Botswana’s Data Protection Act: Safeguarding Privacy and Information


The Act regulates the protection and processing of personal and sensitive personal data, including the cross-border transfer of such data, and establishes the Information and Data Protection Commission. It sets forth requirements for the lawful processing of personal and sensitive data, outlines procedures for data subjects to file complaints, and specifies sanctions for violations of the Act. The Act came into effect in October 2021, with the most recent amendment, the Data Protection Act (Transitional Period) Order, 2023, taking effect on October 13, 2023.  

Scope and Applicability

Territorial scope 

Under Section 3(1), the Act applies to the processing of personal and sensitive data within Botswana, as well as to the transfer of such data outside the country. If the data controller is outside Botswana, the Act still applies if the processing uses automated or non-automated means located in Botswana. However, the Act does not apply if the automated means are used only for transmitting personal data.

Material scope 

The Act applies to the processing of personal and sensitive personal data of natural persons in Botswana. 

Legal bases 

  1. Consent

  2. Contract with the Data Subject

  3. Legal Obligation

  4. Public Interest

  5. Interest of the Data Subject

  6. Legitimate Interests of the Data Controller

Principles of Data Protection

Key Principles of Processing

Personal data must be processed in accordance with the principles outlined in Section 14 of the Act, which include: 

  1. Fair and Lawful Processing: Personal data must be processed fairly and lawfully, and, where applicable, with the knowledge or consent of the data subject. 

  2. Adequacy and Relevance: The data collected must be adequate, relevant, and limited to what is necessary for the purposes of processing. 

  3. Accuracy and Timeliness: Personal data must be accurate, complete, and kept up to date as necessary for processing. 

  4. Purpose Limitation: Data must be collected for specific, legitimate, and clearly stated purposes. 

  5. Purpose Compatibility: Personal data must not be processed for purposes that are incompatible with the original, explicitly stated purposes. 

  6. Security Safeguards: Data must be protected by reasonable security measures to guard against risks such as loss, unauthorized access, destruction, or misuse. 

  7. Correction of Inaccuracies: Where data is incomplete or inaccurate, reasonable steps must be taken to correct, complete, block, or delete the data, in line with its intended use. 

  8. Retention Limitation: Personal data should not be kept longer than necessary for the purposes for which it was collected, subject to retention requirements under other Botswana laws (e.g., the FIA, Banking Act, Income Tax Act, and Employment Act). 

  9. Good Practice: Personal data must be processed under good practices and ethical standards. 

Controller and Processor Obligations

Data processing notification 

Section 5(2)(i) of the Act requires the Commissioner to establish and maintain a public register of all data controllers. Additionally, under Section 39 of the Act, the Commissioner is responsible for maintaining a register of processing operations notified under Section 34(1), which must include the information specified in Section 34(3). 

Data transfers 

Under Section 48 of the Act, the general rule is that the transfer of personal data from Botswana to another country is prohibited. However, the Minister has published a list of countries to which personal data may be transferred. 

Notwithstanding Section 48, personal data undergoing processing or intended for processing may only be transferred to a third country if that country provides an adequate level of protection for the personal data, as outlined in Section 49 of the Act. 

Data processing records 

The Act does not specifically require data controllers or processors to maintain records of data processing. However, Section 37(1) mandates the Data Protection Regulator (DPR) to maintain a register of processing activities conducted on behalf of the data controller. 

Data protection impact assessment 

Not provided for by the Act.

Data Protection Officer appointment 

Section 36 of the Act allows a data controller to appoint a Data Protection Representative (DPR) and requires them to notify the Commissioner of the appointment. The Act does not mandate hiring a new employee for the DPR role; an existing employee may be designated. The DPR must possess the necessary qualifications and maintain an accessible list of processing activities. 

Data breach notification

Section 33(1) of the Act requires data controllers to promptly notify the Commissioner of any personal data security breach. Similarly, data processors must inform the data controller without delay if a breach occurs involving data held on their behalf. The Act does not define what constitutes a data breach or outline the specific process for data controllers and processors to follow in such cases. 

Data Retention 

The Act does not specify exact time frames for data retention. However, Section 14(h) requires data controllers to ensure that personal data is not retained longer than necessary for the purposes for which it was collected. 

Children's data 

The Act classifies personal data related to minors as sensitive, requiring extra protections. Children's data must be processed in accordance with the provisions for sensitive data. Under the Constitution, the age of majority in Botswana is 18, meaning the age of consent is also 18.   

Special categories of personal data 

As a general rule, the processing of sensitive personal data is prohibited. The Act's definition of sensitive data includes data related to a data subject's alleged or actual commission of an offense, legal proceedings, or court sentences. Criminal conviction data may only be processed in accordance with the conditions specified in Section 20 of the Act.

Data Subject Rights 

  • Right to be informed

  • Right to access

  • Right to rectification

  • Right to erasure

  • Right to object/opt-out

  • Right not to be subject to automated decision-making

Penalties 

Section 51 of the Act outlines offenses and penalties, which include: 

  • A person who processes personal data in violation of the Act may face a fine of up to BWP 300,000 (approx. $22,000), imprisonment for up to 7 years, or both. 

  • Processing sensitive personal data in violation of the Act can result in a fine of up to BWP 500,000 (approx. $36,740), imprisonment for up to 9 years, or both.

  • A data controller processing personal data unlawfully may be fined up to BWP 500,000 (approx. $36,740), imprisoned for up to 9 years, or both.

  • A data controller processing sensitive personal data unlawfully may face a fine of up to BWP 1 million (approx. $73,500), imprisonment for up to 12 years, or both. 

  • Failure to inform a data subject of their rights under the Act can lead to a fine of up to BWP 100,000 (approx. $7,350), imprisonment for up to 3 years, or both.

  • A data controller failing to implement required security safeguards under Section 32 may be fined BWP 500,000 (approx. $36,740), face up to 9 years in prison, or both.

  • A data controller processing data for direct marketing despite a data subject's objection can face a fine of up to BWP 500,000 (approx. $36,740), up to 9 years' imprisonment, or both.

  • Non-compliance with a request from the Commissioner under Section 10 can result in a fine of up to BWP 100,000 (approx. $7,350), up to 3 years' imprisonment, or both.
