Up to E100 million fine for breaching Data Protection Act

Eswatini Data Protection Authority Manager Sicelo Simelane

by Bahle Gama

Entities or companies found to have breached the Data Protection Act will be liable to a fine of up to E100 million or 2 per cent of their turnover.

This was disclosed by Eswatini Data Protection Authority Manager Sicelo Simelane in an interview, in response to a question about the repercussions for organisations that do not adhere to the Act.

Simelane said the Act mandates data controllers to report personal data breaches within 72 hours of the business becoming aware of them.

He described data protection as the process of safeguarding important data from corruption, unlawful disclosure, compromise, or loss and providing the capability to restore the data to a functional state should something happen to render the data inaccessible or unusable.

Data laws across countries and Eswatini enacted the Data Protection Act 2022 which designates the Eswatini Communications Commission (ESCCOM) as the Eswatini Data Protection Authority, guarantees the rights of data subjects, and lays down principles for processing personal information.

This means the Commission is mandated to regulate how personal information is handled, investigate breaches in handling information, and resolve any complaints relating to breaches.

In doing so, the Commission may issue any sanction available in terms of the Act and may also impose administrative fines whilst enforcing the Act’s provisions.

Simelane said that, just like every law, the Act has clauses that guide data controllers and distributors and ensure that they adhere to it.

“I don’t think anyone wants to be fined that much, and we believe people will adhere to the law and protect the data and the people they collect it from,” said Simelane.

Data protection rules apply to personal data that can identify individuals, such as their name, ID number, email address, or their address.

“Therefore, data protection is essential for security, privacy, compliance, as well as for innovation and trust in today’s digital economy,” Simelane added.

According to information from the Authority’s brochure, seven protection principles guide data controllers and processors to ensure they adhere to the Act.

One of these is integrity and confidentiality, whereby data controllers and processors must keep personal data safe, so it does not get accidentally deleted or changed, or seen by someone who is not allowed to see it.

Another is accountability, which means entities must demonstrate how they take responsibility for how they use people’s data. Then there is storage limitation, wherein data controllers and protectors must not keep personal data for longer than it is needed.

Entities have the responsibility to ensure that the data they hold is accurate and up to date and is the minimum necessary.

They also have a responsibility for purpose limitation, wherein personal data must be used only for the purpose for which it was collected.

Additionally, data collectors and processors must exercise lawfulness, fairness, and transparency, which means there must be a valid legal reason for the processing of personal data.

“Data controllers must also disclose fully the reasons for collecting the personal data and how it will be used,” reads the brochure.

‘EmaSwati can object to data usage for marketing purposes’

In the event that a company or entity feels the need to use an individual’s personal data for marketing purposes, the person has a right to object to that.

According to the Eswatini Data Protection Authority, emaSwati have the right to object to their personal data being used for marketing reasons.

In other circumstances, they may also object to how their data is being processed.

This is one of the rights individuals have to ensure that the data given to organisations and businesses is safely kept and properly processed.

Another is the right to be informed, which means businesses must give individuals clear, succinct, and easily understandable information on what they want to do with the data. This fosters a level of trust.

“Companies dealing in data must provide privacy information including the name and contact details of the organisation, representative, data protection officer, the purpose of data collection and processing, legitimate interests for processing as well as retention periods,” said the Authority.

Other rights include:

  1. The right to rectification: individual data subjects have the right to rectify or correct inaccurate personal data or have it fully completed if the information is not complete. They can request rectification in writing or verbally, and the company has one calendar month to respond to a request for rectification.
  2. The right to access: this gives individuals the legal right to a copy of their personal data and any other supplementary data. Individuals have the right of access to their personal data as held by a company. A subject access request can be made to the company concerned either verbally or in writing, and the company has 30 days to respond.
  3. The right to erasure: also called the right to be forgotten, this means individuals can request that their data be erased permanently from the controller’s databases. The request can be made verbally or in writing, and a response must be provided within 30 days. This right only applies in certain circumstances and is not absolute.
  4. The right to restrict processing, wherein individuals have the right to suppress or block their data from being used. This is not absolute and applies to specific circumstances.
  5. The right to data portability allows individuals to obtain and use their data for their own reasons. It means they can copy, transfer, or move personal data from one online environment to another safely, securely, and in a frequently used machine-readable format.

Rights regarding automated profiling and decision-making refer to the use of technology to process and analyse the individual’s personal data.

This means that resolutions are taken by automation with no involvement from humans. The individual must be informed of the automated profiling and decision-making, and there must be easy ways for them to challenge an automated decision or ask for a human being to check it.
