Eswatini’s Data Protection Act, 2022

National Regulations

The Data Protection Act, 2022, is Eswatini’s comprehensive privacy law, closely aligned with international data protection standards. It empowers individuals with rights over their data, places strict duties on controllers and processors, and establishes a strong enforcement mechanism under the Communications Commission.

Purpose and scope

The Act establishes a legal framework for the collection, processing, disclosure, and protection of personal data in Eswatini. It balances the right to privacy with sector-specific laws and other competing interests. It applies to both public and private bodies, whether domiciled in Eswatini or abroad, if they use automated or non-automated means to process personal information in the country.

Exemptions include purely personal/household use, de-identified data, national security, public safety, and activities carried out for journalistic, artistic, or literary expression.

Key definitions

The Act provides detailed definitions, such as:

  • Personal data: Any information relating to an identifiable individual, including sensitive categories like race, religion, political views, health, sexual life, biometric data, and criminal records.
  • Data controller: Entity determining the purpose and means of processing personal information.
  • Data processor: Entity processing data on behalf of a controller.
  • Data subject: The individual whose data is being processed.

Institutional framework

The Eswatini Communications Commission is the regulatory authority responsible for enforcing the Act. Its duties include:

  • Monitoring compliance
  • Educating the public
  • Investigating complaints
  • Issuing codes of conduct
  • Cooperating with international data protection bodies

The Commission can impose sanctions, including warnings, notices, suspension of processing authorisation, or fines up to E5 million or 2% of annual turnover.

Principles of data processing

Processing is lawful only if it meets one of the following conditions:

  • Explicit consent of the data subject
  • Necessity for contract performance
  • Compliance with a legal obligation
  • Legitimate interests of the subject, controller, or public authority

Data must be collected for specific, explicit, and legitimate purposes, retained only as long as necessary, and secured against unauthorised access or loss. Controllers must notify the Commission and affected individuals of data breaches.

Rights of data subjects

Individuals are granted:

  • Right of access to their data and to know third parties who accessed it
  • Right to correction or deletion of inaccurate or unlawfully processed data
  • Right to object to processing on legitimate grounds
  • Protection against purely automated decisions with significant legal effects

Sensitive personal data

Special restrictions apply to sensitive categories (religion, race, political views, health, etc.). Processing is generally prohibited unless it falls under an explicit exemption, such as medical necessity, public interest, or the Commission’s authorisation.

Trans-border data flows

Transfers within the Southern African Development Community (SADC) are allowed if the recipient meets regional requirements. Transfers outside SADC are permitted only if the receiving country ensures an adequate level of protection, or under specific derogations (such as explicit consent, contract performance, or public interest).

Enforcement and penalties

  • Complaints can be lodged with the Commission.
  • The Commission can investigate, issue enforcement notices, or require remedies.
  • Data subjects may also pursue civil actions for damages in court.
  • Offences (like obstructing the Commission, breaching confidentiality, or non-compliance) carry penalties up to E100 million, 5% of annual turnover, or imprisonment up to 10 years.

Additional provisions

  • Regulation of unsolicited electronic communications (direct marketing)
  • Requirement for notifications to the Commission by controllers
  • Appointment of Data Protection Officers
  • Establishment of whistleblowing systems and rules for class actions
  • A transitional period of two years (extendable to three) for existing data processing to comply with the Act