🏯 SafeSchool — Complai Africa

Complete CDPA Compliance for Schools

Schools are Zimbabwe's highest-risk data controllers. You process children's data under the strictest provisions of CDPA Section 12 and CDPG 2 of 2024, and DPO appointment is mandatory regardless of size. Complai Africa helps you prepare the right toolkit and identify a suitable DPO, while the school remains responsible for the formal appointment and filing.

📁 SafeSchool Document Bundle

  • Data Protection Policy (Board-ready) [Included]
  • Parental Consent Form (3-tier) (Guardian verified) [Included]
  • Staff Confidentiality Agreement (All staff) [Included]
  • DPIA Template (CCTV, biometrics, and e-learning) [Included]
  • Vendor Data Processing Agreement (Google and Microsoft) [Included]
  • Cross-Border Transfer Package (POTRAZ authorisation) [Included]
  • Breach Response Protocol + DP3 (24-hour rule) [Included]

Your Legal Obligations

What the CDPA Requires from Your Organisation

These are mandatory legal requirements under Zimbabwe law, currently being enforced by POTRAZ.

CDPA S.12: Children's Data — Highest Risk
Schools process data of under-18s, placing you in the highest-risk category. Separate written parental consent is mandatory for each processing purpose.

S.I. 155 S.7: DPO Appointment — Mandatory
Schools are NOT eligible for DPO exemption regardless of size. Children's data processing makes DPO appointment mandatory.

CDPG 5/2024: Google Workspace & Microsoft 365
Using any offshore cloud service is a cross-border transfer requiring a separate POTRAZ authorisation, updated parental consent, and a Data Sharing Agreement.

CDPG 2/2024: Children's Data Principles
No automated decision-making affecting children. Data must be stored in Zimbabwe or with prior POTRAZ authorisation. Retention periods strictly enforced.

What Your Plan Includes

Comply Foundations, EduProtect Extras, and DPO-Ready Delivery

SafeSchool combines your chosen Comply tier with EduProtect overlays for children's data. DPO Shield is optional recurring support layered on afterward.

  • School Data Protection Policy (Board-ready) [Comply]
  • Parental Consent Forms (Guardian verified) [EduProtect]
  • Children's Data Handling Checklist (Staff and safeguarding workflows) [EduProtect]
  • DPIA Template (CCTV, biometrics, and e-learning) [Comply]
  • Student Records Retention Schedule (Attendance, assessment, and alumni records) [EduProtect]
  • EdTech Cross-Border Assessment (Google Classroom, Microsoft 365, LMS tools) [EduProtect]
  • Breach Response Protocol + DP3 (24-hour rule) [Corporate+]
  • Data Asset Register & ROPA (POTRAZ DP1 ready) [Business+]
  • Compliance Gap Assessment (27-point checklist) [Business+]
  • DSAR Response Kit (Parent and guardian requests) [Business+]

Comply Tier Foundations

ROPA and Impact Assessments from Your Comply Tier

These frameworks come from your Comply package, with EduProtect adding school-specific prompts and overlays where children's data needs extra controls.

Record of Processing Activities (ROPA)

Required under CDPA Section 13. This sits inside Comply Business and above, and becomes the backbone of your POTRAZ Form DP1 position.

Your SafeSchool ROPA covers:

  • Student enrolment and identity records
  • Parent/guardian contact and consent data
  • Academic records and assessment data
  • Staff employment and payroll records
  • CCTV footage (reception and school grounds)
  • Website and online learning platform data
  • Health/medical information where held
  • Financial records (fees and donations)
Included in: Comply Business and above

Data Protection Impact Assessment (DPIA)

Required under CDPA Section 18 before any high-risk processing activity. Lite coverage starts in Comply Essentials, with broader scenario coverage expanding in higher tiers.

A DPIA is required for:

  • Introducing CCTV or biometric attendance systems
  • Adopting any new cloud-based student management system
  • Implementing e-learning platforms processing children's data
  • Collecting biometric data (fingerprints for access)
  • Any new processing of health data of students
  • Cross-border transfer to any offshore cloud provider
Included in: all Comply tiers, with scope varying by package
Common Questions

Frequently Asked Questions

Our school has under 100 students. Do we still need to comply?
Yes. The POTRAZ threshold is 50 data subjects — including staff, students, parents, and website visitors. Almost every school in Zimbabwe exceeds this. Because you process children's data, DPO appointment is mandatory regardless of size.

We use Google Classroom. Is this a problem?
Google Workspace stores data outside Zimbabwe. Under CDPG 5 of 2024, this requires a separate POTRAZ authorisation before you continue using it. Complai Africa provides the templates, guidance, and DPO matching support for that process, but the filing remains the school's responsibility.

What is the POTRAZ licensing fee for a school?
Most schools are Tier 1 (up to 1,000 total data subjects) — the POTRAZ fee is USD $50 paid directly to POTRAZ. If you exceed 1,000 total data subjects, you may be Tier 2 at $300.

What happens if we have a data breach — for example a lost USB with student records?
You must notify POTRAZ within 72 hours of discovering the breach, then notify affected parents. The SafeSchool toolkit includes a pre-filled Form DP3 template and step-by-step protocol.

Choose Your SafeSchool Path

Start with Comply Essentials, then select the EduProtect add-on in the next checkout step. Add DPO Shield Essential afterward if you need support matching with a named school-facing DPO and recurring oversight. The school remains responsible for formal appointment and regulatory filing.