The one thing you can be certain of is that whenever you visit the internet, someone is busy collecting your data. We consent to this collection because we want the free stuff, like seriously, who’s going to tell WhatsApp ‘no’? Do that and you won’t get to use WhatsApp.

It’s not just WhatsApp that collects data, right here in Zimbabwe, your data is on plenty of servers. You are not completely powerless, you do have rights as enshrined in the Cyber Security & Data Protection Act.

Reading through Acts is just not something most of us do. So the Postal and Regulatory Authority of Zimbabwe is on a campaign to educate us all on the contents of the Act we are talking about.

Read on to learn more about your rights.

Key Definitions
A data subject is a person whose personal information can be collected by a Data Controller. Anyone can be a data subject, including a child or an adult. This means anyone who gives out their personal information becomes a data subject.

Personal information includes; name, address, telephone number, race, national or ethnic origin, colour, religious or political beliefs or associations, age, sexual orientation, gender, marital or family status, fingerprints, blood type, health care history, educational, financial, criminal or employment history, opinions or views expressed, personal correspondence pertaining to home and family life.

A data controller is a person or company that processes the personal information of data subjects.

Objective
In December 2021, the President of the Republic of Zimbabwe signed into law the Cyber and Data Protection Act [Chapter: 12:07].

This law ushered in a new era where citizens have better control over their personal information by outlining the rights of data subjects. It also created obligations and responsibilities for data controllers to ensure the realisation of the right to privacy in Zimbabwe.

The law also created a Data Protection Authority (DPA) which is responsible for supervising the lawful processing of personal information in Zimbabwe. The Postal and Telecommunications Regulatory Authority is the designated Data Protection Authority.

Right to be informed
It is your right to be told before your information is taken from you or before it’s processed. You must be told why they need the information and what will they use the information for.

The purpose for processing.
Period for which data will be stored.
Third parties to whom the personal data will be disclosed.
Rights of the data subject.
Right of Consent
This means you must voluntarily give out your personal information and you must approve how it will be used.

Consent must be written, clear, available, easily accessible, and transparent. The right is not absolute as there are exceptions to the right to consent.

Right to withdraw Consent
You have a right to withdraw given consent to the processing of your personal information at any time and without any explanation and free of charge.
Right of Access

You have a right to gain access to your personal information that the data controller processes.

Right of Correction
You have a right to have incorrect and misleading personal information about you rectified or corrected.

Right to deletion
You have the right to have personal information about you where:
Personal information about you is misleading or is false. The data are no longer necessary in relation to the purpose for which it was collected.
You have withdrawn your consent
Your personal data was unlawfully processed.
Right to restriction of processing (limitation)
You enjoy the right to restrict the processing of your personal information.

Right to objection
In certain cases, you have a right to object to the processing of your personal information by the data controller, especially the right to object to automated decision-making, that is, the processing of data for direct marketing or profiling without your consent.

Right to fair, lawful and transparent processing of personal information
You have a right to have your personal information processed in a fair, lawful and transparent manner. This includes having your data processed under the legal basis provided by the law, processed only for the specific purposes for which it was collected and kept for a period that is necessary for the purposes for which it was collected.

Right to complain
You have a right to complain to either the data controller or the Data Protection Authority.

The data subject is to write or complete a complaints notification form to the data controller or Data Protection Authority.

Data subject must get a response or decision and evidence to support the response or decision.-techzim