Skip to content

Tanzania: Regulations made under the Personal Data Protection Act 2022

23 June 2023
– 7 Minute Read

DOWNLOAD ARTICLE

Tanzania: Regulations made under the Personal Data Protection Act 2022

23 June 2023
- 7 Minute Read

DOWNLOAD ARTICLE

Overview

  • Tanzania recently promulgated the Personal Data Collection and Processing Regulations, G.N No. 349 of 2023 (Data Collection Regulations) and the Complaint Handling and Breach of Personal Data Regulations, G.N No. 350 of 2023 (Complaint Handling Regulations) (collectively, Regulations).
  • The Regulations, which came into operation on 12 May 2023, and fall within the remit of the Minister of Information, Communication and Information Technology, are intended to regulate, among other things, the collection and processing of data and provide procedures for presenting complaints under the Personal Data Protection Act, 2022. They are currently promulgated only in Kiswahili.

Tanzania recently promulgated the Personal Data Collection and Processing Regulations, G.N No. 349 of 2023 (Data Collection Regulations) and the Complaint Handling and Breach of Personal Data Regulations, G.N No. 350 of 2023 (Complaint Handling Regulations) (collectively, the Regulations).

The Regulations are intended to regulate, among other things, the collection and processing of data and procedures for presenting complaints under the Personal Data Protection Act 2022 (Act).

The Regulations came into operation on 12 May 2023, and fall within the remit of the Minister of Information, Communication and Information Technology (Minister). They are currently promulgated only in Kiswahili.

The Data Collection Regulations

Registration procedures for collectors and processors

A person who intends to collect or process personal information shall submit a registration application to the Commission for Personal Data (Commission) using a prescribed form together with identity documentation if the applicant is an individual, or incorporation documents if the applicant is an entity. A registration fee is payable depending on the number of employees the data processor or collector has.

The Commission has seven days to review the application, after which it will either issue a certificate of registration or will, within 14 days, provide written information to the applicant explaining the reasons for rejecting the application.

The registration certificate will be valid for a period of five years from the date of issue and may be renewed three months before the date of expiry.

Register of data collectors and processors

There will be a register of registered collectors and processors which will include the following information:

  • the name of the collector or processor;
  • address of place of work;
  • type of information to be collected and processed;
  • information of the personal data protection officer; and
  • any other information that the Commission may request.

The Commission may permit any person to search or download any information entered in the register, provided that the person submits their request in writing to the Commission together with payment of fees as specified by the Commission.

The Commission may cancel a registration if it is satisfied that the processor or collector:

  • has given false or misleading information in relation to the conditions of registration;
  • has violated the criteria and conditions of registration set in accordance with the law;
  • has repeated an offence; or
  • has refused to pay the fine imposed on the processor or collector in accordance with the law or the Data Collection Regulations within the time given.

If a data collector or processor is dissatisfied with any decision made by the Commission, they can submit an appeal in writing to the Minister within seven days from the date of the decision of the Commission and the decision of the Minister will be final.

Procedure for the data subject to obtain rights in the collection and processing of personal data

The data subject may request the collector or processor to delete or destroy personal information held by the collector or processor where:

  • such personal information is no longer required for the intended purpose;
  • the data subject has withdrawn the consent that authorised the collector or processor to retain the personal information;
  • the data subject does not intend to continue the processing of data;
  • the processing of personal data is for commercial purposes and the data subject does not want their information to be used commercially;
  • the processing of personal data has violated the law; or
  • deletion or destruction of information is necessary according to the law.

The collector or processor shall, within a period of 14 days deal with the request to delete or destroy personal information and may accept or reject such a request.

Procedure for exporting personal data

A collector or processor who intends to export personal information abroad will have to submit a permit application to the Commission using a prescribed form. At the time of submission, the applicant shall submit proof that:

  • the country receiving the personal information has ratified an international convention that provides conditions related to the protection of personal information;
  • there is an agreement between the United Republic of Tanzania and the country receiving the information regarding the protection of personal information; or
  • there is a contractual agreement between the data requester and the person receiving the information who is abroad.

The Commission shall within 14 days accept or reject such an application. The permit issued by the Commission shall be used on the following terms:

  • the personal information will be sent to the recipient authorised in the permit;
  • the personal information exported will be processed only for the intended purpose;
  • the personal information will not be given or sent to another recipient without the permission of the Commission; and
  • the processing of information exported abroad will not violate the laws of the country.

The Complaint Handling Regulations

Submission of complaints

Anyone who discovers a violation of the protection of personal data or is dissatisfied with a decision by the collector or processor regarding personal data can submit a complaint to the Commission, either in English or Kiswahili, again using a prescribed form.

The respondent shall, for a period no later than 21 days after receiving the summons, submit a defence to the Commission. If the respondent fails to submit its defence as required, it will be considered that the respondent has waived its right to attend and participate in the proceedings and the Commission will continue to hear one side.

Investigation and dispute resolution

The Commission will investigate complaints submitted to it. The Commission will try to resolve the complaint within 30 days of its submission. During dispute resolution, the Commission shall appoint one official from the Commission to be the arbitrator between the parties to the complaint.

An appointed arbitrator will try to resolve the dispute and in doing so will be able to convene arbitration meetings at the location and time as may be agreed upon by the parties.

If, at any stage within the 30-day period, it is found that the parties have failed to reach an agreement within the given time, the arbitrator will return the complaint to the Commission for hearing procedures.

Complaint hearing procedures

If there is no agreement after investigation and mediation efforts, the Commission will appoint a Complaint Hearing Committee (Committee) that will be made up of three people from the Commission including people with expertise and experience in the legal industry and the personal information protection and information technology industry. The party may attend in person or be represented by a lawyer or their senior officer or an authorised representative.

Any person who has an interest in the complaint before the Commission may, at any stage before the end of the hearing, submit an application to the Commission to intervene in the complaint. The Commission will then notify the parties in the proceedings of the application and any party can file an objection within seven days after receiving the notification. The Committee will ensure that the prospective person intervening in the complaint is directly affected by the outcome of the hearing.

The awards of the Commission will be implemented as the order of the High Court of Tanzania (High Court). The decree holder will, subject to the period of the limitation specified in the penalty notice, request the registration of the award at the High Court. Applications for registration of awards will be submitted through a letter attaching the award to be registered. The High Court, after receiving the application will register the award as if the award had been made under the Arbitration Act 2020.

Appeal procedures

Any party to the complaint who is not satisfied with the award of the Commission may, within 21 days, request referral of the award to the Commission using a prescribed form. The Commission, within 14 days of receiving the referral request, will refer to its award and may cancel, change, or terminate any instructions it has given in the award. References to the Commission’s award will be made by an officer or officials other than the one who handled the complaint.

Any party who is not satisfied with the decision of the Commission may, within a period of 21 days from the date of the award, appeal to the High Court.