Law: Data Protection Act, 2011 ('the Act)

Regulator: The Data Protection Commission (not yet established)

Summary: On February 22, 2012, the Lesotho Data Protection Act (the Act) came into effect after being published in the Lesotho Government Gazette. The Act aims to align Lesotho with EU regulations and incorporate data protection standards from the South African Development Community (SADC). The Act sets out comprehensive requirements for data protection in Lesotho, including data subject rights, data processing notifications, legal bases for processing, and restrictions on data transfers. Additionally, the Act sets out breach notification obligations and explicitly defines the right to object to direct marketing.

Furthermore, the Act stipulates the creation of Lesotho's Data Protection Commission; however, this is yet to be established. When it is appointed, the Commission will have considerably less enforcement power than similar bodies in other jurisdictions, given its lack of ability to impose fines on entities that violate the Act. Nonetheless, the Act imposes sanctions for non-compliance, including potential fines of up to LSL 50,000 (approx. $2,709) and imprisonment of up to five years for data controllers who breach the law.