Data protection & privacy laws in Lesotho (2026)

The Data Protection Act, 2012 (Act No. 5 of 2012), gazetted 22 February 2012, is the single comprehensive instrument governing personal-data protection. It was drafted to align broadly with EU standards and SADC data-protection norms.

Part 2 of the Act establishes an independent Data Protection Commission empowered to investigate complaints, issue codes of conduct, and advise on compliance. As of 2026 the Commissioner has never been appointed, rendering the body non-functional; enforcement must therefore proceed through the courts.

The Act grants individuals rights to access, correct, and block misuse of their personal data. Data controllers must obtain informed consent before processing and implement reasonable security measures to safeguard personal information.

Personal data may not be transferred to a foreign country unless the recipient is subject to law or binding conduct upholding principles substantially similar to those in the Act, a meaningful adequacy standard.

Violations carry fines up to M50,000 and/or imprisonment of up to five years. Because the Commission cannot impose fines directly, enforcement requires court proceedings; the absence of an appointed Commission does not suspend controller obligations.

Legal commentary as of late 2025 calls for a targeted amendment adding Data Protection Impact Assessments, records of processing, and Data Protection Officers for high-risk entities, as well as ratification of the AU Malabo Convention, but no such amendment had been passed as of May 2026.