Botswana

DATA PROTECTION FACTSHEET

DATA PROTECTION LAW IN PLACE

DATA PROTECTION AUTHORITY APPOINTED

Download the Act

Fast Facts
Domestic Law
Privacy enshrined in Constitution: Yes, Botswana’s Constitution also protects the right to privacy under Articles 3 and 9.

DPA legislation: The Data Protection Act 2018 (DPA) was assented to by the Botswanan Parliament in order to realise the right to privacy guaranteed in the Constitution. On 15 October 2021, the Act came into effect upon issuance of the Data Protection Act (Commencement Date) Order 2021 by the Minister of Presidential Affairs, Governance and Public Administration. The Act’s transition period is 12 months from the date of commencement, meaning compliance will be required from 15 October 2022.

The Information and Data Protection Commission (Commission), which has not yet been formed, is established under this law. It is not an independent body, but under the direction of the Minister, to whom the members of the Commission must swear an oath of secrecy.

Data subjects have the following rights under the DPA:
- the right to access personal data through subject access requests;
- the right to obtain a copy of the personal data held by a data processor or a data controller;
- the right to object, for legitimate reasons, to the processing of personal data concerning them;
- the right to oppose the processing of their personal data for direct marketing; and
- the right to correct, update, lock, or delete personal data where it is inaccurate or incomplete.
International Commitments
Scope of Application

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Yes

Law enforcement exclusion: Yes

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: Yes

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): Yes

Broad or vague exclusions: Yes

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes
Personal Data
Personal data is information related to an individual who can be identified directly or indirectly by reference to an identification number, or to one or more factors specific to his, her or their physical, physiological, mental, economic, cultural, or social identity.

Sensitive data processing is prohibited barring certain exceptions. It is defined as personal data relating to a data subject that reveals any of the following:
- racial or ethnic origin;
- political opinions;
- philosophical or religious beliefs;
- trade union membership;
- physical or mental health or condition;
- sexual life;
- filiation;
- personal financial information;
- health;
- any commission or alleged commission by him, her or they of an offence;
- judicial proceedings, or criminal or administrative sanctions; or
- genetic data, biometric data, and the personal data of minors.
Collection and Processing
Data controllers must ensure that personal data is:
- processed fairly, lawfully, and where appropriate, the data is obtained with the knowledge or consent of the data subject;
- adequate and relevant in relation to the purposes of its processing;
- accurate, complete, and updated to the extent necessary for processing;
- collected for specific, explicitly stated, and legitimate purposes;
- not processed for other purposes incompatible with those aforementioned;
- protected by reasonable security safeguards against risks such as loss, unauthorised access, destruction, use, modification, or disclosure;
- made complete, corrected, blocked, or deleted if it is incomplete or incorrect, taking into account the purposes of processing;
- kept for no longer than necessary regarding the purposes for which it is processed; and
- processed in accordance with good practice.
Personal data may be processed where:
- there is written consent from the data subject;
- processing is necessary to commence or perform of a contract in the data subject’s interests or to which he is a party;
- processing is necessary for compliance with a legal obligation to which the data controller is subject;
- processing is necessary for the performance of a public interest activity or the exercise of official authority vested in the data controller or in a third-party recipient of the data; or
- processing is necessary to advance the legitimate interest of the data controller or a third-party recipient of the data, unless this interest is overridden by the interest in protecting the fundamental rights and freedoms of the data subject, particularly the right to privacy.
Transparency

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: No

Timeframe for notification is specified: No

Exceptions exist to breach notifications: No

Requires a data processing register: Yes

Register is publicly available: Partial

Provides for terms of service icons: No

DPA must submit at least annual report: Unclear

DPA report is made public: Unclear
Accountability

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: No

DPA is independently structured (does not exist within or receive instructions from another public body): No

DPA receives funding directly from the state budget/legislative body: Unclear

DPA may receive some forms of external funding/own revenue: Unclear

Adequate protections against undue removal: Unclear

Number of members in DPA: Unclear

Maximum term length for members of the DPA (years): Unclear
Participation
Cross-border Transfer
Automated Processing

LEARN MORE ABOUT THE METHODOLOGY

Page last updated: 23 May 2022