www.misa.org 3.5. Rights of Data Subjects Section 14 (a) of the Cyber and Data Protection Act enshrines the right to information of data subjects. However, it does not prescribe how the data controller should exercise the right. Accordingly, it is submitted that the right to information as provided for in Section 14 (a) should be enhanced by expressly imposing an obligation on the data controller to communicate the information to the data subject in a concise, transparent, intelligible and easily accessible manner; using clear and plain language.16 Further, the scope of the right to rectification enshrined in Section 14 (d) of the Act needs to be more comprehensive. It confines itself to correcting false or misleading information to the exclusion of completion of inadequate information. Accordingly, the scope of the right should be broadened to include the data subject’s entitlement to completion of inadequate data, including the entitlement to provide a supplementary statement17. By the same token, the scope of the right to erasure (the right to be forgotten) enshrined in Section 14 (e) of the Act is not broad enough. It limits itself to the erasure of false or misleading personal information. It is submitted that the scope of the right to erasure should be broadened to include the erasure of all personal information, particularly where the personal information is no longer necessary in relation to the purpose for which it was collected; the data subject withdraws consent and the personal information has been unlawfully processed18. In addition, the right to object enshrined in Section 14 (c) of the Act should be enlarged to include the entitlement by the data subject to object at any time to the processing of personal data for direct marketing or campaigning19 and to object to be subjected to a decision based solely on automated processing20. The express provision for the right to object to be subjected to a decision based solely on automated processing is particularly important considering the proliferation of artificial intelligence. Further, the scope of data subject rights should be broadened by including additional rights. In that regard, there is a need to expressly enshrine the right to restriction of data processing in appropriate circumstances, including where the data subject contests the accuracy of the data; the processing is unlawful; the data controller no longer needs the personal information21. By the same token, there is need to enshrine the right to data portability expressly. Article 20 of the EU GDPR defines the right to data portability as the entitlement by a data subject “to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”. In addition, a provision expressly requiring the data controllers to perform the obligations imposed on them by the data subject rights is needed. 16. See Article 12 (1) of the EU GDPR. 17. See Article 16 of the EU GDPR. 18. See Article 17 (1) of the EU GDPR. 19. See Article 21 (2) of the EU GDPR. 20. See Article 22 (1) of the EU GDPR. 21. See Article 18 of the EU GDPR. Misa Zimbabwe Policy Brief 9