DATA PROTECTION FACTSHEET
Population: 1,121,761 (2022 est.)
Ruler: King Mswati III & Prime Minister Cleopas Dlamini
2021 Freedom House Score: 19/100
Data protection law? Yes, with data protection authority appointed
Privacy enshrined in Constitution: Yes, the Constitution of Eswatini protects the right to privacy under Article 14.
In March 2022, Eswatini published the Data Protection Act, 2022 (the Law) in the government gazette, finally bringing a long-awaited draft into force.
Under the Law, data subjects have the right to request:
- A data controller to confirm, free of charge, whether or not the data controller holds personal information about the data subject; and
- from a data controller, personal information about the data subject held by the data controller, including information about the identity of all third parties who have, or have had, access to the information:
  - within a prescribed time;
  - at a prescribed fee;
  - in a reasonable manner and format; and
  - in a form that is generally understandable.
The Computer Crime and Cybercrime Act 2020 was also brought into force in March 2022, which regulates the usage of computer systems and electronic communications networks as well as cybersecurity matters.
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: No
Personal data is defined as information about an identifiable individual that is recorded in any form, including, without restricting the generality of the foregoing:
- information relating to the race, national or ethnic origin, religion, age, or marital status of the individual;
- information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
- any unique identifying number, symbol, or other particular assigned to the individual;
- the address, fingerprints, or blood type of the individual;
- the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual;
- correspondence sent to a data controller by the individual that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence; and
- the views or opinions of any other person about the individual.
Sensitive personal data is personal data related to:
- genetic data, data related to children, data related to offences, criminal sentences or security measures, biometric data, as well as, if it is processed for what it reveals, personal information revealing racial or ethnic origin, political opinions or affiliations, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life; or
- any personal information otherwise considered by the laws of Eswatini as presenting a major risk to the rights and interests of the data subject, in particular unlawful or arbitrary discrimination.
A data controller is a public or private body, or any other person designated by law, which alone or together with others determines the purpose of and means for processing personal information, regardless of whether such data is processed by that party or by a data processor on its behalf, where the purpose and means of processing are determined by law.
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
Personal information may only be processed if:
- the data subject provides explicit consent to the processing;
- processing is necessary for the conclusion or performance of a contract to which the data subject is a party;
- processing is necessary for compliance with a legal obligation to which the data controller is subject;
- processing is necessary to protect the legitimate interests of the data subject;
- processing is necessary for the proper performance of a public law duty by a public body; or
- processing is necessary for pursuing the legitimate interests of the data controller or of a third party to whom the information is supplied.
Data processing must be limited to the purpose for which the data is collected, and personal data must not be held for longer than is necessary for that purpose.
Unless specifically permitted by the law, a data controller shall not process sensitive personal information. The prohibition on processing sensitive personal information shall not apply where:
- processing is carried out with prior parental consent where the data subject is a child and is subject to parental control in terms of the law;
- the processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- processing is necessary to comply with an obligation of international public law;
- the Commission has granted authority in terms of section 30 for processing in the public interest, and appropriate guarantees have been put in place in law to protect the data subject’s privacy;
- processing is carried out with the consent of the data subject; or
- the information has deliberately been made public by the data subject.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Yes
Timeframe for notification is specified: No
Exceptions exist to breach notifications: No
Requires a data processing register: Yes
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: No
DPA report is made public: NA
Explicit provision for civil liability: Yes
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Unclear
DPA may receive some forms of external funding/own revenue: Unclear
Adequate protections against undue removal: Unclear
Number of members in DPA: Unclear
Maximum term length for members of the DPA (years): Unclear
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
The Act differentiates between trans-border flow of personal information within SADC member states and to non-SADC member states.
Personal information may only be transferred to recipients in a SADC member state:
- where the recipient establishes that the data is necessary for the performance of a task carried out in the public interest or pursuant to the lawful functions of a data controller, or
- where the recipient establishes the necessity of having the data transferred and there is no reason to assume that the data subject’s legitimate interests might be prejudiced by the transfer or the processing in the member state.
Personal information may only be transferred to non-SADC member states if the country has an adequate level of data protection. The Commission shall establish the categories of processing for which, and the circumstances in which, the transfer of personal information to countries outside Eswatini and SADC is permissible.
The Commission may authorize a transfer, or a set of transfers, of personal information to a recipient country outside Eswatini or SADC whose laws do not ensure an adequate level of protection, if the controller satisfies the Commission that it shall ensure adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of the data subjects concerned, and with respect to the exercise of the rights of the data subject. Such safeguards may be provided through adequate legal and security measures, and in particular through contractual clauses.
Provides a right not to be subject to automated decision-making: Yes