Record of Processing Activities

PA-001

Biometric Health Screening

Purpose

Collect facial-video-derived vital signs (heart rate, blood pressure, SpO₂, breathing rate, stress level) for occupational health risk triage.

Lawful Basis

GDPR Art.6(1)(a) + Art.9(2)(a) — Explicit consent for special category health data; Zim DPA § 30 — Consent.

Data Subjects

Employees of subscribing organizations

Personal Data Categories

Heart rate, blood pressure (systolic/diastolic), SpO₂, breathing rate, stress index, HRV (SDNN/RMSSD), PRQ, hemoglobin, wellness score, triage band, comorbidity flags.

Recipients

Clinical dashboard (authorized clinicians), HR dashboard (aggregate only, k-anonymized), Insurer dashboard (portfolio-level, no PII).

International Transfers

Binah.ai SDK (Israel/EU) — processing only, no storage. Resend (US) — transactional email delivery. Vercel (US) — hosting. All under Standard Contractual Clauses.

Retention Period

Raw scan data: per organization retention policy (default 730 days). Anonymized aggregates: 5 years. Audit logs: 7 years.

Security Measures (Art.32)

AES-256-GCM field-level encryption at rest, TLS 1.3 in transit, JWT session tokens (1h expiry), RBAC with 6 role tiers, k-anonymity suppression (cohort < 5), audit logging.

PA-002

Employee Identity Verification

Purpose

Authenticate employees via employee ID + date of birth for access to personal health screening results.

Lawful Basis

GDPR Art.6(1)(b) — Necessary for the performance of a contract; Zim DPA § 30(1)(a).

Data Subjects

Employees of subscribing organizations

Personal Data Categories

Employee ID, first name, SHA-256 hashed date of birth (plain-text DOB never stored).

Recipients

Internal authentication system only.

International Transfers

None — processed and stored locally.

Retention Period

Active employment period + 90 days post-deactivation. Hashed DOB retained with scan records per retention policy.

Security Measures (Art.32)

DOB hashed client-side (SHA-256) before transmission, bcrypt comparison server-side, rate-limited login (5 attempts/15min), JWT with org-scoped claims.

PA-003

Clinical Triage & Follow-Up

Purpose

Enable authorized clinicians to review RED/AMBER triage scans, initiate telehealth consultations, and record clinical outcomes.

Lawful Basis

GDPR Art.6(1)(d) + Art.9(2)(c) — Vital interests / occupational medicine; Zim DPA § 30(1)(d).

Data Subjects

Employees flagged for clinical review

Personal Data Categories

Scan results, triage classification, clinician notes, follow-up status, outcome codes, telehealth contact records.

Recipients

Assigned clinician (CLINICIAN role), Chief Medical Officer (CMO role).

International Transfers

None — all clinical data processed on-platform.

Retention Period

Clinical records: per organization retention policy. Clinician notes: same retention as parent scan.

Security Measures (Art.32)

Role-based access (CLINICIAN/CMO only), field-level encryption for clinician notes, full audit trail of data access, patient data isolation by organization.

PA-004

HR & Cost Analytics Reporting

Purpose

Generate department-level compliance rates, absenteeism estimates, and ROI calculations for employer HR teams.

Lawful Basis

GDPR Art.6(1)(f) — Legitimate interests (workforce health management); Zim DPA § 30(1)(c).

Data Subjects

Employees (aggregated, never individually identifiable)

Personal Data Categories

Aggregated department-level statistics only. Individual scans are k-anonymized (cohorts < 5 suppressed).

Recipients

HR Administrator (HR_ADMIN role) of the subscribing organization.

International Transfers

PDF reports may be emailed to authorized HR recipients via Resend.

Retention Period

Aggregated reports: 5 years. Source scan data: per organization retention policy.

Security Measures (Art.32)

k-anonymity enforcement (COHORT_SUPPRESSION_LIMIT = 5), department-level aggregation only, no drill-down to individual employees, RBAC enforcement.

PA-005

Insurer Portfolio Risk Assessment

Purpose

Provide actuarial risk summaries, claims forecasts, and comorbidity profiles to insurance underwriters.

Lawful Basis

GDPR Art.6(1)(b) — Contractual obligation with insurer; Zim DPA § 30(1)(a).

Data Subjects

Covered employee populations (portfolio-level only)

Personal Data Categories

No individual PII. Portfolio-level aggregates: risk distribution, coverage ratios, comorbidity prevalence rates, claims forecasts.

Recipients

Insurer dashboard (INSURER role) — authorized underwriters only.

International Transfers

PDF summaries may be emailed to authorized insurer recipients via Resend.

Retention Period

Actuarial reports: 7 years (regulatory requirement).

Security Measures (Art.32)

Portfolio-level aggregation only, no individual identification possible, RBAC with INSURER role restriction, watermarked confidential PDFs.

PA-006

Audit Logging & Compliance

Purpose

Maintain immutable audit trail of all data access, modifications, consent events, and security incidents for regulatory compliance.

Lawful Basis

GDPR Art.6(1)(c) — Legal obligation; Zim DPA § 12 — Record of processing activities.

Data Subjects

All system users (employees, clinicians, admins)

Personal Data Categories

Actor ID, action type, target resource, timestamp, IP address (anonymized after 90 days), metadata.

Recipients

Super Admin (MAZANO_CEO role) for compliance audits.

International Transfers

None — audit logs stored on-platform.

Retention Period

7 years (minimum regulatory requirement for health data audit trails).

Security Measures (Art.32)

Append-only audit log, tamper-evident timestamps, encrypted at rest, access restricted to MAZANO_CEO role.

PA-007

Data Subject Rights Management

Purpose

Process data portability exports (Art.20), rectification requests (Art.16), and erasure requests (Art.17).

Lawful Basis

GDPR Art.6(1)(c) — Legal obligation to facilitate data subject rights; Zim DPA § 14-18.

Data Subjects

Employees exercising their data protection rights

Personal Data Categories

All personal data associated with the requesting employee (for portability). Correction details (for rectification).

Recipients

The data subject themselves. DPO for rectification review.

International Transfers

Data export delivered directly to the authenticated user via HTTPS.

Retention Period

Rights exercise records: 3 years. Exported data: delivered once, not retained on server.

Security Measures (Art.32)

JWT authentication required, rate-limited (5 requests/hour for rectification), audit logged, exported data includes only the requesting patient’s records.

PA-008

Breach Detection & Notification

Purpose

Detect, classify, and notify relevant parties of personal data breaches within 72 hours as required by law.

Lawful Basis

GDPR Art.33-34 — Breach notification obligation; Zim DPA § 22 — Notification of security compromises.

Data Subjects

Potentially affected employees

Personal Data Categories

Breach scope assessment: number of records affected, data categories compromised, risk classification.

Recipients

POTRAZ (supervisory authority) within 72 hours, DPO immediately, affected data subjects without undue delay.

International Transfers

Breach notifications sent via secure email.

Retention Period

Breach records: 7 years.

Security Measures (Art.32)

Automated deadline tracking, severity classification (LOW/MEDIUM/HIGH/CRITICAL), structured notification templates, audit trail.

Supervisory Authority

Primary: Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ)

Address: Block 1, Emerald Park, 30 The Chase (West), Mount Pleasant, Harare, Zimbabwe

Website: www.potraz.gov.zw