NON-SENSITIVE DATA (d) for public interest (e) for promotion of the legitimate interests of the data controller or third party unless other fundamental rights exist34 Consent is required Section 10 of the Act provides for conditions of processing of what the Act calls non-sensitive data. This is personal information as defined above in Part I of the Act. The section 10 (1) starts off with consent as a condition of processing, for a data subject or consent of guardian of minor. Legitimate interests are different and wide. Using the guidance developed for the GDPR, data controller must therefore consider a test of what constitutes legitimate interest as this can be subjective. This test has been used in courts35 and the three aspects must be satisfied: • Purpose test: are you pursuing a legitimate interest? • Necessity test: is the processing necessary for that purpose? Consent is required but can be implied Section 10 (2) of the Act allows for consent not to be specific or explicit, but it can be implied, if data subject is an adult. The implied, does not mean that there are no other grounds to process the data which the adult subject is aware of. This Section introduces a ‘legal persona’. This term is not defined in the Act, nor are there any indications of what this means in relation to data processing. This means that other than a natural identifiable data subject consenting, other forms of legal existence such as companies, or trusts can consent to data processing33. If Chad Gore (natural person) registers a company Gore Technologies (legal persona, juristic person) the information of Gore Technologies on credit rating is then processed by Credit Rating Bureau, then such information constitutes juristic-personal information. It is not possible to separate Gore Technologies from Chad Gore. • Balancing test: do the individual’s interests override the legitimate interest? i ILLUSTRATION Chad Gore Medical Scheme wants to process personal data to remove fraudulent medical aid claims on grounds of legitimate interests. First is this in the interests of Chad Gore Medical business interests to ensure that medical aid claims are genuine. Second, if legitimate interest is satisfied, then consider whether processing of that specific personal information is necessary. Necessity asks whether there are other means to achieve the same objective which are less invasive to privacy, for instance, the level of data collected, do you need to know the medical conditions claimed for or you will only need to know the claimed amounts? Consent is not necessary Section 10 (3) (a)-(e) of the Act lists instances were consent, even implied consent is not required of the data subject, natural or legal persona if the information is: (a) required for criminal offence proof 33 (b) for compliance with law or controller requirement 34 See GDPR article 6(1)(f) 35 Rigas case (C-13/16, 4 May 2017 (c) for protecting interests of data subject 18 M I S A Z I M B A B W E • G U I D E POPIA section 1, includes identifiable juristic persons in definition of personal information. T O T H E Z I M B A B W E A N C Y B E R A N D D A T A P R O T E C T I O N A C T - 2 0 2 2