🛎 HotelGuard — Complai Africa

CDPA Compliance for Hotels, Lodges & Hospitality Businesses

If you collect customer names, phone numbers or payment data from 50 or more people, you are a Data Controller under the CDPA. HotelGuard gives you everything you need for Tier 1 POTRAZ compliance.

📁 HotelGuard Document Bundle

  • SME Data Protection Policy (Tier 1 POTRAZ): Included
  • Customer Consent & Privacy Notice (Web and physical display): Included
  • Staff Confidentiality Agreement (All staff): Included
  • DPIA Template (New processing activities): Included
  • Supplier Data Processing Agreement (Payroll, IT, and marketing): Included
  • Breach Response Protocol + DP3 (72-hour rule): Included
  • Business Data Asset Register (POTRAZ DP1 ready): Included

Your Legal Obligations

What the CDPA Requires from Your Organisation

These are mandatory legal requirements under Zimbabwe law, currently being enforced by POTRAZ.

CDPA S.3: Am I a Data Controller?
Any organisation collecting and using personal data for 50+ individuals (customers + employees + website visitors combined) is a Data Controller and must register with POTRAZ. Complai Africa helps you prepare the supporting templates and guidance for that process.

S.I. 155 S.6: Tier 1 for Most SMEs
Most SMEs fall under Tier 1 (50–1,000 data subjects) at USD $50 per year paid directly to POTRAZ. Your licence renews annually.

CDPG 1/2025: DPO Exemption Possible
Some general SMEs processing standard personal data may qualify for a DPO exemption under CDPG 1 of 2025. POTRAZ determines eligibility based on your processing nature.

CDPA S.14: Marketing Consent Required
Sending marketing via SMS, WhatsApp or email requires explicit opt-in consent from each customer. Pre-ticked boxes or implied consent do not meet the CDPA standard.

What Your Plan Includes

Comply Foundations, HospitalityProtect Extras, and DPO Support

HotelGuard combines your Comply tier with HospitalityProtect overlays for guest, CCTV, and booking-platform data. DPO Shield is the recurring managed layer when you need a named DPO and ongoing review.

  • Hotel / Guest Data Protection Policy (Tier 1 POTRAZ): Comply
  • Guest Consent & Privacy Notice (Web and physical display): HospitalityProtect
  • Staff Confidentiality Agreement (All staff): Comply
  • DPIA Template (New processing activities): Comply
  • Loyalty Programme Data Policy (Guest clubs, offers, and repeat-booking campaigns): HospitalityProtect
  • CCTV Notice Template Set (Reception, corridors, and parking areas): HospitalityProtect
  • Business Data Asset Register (POTRAZ DP1 ready): Business+
  • Compliance Gap Assessment (27-point checklist): Business+
  • Record of Processing Activities (ROPA) (All business data): Business+
  • Booking Platform Cross-Border Note (OTA, PMS, and reservation platform transfers): HospitalityProtect

Comply Tier Foundations

ROPA and Impact Assessments from Your Comply Tier

These frameworks come from your Comply package. HospitalityProtect adds guest and booking-platform overlays, while DPO Shield supports recurring governance and sign-off.

📊 Record of Processing Activities (ROPA)

Required under CDPA Section 13. This sits inside Comply Business and above, and becomes the foundation of your POTRAZ-facing operating record.

Your HotelGuard ROPA covers:

  • Customer names and contact details
  • Customer purchase and transaction history
  • Customer payment data (if stored)
  • Loyalty programme data
  • Delivery address records
  • Employee personal records
  • Employee payroll and bank account data
  • Supplier and vendor contact data
  • Website contact form submissions
  • CCTV footage
  • Social media and WhatsApp records

Included in: Comply Business and above

🔍 Data Protection Impact Assessment (DPIA)

Required under CDPA Section 18 before any high-risk processing activity. Comply provides the base framework, while HospitalityProtect adds guest and CCTV-specific prompts.

A DPIA is required for:

  • Launching a customer loyalty or rewards programme
  • Implementing CCTV surveillance on premises
  • Introducing a new customer database or CRM
  • Starting a WhatsApp marketing broadcast list
  • Adopting cloud-based accounting or payroll software
  • Any processing of employee health records

Included in: all Comply tiers, with scope varying by package

Common Questions

Frequently Asked Questions

I have a small shop. I collect customer phone numbers for deliveries. Do I need to comply?
If you have 50+ customers' phone numbers, yes. Phone numbers are personal data under the CDPA. You need to register with POTRAZ ($50), have a data protection policy, and use numbers only for the stated purpose — not unsolicited marketing. Complai Africa helps with the documentation and DPO-matching route, but the filing remains the organisation's responsibility.

We send WhatsApp marketing to our customer list. Is this legal?
Only if each customer explicitly opted in to receive marketing from you via WhatsApp. If you collected numbers for delivery and are now sending promotions, this is likely a violation. You need separate marketing consent.

We use a payroll service provider. Do we need a contract with them?
Yes — a Data Processing Agreement under CDPA Section 17. Your payroll provider processes employee personal data on your behalf. They must sign a DPA before accessing this data. Your HotelGuard toolkit includes a template version to help you put that contract in place.

What is the penalty if we ignore the CDPA?
POTRAZ is in active enforcement mode. Penalties include fines up to Level 11 (~USD $3,000+) for operating without a licence and Level 12 (~USD $5,000+) for unlawful processing. Directors can be personally liable. Imprisonment up to 10 years applies for serious violations.

Need help interpreting the hospitality requirements?

⚖ Ask AskDPO AI — Free, instant guidance

Choose Your HotelGuard Path

Start with Comply Business, then select the HospitalityProtect add-on in the next checkout step. Add DPO Shield Business afterward if your hospitality operation needs recurring cover and help matching with a suitable POTRAZ-certified DPO.