TRANSFER OF PERSONAL INFORMATION OUTSIDE ZIMBABWE As data processing is happening on digital platforms or even manually, then stored on digital platforms, it means that data will move across borders. This is what has become known as cross border data transfers or data transfers. Part VII of the Act regulates the transborder flow of information. Remember that privacy is about protecting personal information while freedom of expression and access to information depend on the free movement of personal information across frontiers, and even for economic and trade purposes58. Data subject and data controller can be in the same country, and no transfer takes place as this is purely data collection. They can be in different countries, and still remains as data collection, but becomes cross border data collection if data controller is outside the country and authorising an in-country data processor. E EXERCISE In these scenarios identify if there is a data transfer or not. Scenario 1: Chad Gore Technologies posts on their website and social media platforms that as a company ZEC has approved them to support the voter registration taking place countrywide. Scenario 2: Chad Gore Technologies collects personal information in Zimbabwe and sends this to local storage in Harare industrial area and simultaneously sends the information on a cloud system located in a different country. What is data transfer? Scenario 3: Chad Gore Technologies collects personal information from their base in Zambia from data subjects in Zimbabwe. Transfer is the intentional sending of personal information by a data controller or data processor to a third-party recipient either through a data controller or data processor, in another country or an international organisation and the data is accessible and available. The third-party recipient in the other country or international organisation is not the data subject. Section 28 (1) of the Act provides for the transfer of personal information by a data controller to a foreign country or international organisation if there is adequate level of protection in the country or international organisation. The determination of adequate levels of protection are listed under Section 28 (2) of the Act. These circumstances for the data transfer must take into account: • nature of the data • purpose and duration of the processing Data transfer is not data transit. Data transit is where personal information or data is sent through an intermediary such as an internet host, internet service provider, and the intermediary have no access to the information for purposes of any action, decisions or otherwise during the transit period. This is not to suggest that there will be no unauthorised access, interception or collection during transit period. M I S A Z I M B A B W E • G U I D E T O T H E Z I M B A B W E A N • recipient country or international organisation 58 C Y B E R GDPR preamble 101. A N D D A T A P R O T E C T I O N A C T - 2 0 2 2 31