any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements. Section 62(1) of the Zambia Data Protection Act and section 38(1) of the Mauritius Data Protection Act prohibit automated data processing, which includes profiling, that produces legal effects concerning the data subject or significantly affects him or her. The South African Law Reform Commission, in its seminal report on Privacy and Data Protection, described profiling in more helpful terms as 'where information which relates to an individual is structured in such a way that it can begin to answer questions about that person, so as to put his or her private behaviour under surveillance'.

Further, profiling has two process components: 1) profile generation and 2) profile application.49 In most instances, profile generation is not harmful, as is the case with most automated data processing systems. Profile generation becomes harmful when the profile is applied. Every bank has a customer profile as part of Know Your Customer (KYC), based on personal data collected on a contractual basis for the opening of bank accounts and the customer-banker relationship. If the bank then uses that information to determine the interest rate of a loan or to reject a loan application, this significantly affects the data subject. The bank must provide an explanation to the data subject to remove concerns of bias. If the decision to reject a loan or to charge high interest is communicated to a customer from an automated call centre, even one with a human agent, the engagement might again be dictated by a data-produced assessment that limits the human agent to referencing computer-generated responses. This human involvement is therefore immaterial and insufficient to provide justification and explanation.
These risks compel data controllers to seek authorisation from, or to inform, DPAs about automated data processing unless exceptions apply. Under section 20(1) of the Zimbabwe CDPA, authorisation is especially required if there is a high risk of infringement of data subject rights and freedoms. Further, section 23(1) of the Zimbabwe CDPA mandates the DPA [Authority] to keep a register of all automatic processing operations. This register must be available for public inspection. The responsibility of the data controller in respect of automated data processing is to ensure that appropriate procedures for the profiling, as well as sufficient technical and organisational measures that reduce data inaccuracies, secure personal data, and reduce and prevent any bias or discrimination, are in place.

South African Law Reform Commission, Project on Privacy and Data Protection.