Vexatious privacy complaint

/in /by

We are a new research consultancy company based in Dodoma and are registered as data processors and controllers as required under the Personal Data Protection Act. Despite this, there are a lot of compliance issues, especially in the area of data collection, processing, and sharing. A recent project led to several complaints filed against us. In one of these complaints, a Tanzanian citizen discovered that their personal data, collected by our company, has been shared with third parties without their consent.  We think the complaint is unjustified since consent was obtained when this person volunteered to participate in our research? Please enlighten us on this.
IC, Dodoma

The Personal Data Protection Act, Act No. 11 of 2022 (the Act), governs data protection in Tanzania. It mandates that personal data must be processed lawfully, fairly, and transparently, ensuring the security and privacy of the data subject. The Act outlines principles such as limiting data collection to explicit purposes and ensuring accuracy. Violations, such as unauthorized sharing, can lead to penalties under the Act. The aggrieved individual can file a complaint with the Personal Data Protection Commission, established under the Act, to seek redress. Upon filling the complaint, section 39 provides that where the Commission is satisfied that there are reasonable grounds to investigate a matter under the Act, the Commission may initiate an investigation in respect thereof. The complaint will be investigated and concluded within 90 days from the date of receipt. The Commission may, taking into account the circumstances of the complaint, extend the time provided up to a period not exceeding 90 days. We are sure this investigation will establish whether the complaint was justified. To avoid future complaints, we advise you to evaluate your compliance with the law and data risks with an expert. Consult your lawyer for further guidance.