Data protection & privacy laws in eSwatini (2026)
eSwatini enacted a comprehensive, GDPR-aligned Data Protection Act in March 2022, covering all public and private bodies that process personal data in the country, whether domiciled locally or abroad. The Eswatini Communications Commission (ESCCOM) serves as the national Data Protection Authority (EDPA), with powers to investigate complaints, issue enforcement notices, and impose administrative fines. Active enforcement began in 2024, with mandatory data-controller registration, certificate renewals, and compliance notices issued against unregistered entities.
Key points
The Data Protection Act No. 5 of 2022 was gazetted on 4 March 2022 and entered into force immediately. It applies to automated and non-automated processing of personal information by any public or private body, including foreign entities processing data within eSwatini.
ESCCOM is designated as the national EDPA and is empowered to investigate data breaches, adjudicate complaints, conduct physical inspections, issue enforcement/compliance notices, and sanction non-compliant controllers and processors.
Processing requires one of five lawful bases: explicit consent, contract performance, legal obligation, protection of the data subject's legitimate interests, or public-body duty. Data subjects hold rights of access (free of charge), correction, deletion, and objection.
Data controllers must notify the EDPA of a personal data breach within 72 hours of becoming aware of it, mirroring the GDPR standard.
Administrative fines reach up to E5 million (≈ USD 268,000) or 2% of annual turnover; severe violations may attract criminal liability. ESCCOM issued enforcement notices against unregistered entities in 2024–2025 and awarded registration certificates to compliant organisations, including a renewal round completed in June 2025.
The Act prohibits processing of special-category data (race, religion, health, political views, etc.) except under specific exemptions such as medical necessity, public interest, or Commission authorisation. ESCCOM became a member of the Network of African Data Protection Authorities (NADPA), deepening regional regulatory cooperation.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.