The meaning of established must be construed wider than being registered, legally incorporated or some physical, or virtual presence10. The EU case law and European Data Protection Board guidance on meaning of “in the context of the activities of an establishment” must not be interpreted restrictively 11 . On the other hand, the existence of an establishment within the meaning of the GDPR should not be interpreted too broadly12. WHAT DATA IS PROTECTED UNDER THE ACT? The data protected is of any person; a natural person, meaning that the person should be living, and identifiable or identified as a person. Information of deceased persons is personal data WHEN IS THE ACT ENFORCEABLE? but not considered as personal information for processing purposes and therefore not protected at the same levels as that of a living and identifiable individual. In South Africa for example, POPIA Section 6(1) provides that information collected for individual personal use or family use is not considered personal data for purposes of compliance with POPIA. Zimbabwe’s Act is silent. Further POPIA Section 7 excludes personal information that is being processed ‘solely for the purpose of journalistic, literary or artistic expression to the extent that such an exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression.’ The EU GDPR article 2(c) on material scope provides that the GDPR provisions does not apply when the processing of The Act came into force the day it was gazetted. This means that compliance is immediate and therefore everyone concerned or conducting data processing must endeavour to comply with this law, within a reasonable period. This approach while intended to avoid gaps in regulatory enforcement of data protection, creates difficulties in compliance, oversight and implementation. The enforcement of POPIA was in stages, and had transitional provisions to allow individuals, companies and government sufficient time to put in place the required operational mechanisms13. Equally, under POPIA, the data protection Authority, the Information Regulator, required sufficient time to put in place necessary structures, funding and human resources14. 10 11 12 13 14 8 personal data is ‘by a natural person in the course of a purely personal or household activity’. In that regard, while the Act is not explicit, the trend has been that data for personal use or family use is not covered as that does not constitute processing. GDPR recital 22. The “[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.” Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version for public consultation Adopted on 16 November 2018; WP 179 update - Update of Opinion 8/2010 on applicable law in light of the CJEU judgment in Google Spain, 16th December 2015 POPIA section 114. Zimbabwe, POTRAZ as data authority was already in existence, and functional at the time of gazetting of the Act. M I S A Z I M B A B W E • G U I D E T O T H E Z I M B A B W E A N C Y B E R A N D D A T A P R O T E C T I O N A C T - 2 0 2 2