POINT TO REMEMBER

The data controller or data processor must provide this information in a concise, clear and easily understood form, meaning that the forms must not have unclear statements or be ambiguous. Simple and clear language is expected, otherwise the information will be inaccessible and not compliant with the Act.

DATA NOT COLLECTED FROM DATA SUBJECT

The data controller or data processor or their representative are required to communicate with the data subject if the data is not collected directly from the data subject, unless the data subject is already in receipt of that information, in terms of Section 16 of the Act. To comply with this Section the data controller must provide:

• the name and address of the data controller or data processor or their representatives
• the purposes of the processing
• the lawful basis of processing, and implications of failure to comply
• the rights of the data subject that exist, including the right to object if information is obtained for direct marketing purposes, of which the data subject shall be informed
• the categories of data concerned
• the recipients or categories of recipients of the personal data
• the right to access or rectify the personal data

Disproportionate Effort to Comply

This situation arises when complying with the duty to provide the data subject with information, where data is indirectly collected from the data subject, might be impossible or difficult. The Act provides in Section 16 (2) that if informing the data subject requires disproportionate effort, especially for data collected for statistical, historical, scientific or public health protection and promotion, or if data is recorded or provided in terms of the law, then Section 16 (1) will not apply. Disproportionate in the Act means effort that is so labour intensive as to consume a lot of time, money and manpower resources. This exception should not be arbitrarily invoked. The data controller must take steps to satisfy themselves that there are no other less costly means to comply with informing the data subject. Therefore, the data controller must consider all their duties under Section 13 of the Act:

• The lawfulness, fairness and transparency.
• Provide information on your privacy policy to allow individuals some knowledge that processing might be taking place.
• Consider conducting a data privacy impact assessment to understand the risks [45].

POINT TO REMEMBER

While the data controller might have a legitimate interest or other reason to justify data processing or invoke exceptions, those exceptions might be overridden by the data subjects' fundamental rights, and it should be ensured that any processing has taken account of the individual right to privacy and that the least invasive approach has been used.

The data protection Authority is required to set guidelines or conditions for application of these exceptions, in terms of Section 16 (3) of the Act.

45. This is required under the GDPR Article 35 (1) if processing is likely to result in a high risk to the rights and freedoms of individuals. The GDPR lists examples of what might constitute high risk under Article 35 (3). For instance, processing of information for public monitoring (surveillance) or large-scale data or automated data processing profiling.

MISA ZIMBABWE • GUIDE TO THE ZIMBABWEAN CYBER AND DATA PROTECTION ACT - 2022