BOTSWANA
DATA PROTECTION FACTSHEET

-
Population: 2,351,625
Capital: Gaborone
President: Mokgweetsi Masisi
2021 Freedom House Score: 72/100
Data protection law? Yes, with data protection authority appointed
-
Privacy enshrined in Constitution: Yes. Botswana’s Constitution protects the right to privacy under Articles 3 and 9.
DPA legislation: The Data Protection Act 2018 (DPA) was assented to by the Botswanan Parliament in order to realise the right to privacy guaranteed in the Constitution. On 15 October 2021, the Act came into effect upon issuance of the Data Protection Act (Commencement Date) Order 2021 by the Minister of Presidential Affairs, Governance and Public Administration. The Act’s transition period is 12 months from the date of commencement, meaning compliance will be required from 15 October 2022.
The Information and Data Protection Commission (Commission), which has not yet been formed, is established under this law. It is not an independent body but operates under the direction of the Minister, to whom the members of the Commission must swear an oath of secrecy.
Data subjects have the following rights under the DPA:
- the right to access personal data through subject access requests;
- the right to obtain a copy of the personal data held by a data processor or a data controller;
- the right to object, for legitimate reasons, to the processing of personal data concerning them;
- the right to oppose the processing of their personal data for direct marketing; and
- the right to correct, update, lock, or delete personal data where it is inaccurate or incomplete.
-
ICCPR: Ratified
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: Yes
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: Yes
Journalistic, literary or artistic purposes exclusion: No
Temporary copies exclusion: No
Other exclusion(s): Yes
Broad or vague exclusions: Yes
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
-
Personal data is information related to an individual who can be identified directly or indirectly by reference to an identification number, or to one or more factors specific to his, her or their physical, physiological, mental, economic, cultural, or social identity.
Sensitive data processing is prohibited barring certain exceptions. It is defined as personal data relating to a data subject that reveals any of the following:
- racial or ethnic origin;
- political opinions;
- philosophical or religious beliefs;
- trade union membership;
- physical or mental health or condition;
- sexual life;
- filiation;
- personal financial information;
- health;
- any commission or alleged commission by him, her or them of an offence;
- judicial proceedings, or criminal or administrative sanctions; or
- genetic data, biometric data, and the personal data of minors.
-
Data controllers must ensure that personal data is:
- processed fairly, lawfully, and where appropriate, the data is obtained with the knowledge or consent of the data subject;
- adequate and relevant in relation to the purposes of its processing;
- accurate, complete, and updated to the extent necessary for processing;
- collected for specific, explicitly stated, and legitimate purposes;
- not processed for other purposes incompatible with those aforementioned;
- protected by reasonable security safeguards against risks such as loss, unauthorised access, destruction, use, modification, or disclosure;
- made complete, corrected, blocked, or deleted if it is incomplete or incorrect, taking into account the purposes of processing;
- kept for no longer than necessary regarding the purposes for which it is processed; and
- processed in accordance with good practice.
Personal data may be processed where:
- there is written consent from the data subject;
- processing is necessary to commence or perform a contract in the data subject’s interests or to which he is a party;
- processing is necessary for compliance with a legal obligation to which the data controller is subject;
- processing is necessary for the performance of a public interest activity or the exercise of official authority vested in the data controller or in a third-party recipient of the data; or
- processing is necessary to advance the legitimate interest of the data controller or a third-party recipient of the data, unless this interest is overridden by the interest in protecting the fundamental rights and freedoms of the data subject, particularly the right to privacy.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: No
Timeframe for notification is specified: No
Exceptions exist to breach notifications: No
Requires a data processing register: Yes
Register is publicly available: Partial
Provides for terms of service icons: No
DPA must submit at least annual report: Unclear
DPA report is made public: Unclear
-
Explicit provision for civil liability: Yes
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: No
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Unclear
DPA may receive some forms of external funding/own revenue: Unclear
Adequate protections against undue removal: Unclear
Number of members in DPA: Unclear
Maximum term length for members of the DPA (years): Unclear
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: No
-
Transfer of personal data to another country is prohibited unless that country provides an adequate level of protection, which will be determined by the Commissioner.
-
Provides a right not to be subject to automated decision-making: Partial
Page last updated: 23 May 2022