Legal Update – 30 May 2020

Collection and Processing of Personal Data Regulations Published

  • Provide for application and registration of data controllers
  • Commission to keep register of data controllers
  • Rights of data subjects stipulated
  • Cross-border data transfer elucidated
  • Obligations of data controllers provided
  • Deregistration procedure enunciated
  • Commission’s decisions appealable to the Minister
  • Offences and penalties stipulated
  • Standard forms provided

In a bid to ensure protection of personal data in Tanzania, on 12 May 2023, the Minister for Information, Communication and Technology (the Minister) issued the Personal Data Protection (Collection and Processing of Personal Data) Regulations vide Government Notice No. 349 of 2023 (the Regulations). The said Regulations provide for application and registration procedure of data controllers and data processors (data controllers) and other related matters connected thereto.

The Regulations make it mandatory for data controllers to be registered with the Personal Data Protection Commission (the Commission) prior to any collection and processing (collection) of personal data. Regulation 4 requires a person who intends to collect personal data to apply for registration to the Commission through Form No. 1, and to pay relevant fees as prescribed in the Second Schedule to the Regulations. It is important to note that the application form should be accompanied by incorporation documents, in case of a corporate entity, and personal identification, in case of an individual. Further, the Regulations oblige the Commission to maintain a register with records of registered data controllers.

The Regulations confer a right to a data subject to require the data controllers to suspend collection of personal data if the said collection is detrimental to the subject. Upon such request, the data controller is obliged, within 72 hours, to: acknowledge receipt of the request; indicate that the collection of data has been halted; and inform any third party who had access to such data. Thereafter, the data controller is required, within 7 days, to determine such a request and may agree or disagree with the said request. The data subject, if aggrieved, may file a complaint to the Commission within 14 days from the date of such a refusal.

The data controller who intends to engage in cross-border data transfer is required to apply for an approval from the Commission through Form No. 7 as prescribed in the First Schedule to the Regulations. The Regulations further provide that the approval for cross-border data transfer should be accompanied by the conditions that: personal data should be transferred to a person who is authorized in the approval; the transferred personal data should be processed only in accordance with the intended purpose; data will not be accessible or transferred to any other person without the Commission’s approval; and processing of transferred data should abide by the laws of Tanzania. This will likely have an impact on companies that send data abroad for processing and inputting purposes.

In so far as the obligations of data controllers are concerned, the Regulations demand, among others, that: data should be legally collected and in a transparent manner; data should be collected only for the intended purposes; cross-border transfer of data should be done in accordance with the law; rights of data subjects should be observed; and data should not be used without taking necessary steps that will ensure the said data is complete, correct and corresponds to the purpose. Also, the data controller is required to observe all conditions and requirements that will ensure security of personal data.

Moreover, the Regulations mandate the Commission to deregister any data controller who contravenes the provisions of the law, including giving false information during registration and breach of conditions attached to the registration. Prior to deregistration, the Commission is required to issue a 14-day notice to the data controller obliging him to show cause why he should not be deregistered. In the event a data controller is aggrieved by any decision of the Commission, an appeal against such decision lies with the Minister within 7 days from the date of such a decision.

The Regulations make it an offence for any person to contravene the provisions of the Regulations and such an offence is punishable as stipulated in the Personal Data Protection Act, 2022 (the Act). Further, the Act provides for various offences, including the offence of unlawful disclosure of personal data which is punishable by, in case of an individual, a fine of not less than TZS 100,000 and not exceeding 20M; and in case of a corporation, a fine ranging from 1M to 5B. Lastly, the Regulations provide for different Forms which are contained in the First Schedule.

To read the Personal Data Protection (Collection and Processing of Personal Data) Regulations, 2023 click here.

To read our previous update on the Personal Data Protection Act click here.