Eswatini - Data Protection Overview

July 2022

1. Governing Texts

Eswatini has since promulgated legislation which collates and deals specifically with privacy and data protection, namely the Data Protection Act No. 41 of 2022 ('the Act'). The Act purports to deal extensively with the protection of data and data subjects. Notwithstanding the above, the region is cognisant of and recognises the rights of all persons (whether artificial or natural) to their information, which will be expanded on further below.

1.1. Key acts, regulations, directives, bills

The Laws of Swaziland are based on the Roman-Dutch Common Law. The Constitution of Swaziland Act No. 1 of 2015 ('the Constitution') is the primary legislation from which all privacy laws flow and in the absence of specific legislation the Common Law applies. The basic laws on data protection are the following:

The Act provides for the collection, processing, disclosure, and protection of personal data; balancing competing values of personal information privacy and sector-specific laws and other related matters.

Generally speaking, and in line with most modern jurisdictions, Eswatini recognises and protects the right of a data subject to their personal information. Consequently, the processing (collection, use, and disclosure) of information concerning a legal person whether by means of computer processing or other processing can only be done with the specific consent of the data subject. The unauthorised collection and processing of personal data and the disclosure thereof to third parties is prohibited and can only be done in specific instances.

As such, Regulation 14 of the Consumer Protection Regulation provides that a supplier must respect the privacy of a consumer in the collection and handling of personal data.

A supplier may only collect, collate, process, or disclose any personal data pertaining to a consumer if:

  • the consumer consents;
  • it is necessary for the conclusion or performance of a contract to which the consumer is a party;
  • the supplier is obliged by law to collect, collate, process, or disclose the personal data;
  • doing so protects a legitimate interest of the consumer;
  • it is necessary for the proper performance of a public law duty to a public body; or
  • it is necessary for pursuing the legitimate interest of the supplier or of a third party to whom the information is supplied.

A supplier in legitimate possession of a data subject's personal information is required to keep that data in a manner which is safe, for as long as the personal data is used, and for a period of at least one year thereafter.

A supplier is prohibited from disclosing any personal data of a data subject to a third party unless required, permitted by law, or specifically authorised to do so in writing by the consumer.

Constitution

Section 14(1)(c) of the Constitution recognises the fundamental right to privacy. Specifically, it states that the fundamental human rights to the protection of the privacy of the home and other property rights of the individual are declared and guaranteed.

Section 22(1) in particular provides that a person shall not be subjected:

  • to the search of the person or the property of that person;
  • to the entry by others on the premises of that person; and
  • to the search of the private communications of that person, except with the free consent of that person first obtained.

Sections 14 and 22 are enshrined provisions of the Constitution and are guaranteed human rights.

Consumer Protection Regulation

The collection, storage, and processing of personal data is regulated by the Consumer Protection Regulations. Those regulations have been issued pursuant to the CCA.

The Consumer Protection Regulations, particularly Regulation 14, deal with issues of privacy and provide that a supplier must respect consumers' privacy in collecting and handling consumers' personal data (Regulation 14(1) of the Consumer Protection Regulations).

In addition, Regulation 14(2) of the Consumer Protection Regulations provides that a supplier may collect, collate, process, or disclose any personal data pertaining to a consumer if:

  • the consumer consents;
  • it is necessary for the conclusion or performance of a contract to which the consumer is a party;
  • the supplier is obliged by law to collect, collate, process or disclose the personal data;
  • doing so protects a legitimate interest of the consumer;
  • it is necessary for the proper performance of a public law duty to a public body; or
  • it is necessary for pursuing the legitimate interest of the supplier or of a third party to whom the information is supplied.

Moreover, Regulation 14(3) to 14(11) of the Consumer Protection Regulations outlines additional requirements for suppliers including:

  • suppliers may not electronically request, collect, collate, process, or store personal data which is not necessary for the lawful purpose for which the information is required;
  • suppliers must disclose in writing to the consumer the specific purpose for which any personal data is being requested, collected, collated, processed, or stored;
  • suppliers may not use personal information for any other purpose than the disclosed purpose without the express written permission of the consumer, unless the supplier is permitted to do so by law;
  • suppliers must, for as long as the personal data is used and for a period of at least one year thereafter, keep a record of the personal data and the specific purpose for which the personal data was collected;
  • suppliers may not disclose any of the personal data held by it to a third party, unless required or permitted by law or specifically authorised to do so in writing by the consumer;
  • suppliers must, for as long as the personal data is used and for a period of at least one year thereafter, keep a record of any third party to whom the personal data was disclosed and of the date on which and the purpose for which it was disclosed;
  • suppliers must delete or destroy all personal data which is no longer in use in terms of sub-regulation (6) unless the supplier is committed or obliged by law to obtain the personal data; and
  • suppliers must provide a consumer with clear and easily accessible information online about the way in which they retain and use personal information and personal data.

In addition, a party may use personal information to compile profiles for statistical purposes and may freely trade with such profiles and statistical data, as long as the profiles or statistical data do not constitute personal data.

The CCA

Section 73 of the CCA provides that a person who, in terms of the Act receives, compiles, retains, or reports any confidential information pertaining to a consumer or prospective consumer shall protect the confidentiality of that confidential information, and in particular, shall:

  • use that confidential information for a purpose permitted or required in terms of the CCA or any other law; and
  • report or release that information to the consumer or prospective consumer, or to any other person;
    • to the extent permitted or required by the CCA or any law; or
    • as directed by:

Protection of privacy in terms of the Criminal Procedure and Evidence Act, 1938

Section 173(1) of the Criminal Procedure and Evidence Act, 1938 ('CPEA') provides for the privacy of information not to be published and it states:

'If an accused is tried upon a charge referred to Section 66(6) of CPEA no person shall subject to subsection (3) at any time publish by radio or any document produced by printing or any other method of multiplication any information relating to such trial or any information disclosed thereat, unless the judge or officer presiding at such trial has, after having consulted the person against or in connection with whom the offence charged is alleged to have been committed (or if they are a minor, their guardian), given their consent, conveyed in a document signed by himself, the registrar, or clerk of the court, to such publication'.

Protection of Privacy under the Common Law

Under the Common Law, the legitimate private interest of an individual is recognised and legally protected. Privacy, therefore, is infringed by the unauthorised collection of personal data (which is the act of intrusion) as well as the disclosure of any such data, while the identity is violated by the collection and disclosure of false information.

The Common Law does appreciate that, from time to time, the public interest may justify the processing of an individual's personal data. Such processing must be done in a reasonable manner, the data must reasonably be for the protection of a legitimate public interest, and the information must have been obtained in a lawful manner.

The processing of false or misleading data cannot be justified under any circumstances and the processing of such is always wrongful.

Having said all this, it must be noted that the Common Law only applies in such circumstances where there is no promulgated legislation in place. In other words, the Common Law fills the lacunae of the law where there is no specific legislation applicable to that specific set of circumstances.

The Data Protection Act

Section 14(1) of the Act states that a data controller shall secure the integrity of personal information in its possession or under its control by taking appropriate, reasonable, technical and administrative measures to prevent:

  • loss of, modification and damage to or unauthorised destruction of personal information; and
  • unlawful access to or processing of personal information.

Section 16 of the Act further provides that a data controller shall ensure that a data processor which processes personal information for or on behalf of the data controller establishes and maintains the security measures referred to in the Act.

Moreover, the processing of personal information for a data controller by a data processor on behalf of the data controller shall be governed by a written contract between the data processor and the data controller, which requires the data processor to establish and maintain confidentiality and security measures to ensure the integrity of personal information (Article 16(2) of the Act).

In addition, where the data processor is not domiciled or does not have its principal place of business in Eswatini, the data controller shall take reasonable steps to ensure that the data processor complies with the laws relating to the protection of personal information of the territory in which the data processor is domiciled (Article 16(3) of the Act).

Section 15 of the Act stipulates that a person acting on behalf of, or under the direction of, the ECC shall treat as confidential personal information which comes to the person's knowledge, except if the communication of such information is required by law or in the proper performance of their duties.

In addition, Section 14(2) of the Act outlines responsibilities of data controllers, including that a data controller must take reasonable measures to:

  • identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify safeguards are effectively implemented; and
  • ensure that safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

1.2. Guidelines

The Eswatini Communications Commission ('ECC') is the statutory body created and envisioned to be responsible for the issuing of data guidelines.

1.3. Case law

In the case of Swaziland National Provident Fund v Dumsile R. Shongwe – Industrial Court of Appeal of Swaziland – Civil Appeal Case No. 06/2016, the Court, as per M.C.B. Maphalala CJ, M. Dlamini AJA, and M.R. Fakudze AJA, dismissed an appeal by an employee for the payment of arrear salary. The employee (Respondent) had been dismissed for breach of confidentiality and/or trust by allegedly sourcing and transmitting confidential information relating to the appellant, which was the employer, to the Swazi Observer Newspaper. The newspaper then published this information, and the employer took steps against the employee. She was subsequently suspended from employment and charged with bringing the employer's name into disrepute. Although there was mention of a breach of confidential information in the judgement, the determination fell on the principles of employment law.

2. Scope of Application

2.1. Personal scope

All the data protection laws apply to data controllers and data processors whether they be artificial persons or natural persons.

2.2. Territorial scope

Data protection laws in Eswatini apply to data controllers and processors whether they are domiciled or have their principal place of business in Eswatini.

2.3. Material scope

Section 3 of the Act states the material scope covers:

  • those who use automated or non-automated means in Eswatini for forwarding personal information; and
  • processing of personal information performed wholly or partly by automated means.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulator is the ECC.

3.2. Main powers, duties and responsibilities

According to Section 5 of the Act, the ECC's functions are, inter alia, to:

  • administer the Act and protect the respective rights of information privacy provided for under the Act or any other law;
  • engage in ensuring that the processing of personal data by the controller complies with the Act;
  • promote an understanding and acceptance of information protection principles through education and public awareness;
  • make public statements in relation to any matter affecting protection of personal information;
  • monitor and enforce compliance with the provisions of the Act by public or private bodies;
  • undertake research and monitor developments in information processing and computer technology to ensure that any adverse effects of such developments on protection of personal information of data subjects are minimised;
  • examine any proposed policy or legislation which may affect the protection of personal information;
  • report with or without request to Parliament of Eswatini ('the Parliament') from time to time, on any matter affecting the protection of personal information of data subjects including the need for, or desirability of, taking legislative, administrative or other action to give protection or better protection to personal information;
  • conduct, from time to time, audits of personal information maintained by data controllers for the purpose of ascertaining whether or not the information is maintained according to the information protection principles;
  • monitor constantly the use of unique identifiers of data subjects;
  • maintain, publish, and provide copies of registers as required under the Act;
  • receive and invite representations from members of the public on any matter provided for under the Act;
  • consult and cooperate with other persons and bodies including international data protection authorities concerned with the protection of personal information;
  • participate in any international and regional cooperation and negotiation on matters of data protection impacting Eswatini;
  • advise Parliament or a public or private body on the obligations of that public or private body under the Act;
  • receive, investigate, or resolve complaints on alleged violations of the provisions of the Act and report the findings and decisions to the complainants;
  • receive complaints or reports of violation of individual rights and liberties under the Act and refer such complaints and reports to the Human Rights and Public Administration Commission for investigation and determination;
  • report to Parliament from time to time on the desirability of the acceptance by Eswatini of any international instrument relating to the protection of personal information;
  • issue, approve, amend or revoke codes of conduct;
  • make and issue guidelines to assist public or private bodies to develop codes of conduct or to apply codes of conduct;
  • impose administrative sanctions which may be punitive, depending on the facts of the matter such as the cancellation of the authorisation of processing of personal information, fines or awarding of damages to the benefit of the injured data subject in the case of violation of the provisions of the Act;
  • establish mechanisms of cooperation with the authorities or other data protection authorities from other countries, for purposes of resolving cross-border disputes pertaining to data protection and information privacy;
  • review a decision made under an approved code of conduct;
  • exercise and perform such other functions or powers conferred by the Act; and
  • make such decisions and authorisations as may be necessary in carrying out the functions of the ECC.

The ECC may, from time to time, in the public interest or in the legitimate interest of any person or body of persons, publish reports relating to the exercise of the functions of the ECC under the Act or to any case investigated by the ECC.

4. Key Definitions 

Data controller: a public or private body which or any other person designated by law, who alone or together with others, determines the purpose of and means for processing personal information, regardless of whether or not such data is processed by that party or by a data processor on its behalf, where the purpose and means of processing are determined by law (Section 2 of the Act).

Data processor: refers to a natural or legal person, or public body which processes personal information for and on behalf of a data controller and under the instructions of a data controller, and excludes persons who are authorised to process data under the direct authority of a data controller (Section 2 of the Act).

Personal data: refers to information about an identifiable individual that is recorded in any form, including without restricting the generality of the foregoing (Section 2 of the Act):

  • information relating to the race, national or ethnic origin, religion, age or marital status of the individual;
  • information relating to the education or the medical, criminal, or employment history of the individual or information relating to financial transactions in which the individual has been involved;
  • any unique identifying number, symbol, or other particular assigned to the individual;
  • the address, fingerprints, or blood type of the individual;
  • the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual;
  • correspondence sent to a data controller by the individual that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence; and
  • the views or opinions of any other person about the individual.

Sensitive data: refers to (Section 2 of the Act):

  • genetic data, data related to children, data related to offences, criminal sentences, or security measure, biometric data as well as, if it is processed or what it reveals, personal information revealing racial or ethnic origin, political opinions or affiliations, religious or philosophical beliefs, affiliations, trade-union membership, gender and data concerning health or sex life; or
  • any personal information otherwise considered by the laws of Eswatini as presenting a major risk to the rights and interests of the data subject, in particular unlawful or arbitrary discrimination.

Health data: There is no definition provided in the Act or any other relevant legislation.

Biometric data: Means a technique of personal identification that is based on physical characteristics including fingerprinting, DNA analysis, retinal scanning, and voice recognition (Section 2 of the Act).

Pseudonymisation: There is no definition provided in the Act or any other relevant legislation.

Data subject: Means a person who is the subject of the processing of personal information and who is identified or identifiable (Section 2 of the Act).

5. Legal Bases

Section 9(2) of the Act outlines that personal information shall be processed where:

  • the data subject provides explicit consent to the processing;
  • processing is necessary for conclusion or performance of a contract to which the data subject is a party; 
  • processing is necessary for compliance with a legal obligation to which the data controller is subject; 
  • processing is necessary to protect the legitimate interests of the data subject;
  • processing is necessary for the proper performance of public law duty by a public body; or
  • processing is necessary for pursuing the legitimate interests of the data controller or of a third party to whom the information is supplied.

5.1. Consent

Please see section on 'legal bases' above.

5.2. Contract with the data subject

Please see section on 'legal bases' above.

5.3. Legal obligations

Please see section on 'legal bases' above.

5.4. Interests of the data subject

Please see section on 'legal bases' above.

5.5. Public interest

Please see section on 'legal bases' above.

5.6. Legitimate interests of the data controller

Please see section on 'legal bases' above.

5.7. Legal bases in other instances

Not applicable. 

6. Principles 

At present the only principles laid down are that of transparency in that the Consumer Protection Regulations explicitly detail that data collectors may only do so with the consent of the subject. The rest fall within the ambit of the Constitution and are guaranteed by the enshrined Bill of Human Rights. 

In addition, Section 12 of the Act states that data shall be collected for specified, explicit, and legitimate purposes and shall not be further processed in a way incompatible with those purposes. Furthermore, personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant, and not excessive (Section 9(4) of the Act).

Moreover, the further processing of personal information shall be compatible with the purposes of collection if:

  • the data subject has consented to the further processing of the information;
  • the information is available in public records or has deliberately been made public by the data subject;
  • further processing is necessary:
    • to avoid prejudice to the maintenance of the law or enforcement of law and order;
    • for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
    • in the legitimate interests of national security;
  • the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to:
    • public health and safety; or
    • the life and health of the data subject or another individual; and 
  • the information is used for historical, statistical or research purposes and the data controller has established appropriate safeguards against the personal data being used for any other purposes.

7. Controller and Processor Obligations

7.1. Data processing notification

Section 46 of the Act provides:

  • a data controller shall notify the ECC of the processing of personal information to which the Act applies;
  • the notification provided for under Section 46(1) of the Act shall contain the following particulars:
    • the name and address of the data controller;
    • the purpose of the processing;
    • a description of the categories of data subjects and of the information or categories of information relating thereto;
    • the recipients or categories of recipients to whom the personal information may be supplied;
    • planned trans-border flow of personal information; and
    • a general description allowing a preliminary assessment of the suitability of the information security measures to be implemented by the data controller to ensure the confidentiality, integrity, and availability of the information which is to be processed; and
  • subject to Section 46(4) of the Act, a data controller shall give notice each time personal information is received or processed;
  • changes in the name and address of the data controller shall be notified within one week and changes to the notification which concern Section 46(2)(b) to (f) of the Act shall be notified within one year of the previous notification, if they are of more incidental importance; and
  • any processing which departs from that which has been notified in accordance with the provisions of Section 46(2)(b) to (f) of the Act shall be recorded and kept for at least three years.

The ECC may, by notice, exempt certain categories of information processing which are unlikely to infringe the legitimate interests of a data subject from the notification requirements referred to in this Section (Section 46(6) of the Act).

The ECC shall maintain an up-to-date register of the information processing notified to it (Section 46(7) of the Act). A data controller shall process personal information only upon notification to the ECC (Section 46(8) of the Act).

7.2. Data transfers

In terms of our common law and the Act, cross-border processing/transfer of personal data can only be done with the specific written consent of the data subject.

7.3. Data processing records

Yes, there is such a requirement, and it is provided for by Part III, Section 9(1) of the Act, which states that records shall be kept in a filing cabinet and/or in electronic form.

7.4. Data protection impact assessment

We are not aware of any such requirement and/or recommendation.

7.5. Data protection officer appointment

Section 48 of the Act details that the head of a data controller may, subject to the provisions of the Act, designate one or more officers or employees to be data protection officers of the controller.

7.6. Data breach notification

Section 17 of the Act, which is titled 'Notification of security compromise', states that:

  • where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the data controller, or any other third-party processing personal information under the authority of a data controller, shall notify:
    • the ECC; and
    • the data subject, unless the identity of such data subject cannot be established; and 
  • the notification referred to in Section 17(1) of the Act shall be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the information system of the data controller;
  • the data controller shall delay notification to the data subject where the police or the ECC determines that notification will impede a criminal investigation;
  • the notification to a data subject referred to in Section 17(1) of the Act shall be in writing and communicated to the data subject in one of the following ways:
    • mailed to the last known physical or postal address of the data subject;
    • sent by e-mail to the last known e-mail address of the data subject;
    • placed in a prominent position on the website of the party responsible for notification;
    • published in the news media; or
    • as may be directed by the ECC.
  • a person making notification shall ensure that the notification provides sufficient information to allow the data subject to take protective measures against potential consequences of the compromise, including, if known to the data controller, the identity of the unauthorised person who may have accessed or acquired the personal information; and
  • the ECC may direct a data controller to publicise, in any manner specified, the facts of any compromise to the integrity or confidentiality of personal information, where the ECC has reasonable grounds to believe that the public would protect a data subject who may be affected by the compromise.

7.7. Data retention

Part III, Section 13 of the Act provides that a data controller shall retain data for no longer than a prescribed period unless the retention is authorised by law, the data controller reasonably requires the record for lawful purposes related to its function and activities, the retention is required by a contract between the parties and the data subject has consented to the retention of the record.

There are no specific time frames, but the Act stipulates that the data shall be destroyed/de-identified as soon as reasonably practicable.

AML

In terms of Section 8 of the Money Laundering and Financing of Terrorism (Prevention) Act of 2011, records by an accountable institution must be kept for a minimum period of five years from the date the evidence of the identity of a person was obtained, including any transaction or correspondence or when the account is closed or when business relationship ceases.

7.8. Children's data

Children's data is classified as 'sensitive personal data' and according to the Act it shall not be processed. The only exemption is upon the consent of a guardian where it is necessary for the performance of their legal duties. The age of consent according to the Children's Protection and Welfare Act of 2012 is 18 years.

7.9. Special categories of personal data

Generally, the processing of the criminal behaviour of a data subject is prohibited; however, according to the Act, this rule shall not apply where the processing is carried out by a body charged by law with applying criminal law or by a data controller who has obtained that information in accordance with the Act (Section 28 of the Act).

7.10. Controller and processor contracts

Not applicable.

8. Data Subject Rights

8.1. Right to be informed

Where personal information is collected by the data controller directly from the data subject, the data controller shall take reasonable and practicable steps to ensure that the data subject is aware of (Section 18 of the Act):

  • the information being collected;
  • the name and address of the data controller;
  • the purpose for which the information is being collected;
  • whether or not the supply of the information by the data subject is mandatory;
  • the consequences of failure to provide the information;
  • any law authorising or requiring the collection of the information; and
  • any further information which is necessary having regard to the specific circumstances, such as:
    • the recipient or category of recipients of the information;
    • the nature or category of the information; and
    • the existence of the right of access to and the right to rectify the information collected.

8.2. Right to access

A data subject who provides adequate proof of identity shall have a right to request (Section 19 of the Act):

  • a data controller to confirm, free of charge, whether or not the data controller holds personal information about the data subject; and
  • from a data controller, personal information about the data subject held by the data controller, including information about the identity of all third parties who have or had, access to the information;
    • within a prescribed time;
    • at a prescribed fee;
    • in a reasonable manner and format; and
    • in a form that is generally understandable.

8.3. Right to rectification

A data subject shall, free of charge, have a right to challenge the correctness of information by requesting that a data controller (Section 20 of the Act):

  • corrects or deletes personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully; or
  • destroys or deletes a record of personal information about the data subject that the data controller is no longer authorised to retain.

Moreover, a data controller shall, on receipt of a request as per Section 20(1) of the Act, take reasonable steps to investigate the request lodged and correct, destroy, or delete the information, or provide the data subject with credible evidence in support of the correctness of the information.

8.4. Right to erasure

Please see section on 'Right to Rectification' above.

8.5. Right to object/opt-out

A data subject may, on compelling legitimate grounds, make a written objection to the processing of data relating to ECC on the grounds that the processing does not comply with the conditions listed in Section 9(1) of the Act and, where the objection is upheld by the ECC, the data controller shall not process the data (Section 9(3) of the Act).

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

All these rights are provided for by the Act, and if not explicitly spoken of are inherently covered by the Constitution as well as the Bill of Rights. Additionally, a data subject shall have a right to challenge the written reasons for denial of requests made in terms of Section 19(1) of the Act.

9. Penalties

According to Section 53 of the Act, a person who:

  • hinders, obstructs, or unlawfully influences the ECC or any person acting on behalf of or under the direction of the ECC in the performance of the ECC's duties and functions under the Act;
  • breaches rules of confidentiality made under the Act;
  • intentionally and unlawfully obstructs a person in the execution of a warrant issued under the Act;
  • fails, without reasonable cause to give a person executing a warrant assistance as the person may reasonably require for the execution of the warrant; or
  • violates, without reasonable cause, its obligations under the Act, subject to the determination of the ECC,

commits an offence and shall, on conviction, be liable to a fine not exceeding SZL 100 million (approx. €5.8 million) or 5% of the annual turnover of the data controller or to imprisonment for a period not exceeding ten years or to both, and if the offender is a juristic person the sentence shall be served by the head of the data controller.

9.1. Enforcement decisions

Not applicable.