Understanding Tanzania's Personal Data Protection Act: Safeguarding Privacy


Tanzania has enacted the Personal Data Protection Act 2022, Act No. 11 of 2022 ('the PDPA'). The PDPA was passed into law on 27 November 2022. It provides detailed provisions on personal data protection, places restrictions on personal data collectors and processors, and establishes a Personal Data Protection Commission ('the Commission') to administer and enforce the provisions of the PDPA.

Scope and Applicability

Territorial scope

The PDPA applies to Tanzania Mainland and Zanzibar. However, in Zanzibar, its application is limited to matters designated as 'Union matters' under the Constitution.

  Material scope 

The PDPA is enacted to provide a legal framework for recognizing personal information in Tanzania. It outlines the rights of data subjects and establishes the Commission, along with its governing Board, to oversee the administration and enforcement of the Act.  

Legal bases 

  1. Consent 

  2. Contract with the Data Subject 

  3. Legal Obligation 

  4. Public Interest

  5. Interest of the Data Subject

  6. Legitimate Interests of the Data Controller

Principles 

Not applicable  

Controller and Processor Obligation. 

Data processing notification 

Data collection and processing must be transparent to the data subject. The PDPA does not specify or mandate a particular method for notifying the data subject.  

Data transfers 

The PDPA does not prohibit data transfers. However, Section 31(2) stipulates that such transfers are permitted only to countries with adequate legal protections for personal data. Additionally, the transfer must be demonstrated to be necessary and in the public interest or for another legitimate purpose. The Commission is empowered to prohibit or restrict the transfer of personal data outside the country, under the conditions set out in the PDPA. 

 Data processing records 

Personal data collected and processed must be retained for a duration specified in the regulations to be established under the PDPA. 

Data protection impact assessment 

Not Applicable.  

Data Protection Officer appointment 

According to Section 27(3) of the PDPA, either the data collector or the data processor is required to appoint a Personal Data Protection Officer responsible for ensuring the security of the data. 

 

Data Breach notification. 

Section 27(5) of the PDPA requires a data collector to inform the Commission as soon as practicable where there is a security breach which affects the safety of personal data.

Data Retention

Data may be retained for such a period as may be prescribed by Regulations which the Minister is empowered to enact under the PDPA.

Children's data

Under the Law of the Child Act 2009, a child is defined as any person under the age of 18 years. The PDPA classifies any information related to children as sensitive information.

Special categories of personal data

Sensitive personal data is subject to stricter regulations under the PDPA. This includes information about an individual's DNA, children, criminal records, financial transactions, security details, biometric data, race, color, tribe, political affiliations, religion or beliefs, sex, health, sexual relationships, or any other information deemed to have serious consequences for the data subject under the law. Section 30 of the PDPA prohibits the processing of such sensitive personal data without the data subject's written consent.

Data Subject Rights 

  1. Right to be Informed

  2. Right to Access 

  3. Right to Rectification

  4. Right to erasure 

  5. Right to Object/opt-out 

  6. Right not to be subject to automated decision-making.   

Penalties

1. Unauthorized Disclosure of Personal Data:

Individual: Fine of TZS 100,000–20 million (approx. $39–$7,940), imprisonment up to 10 years, or both.

Corporate: Fine of TZS 1 million–5 billion (approx. $390–$1,980,940).

2. Illegal Destruction, Erasure, Concealment, or Modification of Data:     

Fine of TZS 100,000–10 million (approx. $39–$3,970), imprisonment up to 5 years, or both.   

3. Unspecified Breaches:     

Fine of TZS 100,000–5 million (approx. $39–$1,980), imprisonment up to 5 years, or both.

4. Corporate Accountability: Officers authorizing offenses may be personally liable.