Privacy Law in Malawi
Malawi's data protection framework is governed by the Data Protection Act, 2024 (MDPA), which was assented to by President Dr. Lazarus McCarthy Chakwera on January 31, 2024, and came into force on February 2, 2024.
📘 Key Provisions of the MDPA
1. Scope and Applicability The MDPA applies to the processing of personal data by both public and private entities within Malawi, as well as those outside Malawi that process data related to individuals in Malawi
2. Data Protection Authority The Malawi Communications Regulatory Authority (MACRA) is designated as the Data Protection Authority responsible for overseeing the implementation and enforcement of the MDPA
3. Data Subject Rights The MDPA grants individuals the following rights
- Access: The right to obtain confirmation of whether personal data concerning them is being processed
- Rectification: The right to correct inaccurate or incomplete data
- Erasure: The right to request deletion of data under certain conditions
- Portability: The right to obtain and reuse personal data
- Objection: The right to object to data processing
- Restriction: The right to request limitation of data processing
4. Data Processing Principles The MDPA outlines several principles for processing personal data
- Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and transparently
- Purpose limitation: Data should be collected for specified, legitimate purposes and not further processed in a manner incompatible with those purposes
- Data minimisation: Only data necessary for the intended purpose should be collected
- Accuracy: Data must be accurate and kept up to date
- Storage limitation: Data should not be kept longer than necessary
- Integrity and confidentiality: Data must be processed in a manner that ensures appropriate security
5. Data Controllers and Processors Entities that determine the purposes and means of processing personal data (controllers) and those who process data on their behalf (processors) are required to
- Follow data protection principles
- Implement appropriate technical and organizational measures to ensure compliance
- Maintain records of processing activities
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities
- Establish contractual relationships with processors
- Appoint a Data Protection Officer (DPO) if engaged in large-scale processing
6. Data Security The MDPA mandates the implementation of technical and organizational measures to ensure data security, including encryption, access controls, and regular risk assessments
7. Breach Notification Data controllers must notify MACRA of data breaches within 72 hours. If the breach poses a high risk to individuals' rights and freedoms, affected individuals must also be informed without undue delay
8. Cross-Border Data Transfers Transfers of personal data outside Malawi are permitted if the receiving country ensures an adequate level of data protection or if appropriate safeguards are in place
9. Registration Requirements Data controllers and processors of significant importance must register with MACRA. This includes those processing data of more than 10,000 subjects or data of national importance
10. Complaint Mechanism Data subjects can lodge complaints with MACRA, which will investigate and issue compliance orders as necessary
🛡️ Implementation and Enforcement
MACRA is responsible for overseeing the implementation and enforcement of the MDPA. This includes developing and publishing guidelines on data protection, promoting public awareness, and ensuring compliance with the Act.