of Personal Information Act in Zimbabwe, and this might be a drafting error or demonstration of intent to pass the Act. [6] Therefore, in interpreting the provisions of the Act, one must always take an approach that advances a higher level of data protection consistent with the Constitution and any other relevant international treaties and conventions. However, one might suggest that if any other laws are inconsistent with the provisions of the Act, then the Act prevails if it provides better and higher protection, as long as that is not inconsistent with the Constitution. South Africa’s POPIA provides under Section 2 (a) and (b) respectively that:

“This Act applies, subject to paragraph (b), to the exclusion of any provision of any other legislation that regulates the processing of personal information and that is materially inconsistent with an object, or a specific provision, of this Act … If any other legislation provides for conditions for the lawful processing of personal information that are more extensive than those set out in Chapter 3, the extensive conditions prevail.” [7]

WHERE IS THE DATA PROCESSING TAKING PLACE?

Territorial Principle

Section 4 of the Act introduces a territorial scope of application. The Act is applicable if data processing is ‘carried out in the context of the effective and actual activities of any data controller’. The Act requires that if the data controller is not established in Zimbabwe, then a representative must be appointed in Zimbabwe. [8] This means that any entity that processes Zimbabweans’ personal data must designate a representative in Zimbabwe.

The meaning of effective and actual activities of the data controller requires additional guidance. Actual activities of the data controller might be defined to mean an activity that connects the reason for existence of the data controller with the data processing in question. The two must be related.
The GDPR territorial scope applies if the data controller has an establishment that economically supports the data processing carried out by the main company. [9]

Establishment Principle

Section 4 (2) of the Act introduces the establishment principle, allowing for the real exercise of data processing activity through some arrangements, either of a temporary or permanent nature, of the data controller. This principle also provides for choice of law depending on where the data controller is established. For the Act to apply, the data controller need not be permanently established in Zimbabwe.

[6] Even if it was not an error, then the Cyber and Data Protection Act provisions might have to change to incorporate this proposed law.
[7] POPIA section 3(2)(b).
[8] This provision, if widely interpreted, sets the stage for legal liabilities for internet-based platforms.
[9] European Court of Justice, Google Spain C-131/12.

MISA Zimbabwe • Guide to the Zimbabwean Cyber and Data Protection Act - 2022