The Act does not specifically provide for BCR; however, comparative laws such as POPIA provide for such under data transfer provisions. POPIA defines BCRs as ‘personal information processing policies, within a group of undertakings, which are adhered to by a responsible party [controller] or operator [processor] within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country’ [60].

STANDARD CONTRACT CLAUSES

SADC as a regional economic community adopts its data protection laws and requires all members that intend to send data from SADC to abide by a set standard of rules. These rules will be applicable to all member states intending to send data to a non-SADC member state. Such BCR and SCC rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers and protection of data subjects’ rights. They must be legally binding and enforced by every member concerned of the group.

TRANSFER TO COUNTRY OUTSIDE ZIMBABWE WHICH DOES NOT ASSURE ADEQUATE LEVEL OF PROTECTION

The transfer of data is intended to advance the data subject’s rights, the pursuit of legitimate controller interests, or another basis provided at law. Therefore, even if there is no adequate protection offered in the recipient country or international organisation, data transfers can take place according to Section 29 (1) if the:

(a) data subject has consented to the transfer
(b) transfer is for performance of a contract between data subject and controller in response to data subject
(c) transfer is for conclusion of contract or to be concluded in the interest of data subject
(d) transfer is necessary or legally required on public interest grounds
(e) transfer is to protect vital interests of the data subject
(f) transfer is made from public register and information is publicly available

These provisions are similar to the POPIA under Section 72(1).

Code of Conduct

Part VIII of the Act provides for the adoption of codes of conduct. Section 30 (1) allows the Authority to adopt guidelines and approve codes of conduct and ethics governing data controllers’ conduct and the various categories of data controllers.

WHAT IS A CODE OF CONDUCT?

The Act defines a code of conduct as “data use charters drafted by the controller in order to institute rightful use of IT resources, the Internet, and electronic communications of the structure concerned, and which have been approved by the Data Protection Authority”. A code of conduct is a set of rules laid down by an association, an industry, or a profession with the intention of regulating the conduct of the association members, industry members or professionals in respect of data processing. The codes of conduct can be classified according to different associations. The codes of conduct ordinarily include voluntary monitoring mechanisms to allow for members’ compliance, enforcement and supervision, though the final supervisory body is the Authority. Codes of conduct help data controllers to enforce good industry-wide or profession-wide data processing practices, and challenges can be resolved through an industry-wide approach.

[60] POPIA section 72 (2).

MISA ZIMBABWE • GUIDE TO THE ZIMBABWEAN CYBER AND DATA PROTECTION ACT - 2022