Support Centre



Law: The Data Protection Act No.5 of 2022 ('the Act')

Regulator: Eswatini Communications Commission ('the Commission')

Summary: The Act is Eswatini's first comprehensive privacy legislation governing the collection, processing, and disclosure of personal data. Moreover, the Act outlines the responsibilities of the Commission, as well as the requirements for processing personal information, including in relation to retention periods and data security requirements. In addition, the Act provides for several data subject rights, such as the right to access and correct personal information, and includes general provisions on unsolicited electronic communications, as well as automated decision making.

The Act came into operation on 4 March 2022, on the date of its publication in the Official Gazette, and provides that any processing of personal information should be notified to the Commission and brought into conformity with the Act within two years of the Act's commencement date. However, the Act also outlines that this period may be extended by a maximum of three years by a notice published in the Official Gazette.

Further to this, related issues such as cybercrime and electronic communications are governed by the Computer Crime and Cybercrime Act No.6 of 2022 and the Electronic Communications and Transactions Act No. 3 of 2022, which also came into effect on 4 March 2022.

In addition, there are several other laws and regulations that address aspects of data privacy. These include the Constitution of Swaziland Act No. 1 of 2015, the Swaziland which establishes a right to privacy, the Communications Commission (Consumer Protection) Regulations, 2016 issued pursuant to the Swaziland Communications Commissions Act of 2013, and the Consumer Credit Act No. 7 of 2016.


On 4 March 2022, King Mswati III signed the Data Protection Act No. 5 of 2022 ('the Act') into law. In this article, Melody Musoni, an independent privacy professional, breaks down the key provisions of the Act, touching on topics such as legitimate bases and data processing principles, data subject rights, and data transfers.