Eswatini Data Protection Authority

Regulatory Frameworks

Overview of Data Protection Act

Act No.5 of 2022

Object: An act to provide for the collection, processing, disclosure and protection of personal data; balancing competing values of personal information privacy an sector specific laws and other related matters.

Data Protection Agency: The Act designates Eswatini Communications Commission (ESCCOM) as Data protection Authority (S.5). Application: the act applies to data processors and data controllers.



Guidelines on the appointment of data protection officers.


Guidelines on Children's data protection in an education setting.

Coming Soon

Guidelines on artificial intelligence and data protection.

Coming Soon

  1. The right to be informed: The right to be informed means businesses as data controllers must give individuals clear, succinct and easily understandable information on what they want to do with the data. This fosters a level of trust.

  2. The right to access: The right of access gives individuals the legal right to a copy of their personal data and any other supplementary data. Individuals have a right to access regarding their personal data as held by a company. A subject access request can be made to the company concerned either verbally or in writing, and the company has 30 days to respond.

  3. The right to erasure: Also called 'the right to be forgotten', means individuals can request that their data is erased permanently from the controller's databases. The request can be made verbally or in writing and the company must respond within 30 days. This right only applies in certain circumstances and is not absolute.

  4. The right to rectification: Individual data subjects have the right to rectify or correct inaccurate personal data or have it fully completed if the information is not complete. They can request rectification in writing or verbally and the company has one calendar month to respond to a request for rectification.

  5. The right to object: Individuals have the absolute right to object to their personal data being used for marketing reasons. In other circumstances, they may also object to how their data is being processed.

  6. The right to data portability: This allows individuals to obtain and use their personal data for their own reasons. It means they can copy, transfer or move personal data from one online environment to another, safely and securely and in a frequently used machine readable format.

  7. Rights regarding automated profiling and decision making: Automated profiling refers to the use of technology to processing and analyse the individual's personal data. Automated individual decision-making means the resolutions taken by automation with no involvement from humans. The individual must be informed of the automated profiling and decision making, and there must be easy ways for them to challenge an automated decision or ask for a human being to check it.

  8. The right to restrict processing: Individuals have the right to suppress or block their personal data from being used. This is not absolute and applies to specific circumstances.
  1. Accuracy: The data controller or processor must ensure that any personal data that they hold is accurate and where necessary, up-to-date.

  2. Storage Limitation: Data controllers and processors must not keep personal data for longer than it is needed.

  3. Integrity and confidentiality: Data controllers and processors must keep personal data safe so that it does not get deleted or changed, or seen by anyone who is not allowed to see it.

  4. Lawfulness, fairness and transparency: There must be a valid legal reason for the processing of personal data. Data controllers and data processors must disclose fully the reasons for collecting the data, and how it will be used.

  5. Purpose limitation: Personal data must be used only for the purpose that it was collected for.

  6. Accountability: A data controller must be able to evidence their accountability by demonstrating how they take responsibility for how they use personal data.

  7. Minimization: Data collected from individuals or organization must be the minimum necessary.

              Privacy Statement               Copyright   ©   All rights reserved | Designed & Developed by ESCCOM IT