- within Privacy topic(s)
- with readers working within the Insurance industries
- within Insurance, Litigation, Mediation & Arbitration and Antitrust/Competition Law topic(s)
This proposed legislation aims to reinforce individuals' fundamental right to protection of their personal data and privacy by establishing clear rules for the collection, processing and storage of personal data. It also seeks to consolidate a secure and inclusive digital environment and ensure Mozambique's compliance with the standards of the African Union Convention on Cybersecurity and Personal Data Protection. The bill is one of a series of initiatives taken by Mozambique to strengthen its digital sovereignty, alongside the approval of two bills on cybersecurity and cybercrime on 30 September.
If approved, the Personal Data Protection Bill will apply to any natural or legal person, whether public or private, who carries out activities relating to personal data for economic or non-private purposes in Mozambique. However, the processing of personal data for journalism, artistic and literary expression, the free development of personality, dignity and exercising citizenship rights is excluded from the scope of the bill.
These rules may also be waived by the competent authorities when necessary for national defence and public security
These are the most important aspects of the bill:
National Personal Data Protection System
At the institutional level, the bill provides for the establishment of a National Personal Data Protection System. This system will comprise several entities and two main bodies.
It also seeks to consolidate a secure and inclusive digital environment and ensure Mozambique's compliance with the standards of the African Union Convention on Cybersecurity and Personal Data Protection.
- the National Personal Data Protection Council, which is chaired by the Prime Minister and comprises representatives from the government, business and civil society. The Council is responsible for (i) political and strategic coordination in matters of personal data, (ii) the annual preparation of a report evaluating the implementation of the National Data Protection Policy and Strategy, and (iii) responding to communications from the government.
- the National Personal Data Protection Authority (ANPD), which corresponds to the current Regulatory Authority for Information and Communication Technologies. The ANPD regulates all operations relating to the processing of personal data in Mozambique, as well as cross-border operations involving the processing of the personal data of national citizens. The ANPD is also responsible for monitoring and applying sanctions in cases of non-compliance with the rules of this bill, as well as for international cooperation in the area of data protection.
The data processor and the data protection officer
With regard to data processors, the bill refers to the controller and the processor. The controller is the natural or legal person, whether public or private, who is responsible for decisions relating to processing. The processor is the entity that carries out the processing on behalf of the controller.
The bill also refers to the appointment of a personal data protection officer by the data processor. This officer is defined as a natural person responsible for maintaining communication between the processor, data subjects, and the ANDP.
Requirements for processing personal data
Personal data is defined as any information relating to an identified or identifiable natural person (the data subject). Sensitive personal data is defined as data relating to the racial or ethnic origin, religious or political beliefs, trade union membership, health, sex life or economic situation of the data subject.
The bill limits the admissibility of processing personal data to certain situations. These include (i) compliance with a legal obligation, (ii) reasons of public interest, (iii) the performance of a contract to which the data subject is a party; and (iv) the express and unambiguous consent of the data subject. However, consent is not required when personal data is manifestly made public by the data subject.
Regarding the processing of sensitive data, the bill prohibits processing except in situations involving (i) unequivocal, express, written consent from the data subject, (ii) reasons of public interest, and (iii) compliance with a legal or regulatory obligation to which the data processor is bound.
The bill also includes specific rules on processing credit and solvency data, data relating to children, data relating to illegal activities, purposes of public interest, video surveillance systems, and call recording
For the purposes of this bill, anonymised data is not considered personal data as it is not associated with an individual.
The rights of personal data subjects
In order to protect these individuals, the bill provides for a number of rights to be granted to them. These include the right to access information about how their data is processed. This information must be made available by the personal data processor. Data subjects also have the right to object to the processing of their personal data in certain situations and to request the rectification, updating or deletion of their personal data.
The obligations of the data processor and the data protection officer
The data protection officer is responsible for recording and reporting security incidents to the relevant authority. They are also responsible for implementing internal risk supervision and mitigation mechanisms, as well as providing support to the data processor in recording data processing operations. The officer must also accept and respond to complaints and communications from data subjects, providing the necessary clarifications.
To perform their duties and ensure their technical autonomy, the data protection officer must be provided with the necessary human, technical and administrative resources by the data controller. The controller must also seek guidance from the data protection officer on strategic decisions relating to data processing and provide data subjects with the means to exercise their rights and communicate with the data protection officer.
Alongside the obligations of the data controller, the data processor must adopt the necessary security, technical, and administrative measures to protect personal data against unauthorised access, destruction, loss, alteration, or unlawful communication. Furthermore, the processor must keep chronological records of data collection, alteration, consultation, disclosure and deletion operations. In the event of a security incident, the processor must report it to the ANPD and the data subject.
Finally, the processor must implement good practice rules that establish operating procedures and standards for data processing and security, as well as the process for complaints by data subjects and internal supervision and risk mitigation mechanisms.
Specific obligations for public bodies
The bill provides for the obligation of public bodies that process personal data for reasons of public interest to communicate the purpose and procedure to data subjects, as well as the deadlines and procedures for exercising any rights relating to their personal data. Public entities must also appoint a data protection officer.
Alongside the obligations of the data controller, the data processor must adopt the necessary security, technical, and administrative measures to protect personal data against unauthorised access, destruction, loss, alteration, or unlawful communication.
International transfer of personal data
The bill also regulates the international transfer of personal data. In this regard, transfers to countries that provide an equivalent level of data protection to that established by the bill are permitted and must be notified to the ANPD. Transfers to countries that do not ensure the same level of protection will require authorisation from the ANPD, provided certain conditions are met, such as obtaining the data subject's consent, complying with international agreements to which Mozambique is a party, or responding to a request for humanitarian aid.
Applicable penalties
The bill defines the processing of personal data by a data processor that violates data protection rules and causes financial or moral damage as a very serious offence.
In the event of non-compliance with the rules set out in the bill, the ANPD may impose administrative penalties depending on the nature and seriousness of the infringement, as well as the agent's fault. Administrative penalties applicable to the processing agent include a warning, blocking or deletion of the personal data to which the infringement relates, suspension of the database operation, or a partial or total prohibition on activities relating to data processing.
Next steps
Regarding the legislative procedure and approval of the bill, the National Institute of Information and Communication Technologies (INTIC) of Mozambique has been coordinating the technical aspects. On 5 September 2025, they published a public consultation, and, on 7 October, they met with the Council of Europe to ensure that the bill aligns with international standards.
After the public consultation closes, the bill will undergo technical harmonisation between different government entities. It will then be submitted for consideration by the Ministry of Communications and Digital Transformation and, finally, for approval by both the Council of Ministers and the Assembly of the Republic.
After the public consultation closes, the bill will undergo technical harmonisation between different government entities. It will then be submitted for consideration by the Ministry of Communications and Digital Transformation and, finally, for approval by both the Council of Ministers and the Assembly of the Republic.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
