Eswatini: An overview of the Data Protection Act
On 4 March 2022, King Mswati III signed the Data Protection Act No. 5 of 2022 ('the Act') into law. In this article, Melody Musoni, an independent privacy professional, breaks down the key provisions of the Act, touching on topics such as legitimate bases and data processing principles, data subject rights, and data transfers.
The preamble of the Act outlines that the Act provides for the collection, processing, disclosure, and protection of personal data, balancing competing values of personal information privacy, sector-specific laws, and other related matters. The terms 'personal data' and 'personal information' are used interchangeably in the Act. The Act applies to any data controller or data processor who uses automated or non-automated means in Eswatini for forwarding personal information, regardless of whether the data controller or data processor is domiciled in Eswatini or has its principal place of business in Eswatini. The Act also applies to the processing of personal information performed wholly or partly by automated means (Section 3 of the Act).
The functions and powers of a data protection authority under the Act have been assigned to the Eswatini Communications Commission ('the Commission'). Some of the functions of the Commission include administering the Act and protecting the respective privacy rights provided for under the Act or any other law, ensuring that the processing of personal data by the controller complies with the Act, promoting the understanding and acceptance of information protection principles through education and public awareness, issuing codes of conduct, and monitoring and enforcing compliance with the provisions of the Act by public and private bodies, among other things (Section 5 of the Act).
Personal information shall be processed and kept in a filing cabinet and/or in electronic form (Section 9(1) of the Act). The Act sets out six legal bases for the processing of personal data. Personal data may be processed if:
- the data subject provides explicit consent to the processing;
- it is necessary for the conclusion or performance of a contract to which the data subject is a party;
- it is necessary for compliance with a legal obligation to which the data controller is subject;
- it is necessary to protect the legitimate interests of the data subject;
- it is necessary for the proper performance of public law duty by a public body; or
- it is necessary for pursuing the legitimate interests of the data controller or a third party to whom the information is supplied (Section 9(2) of the Act).
Data processing principles
Collection of personal information from a data subject
The collection of personal information should be from the data subject unless there are justifiable exceptions. Some of the exceptions include instances where the information is in a public record, the data subject has consented to the collection of the information from another source, or the collection of the information from another source will not prejudice a legitimate interest of the data subject (Section 10 of the Act).
Collection of personal information by the data controller
When a data controller collects personal information from the data subject, it must take reasonable and practicable steps to ensure that the data subject is aware of the data controller's name and address, information collected, the purpose for collection, whether or not the supply of the information by the data subject is mandatory, the consequences for failure to provide the information, any law authorising or requiring the collection of the information, and any further information which is necessary (Section 11 of the Act).
Purpose specification and further processing limitation
Another important principle found in the Act is the processing of personal data for a specific purpose and restriction of any further processing. Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes. Any further processing activities are permitted if they are compatible with the original purpose at collection (Section 12 of the Act).
The Act puts in place limitations on the retention of records. Generally, records of personal information are not to be retained for a period longer than is required. However, the Act provides for instances where longer retention periods are permitted, such as if it is authorised by law, the data controller reasonably requires the record for lawful purposes, the record is required by a contract between the parties, or the data subject has provided consent to a longer retention period (Section 13 of the Act).
A data controller shall secure the integrity of personal information in its possession or under its control by taking appropriate and reasonable technical and administrative measures to prevent the loss of, modification and damage to, or unauthorised destruction of personal information, and unlawful access to, or processing of, personal information. Undertaking risk assessments forms part of the security measures which may be undertaken by a data controller (Section 14 of the Act). The obligation to maintain security measures also extends to a data processor when processing personal data for, and on behalf of, a data controller (Section 16 of the Act). There is an obligation to notify the Commission and affected data subjects when a data breach or security compromise occurs. This obligation falls on both the data controller and any other third party processing personal information under the authority of a data controller (Section 17 of the Act).
Quality of information
A person who is responsible for collecting and processing personal information shall take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading, and kept up to date where necessary (Section 18 of the Act).
Sensitive personal information
The Act defines sensitive personal information to include genetic data, data related to children, data related to offences, criminal sentences, or security measures, and biometric data, as well as, if it is processed for what it reveals, personal information revealing racial or ethnic origin, political opinions or affiliations, religious or philosophical beliefs, trade-union membership, gender, and data concerning health or sex life. The definition further includes any personal information otherwise considered by the laws of Eswatini as presenting a major risk to the rights and interests of the data subject, in particular unlawful or arbitrary discrimination. There is a general prohibition against the processing of sensitive personal information. A data controller may process sensitive personal information only under the strict circumstances provided for under the Act (Section 22 of the Act).
Part IV of the Act outlines the exemptions applicable to the processing of sensitive personal information, including:
- spiritual, religious, or philosophical beliefs of a data subject (Section 23 of the Act);
- race of a data subject (Section 24 of the Act);
- trade union membership of a data subject (Section 25 of the Act);
- political affiliation of a data subject (Section 26 of the Act);
- health or sexual life of a data subject (Section 27 of the Act);
- criminal behaviour of a data subject (Section 28 of the Act);
- sensitive personal information (Section 29 of the Act);
- authorisation by the Commission (Section 30 of the Act); and
- processing of personal data for historical, statistical, and research purposes (Section 31 of the Act).
Apart from the exemptions under Part IV, the Act also features other exemptions. The Act does not apply to the processing of personal information for a purely personal or household activity (Section 4(a) of the Act) or to any personal information which has been de-identified to the extent that it cannot be re-identified (Section 4(b) of the Act). Personal information processed by, or on behalf of, the State and involving national security and defence or public safety is also not subject to the Act (Section 4(c) of the Act). Further, the Act does not apply to personal information used solely for journalistic purposes or the purposes of artistic or literary expression, where the exemption is necessary to reconcile the right to privacy with the rules governing freedom of expression (Section 4(d) of the Act).
Data subject rights
Right of access to information
A data subject has the right to request access to personal information about them which is held by the data controller (Section 19(1) of the Act).
Right to receive reasons
If the data controller denies a data subject a request for access to information, the data subject shall be entitled to be given written reasons for the denial (Section 19(2) of the Act).
Right to challenge reasons
A data subject has a right to challenge the written reasons for denial or requests made (Section 19(3) of the Act).
Right to correction
A data subject has the right to an accurate record of their personal data and may request the data controller to correct or delete an inaccurate, irrelevant, excessive, and out-of-date record. This right also extends to destroying or deleting a record that the data controller is no longer authorised to retain (Section 20 of the Act).
Right of notification
A data subject has the right to be notified in writing of a security compromise as soon as reasonably possible (Sections 17(1)(b) and 17(4) of the Act).
Right to object to direct marketing
A data subject is entitled to object to the processing of their personal data by the data controller for direct marketing purposes (Section 44(2) of the Act).
Right not to be subjected to automated decision making
A data subject may not be subjected to a decision which has legal effect on them, or which affects them significantly, based solely on the automated processing of personal information intended to provide a profile of certain aspects of their personality or personal habits (Section 45 of the Act).
Part V of the Act contains provisions on trans-border flows of personal data outside of Eswatini. The rules for cross-border data transfers depend on whether the recipient is located within or outside the Southern African Development Community ('SADC'), an economic bloc which covers 16 countries in Southern Africa. The SADC Member States approved the SADC Model Law on Data Protection, which sets out the guiding principles which can be adopted by Member States when developing their national laws on data protection. The Act provides that if a SADC Member State has transposed these SADC data protection requirements, the transfer of data to a recipient in that Member State is permitted (Section 32(1) of the Act). This form of transfer is permitted where the recipient establishes that the data is necessary for the performance of a task carried out in the public interest or pursuant to the lawful functions of the data controller, or where the recipient establishes the necessity of having the data transferred and there is no reason to assume that the data subject's legitimate interests might be prejudiced by the transfer or the processing in the Member State (Sections 32(1)(a) and (b) of the Act).
Section 33 of the Act permits the transfer of personal information to recipients which are not in SADC Member States, or which are not subject to national law adopted pursuant to SADC data protection requirements, if an adequate level of protection is ensured in the country of the recipient and the data is transferred solely to permit processing otherwise authorised to be undertaken by the controller (Section 33 of the Act). The Act provides a list of factors which must be considered when assessing whether the third country receiving the personal data has an adequate level of protection. These include the nature of the data, the purpose and duration of the proposed processing, the country of the recipient, the relevant laws in force in the third country, and the professional rules and security measures which are complied with in the country of the recipient (Section 33(2) of the Act).
Apart from the above requirements, transfers of personal data are permitted where the data subject has unambiguously given their consent to the proposed transfer, or the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken in response to the request of the data subject (Sections 33(4)(a) and (b) of the Act). Transfers are further permitted if the transfer is necessary for the conclusion or performance of a contract concluded, or to be concluded, between the controller and a third party in the interest of the data subject, or the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise, or defence of legal claims (Sections 33(4)(c) and (d) of the Act). Finally, transfers are also permitted if the transfer is necessary to protect the legitimate interests of the data subject, or if the transfer is made from a register which is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled (Sections 33(4)(e) and (f) of the Act).
Appointment of DPOs
The head of a data controller may designate one or more data protection officers ('DPOs') or employees to be DPOs of that controller. The functions of a DPO include promoting compliance with the Act, cooperating with the Commission on investigations or proceedings, dealing with requests made to the controller pursuant to the controller's obligations, and pursuing legal appeals with relevant judicial authorities (Section 48 of the Act). There is no requirement for the registration of the DPO with the Commission. There is also no requirement for data processors to appoint a DPO.
The Act does not put an outright ban on direct marketing. Instead, the burden is placed on the data subject to give notice to a data controller that it should cease, or not begin, the processing of their personal data for direct marketing purposes (Section 44(2) of the Act). If the data controller continues to send direct marketing material to a data subject after receiving a notice not to do so, the data subject may inform the Commission. If the Commission is satisfied, on the application of a person who has given the notice, that the data controller has failed to comply with the notice, the Commission may order the data controller to take such steps to comply with the notice as the Commission deems fit (Section 44(3) of the Act).
Sanctions, offences, and penalties
There are different types of sanctions which can be imposed by the Commission depending on whether one is a data controller or not. In the case of a data controller, actions which can be taken by the Commission against the data controller for its non-compliance include the following:
If, after an investigation, the Commission is satisfied that a data controller has contravened the Act, the Commission shall serve the data controller with an enforcement notice requiring the data controller to take specified steps, refrain from taking action, or stop processing personal information specified in the enforcement notice, or stop processing for a purpose or in a manner specified in the enforcement notice, within a period specified in the same (Section 41 of the Act).
The Commission may issue a warning to a data controller who fails to comply with the obligations of the Act (Section 6(1)(a) of the Act). The Act does not clarify whether this warning will be a written warning submitted to the data controller's email address, postal address, or published in the Gazette or news media, or whether it is a verbal warning. Section 52(1) of the Act provides that a warning by the Commission shall be regarded as a sanction.
The Commission may issue a formal notice calling upon a data controller to comply. The formal notice will specify the time frames within which the data controller is expected to comply (Section 6(1)(b) of the Act).
If the data controller fails to comply with the formal notice, the Commission may limit, suspend, or terminate the authorisation of a data controller to process personal information (Section 6(3)(a) of the Act).
Apart from suspending, limiting, or terminating authorisation to process personal information, the Commission can impose an administrative fine. The fine should not exceed SZL 5 million (approx. €280,360) or 2% of the annual turnover of the data controller (Section 6(3)(b) of the Act).
Action against a person/body/persons
In the case of any person, body, or persons which fail to comply with the Act, the Commission can impose any one of three sanctions:
- cancelling or suspending the authorisation to process personal information;
- imposing a fine against that person, body, or persons; or
- ordering that person, body, or persons to compensate to the benefit of an aggrieved person or data subject (Section 6(4) of the Act).
Section 53 of the Act prescribes the offences which can be committed under the Act. A person who hinders, obstructs, or unlawfully influences the Commission, or any person acting on behalf or under the direction of the Commission, in the performance of the Commission's duties and functions under this Act commits an offence (Section 53(a) of the Act). It is also an offence for a person to breach the rules of confidentiality made under this Act or to intentionally and unlawfully obstruct a person in the execution of a warrant issued under this Act (Sections 53(b) and (c) of the Act). A person who fails, without reasonable cause, to give a person executing a warrant such assistance as that person may reasonably require for the execution of the warrant commits an offence (Section 53(d) of the Act). It is also an offence for a person to violate, without reasonable cause, their obligations under this Act, subject to the determination of the Commission (Section 53(e) of the Act). The prescribed penalties include a fine or imprisonment, or both. The fine may not exceed SZL 1 million (approx. €56,040), or 5% of the annual turnover of the data controller. The jail term shall not exceed ten years. Where the offender is a juristic person, the Act clarifies that the jail term will be served by the head of the data controller.
Melody Musoni Independent Privacy Professional