REGULATIONS, OFFENCES, PENALTIES AND APPEALS representative are liable for any fines that are imposed on their agents. E EXERCISE Part X of the Act which constitutes general provisions has a section on regulations, offences and penalties and appeals in terms of the Act. Regulations Section 32 of the Act gives powers to the Minister in consultation with Authority to make regulations for matters related to the Act. These regulations can also cover some of the specified areas such as Sections 25 to 27 which deal with decisions on automated data processing, representation of the data subject who is a child; and representation of physically, mentally or legally incapacitated. Chad Gore Technologies have completed the collection of voter registration biometric information for ZEC. To achieve a quick turnaround exercise Chad Gore Technologies sub-contracted Chigs Technologies to provide additional collection and storage support. Chigs Technologies creates a backdoor access to the data servers for Asphalt Marketing to collect numbers, biometrics and all personal data, which they are using for marketing and screening for employment. Chigs Technologies, further shares biometrics (eye and fingerprints) to Catch Them All private investigators. ZEC proves no knowledge of all these transactions and fails to confirm that Chad Gore Technologies had implemented appropriate technical and organisational measures. Further, several political parties have started sending messages to registered voters urging them to vote in the coming 2028 elections. 1. Identify the data breaches and violations? 2. Who is liable for the various data breaches? 3. Who should notify the DPA? Offences and Penalties 4. Should the data subjects be notified, if not why? There are various offences and penalties under the Act. Section 33 (1) penalises any member of the Authority including an expert or contractor who violates provisions of the Act. In addition, Section 33 (2) criminalises violation of several sections by data controller or representative. These sections are: • Section 11 on sensitive data • Section 13 on duties of the controller • Section 18 (4) on appropriate technical and organisational measures to safeguard data security, integrity and confidentiality • Section 24 on accountability • Section 28 on transfer of personal information. In the event of data that is unlawfully acquired, the courts are authorised to order seizure of the materials or deletion under Section 33 (3), 33 (4) and 33 (5). Data controller or their M I S A Z I M B A B W E • G U I D E T O T H E Z I M B A B W E A N C Y B E R A N D D A T A P R O T E C T I O N A C T - 2 0 2 2 35