Exception to the Data Subject Rights There are exceptions to enforcement of these rights. For instance, on the right to be informed, the data controller or representative might be unable to comply or it is not necessary. These are some of the possible situations: • The data subject is already aware of the information and therefore needs to provide it, only provide what they do not know. • If information is obtained from another source, then data controller can demonstrate that they already had the information. • When providing the information is impossible especially when you have no contact details of the data subject. • When providing the information to the data subject would constitute disproportionate effort. • If providing the data subject with the information might hinder ongoing processes such as public health responses or in investigations. • If the information is required by law, and the third-party holder of such information must disclose such information. • If you are compelled by virtue of professional and confidentiality requirements under the law for instance with health or financial or taxation information. For each of these circumstances, the data controller must clearly provide enough explanation for accountability purposes. If reliance on existing law, that law must clearly state the obligation to process, and the data controller must reference the specific law. The data controller must document all these decisions and include additional information in a privacy statement or policy that might stipulate the conditions for when exceptions apply. E EXERCISE Looking at the data subject rights, what other exceptions do you see as justifiable and permissible? M I S A Z I M B A B W E • G U I D E T O T H E Z I M B A B W E A N DATA COLLECTED FROM DATA SUBJECT When collecting data from the data subject, the data controller or data processor must provide certain information which makes it possible for the data subject to exercise their rights. Section 15 of the Act provides for these as necessary requirements for processing. A data controller must develop a set of questions to satisfy themselves of compliance with these provisions as part of their duties. This information must be provided on collection, unless if there is proof that the information has been provided. The data controller must satisfy themselves that the data subject has this information, and this includes: • the name and address of data controller or data processor or their representatives • the purposes of the processing • the rights of data subject that exist, including right to object • the lawful basis of processing, and implications of failure to comply • the recipients or categories of recipients of the personal data C Y B E R A N D D A T A P R O T E C T I O N A C T - 2 0 2 2 23