Q QUESTION What recourse exist for data subjects if they are subjected to automated data processing? • Data controller must be satisfied that parent or guardian has parental Authority. • Data controller then proceeds to process information. These steps are relevant for manual data processing. Q QUESTION REPRESENTATION OF DATA SUBJECT WHO IS CHILD Can the processing of data of minor be only based on consent of parents, or other exceptions can also apply? 56 Section 26 of the Act provides that processing of personal and sensitive information of minors requires parental or guardian consent or approval. This Section is very important as most children are now having access to digital or internet platforms which require that an individual indicate their age or at least that they are not under 18 years. The data controller must consider having tools that help to ascertain the age of the user and that they are not under 18 years. The GDPR recognises a child or minor is 16 years, however countries can reduce that but not below 13 years for purposes of data processing57. This is for purposes of assessing digital maturity and attaining digital consent. The Authority must develop additional guidance. CONSIDERATION FOR PROCESSING OF CHILDREN PERSONAL INFORMATION • Data subject or user must confirm whether they are under or over 18 years. • If data subject or user is below 18, then platform or data controller informs child that parental consent is need. • User shares email address or contact details of the guardian or parent. • Data controller contacts parent or guardian who shares consent or declines. 30 M I S A Z I M B A B W E • G U I D E T O T H E REPRESENTATION OF PHYSICALLY, MENTALLY OR LEGALLY INCAPACITATED DATA SUBJECTS Under Section 27, the Act protects the processing of data of individuals who are physically, mentally, or legally incapacitated. In other words, these individuals may not be capable of exercising their rights as provided in the Act. Individuals whose incapacity has been medically proven by a qualified physician may exercise such rights through parents or guardians as provided by law or designated by court. 56 This section would have benefitted from referencing of other sections as grounds for processing or alternatively framed as POPIA Section 35 providing for the General authorisation concerning personal information of children. 57 GDPR Article 8 (1)-(3). Z I M B A B W E A N C Y B E R A N D D A T A P R O T E C T I O N A C T - 2 0 2 2