal to an organisation or externally appointed, and there are no Regulations promulgated yet. Our view is that, as long as an individual can perform the duties in 8.6 above, they can be designated as DPO regardless of whether they are an existing employee or externally appointed.
8.9
If an organisation opts to designate an existing employee as DPO, we would recommend that
their existing duties do not conflict with the DPO's tasks, and that they have the
capacity to discharge the DPO duties effectively rather than treating them as secondary.
8.10
If an organisation opts for an external DPO, we would advise that the DPO must be easily
accessible to the organisation's employees, to the Authority and to the data subjects whose
personal data the organisation processes.
8.11
The Act does not restrict the appointment of a single DPO for a group of companies.
However, the DPO must be accessible to all employees of each of the organisations and still
be able to perform their tasks effectively, taking into account the structure and size of the
entities.
9. Enforcement, sanctions and remedies
9.1
Under the Act, data subjects have the right to:
9.1.1
Lodge a complaint with the Authority. The Authority shall have powers to investigate
the complaint. Where merited, the Authority has powers to issue a compliance order
which may include:
9.1.1.1
an order requiring the data controller or data processor to comply with a
specified provision of the Act;
9.1.1.2
a cease and desist order requiring the data controller or data processor to
stop or refrain from doing an act which is in contravention of the Act;
9.1.1.3
an order requiring the data controller or data processor to pay compensation
to a data subject affected by the action or inaction of the data controller or
data processor;
9.1.1.4
an order requiring the data controller or data processor to account for the
profits made out of the contravention;
9.1.1.5
an order requiring the data controller or data processor to pay an
administrative penalty not exceeding K20,000,000; or
9.1.1.6
any other order as the Authority may consider just and appropriate.
9.1.2
A data controller or data processor who fails to comply with a compliance order, other
than an order to pay compensation, an order to pay an administrative penalty or an order to
account for profits, commits an offence and shall, upon conviction, be liable to—
(a)
in the case of a natural person, a fine of K10,000,000 and to imprisonment for two
years; or
(b)
in the case of a legal person, a fine of K50,000,000.
9.1.3
A person aggrieved by a decision of the Authority may, within thirty days of receiving
the decision, apply to the High Court for review of the decision.
9.2
A data subject who suffers injury, loss or harm, as a result of a contravention of the Act by a
data controller or data processor, is also at liberty to commence legal action for a civil remedy
against the data controller or data processor concerned.
9.3
Where a legal person or an entity is convicted of an offence under the Act, every natural
person who—
(a)
is a director of, or is otherwise concerned with the management of, the legal person; and
(b)
knowingly authorized or permitted the act or omission constituting the offence,
commits the same offence of which the legal person is guilty, and may be proceeded against
and sentenced in the same manner as any other natural person.
9.4
Where a data controller or data processor charged with an offence under the Act is a legal
person, any person who, at the time the offence was committed was a chief executive officer,
manager or officer of such legal person, may be charged jointly in the same proceeding with
the legal person, if the person was party to the offence committed.
9.5
A data controller and data processor shall be vicariously liable for any act or omission of an
agent, employee or other person authorized by the data controller or data processor to
perform any function regulated under the Act, in so far as the act or omission relates to an
operation of the data controller or data processor.
10. Conclusion
10.1
Malawi has promulgated a robust legal framework for data privacy.
With its commencement on 3rd June 2024, the Act imposes strict compliance requirements,
especially for data controllers and processors of significant importance, who must adhere to
the stipulated obligations by 2nd December 2024. Companies will have to assess whether
they are data controllers or processors of significant importance based on their data
processing activities. Meanwhile, other entities have a grace period of up to twenty-four
months to align their practices with the new legal standards. The Authority has not yet
developed Regulations under the Act, but compliance with the provisions of the Act is still
required within the set timeframe.