1. PREAMBLE
AI Eswatini (“AI Eswatini”, “AIE”, “we”, “us”, or “our”) is a non-profit technology and research organisation established in the Kingdom of Eswatini to promote artificial intelligence research, education, innovation, and responsible digital transformation.
AI Eswatini is committed to safeguarding the fundamental rights and freedoms of natural persons with regard to the processing of personal data. This Policy establishes the principles, governance structures, and procedural safeguards governing the collection, use, storage, disclosure, and protection of personal information in compliance with:
- The Eswatini Data Protection Act, 2022
- The General Data Protection Regulation (EU) 2016/679
- The Protection of Personal Information Act (POPIA), 2013 (South Africa)
- Any other applicable data protection and privacy legislation
This Policy applies to all members, directors, employees, volunteers, contractors, partners, researchers, and third-party processors acting on behalf of AI Eswatini.
2. DEFINITIONS
- Personal Data / Personal Information means any information relating to an identified or identifiable natural person.
- Data Subject means the individual to whom personal data relates.
- Processing means any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, disclosure, or destruction.
- Controller means the entity that determines the purpose and means of processing personal data.
- Processor means an entity that processes personal data on behalf of the controller.
- Special Personal Data includes data concerning race, ethnicity, political opinions, religious beliefs, health data, biometric data, genetic data, and criminal records.
- Supervisory Authority means the relevant national data protection regulator.
3. SCOPE OF APPLICATION
This Policy applies to:
- Website visitors and online platform users
- Members of AI Eswatini
- Event participants (physical and virtual)
- Research collaborators
- Scholarship and grant applicants
- Newsletter subscribers
- Employees, interns, and volunteers
- Donors and sponsors
- Any other individuals whose data is processed by AI Eswatini
This Policy applies regardless of whether processing occurs within Eswatini or internationally.
4. PRINCIPLES OF DATA PROCESSING
AI Eswatini shall ensure that personal data is:
- Processed lawfully, fairly, and transparently
- Collected for specified, explicit, and legitimate purposes
- Adequate, relevant, and limited to what is necessary
- Accurate and kept up to date
- Retained only for as long as necessary
- Processed securely and confidentially
- Processed in an accountable and demonstrably compliant manner
5. LAWFUL BASES FOR PROCESSING
AI Eswatini processes personal data on one or more of the following lawful bases:
- Consent of the data subject
- Performance of a contract
- Compliance with a legal obligation
- Protection of vital interests
- Performance of a task carried out in the public interest
- Legitimate interests pursued by AI Eswatini (balanced against data subject rights)
Where consent is relied upon, such consent shall be freely given, specific, informed, and unambiguous.
6. CATEGORIES OF DATA COLLECTED
AI Eswatini may collect:
6.1 Identity Information
Name, surname, ID/passport number, nationality.
6.2 Contact Information
Email address, phone number, physical address.
6.3 Professional and Academic Information
Education history, research interests, CVs, affiliations.
6.4 Technical Information
IP address, device identifiers, browser type, cookies.
6.5 Financial Information
Bank details for grants or stipends (processed securely).
6.6 Special Personal Data
Only where strictly necessary and subject to explicit consent or lawful justification (e.g., disability accommodations for events).
7. PURPOSES OF PROCESSING
Personal data may be processed for:
- Membership administration
- Event registration and participation
- Research collaboration
- Grant and scholarship evaluation
- Community engagement
- Newsletter and communication distribution
- Website analytics
- Legal and regulatory compliance
- Safeguarding organisational integrity and cybersecurity
Data shall not be processed for incompatible purposes.
8. SPECIAL PERSONAL DATA
Processing of special personal data shall only occur:
- With explicit consent; or
- Where required by law; or
- For research purposes under appropriate safeguards; or
- To protect vital interests.
Such data shall be subject to heightened security measures.
9. DATA SUBJECT RIGHTS
Data subjects have the right to:
- Access their personal data
- Rectify inaccurate data
- Erase personal data (“right to be forgotten”)
- Restrict processing
- Object to processing
- Data portability
- Withdraw consent
- Lodge a complaint with the relevant supervisory authority
Requests must be submitted in writing to the designated contact below and will be addressed within legally prescribed timelines.
info@aieswatini.org
10. DATA RETENTION
Personal data shall be retained only for the period necessary to fulfil the purpose for which it was collected, unless a longer retention period is required by law.
Retention schedules shall be maintained and reviewed periodically.
11. DATA SECURITY
AI Eswatini implements appropriate technical and organisational measures including:
- Role-based access control
- Encryption of data in transit and at rest
- Secure cloud hosting
- Multi-factor authentication
- Regular security audits
- Incident response planning
- Staff confidentiality agreements
All personnel are bound by confidentiality obligations.
12. DATA BREACH MANAGEMENT
In the event of a personal data breach:
- The incident shall be documented immediately.
- A risk assessment shall be conducted.
- The relevant supervisory authority shall be notified where required.
- Affected data subjects shall be informed where legally mandated.
- Remedial measures shall be implemented without undue delay.
13. INTERNATIONAL DATA TRANSFERS
Where personal data is transferred outside Eswatini:
- Transfers shall occur only to jurisdictions with adequate protection; or
- Standard Contractual Clauses (SCCs) or binding safeguards shall be implemented; or
- Explicit consent shall be obtained.
AI Eswatini ensures that international transfers comply with GDPR Chapter V and equivalent provisions under Eswatini and POPIA frameworks.
14. THIRD-PARTY PROCESSORS
AI Eswatini may engage third-party service providers including:
- Cloud hosting providers
- Email communication platforms
- Research collaboration tools
- Payment processors
All processors must:
- Enter into written Data Processing Agreements (DPAs)
- Provide sufficient guarantees of compliance
- Implement appropriate security measures
15. COOKIES AND TRACKING
AI Eswatini’s website may use cookies and analytics technologies. Users may manage cookie preferences via browser settings. Where required, cookie consent mechanisms shall be implemented.
16. CHILDREN’S DATA
AI Eswatini does not knowingly process personal data of minors without appropriate parental or guardian consent in accordance with applicable laws.
17. ETHICAL AI AND RESPONSIBLE INNOVATION COMMITMENT
AI Eswatini affirms that all artificial intelligence research, development, experimentation, and deployment activities shall be conducted in accordance with:
- Principles of lawfulness, fairness, transparency, and accountability
- Human rights and dignity protections
- Non-discrimination and bias mitigation standards
- Privacy-by-design and privacy-by-default frameworks
- Research ethics governance structures
AI Eswatini shall ensure that AI systems developed, trained, or deployed under its authority do not unlawfully infringe upon the rights and freedoms of natural persons.
18. AI RESEARCH DATASETS - COLLECTION AND LAWFUL BASIS
Where AI Eswatini collects or curates datasets for purposes including machine learning, deep learning, computer vision, natural language processing, or predictive modelling, the following safeguards shall apply:
Personal data shall only be included in AI training datasets where:
- Explicit consent has been obtained; or
- A lawful basis under applicable law exists; or
- The data has been properly anonymised.
Data shall be collected for specified, explicit, and legitimate research purposes.
Data subjects shall be informed, where required, that their data may be used for algorithmic training, testing, or validation.
AI Eswatini shall not process personal data for automated decision-making with legal or similarly significant effects without appropriate safeguards and lawful justification.
19. ANONYMISATION AND PSEUDONYMISATION STANDARDS
AI Eswatini shall implement robust anonymisation and pseudonymisation techniques prior to dataset utilisation, including but not limited to:
- Removal of direct identifiers
- Masking of indirect identifiers
- Tokenisation
- Differential privacy methods (where applicable)
- Secure hashing
- Aggregation techniques
Where data cannot be fully anonymised, it shall be treated as personal data under applicable law.
Re-identification attempts are strictly prohibited unless lawfully authorised for security auditing or compliance purposes.
20. DATA PROTECTION GOVERNANCE
AI Eswatini shall:
- Designate a Data Protection Officer (DPO) or responsible officer
- Maintain a Record of Processing Activities (ROPA)
- Conduct Data Protection Impact Assessments (DPIAs) where required
- Implement privacy by design and by default principles
21. POLICY REVIEW
This Policy shall be reviewed annually or upon legislative changes.
22. CONTACT DETAILS
For all privacy-related enquiries:
Data Protection Officer
AI Eswatini
Note: Contact placeholder in supplied policy text.
23. GOVERNING LAW
This Policy shall be governed by and interpreted in accordance with:
- The laws of the Kingdom of Eswatini
- Applicable provisions of GDPR (where processing concerns EU data subjects)
- The Protection of Personal Information Act (South Africa), where applicable
BOARD RESOLUTION
This Policy is hereby adopted by the governing body of AI Eswatini and shall take effect on the Effective Date stated above.
Signed: