CHAPTER 42:17
DATA PROTECTION

ARRANGEMENT OF SECTIONS

    SECTION

PART I
Preliminary Provisions

    1. Short title

    2. Interpretation

    3. Objects of the Act

    4. Application

    5. Act binds state

PART II
Continuation of Information and Data Protection Commission

    6. Continuation of Information and Data Protection Commission

    7. Divisions of Commission

    8. Appointment of Commissioner

    9. Oath of secrecy

    10. Operational independence of Commission

    11. Confidentiality

PART III
Competence and Powers of the Commission

    12. Competence of Commission

    13. Duties of Commission

    14. Investigative powers of Commission

    15. Powers of search, seizure and detention

    16. Corrective powers of Commission

    17. Authorisation and advisory powers of Commission

    18. Activity reports

PART IV
Principles Relating to Processing of Personal Data

    19. Lawfulness, fairness and transparency

    20. Purpose limitation

    21. Data minimisation

    22. Accuracy

    23. Storage limitation

    24. Integrity and confidentiality

    25. Accountability

PART V
Legal Basis for Processing of Personal Data

    26. Lawfulness of processing

    27. Conditions for consent

    28. Right to withdraw consent

    29. Conditions applicable to children in relation to information society services

PART VI
Processing of Sensitive Personal Data

    30. Processing of sensitive personal data

    31. Processing of sensitive data by entities

    32. Processing of personal data relating to criminal convictions and offences

    33. Processing which does not require identification

PART VII
Provisions Relating to Specific Processing Situations

    34. Processing and public access to official documents

    35. Processing for archiving, research or statistical purposes

    36. Obligations of secrecy

PART VIII
Rights of Data Subjects

    37. Transparent information and communication

    38. Modalities for exercising rights of data subject

    39. Information provided when personal data is collected from data subject

    40. Further information to ensure transparent processing

    41. Information provided when personal data is not obtained from data subject

    42. Right of access by data subject

    43. Right to rectification

    44. Right to erasure

    45. Right to restriction of processing

    46. Notification obligation for rectification or erasure of personal data or restriction of processing

    47. Right to data portability

    48. Right to object

    49. Automated individual decision-making, including profiling

PART IX
Legal Restrictions

    50. Legal restrictions

PART X
Data Controller and Data Processor

    51. Responsibility of data controller

    52. Data protection by design and by default

    53. Joint data controllers

    54. Representatives of controllers or processors not established in Botswana

    55. Data processor

    56. Data processor governed by contract or law

    57. Data processor engaging another data processor

    58. Contract to be in writing

    59. Standard contractual clauses

    60. Record of processing activities

    61. Cooperation with Commission

PART XI
Security of Personal Data

    62. Appropriate technical and organisational measures

    63. Notification of personal data breach

    64. Communication of personal data breach to data subject

PART XII
Data Protection Impact Assessment and Prior Consultation

    65. Data protection impact assessment

    66. List of processing operations subject to data protection impact assessment

    67. Contents of data protection impact assessment

    68. Prior consultation

PART XIII
Data Protection Officer

    69. Designation of data protection officer

    70. Qualification for designation

    71. Position of data protection officer

    72. Duties of data protection officer

    73. Code of conduct

PART XIV
Transfers of Personal Data to Third Countries or International Organisations

    74. General principle for transfers

    75. Transfers on basis of adequacy decision

    76. Transfers subject to appropriate safeguards

    77. Binding corporate rules

    78. Derogations for specific situations

    79. International cooperation

PART XV
Compensation, Administrative Fines and Penalties

    80. Right to lodge complaint with Commission

    81. Right to compensation and liability

    82. General conditions for imposing administrative fines

    83. Gravity of contravention and administrative fines

    84. Offences and penalties

PART XVI
Continuation of Appeals Tribunal

    85. Continuation of Appeals Tribunal

    86. Composition of Tribunal

    87. Jurisdiction of Tribunal

    88. Tenure of office for members of Tribunal

    89. Disqualification, suspension and removal of member of Tribunal

    90. Vacation of office by member of Tribunal

    91. Resignation from Tribunal

    92. Filling of vacancy

    93. Remuneration of members of Tribunal

    94. Appointment of Registrar of Tribunal

    95. Appeals to Tribunal

    96. Proceedings of Tribunal

    97. Appeal against decision of Tribunal

PART XVII
Miscellaneous Provisions

    98. Protection from personal liability

    99. Regulations

    100. Repeal of Cap. 43:14

    101. Transitional and savings provisions

Act 32, 2018,
S.I. 86, 2021,
Act 33, 2022,
Act 18, 2024,
S.I. 4, 2025.

    An Act to make provision for the continuation of the Information and Data Protection Commission; to regulate the protection of personal data and to ensure that the privacy of individuals in relation to their personal data is maintained; and to provide for all matters incidental thereto.

[Date of Commencement: 14th January, 2025]

PART I
Preliminary Provisions

1. Short title

    This Act may be cited as the Data Protection Act.