The Data Protection Act was passed in March 2022 to provide for the collection, processing, disclosure, and protection of personal information. The Act designates the Eswatini Communications Commission as the Eswatini Data Protection Authority (EDPA) charged with the mandate to administer and foster compliance with the Act.
Section 5 of the Act enjoins the EDPA to maintain a register of all data processors and data processors. Pursuant to this provision, the EDPA shall establish a data protection register and register every organization, business, institution, government department, NGOs, public bodies collecting or processing personal information. By registering with the EDPA, the data processors and data processors inform the Commission about the following:
- Who they are
- The type(s) of personal data they hold
- The nature of processing of personal information they engage in
- Who they share the personal information with
- Whether or not they transfer personal information outside Eswatini
- How they ensure the protection of the personal information they collect or process
- Who their contact person is for data protection issues
Any organization or entity that processes personal information without having registered with the EDPA commits a breach of the Act.