Botswana - Data Protection Overview

April 2024

1. Governing Texts

1.1. Key acts, regulations, directives, bills

Data Protection Act, No. 32 of 2018 ('the Act')

The Act governs the protection and processing of personal and sensitive personal data of individuals, cross-border transfer of personal and sensitive personal data, and establishes the Information and Data Protection Commission ('the Commission'). It sets out requirements for lawful processing of personal and sensitive personal data, establishes procedures for data subjects to lodge complaints, and outlines sanctions for violations of the Act.

The Act entered into force in October 2021, with the latest amendment, the Data Protection (Amendment) Act (Transitional Period) Order, 2023, having come into force on October 13, 2023.

The Commission has not yet been fully constituted.

The Constitution of the Republic of Botswana ('the Constitution')

There is no specific provision that deals with data protection in the Constitution. However, Section 9 of the Constitution bestows upon every person the right to privacy, which extends to property. Section 9(1) of the Constitution provides that no person shall be subjected to the search of their person, their property, or the entry by others on their premises except with their consent. This right by extension covers personal data which qualifies as incorporeal property.

In addition to the above, Section 3 of the Constitution provides that every person in Botswana is entitled to the fundamental rights and freedoms of the individual, including the right to protection for the privacy of their home and other property, whatever their race, place of origin, political opinions, color, creed, or sex, subject to respect for the rights and freedoms of others and public interest.

Other statutes

The Cybercrime and Computer Related Crimes Act, 2018 governs the interception of non-public transmission of communications on a computer or computer system, disclosure of passwords, and cyber offenses.

Section 15(2)(a) and (c) of the Financial Intelligence Act No. 2 of 2022 ('FIA') provides that a specified party shall maintain throughout its group controls and procedures for the protection of personal data in accordance with the Act and safeguarding the confidentiality and use of information exchanged.

1.2. Guidelines

In terms of the Act, the Minister of State President ('the Minister') establishes the Commission and appoints the Commissioner who is responsible for the publication of regulations to guide the processing of personal and sensitive personal data. The regulations have not yet been published.

1.3. Case law

The Act is a fairly new piece of legislation, and therefore the courts of Botswana have not decided on cases that deal with data protection. Secondly, the courts cannot enforce the provisions of the Act yet due to the grace period provided to data controllers and data processors allowing them to align their internal systems with the requirements of the Act. The grace period will come to an end on October 13, 2024.

2. Scope of Application

2.1. Personal scope

The Act applies to natural persons, data controllers, and processors. It seeks to protect natural persons with respect to the processing of their personal and sensitive personal data and further regulates processing activities carried out by data processors and controllers.

The Act does not apply to juristic persons or deceased individuals.

2.2. Territorial scope

Under Section 3(1), the Act applies to the processing of both personal and sensitive personal data within Botswana and the transfer of personal and sensitive personal data outside Botswana. If the data controller is not in Botswana, the Act shall apply to the processing of personal data where the automated or non-automated means used to process data are situated in Botswana. The Act will not apply if automated means are used only to transmit personal data.

2.3. Material scope

The Act applies to the processing of personal and sensitive personal data of natural persons in Botswana.

However, its application is limited as Section 3(2) of the Act states that it does not apply to the processing of personal data in the course of purely personal or household activities, in instances where the data subject has made the personal data public, where data is processed by or on behalf of the State and involves national security, defense, or public safety, is for the prevention, investigation, or proof of offenses, is for the prosecution of offenders or the execution of sentences or security measures, is for economic and financial national interest, or is connected to the exercise of regulatory or investigative powers by a public body for the reasons highlighted above.

In respect of sensitive personal data, the Act governs the processing of sensitive personal data, subject to certain conditions, for the following reasons:

  • health or medical purposes;
  • research, scientific, and statistics purposes;
  • genetic and biometric data;
  • legal purposes or by the Government; and
  • for identity cards.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The Commission is the main regulator of the Act.

3.2. Main powers, duties and responsibilities

Section 5(1) of the Act provides that the Commission must do all such things as are necessary to protect the personal rights of individuals with regard to their personal data and must ensure the effective application of and compliance with the Act, in particular the right to the protection of personal data, access, rectification, objection, and cancellation of such data.

The duties of the Commission are as follows:

  • ensure compliance with the Statistics Act, 2009 with regard to the collection of statistical data and statistical secrecy and to issue instructions for safeguarding personal data that is kept for statistical purposes;
  • instruct data controllers to ensure that the processing of personal and sensitive personal data is performed in accordance with the Act;
  • provide guidance and instructions on the appropriate measures to ensure the security of personal and sensitive personal data;
  • conduct research and studies and promote educational activities relating to the protection of personal data;
  • inform data subjects on their rights with respect to the processing of personal and sensitive personal data;
  • receive reports and claims of violations of personal and sensitive personal data and take remedial action as is necessary or prescribed;
  • investigate complaints from data subjects and respond to the same;
  • monitor and adopt authorization of cross-border flow of personal and sensitive personal data and facilitate international cooperation on the protection of personal and sensitive personal data;
  • create and maintain a register of all data controllers;
  • obtain information from data controllers connected to the exercise of the Commission's functions;
  • prepare and disseminate a code of practice for data controllers;
  • issue, where applicable, instructions required to bring processing operations in line with the principles of the Act;
  • publicize the existence of personal data files and any other information that the Commission deems necessary;
  • record all directions received from the Minister; and
  • perform any other functions conferred on the Commission by the Minister.

4. Key Definitions

Section 2 of the Act defines the following terms:

Data controller: A person who, alone or jointly with others, determines the purpose and means by which personal and sensitive personal data is to be processed.

Data processor: A person who processes personal and sensitive personal data on behalf of the data controller.

Personal data: Personal data means information relating to an identified or identifiable individual with reference to an identification number or specific reference to the individual's physical, physiological, mental, economic, cultural, or social identity.

Sensitive data: Personal data relating to a data subject which reveals their racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, physical or mental health or condition, sexual life, family relations, personal financial information, data related to the commission or alleged commission of an offense, proceedings relating to the commission of an offense, genetic data, biometric data, and the personal data of minors.

Health data: Not applicable. There is no definition of 'health data' in the Act.

Biometric data: Any information stemming from the statistical analysis of biological data.

Pseudonymization: Not applicable. There is no definition of 'pseudonymization' in the Act.

5. Legal Bases

5.1. Consent

Consent means any freely given, specific, and informed expression of the wishes of the data subject, by which the data subject agrees to the processing of personal data relating to them. Lawful data processing requires a positive action on the part of the data subject after being provided with sufficient information to let them decide whether to continue with the processing. This means that consent must not be inferred from the data subject's silence or inaction.

Further, in terms of the Act, consent must be revocable and current. The data subject must be given the opportunity to revoke their consent, provided it does not result in a breach of contract. Consent need not necessarily be in writing, but for evidential purposes and for the protection of the data controller, written consent may be required of the data subject. Finally, consent must be valid and not obtained under duress or on the basis of misleading information. The circumstances below describe when consent may be obtained for lawful processing:

  • Section 14 of the Act provides that a data controller shall ensure that personal data is processed fairly and lawfully, and, where appropriate, the data is obtained with the knowledge or consent of the data subject;
  • Section 18 of the Act relates to the consent of the data subject for purposes of direct marketing. The data subject has the right to object by way of a notice of objection to the processing of their personal data for purposes of direct marketing; and
  • Section 19 of the Act confers upon the data subject the right to revoke their consent to the processing of their personal data on legitimate and compelling grounds.

So far as it relates to sensitive personal data, the processing of a data subject's sensitive personal data is prohibited unless the written consent of the data subject in question is obtained.

Section 22 of the Act provides that the consent of the data subject is required when a non-commercial organization that has political, philosophical, religious, or trade union objectives wants to share the data subject's sensitive personal data with a third party.

Further, under Section 49 of the Act, personal data may be transferred to a country that does not have adequate safeguards with the consent of the data subject.

5.2. Contract with the data subject

Under Section 16(b) of the Act, personal data may be processed where processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract. This legal basis is not sufficient for purposes of processing sensitive personal data.

5.3. Legal obligations

According to Section 16(c) of the Act, the personal data of a data subject may be processed for the fulfillment of a legal obligation to which the data controller is subject.

5.4. Interests of the data subject

Under Section 16(d) of the Act, the protection of the vital interests of the data subject suffices as a legal basis upon which a data controller may process the personal data of a data subject.

In addition to the above, a data controller may process the sensitive personal data of a data subject on the basis of protecting the vital interests of the data subject or another person where:

  • the consent of the data subject cannot be given by or on behalf of the data subject;
  • the data controller cannot be reasonably expected to obtain the consent of the data subject; or
  • the consent by and on behalf of the data subject has been unreasonably withheld.

5.5. Public interest

Under Section 16(e) of the Act, processing of personal data may be carried out where the processing is necessary for the performance of an activity that is carried out in the public interest or in the exercise of an official authorization vested in the data controller or in a third party to whom the data is disclosed.

5.6. Legitimate interests of the data controller

Section 16(f) of the Act provides that personal data may be processed where processing is necessary for a purpose that concerns a legitimate interest of the data controller, or of a third party to whom personal data is provided. However, this legal basis cannot be relied upon where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and, in particular, the right to privacy.

This legal basis therefore requires a comparison of the relative interests of the data subject and that of the data controller on a case-by-case basis. If the rights and/or interests of the data subject outweigh the interests of the data controller for purposes of processing their personal data in a specific circumstance, the data controller is prohibited by the Act from processing the same. If the interests of the data controller outweigh those of the data subject, the Act allows for the processing of the data subject's personal data. With respect to sensitive personal data, the interests of the data subject take precedence, and therefore the interests of the data controller may not suffice as a basis upon which to process the same.

5.7. Legal bases in other instances

Further processing

Section 15 of the Act provides that personal data shall not be disclosed, made available, or otherwise used for purposes other than those specified, except with the consent of the data subject or as may be authorized by any written law.

Processing of personal data for historical, statistical, or scientific purposes

Under Section 17 of the Act, personal data may be processed for other purposes such as historical, statistical, or scientific purposes, provided the data controller puts in place appropriate security safeguards where the personal data may be kept for a period longer than is necessary, having regard to the purposes for which it is processed and does not use the personal data kept for historical, statistical, or scientific purposes for any decision concerning the data subject.

Processing of personal data for direct marketing purposes

Where personal data is processed for purposes of direct marketing, the data controller is required to inform the data subject of their right to oppose the processing at no cost, pursuant to Section 18 of the Act. The data subject has the right to object to the processing of their personal data for purposes of direct marketing by giving a notice of objection to the processing.

Processing of sensitive personal data for health and medical purposes

Section 23 of the Act provides that a health professional recognized by the Botswana Health Professions Act or the Nurses and Midwives Act may process the sensitive personal data of a data subject where such processing is necessary for preventive medicine and protection of public health, medical diagnosis, health care, or management of health and hospital care services.

Processing of sensitive personal data for research, scientific and statistics purposes

Sensitive personal data may be processed for research, scientific, and statistics purposes provided that the processing is compatible with specified, explicitly stated, and legitimate purposes (Section 24 of the Act).

To determine whether the processing of sensitive personal data is necessary, the following shall be satisfied:

  • in the case of research and scientific purposes, the Commissioner has approved the processing on the advice of a committee responsible for research and scientific ethics in an institution recognized by the Commissioner; and
  • in the case of statistics, the processing is necessary for the purposes provided under the Statistics Act.

Processing of sensitive personal data for legal purposes or by Government

According to Section 26 of the Act, sensitive personal data may be processed for legal purposes where it is necessary in connection with legal proceedings, obtaining legal advice, or purposes of establishing, exercising, or defending legal rights or for the administration of justice.

Sensitive personal data may be processed by the National Assembly, any Government Department, or the Ministry if it is necessary for the exercise of any function of the National Assembly, the Government Department, or Ministry, and such processing is compatible with specified, explicitly stated, and legitimate purposes.

6. Principles

Personal data must be processed in line with the following principles outlined in Section 14 of the Act:

  • personal data is processed fairly and lawfully and, where appropriate, the data is obtained with the knowledge or consent of the data subject;
  • personal data that is collected is adequate and relevant in relation to the purposes of its processing;
  • to the extent necessary for processing, personal data is accurate, complete, and kept up to date;
  • personal data is collected for specific, explicitly stated, and legitimate purposes;
  • personal data is not processed for any purpose that is incompatible with the specified, explicitly stated, and legitimate purposes;
  • personal data is protected by reasonable security safeguards against risks such as loss, unauthorized access, destruction, use, modification, or disclosure;
  • where data is incomplete or incorrect, all reasonable measures are taken to complete, correct, block, or delete the personal data, having regard to the purposes for which it is processed;
  • personal data is not kept for a period longer than is necessary, having regard to the purposes for which it is processed (other Botswana statutes such as the FIA, the Banking Act, 2023, the Income Tax Act, and the Employment Act, amongst others, impose time limits on the retention of personal data in the records of corporations, statutory bodies and businesses in Botswana); and
  • personal data is processed in accordance with good practice.

7. Controller and Processor Obligations

7.1. Data processing notification

Section 5(2)(i) of the Act mandates the Commissioner to create and maintain a public register of all data controllers.

Under Section 39 of the Act, the Commissioner shall maintain a register of processing operations notified under Section 34(1) and the register shall contain the information listed under Section 34(3).

Section 34(1) of the Act provides that the data controller shall notify the Commissioner before carrying out any wholly or partially automated processing operation or set of such operations intended to serve a single purpose or several related purposes. According to Section 34(3) of the Act, the notification may specify:

  • the name and address of the data controller or data processor;
  • the purpose of the processing;
  • a description of the category or categories of a data subject and of the personal data or categories of personal data relating to the data subject;
  • the recipient or categories of recipients to whom personal data can be disclosed;
  • proposed transfers of personal data to a third country; and
  • a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken under Section 32 to ensure the security of processing.

Section 35(1) of the Act states that the Commissioner may exempt a notification required under Section 34(1) of the Act, where the Commissioner is satisfied that:

  • the personal data being processed poses no apparent risk of infringement on the rights of the data subject;
  • the purposes of the processing, the category of processing, the category of a data subject, the category of a recipient, and the data retention period are specified; and
  • the data controller has appointed a data protection representative ('DPR') and the data controller has notified the Commissioner of such appointment.

Where an exemption is granted, the data controller is required to disclose any information required for processing under Section 28 (Section 35(2) of the Act).

It must be noted that a public body shall not be exempted from notification under Section 34(1) of the Act for any processing undertaken by that body (Section 35(3) of the Act).

Section 38(1) of the Act states that an exemption for notification under Section 35(1) does not apply to processing of personal data that involves a particular risk of improper interference with the rights and freedoms of the data subject. It is mandatory to submit to the Commissioner notification of such processing prior to processing such personal data.

7.2. Data transfers

The general rule under Section 48 of the Act is that transfer of personal data from Botswana to another country is prohibited. Notwithstanding the general rule, the Minister has since published a list of countries to which personal data may be transferred.

Without prejudice to Section 48, the transfer of personal data that is undergoing processing or intended processing to a third country may only take place if the third country ensures an adequate level of protection of the personal data (Section 49 of the Act).

The adequacy of the level of protection of data by a third country shall be assessed by the Commissioner in light of all the circumstances surrounding a data transfer operation, and particular consideration shall be given to:

  • the nature of the data;
  • the purpose and duration of the proposed data processing operation;
  • the country of origin and the country to which the data is being transferred;
  • the rule of law, both general and sectoral, in force in the third country; and
  • the professional rules and security safeguards in such country.

Section 49(4) of the Act prohibits the transfer of personal data to a third country that does not ensure adequate security safeguards. Notwithstanding the prohibition, Section 49(5) of the Act allows transfer of personal data to a third country that does not ensure adequate security safeguards if the data subject has given their consent to the proposed transfer or if the transfer:

  • is necessary for the performance of a contract between the data subject and the data controller, or for the implementation of precontractual measures taken in response to the data subject's request;
  • is necessary for the performance or conclusion of a contract concluded or to be concluded in the interests of the data subject between the data controller and a third party;
  • is necessary or legally required for the public interest or for the establishment, exercise, or defense of a legal claim;
  • is necessary to protect the vital interests of the data subject; or
  • is made from a register that according to any law, is intended to provide information to the public and which is open for public inspection.

7.3. Data processing records

The Act does not have a specific requirement for data controllers or data processors to maintain data processing records. However, Section 37(1) of the Act provides that the DPR is mandated to maintain a register of the processing conducted on behalf of the data controller.

7.4. Data protection impact assessment

Not provided for by the Act.

7.5. Data protection officer appointment

Section 36 of the Act provides for the appointment of the DPR. A data controller may appoint a DPR and shall notify the Commissioner of such appointment. The Act does not require a data controller to hire an employee for the DPR role as they may designate an existing employee to this role.

A DPR shall be a person who holds the requisite qualifications and shall keep a list of the processing carried out, which shall be immediately accessible to any person.

The functions of the DPR as outlined in the Act include the following:

  • ensuring that the data controller processes personal data correctly, lawfully, and in accordance with good practice. Where the DPR identifies any inadequacies, they shall bring these to the attention of the data controller (Section 36(4) of the Act);
  • assisting data subjects to ensure that their rights under the Act are protected (Section 36(4) of the Act);
  • notifying the Commissioner where there is reason to suspect that the data controller is contravening the rules applicable for processing personal data, and if rectification is not implemented as soon as practicable after such contravention is pointed out (Section 36(5) of the Act);
  • consulting with the Commissioner where there is doubt on how the rules applicable to processing of both personal and sensitive personal data are to be applied (Section 36(6) of the Act); and
  • maintaining a register of the processing conducted on behalf of the data controller (Section 37(1) of the Act).

In addition to the above, Section 37(2) of the Act provides that a DPR shall, at the instruction of a data controller, provide the information below to any person who requests it, if that information has not been notified to the Commissioner pursuant to Section 34 of the Act:

  • the name and address of the data controller or data processor;
  • the purpose of the processing;
  • a description of the category or categories of a data subject and of the personal data or categories of personal data relating to the data subject;
  • the recipient or categories of recipients to whom personal data can be disclosed; and
  • proposed transfers of personal data to a third country.

Section 40 of the Act provides that a DPR, if instructed by the data controller, shall provide the following to any person who requests it:

  • any information required under Section 34(3) of the Act; or
  • any information relating to the processing of personal data that is not notified to the Commissioner under Section 34(3) of the Act.

Section 36(3) of the Act states that where a DPR has been appointed, the data controller shall not be required to notify the Commissioner before carrying out any wholly or partially automated processing operation or set of operations which are intended to serve a single purpose or several related purposes as required by Section 34(1) of the Act.

7.6. Data breach notification

Section 33(1) of the Act requires that data controllers notify the Commissioner without delay of any breach of security safeguards of personal data in its custody. Similarly, a data processor contracted by a data controller is required to notify the data controller without delay of any breach of security safeguards protecting the data held on behalf of the data controller.

The Act does not define what constitutes a data breach nor does it set out the process to be followed by data controllers and processors in such instances.

7.7. Data retention

The Act does not specifically stipulate time frames for data retention. However, Section 14(h) of the Act provides that data controllers must not keep personal data for a period longer than is necessary for the purposes for which the data was obtained.

Data controllers must therefore assess data records and delete any data that no longer requires processing, while observing the data retention provisions in relevant legislation such as the FIA, the Employment Act, the Income Tax Act, and the Banking Act. In this respect, it is advisable for data controllers to adopt internal data retention policies that indicate the length of time for which certain categories of data must be retained.

7.8. Children's data

The Act classifies personal data relating to minors as sensitive personal data, which requires additional protections beyond those for personal data. Accordingly, children's data must be processed in accordance with the provisions applicable to the processing of sensitive data laid out below.

According to the Constitution, one attains the age of majority at 18 years old. Accordingly, the age of consent in Botswana is 18 years.

7.9. Special categories of personal data

As a general rule, the processing of sensitive personal data is prohibited. However, Section 20 of the Act provides that sensitive personal data may be processed on the following grounds:

  • the processing is specifically provided for under the Act;
  • the data subject has given their written consent to the processing;
  • the data subject has made the personal data public;
  • the processing is necessary for national security or for the exercise or performance of a legal obligation in connection with employment;
  • the data controller is authorized by any other written law for any reason of substantial interest to the public;
  • the processing is necessary to protect the vital interests of a data subject or another person in the event that consent cannot be given by or on behalf of the data subject;
  • the data controller cannot be reasonably expected to obtain the consent of the data subject; or
  • the consent by or on behalf of the data subject has been unreasonably withheld.

The definition of sensitive personal data includes any commission or alleged commission by a data subject of any offense and any proceedings for any offense committed or alleged to have been committed by the data subject, the disposal of such proceedings, or the sentence of any court in such proceedings. Therefore, criminal conviction data can only be processed on the grounds laid down in Section 20 of the Act.

7.10. Controller and processor contracts

The Act does not provide for any requirements for a contract to be in place between a data controller and a processor.

Despite the above, Section 31(1) of the Act provides that a person who has access to personal data and is acting under the authorization of the data controller or the data processor, including the data processor, shall process personal data only as instructed by the data controller or the data processor. In addition, Section 32(3) of the Act provides that where the data controller or data processor outsources the processing of personal data, the data controller or data processor shall choose a data processor who gives sufficient guarantees regarding the technical and organizational security measures in place for the processing to be done and shall ensure that the measures are complied with.

8. Data Subject Rights

8.1. Right to be informed

Under Section 28 of the Act, a data subject has the right to be provided with the following information where personal data is obtained directly from them, except where the data subject already has the information:

  • the identity and habitual residence or principal place of business of the data controller or data processor;
  • the purpose of the processing for which the personal data is intended;
  • the existence of the right to object to the intended processing if the processing of the personal data is obtained for the purposes of direct marketing;
  • taking into account the specific circumstances under which the data is processed, any other additional information if necessary to ensure fair processing for the data subject, which may include:
      • the recipient or category of recipients of the data;
      • whether the reply to any question made to the data subject is obligatory or voluntary, as well as the possible consequence of failure to reply; and
      • the existence of the right to access, rectify, and where applicable, to delete the data concerning the data subject; and
  • any other information necessary for the specific nature of the processing to guarantee fair processing in respect of the data subject.

Section 29(1) of the Act provides that where personal data is not obtained directly from the data subject, the data controller or data processor is required to provide at least the information listed above, except where the data subject already has the information.

8.2. Right to access

Under Section 30(1)(a) and (b) of the Act, a data subject has a right to obtain from a data controller or data processor confirmation of whether or not they have personal data relating to the data subject. Such confirmation must be communicated to the data subject within a reasonable time frame from the time of request and at a reasonable charge, if any.

8.3. Right to rectification

Section 28(d)(iii) of the Act indicates that a data subject has a right to rectify the data concerning them.

In addition, Section 30(1)(e) provides that a data subject has the right to challenge personal data relating to them by submitting a complaint in writing to the Commissioner, in accordance with Section 42(1). If the challenge is successful, the data subject has the right to have the personal data rectified, amongst other reliefs.

8.4. Right to erasure

Section 28(d)(iii) of the Act indicates that a data subject has a right to delete the data concerning them.

In addition, Section 30(1)(e) provides that a data subject has the right to challenge personal data relating to them by submitting a complaint in writing to the Commissioner, in accordance with Section 42(1). If the challenge is successful, the data subject has the right to have the personal data deleted, amongst other reliefs.

8.5. Right to object/opt-out

A data subject has the right to object to the processing of their personal data for direct marketing purposes. Section 18(2) of the Act provides that where the data subject gives a notice of objection to the processing of their personal data for direct marketing, the personal data of the data subject shall not be processed for such purpose.

Where the processing of personal data takes place with the consent of the data subject, they may at any time in writing revoke their consent, provided that the revocation is based on legitimate, reasonable, and compelling grounds at that particular time (Section 19(1) and (2) of the Act).

8.6. Right to data portability

This is not provided for in the Act.

8.7. Right not to be subject to automated decision-making

The Act does not specify that a data subject has the right to refuse being subjected to automated decision-making. The Act merely mandates data controllers to notify the Commissioner before carrying out any wholly or partially automated processing operation or set of operations intended to serve a single purpose or several related purposes, except where the processing relates to operations solely intended for keeping a public register open for inspection in accordance with any written law.

8.8. Other rights

A data subject has the right to:

  • be given a reason if a data controller or data processor refuses to issue a confirmation of whether or not the data controller or data processor has personal data relating to them, and to challenge, before the Commissioner, the refusal by a data controller to issue the confirmation; and
  • take legal action and seek damages against the data controller if personal data is processed in violation of their rights.

9. Penalties

Section 51 of the Act provides for offenses and penalties under the Act. It details that:

  • A person who processes personal data in contravention of the Act is liable to a fine not exceeding BWP 300,000 (approx. $22,000) or to imprisonment for a term not exceeding seven years, or to both.
  • A person who processes sensitive personal data in contravention of the Act is liable to a fine not exceeding BWP 500,000 (approx. $36,740) or to imprisonment for a term not exceeding nine years, or to both.
  • A data controller who processes personal data in contravention of the Act is liable to a fine not exceeding BWP 500,000 (approx. $36,740) or to imprisonment for a term not exceeding nine years, or to both.
  • A data controller who processes sensitive personal data in contravention of the Act is liable to a fine not exceeding BWP 1 million (approx. $73,500) or to imprisonment for a term not exceeding 12 years, or to both.
  • A data controller who does not inform a data subject of the rights conferred on the data subject under the Act is liable to a fine not exceeding BWP 100,000 (approx. $7,350) or to imprisonment for a term not exceeding three years, or to both.
  • A data controller who does not implement the security safeguards under Section 32 of the Act is liable to a fine of BWP 500,000 (approx. $36,740) or to imprisonment for a term not exceeding nine years, or to both.

In addition to the above, Section 18(3) of the Act provides that a data controller who processes data despite the objection of the data subject for direct marketing purposes is liable to a fine not exceeding BWP 500,000 (approx. $36,740) or to imprisonment for a term not exceeding nine years, or to both.

Furthermore, Section 10(3) of the Act provides that any person who does not comply with a request made by the Commissioner under Section 10 of the Act is liable to a fine not exceeding BWP 100,000 (approx. $7,350) or to imprisonment for a term not exceeding three years, or to both.

9.1. Enforcement decisions

The Commission has not yet been fully constituted, and therefore there has not yet been any enforcement decision to report.
