Third, if prevention of fraud is a legitimate interest for Chad Gore Medical Scheme, and even other end users, do the individual interests override the legitimate interest. At this stage, the data controller is asking whether the decision is proportionate, or the interests of the data subject, which is the protection of fundamental rights and freedoms, override the data controller’s legitimate interests. SENSITIVE INFORMATION Considerations on Legitimate Interest While these are not exhaustive, a data subject can inquire if these have been met, while data controller must ensure these are satisfied. • There are no other grounds for processing and legitimate basis is the most relevant. • There is a record of assessing that legitimate interest is the only relevant. • The controller or processor has identified the interest and not just vaguely stated. • The controller has checked that processing is: o Necessary and no other way of achieving the result o Balancing of interests and that data subject interests are protected but they do not override legitimate interests o Proportionate means were used and not to invade into data subject privacy This provision refers to sensitive data under Part I of the Act. Sensitive information requires safeguards as its unlawful collection or processing might result in grave violations for the data subject. There are several options for the processing of sensitive information. Consent is required P POINTS TO REMEMBER From this section, what is important to note that processing of personal information can occur without the consent of the data subject if any other lawful or legitimate ground exists, unless if the other fundamental rights override these provisions. Further, the data controller stating that there are legitimate interests without stating what those are is not enough to constitute a lawful processing. First, consent is required, and it must be explicit, and in writing from the data subject. The data controller cannot process sensitive data without explicit consent under Section 11 (1) of the Act. Consent can be withdrawn Further, Section 11 (2) of the Act allows for consent to be withdrawn, at any time free of charge. Even in instances of consent, the Authority is permitted under Section 11 (3) of the Act to refuse the consent to processing of sensitive information. M I S A Z I M B A B W E • G U I D E T O T H E Z I M B A B W E A N C Y B E R A N D D A T A P R O T E C T I O N A C T - 2 0 2 2 19