The coming into force of the Personal Data Protection Act, 2022 (“the Act”) on 1 May 2023 has been followed by the issuance of The Personal Data Protection (Collection and Processing of Personal Data) Regulations, 2023 GN. No. 349 of 2023 (“the Regulations”) on 12 May 2023 by the Minister for Information, Communication and Technology. 
The Regulations generally provide for the procedure of registration by data collectors and processors, protection of data subject’s rights, the procedure for cross-border data transfer, obligations of data collectors and processors, as well as principles of data protection during collection and processing of data.

We write this brief to update you on the essential requirements for your consideration.

A. Registration is mandatory.

  • It is mandatory for data collectors and processors to be registered with the Data Protection Commission (“the Commission”).
  • The Regulations direct that any person intending to collect and process personal data is to apply for registration using Form No. 1 in the First Schedule to the Regulations and pay fees as provided in the Second Schedule to the Regulations. (Regulation 4)
  • Registration shall be valid for five years. It can be renewed by applying three months before the expiry date. Failure to apply for renewal three months in advance will lead to re-application for fresh registration. (Regulations 7 and 8)
  • The Commission is to maintain a register of registered data collectors and processors. Registered data collectors and processors are to inform the Commission of any changes to their information recorded in the register within 14 days of such change. (Regulations 9 and 10)
  • The Regulations also provide for procedures for refusal of registration as well as revocation/cancellation of registration of data collectors and processors. (Regulations 6 and 12)

B. Protection of data subject’s rights.

  • A data subject can request a data collector or processor to suspend or not collect or process personal data if such action may cause harm to the data subject or anyone else. The procedure for this process has been provided in Regulation 15.
  • A data subject can also request correction and amendment of personal data as guided by Regulation 16.
  • A data subject may also request a data collector or processor to erase or destroy one’s personal data as provided by Regulation 17.
  • The Regulations also provide for the rights of data subjects that can be exercised by another person. They require the collector or processor to act in consideration of the best interests of the data subject. (Regulation 18)

C. Cross-border data transfer.

  • Any data collector or processor intending to transfer data outside Tanzania must apply for a permit from the Commission using Form No. 7 prescribed in the First Schedule to the Regulations, together with necessary attachments. (Regulation 20)
  • The permit for cross-border transfer shall only be used on the conditions that:
    • personal data will be transferred to a receiver approved in the permit and not to anyone else not approved by a permit from the Commission,
    • personal data will be processed only for the intended purposes,
    • and that the transfer of personal data should abide by the laws of Tanzania. (Regulation 22)
  • The permit for cross-border transfer may not be granted for the reasons that:
    • National security is threatened,
    • the Commission is satisfied that there is no adequate protection of personal data in the receiver’s country,
    • the application does not meet the requirements stipulated under Regulation 20, or for any other substantial reason that the Commission deems to be in the interests of the country. (Regulation 21)

D. Obligations of data collectors and processors.

During the collection and processing of personal data, data collectors and processors are to ensure that: (Regulations 23 and 24)

  • Personal data is rightfully and legally collected in a transparent manner.
  • Personal data is adequate for the intended purpose.
  • Confidentiality is observed when collecting and processing personal data.
  • A mechanism for the protection of personal data is established.
  • Personal data is processed in consideration of the rights of the data subject.
  • All other obligations as provided in the Regulations are fulfilled.

E. Principles of Data Protection

  • During the collection and processing of data, data protection principles must be adhered to. (Regulations 25 – 31)
  • The principles include:
    • lawfulness,
    • personal data security,
    • adequacy,
    • accuracy,
    • storage, as well as the principles of the rights of a data subject.

It is to be noted that any person who contravenes the Regulations commits an offence and, once convicted, will be punished as provided in the Act. Further, a complaint may be submitted to the Commission by a data subject or any other person who has an interest in, or is affected by, the processing of personal data, or who is not satisfied with a decision related to personal data made by a data collector or processor contrary to the Act or the Regulations. The complaint will be handled in accordance with the relevant Regulations.

Please note that this is general information on the Data Protection Regulations and is not intended to serve as an opinion on any specific question. Please let us know if you have any questions or if you need our assistance in complying with the law.

For questions or advice, contact