Aegis-Pulse Zim

Aegis-Pulse keeps you ahead in Zimbabwe’s evolving tech landscape. Need insights, security, or digital strategy? We’re here to help.

From cybersecurity and privacy to software and social media trends, we decode the digital world so you don’t have to.

12/09/2025

Day 12: Your Explicit Right to Correct Wrong Data

Under the CDPA, if your data is wrong, you have a clear right to get it corrected. Section 14(d) explicitly states that a data subject has a right to... "correction of false or misleading personal information." Furthermore, Section 14(e) grants the right to "deletion of false or misleading data" about you.

10/09/2025

Day 11: Section 14(d) of the CDPA directly establishes the fundamental "Right to Rectification" or "correction" of personal data. This means individuals have a legal entitlement to ensure the accuracy of their information held by data controllers.

25/08/2025

Day 10: What Companies Should Provide (Transparency)

While the Zimbabwe Cyber and Data Protection Act Section 14(b) grants the right to access personal information, it does not explicitly list what information a company must provide in response to an access request. Related sections on transparency (Sections 15 and 16) indicate what information a data controller must disclose when collecting data, which suggests a baseline for transparency:
• The name and address of the controller (and representative, if any).
• The purposes of the processing.
• Information on the right to object to processing for direct marketing.
• Recipients or categories of recipients of the data.
• Whether providing information is compulsory and the consequences of failure to comply.
• The right to access and rectify the data.


23/08/2025

Day 9: How to Ask for Your Personal Data
Want to see what data a company holds about you?
• Under the Zimbabwe Cyber and Data Protection Act, you have a right to access your personal information in the custody of a data controller or data processor. While the Act doesn't detail the "how-to," you would typically make a direct request to the entity holding your data.

(We recommend making your request in writing. In the current setting, that means sending yourself a copy of the email so you can later share it with the Authority (POTRAZ). This keeps a digital paper trail, or simply "proof" that cannot be faked, that you have tried to engage your controller.)

• The EU GDPR states you have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data. This means a simple request should suffice, and the controller must respond.

23/08/2025

Day 8: Understanding Your Right to Access Your Data
Your right to access personal data is fundamental! It allows you to know if your data is being processed and to get a copy of it.
• The Zimbabwe Cyber and Data Protection Act includes the "right to access their personal information" as a key data subject right.
• The EU GDPR explicitly grants data subjects the right to obtain confirmation of processing and access to their personal data from the controller.

21/08/2025

Day 7: CDPA vs. GDPR: Key Similarities and Differences in the Right to Be Informed

Both the Zimbabwean CDPA and the GDPR aim to ensure that data subjects are adequately informed about the processing of their personal data.

Similarities:

• Both frameworks require disclosure of the identity of the data controller, the purposes of processing, and the rights of the data subject (e.g., right to object, access, rectify, delete).

• Both emphasise that consent, where required, must be informed and the request for it must be clear and easy to understand.

• Both recognise that the right to be informed may be subject to exceptions, such as when informing the data subject proves impossible or involves disproportionate effort.

Differences:

• The scope of required information is more explicitly detailed and extensive in the GDPR (via Articles 13 and 14) than in the CDPA (Sections 15 and 16). For example, GDPR explicitly lists criteria for data storage periods, statutory/contractual requirements for providing data, and detailed information about automated decision-making and profiling, even when collecting directly. The CDPA provides a more general framework, though it strengthens this with principles that aim for fair processing.

• GDPR specifies that information should be provided in a "concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child," and even allows for standardised icons. The CDPA states consent requests must be "clear and easy to understand and must be in an age-appropriate manner" (via processing of children’s personal information guidelines).

• CDPA Section 7, "Quality of Data," primarily focuses on data quality principles (adequacy, relevance, accuracy, retention limits) rather than direct information disclosure requirements to the data subject. However, these quality principles underpin the data controller's overall responsibility to ensure transparent and fair processing, which indirectly supports the right to be informed.

21/08/2025

Day 6: What a Company Must Tell You (GDPR - Indirect Collection)
When personal data has not been obtained directly from the data subject, GDPR requires the controller to provide the following information:
• The identity and contact details of the controller and, if applicable, their representative and DPO.
• The purposes and legal basis for processing.
• The categories of personal data concerned.
• The recipients or categories of recipients.
• Information on transfers to third countries or international organisations, including adequacy decisions or safeguards.
• The period for which data will be stored or criteria for determining it.
• The legitimate interests pursued by the controller or a third party, if applicable.
• The existence of data subject rights, including rectification, erasure, restriction, objection, and data portability.
• The right to withdraw consent.
• The right to lodge a complaint with a supervisory authority.
• The source of the personal data, and whether it came from publicly accessible sources.
• The existence of automated decision-making, including profiling, with meaningful information.
• This information must be provided within a reasonable period (at latest one month), at the time of the first communication with the data subject, or at the latest when data is first disclosed to another recipient.
• Exemptions apply if the data subject already has the information, provision is impossible or disproportionate, or obtaining/disclosure is expressly laid down by law with appropriate safeguards, or where professional secrecy applies.


19/08/2025

Day 4: What a Company Must Tell You (GDPR - Direct Collection)

Under GDPR, when personal data is collected directly from the data subject, the controller must provide comprehensive information at the time of collection:

• The identity and contact details of the controller and, if applicable, their representative and Data Protection Officer (DPO).
• The purposes and legal basis for processing the personal data.
• The legitimate interests pursued by the controller or a third party, if processing is based on such interests.
• The recipients or categories of recipients of the personal data.
• Information about transfers to third countries or international organisations, including adequacy decisions or appropriate safeguards.
• The period for which data will be stored or criteria for determining that period.
• The existence of data subject rights, including rectification, erasure, restriction, objection, and data portability.
• The right to withdraw consent at any time.
• The right to lodge a complaint with a supervisory authority.
• Whether providing personal data is a statutory or contractual requirement, or necessary for a contract, and the consequences of not providing it.
• The existence of automated decision-making, including profiling, with meaningful information about the logic, significance, and consequences.
• If the controller intends to further process data for a different purpose, this must be communicated before such processing.

19/08/2025

Day 5 on the Right to be Informed: What a Company Must Tell You (Zimbabwean CDPA - Indirect Collection)
If a data controller in Zimbabwe obtains your data from a source other than directly from you, they must provide similar information when recording the data or before communicating it to a third party, unless you already know it. This includes:
• The name and address of the controller and their representative, if any [16(1)(a)].
• The purposes of the processing [16(1)(b)].
• Whether compliance with the information request is compulsory, and its consequences [16(1)(c)].
• Your right to object to processing for direct marketing, which must be communicated before the data is first disclosed for direct marketing purposes [16(1)(d)].
• Supporting information for fair processing, such as the categories of data concerned, recipients, and your right to access and rectify data [16(1)(e)].
• Other information specified by the Authority based on the processing's nature [16(1)(f)].
• This requirement may not apply if informing you is impossible or involves disproportionate effort, or if data is recorded or provided by law.


16/08/2025

Day 3: What a Company Must Tell You (Zimbabwean CDPA - Direct Collection)

When a data controller in Zimbabwe collects data directly from you, they must provide specific information, unless you already have it. This includes:
• The name and address of the data controller and their representative, if any [CDPA S15 (1)(a)].
• The purposes of the processing [S15(1)(b)].
• The existence of your right to object to direct marketing [S15(1)(c)].
• Whether providing the information is compulsory, and the consequences of not complying [S15(1)(d)].
• Any supporting information necessary for fair processing, such as the recipients of the data, whether replying is compulsory and its consequences, and the right to access and rectify data [S15(1)(e)].
• Other information specified by the Authority, depending on the nature of processing [S16(1)(f)].

14/08/2025

Day 2 on the Right to be Informed: Why is the Right to Be Informed Important?

For data subjects, the right to be informed puts individuals in control, builds trust and engagement, and enhances the data controller's reputation. It also allows them to understand the reasons for data processing, including any further processing, and their rights.
From a data controller's perspective, providing informed consent is a lawful basis for processing personal information and is crucial for maintaining trust and avoiding significant fines. It also ensures that where children and vulnerable individuals are involved, their parents/guardians understand what they are consenting to when their data is processed.


13/08/2025

Today we begin our first 100-day privacy journey: Week 1, the right to be informed

The Right to Be Informed: What Is It?
The right to be informed is a fundamental right of data subjects, including children, which ensures they are aware of how their personal information is being processed. It means that individuals have a right to be told about the use to which their personal information is to be put. This right ensures transparency in how data controllers and processors handle personal data.

(Data controllers and processors are organisations and/or people dealing with the data of individuals.)


Address

Harare