Law: Data Protection Act, 2011 ('the Act')
Regulator: The Data Protection Commission (not yet established)
Summary: The Act sets out comprehensive requirements for data protection in Lesotho, including data subject rights, data processing notifications, legal bases for processing, and restrictions on data transfers. The Act sets out breach notification obligations and explicitly defines the right to object to direct marketing. However, even though the Act came into effect in 2011, the Data Protection Commission provided for in the Act is yet to be established. Lesotho is also active in international agreements, and particularly in various collective organisations within Africa such as the Southern African Customs Union and the African Union.