MISA ZIMBABWE • GUIDE TO THE ZIMBABWEAN CYBER AND DATA PROTECTION ACT - 2022

QUESTION
How does the data controller, their representative or data processor prove compliance with provisions of the Act?

DECISION TAKEN ON BASIS OF AUTOMATIC DATA PROCESSING

Part VI focuses on automated data processing broadly, as well as for children or minors and other persons who lack the capacity to make decisions on the processing of their personal data.

In terms of Section 25 (1) of the Act, a data subject shall have the right not to be subjected to automated data processing resulting in some legal decision or other impacts on their person, such as but not limited to profiling.

What is automated data processing?
This is where personal information is collected or processed automatically and a decision is made without the involvement of any human or manual effort. For example, online loan applications that are not human-mediated can deny an individual access to loans as not creditworthy, or not reliable and economically unstable.

What is profiling?
This is the automated processing of personal information or data, including sensitive data, to evaluate certain things about an individual and reach a conclusion about that person that has legal effects or implications. The implications of profiling culminate in conclusions about a person on, for instance, their ability to perform a task, such as through the use of algorithmic aptitude tests deployed during job interviews, or their likely behaviour, assessed through predictive analysis and concluding that someone is of criminal disposition. Profiling can therefore be part of an automated decision-making process.

The GDPR Article 4 (4) defines profiling as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements."

Is automated processing and decisions lawful?
Yes. Section 25 (2) of the Act permits it if the individual has consented to the decision being made based on automated data processing, or if the processing is pursuant to a provision established by law. The consent must be explicit and not implied. It can also be based on legally authorised requirements such as an employment contract or the investigation of fraud or tax-related matters.

There is limited clarity in the Act on how automated data processing of sensitive data must be handled. General practice, and under the GDPR [55], however, is that a data controller must obtain explicit consent from the data subject and that the processing is necessary for reasons of substantial public interest. Automated processing of sensitive personal data must be accompanied by appropriate safeguards and measures that reduce or eliminate inaccuracies that have potential impact on data subjects, and prevent the different harms from occurring.

[55] GDPR Article 22