Customer personal data

/in /by

We are a new tech-driven delivery startup operating in Arusha and planning to roll out both a web platform and a mobile app to allow customers to order fresh produce and local goods. As part of the app experience, we intend to collect personal data such as names, locations, order history, and preferences to enhance recommendations and speed up service. We might also use the data to partner with other vendors or for analytics in the future. Are there specific legal restrictions in Tanzania that we must comply with before implementing this? We are committed to ensuring that we protect customer privacy and build trust.
NM, Arusha 

It is encouraging to see that you are mindful of the importance of privacy and personal data protection. In Tanzania, the legal regime governing this area is primarily anchored in the Personal Data Protection Act No. 11 of 2022. This Act provides comprehensive rules concerning how personal data may be lawfully collected, used, and disclosed. More specifically, section 25 of the Act stipulates that personal data may only be used for the original purpose for which it was collected. If your company intends to use customer data for a different purpose (for example, data analytics, promotional partnerships, or other forms of commercial profiling), such use will only be permitted under certain legal exceptions. These include situations where the data subject has provided informed consent, where the alternative use is authorized or required by law, or where the secondary use is directly related to the original purpose. Additionally, the law permits use in anonymized or statistical form, or where the data must be used to prevent a serious and imminent threat to someone’s life, health, or public safety.

Furthermore, you must be aware that the law strictly regulates the sharing or disclosure of personal data to third parties. Unless one of the aforementioned conditions is met, such disclosure is prohibited. In addition, under the Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023 (GN No. 449C of 2023), a person or entity cannot lawfully collect or process personal data unless registered with the Personal Data Protection Commission as either a data controller or a data processor. Regulation 4 clearly outlines the requirement for registration and provides the procedure to be followed, including submission of a formal application to the Commission.

In view of the above, it is essential that your company defines clearly what types of personal data it intends to collect, the purposes for which such data will be used, and how data subjects (your customers) will be informed and protected. You must also ensure that registration with the Commission is completed before you begin data processing operations. As a best practice, consider preparing a detailed privacy policy and obtaining users’ explicit consent at the point of data collection—particularly for any intended future uses beyond basic service delivery. We recommend consulting with a legal practitioner or the Personal Data Protection Commission directly to help align your digital strategy with Tanzania’s evolving data protection framework.