By NOKUNCEDA MAGAGULA | 2024-12-05

Companies that are not registered as data controllers and processors will soon find themselves in trouble with the Eswatini Data Protection Authority (EDPA).

The Authority will be conducting a physical inspection or audit exercise to identify the entities that are not on Eswatini Communications Commission’s (ESCCOM) database of data controllers and processors.

This would be done with the view of determining the reasons for non-compliance and determine the appropriate sanctions where need be. This comes after ESCCOM launched a campaign in March 2024 which elapsed in September inviting entities that deal with clients personal information to register and be certified as data controllers.

This was aimed at ensuring that all companies comply with the provisions of the Data Protection Act, of 2022, as part of the mission to safeguard the personal information of citizens. ESCCOM Chief Executive (CE) Mvilawemphi Dlamini noted that the registration requirement applied to all entities processing personal information.   

He said this was not only companies or businesses but included a wide range of entities such as NGOs, government ministries, religious institutions, trade unions, cooperatives, pharmacies, institutions of higher learning, money lenders, hospitality industry, car rental services, CCTV operators, etc.  

Dlamini said the EDPA conducted a comprehensive stakeholder mapping and had the list of the different entities that process personal data in the Kingdom of Eswatini and was able to identify which entities had not complied.  He said the EDPA was currently compiling a list of entities that were not yet registered.

Dlamini stated that entities that had not registered within the stipulated time were, in effect, in breach of the Act and thus their continued processing of personal information without the registration requirement was deemed illegal unless specifically exempted.

“As with any statute, where there is a breach, there has to be enforcement measures taken and the Act does clothe the Commission with such powers to impose sanctions.  

There were many measures at the Commission’s disposal to deal with entities that were not registered provided under Section six of the Act, and these may include warnings and fines,” he said. spanned He mentioned that the registration spanned for a period of six months which was March to September and the period was long enough for entities to register.  

Dlamini mentioned that to date over 400 entities including banks, telecommunication service providers, private schools, government ministries, parastatals, churches, NGOs, insurances,  cooperatives and associations, employers and private companies, hotels and lodges, and many more across various sector industries had registered.  

Worth mentioning was that compliance with the data protection Act boosted certified entities brands and garnered trust from the public who would their data subjects collected and confidence that their personal data in the entities possession was safe from unauthorised access or disclosure.

share story          

Post Your Comments Below

---