Skip to main content

The Data Protection Act 5 of 2022, enacted by the Kingdom of Eswatini, governs collecting, processing, storing, and disclosing personal information. Effective from 4 March 2022, this legislation aims to balance privacy, data security, and the need for information in a modern digital economy. The Act also aligns Eswatini with global and regional data protection standards, such as those set by the Southern African Development Community (SADC).

Who needs to comply?

The Data Protection Act 5 of 2022 applies to a wide range of entities and individuals involved in collecting, processing, or storing personal data within Eswatini or using its infrastructure. Understanding who falls within the scope of this law is critical for ensuring compliance.

Entities and individuals subject to the Act

Category Description
Data controllers Entities or individuals determining the purpose and means of data processing.
Includes public and private organisations, such as businesses and government.
Data processors Entities processing data on behalf of a data controller.
Examples: cloud service providers, marketing agencies, IT vendors.
Entities operating in Eswatini Organisations domiciled in Eswatini, regardless of their primary focus.
Cross-border data processors Entities transferring data in or out of Eswatini, including SADC and non-SADC countries.
Must adhere to secure and lawful data transfer protocols.
Businesses targeting Eswatini residents Entities outside Eswatini processing data of its residents. Examples: e-commerce platforms, digital services.
Data protection officers (DPOs) Organisations appointing DPOs for compliance with the Act.

Exemptions

The Act does not apply to:

  1. Personal or household activities that do not involve public disclosure of personal information.
  2. Information that has been fully de-identified and cannot be re-identified.
  3. Processing by state authorities related to national security, defence, or public safety.
  4. Purely journalistic, artistic, or literary activities that balance privacy with freedom of expression.

Why compliance matters

Failing to comply with the the Act can lead to significant penalties, including fines up to E5,000,000 or 2% of an organisation’s annual turnover. In severe cases, non-compliance may result in imprisonment for individuals or reputational damage for businesses.

Key provisions

Scope and applicability

  • Applies to data controllers and processors operating within Eswatini or using its infrastructure to process personal data.
  • Covers both automated and non-automated data processing.

Data subject rights

  • Access to personal data and the right to challenge its accuracy.
  • Right to correction or deletion of outdated, irrelevant, or unlawfully processed data.
  • Protection against decisions based solely on automated processing.

Obligations of data controllers

  • Ensure transparency in data collection and processing purposes.
  • Implement security measures to prevent unauthorised access, loss, or misuse of data.
  • Notify the Eswatini Communications Commission and affected parties of any data breaches.

Sensitive data handling

Prohibits processing sensitive personal data, such as information about health, race, religion, or political beliefs, unless explicitly authorised.

Trans-border data flows

  • Permits data transfers within SADC Member States under certain conditions.
  • Requires adequate data protection measures for transfers to non-SADC countries.

Enforcement and sanctions

  • The Eswatini Communications Commission is empowered to monitor compliance, investigate violations, and impose penalties, including fines up to E5,000,000 or 2% of annual turnover.
  • Violations can lead to civil remedies or criminal penalties, including imprisonment.

Appointment of data protection officers

Organisations must designate officers to ensure compliance and act as liaisons with the Commission.

General provisions

  • Regulations for unsolicited electronic communications and whistleblowing.
  • Support for class actions and transitional provisions for ongoing data processing to align with the Act.

How ITLawCo can help

Navigating the complexities of the Data Protection Act 5 of 2022 requires expertise in law, technology, and compliance. ITLawCo is uniquely positioned to assist organisations in Eswatini and beyond with:

  1. Compliance assessments tailored to your organisation’s needs.
  2. Drafting and reviewing data protection policies, contracts, and processes.
  3. Appointing and training data protection officers.
  4. Handling cross-border data transfers and ensuring compliance with international standards.
  5. Responding to data breaches and engaging with the Eswatini Communications Commission.

Our team combines deep legal knowledge with cutting-edge technical insight to deliver practical, actionable advice. Whether you’re building a privacy programme from scratch or need to refine existing practices, ITLawCo ensures you’re equipped to meet your obligations under the Act.

Contact us today to learn how we can protect your organisation and uphold the trust of your stakeholders.