DPA 2022

Data Protection Act 5 of 2022

Flag of SZ
EswatiniOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
March 4, 2022
Enacted
March 4, 2022
Enforcing Authority
Eswatini Communications Commission (ESCCOM)
Consent Model
Opt-in
Applies To
All public and private bodies processing personal data, whether domiciled in Eswatini or abroad, using automated or non-automated means in the country

Overview

Eswatini's Data Protection Act 2022 is the kingdom's first data protection legislation, enacted in March 2022 with enforcement beginning September 2025. The Eswatini Communications Commission (ESCCOM) serves as the regulatory authority. The law carries some of the highest criminal penalties in Africa, with a two-tier structure separating administrative and criminal sanctions.

What This Means for Your Website

If your website processes personal data of Eswatini visitors, you must obtain consent before processing and comply with principles of purpose limitation, data minimization, and accuracy. The law has extraterritorial scope, covering foreign entities using automated or non-automated means in Eswatini. Prior notification or authorization is required before processing activities begin.

Key Requirements

Administrative penalties reach E5,000,000 or 2% of annual turnover. Criminal penalties escalate dramatically to E100,000,000 or 5% of annual turnover or 10 years imprisonment. Data controllers must maintain processing records, implement security measures, and ensure data subjects can exercise their rights of access, correction, and deletion.

How ConsentStack Handles This

ConsentStack detects visitors from Eswatini and displays a compliant consent banner requiring affirmative opt-in before activating non-essential data processing technologies.

Penalties

Administrative: E5,000,000 or 2% of annual turnover. Criminal: E100,000,000 or 5% of annual turnover or 10 years imprisonment.

Maximum Fine
SZL100,000,000 per violation
Revenue-based
5% of annual revenue

Key Requirements

  • Consent required for personal data processing
  • Principles of purpose limitation, data minimization, accuracy, and storage limitation
  • Data subjects have rights of access, correction, and deletion
  • Data security measures mandatory
  • Processing records required
  • Prior notification or authorization required

Notable Provisions

  • E100,000,000 or 5% criminal penalty among the highest in Africa
  • Two-tier penalty: administrative (2% turnover) vs. criminal (5% turnover + imprisonment)
  • Extraterritorial scope covers foreign entities using means in Eswatini
  • Enforcement from September 2025

Other Sub-Saharan Africa Regulations

POPIASouth Africa
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPANigeria
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843Ghana
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019Republic of Kenya
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022United Republic of Tanzania
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450Ivory Coast
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

What are the penalties under Eswatini's DPA?

Administrative: E5M or 2% of turnover. Criminal: E100M or 5% of turnover or 10 years imprisonment -- among the highest in Africa.

When does enforcement begin in Eswatini?

Enforcement of the DPA 2022 begins from September 2025.

Does Eswatini's DPA apply to foreign companies?

Yes. The law has extraterritorial scope covering foreign entities using automated or non-automated means within Eswatini.

Stay compliant with DPA 2022

ConsentStack helps you implement Opt-in consent for Eswatini automatically.

Get started free