Legal and compliance requirements for cross-border personal data transfers under Tanzania's personal data protection framework

  • Market Insight 15 October 2024
  • Africa

  • Data Protection & Privacy

As the global exchange of information becomes increasingly prevalent, safeguarding personal data during cross-border transfers is essential. The Personal Data Protection Act No. 11 of 2022 (PDP Act) and the Personal Data Protection (Personal Data Collection and Processing) Regulations, GN No. 449C of 2023 (PDP Regulations), provide a detailed legal framework that governs the transfer of personal data outside the United Republic of Tanzania (URT).

In this month’s legal update, we review the legal requirements for data controllers and data processors involved in cross-border personal data transfers.

Key terms

The following are the key terms as defined in the PDP Act which we find relevant to this update:

“Data subject” means the subject of personal data which are processed under the PDP Act.

“Personal data” means data about an identifiable person that is recorded in any form, including:

  • personal data relating to the race, national or ethnic origin, religion, age, or marital status of the individual;
  • personal data relating to the education, medical, criminal, or employment history;
  • any identifying number, symbol, or other particular assigned to the individual;
  • the address, fingerprints, or blood type of the individual;
  • the name of the individual appearing on the personal data of another person relating to the individual or where the disclosure of the name itself would reveal personal data about the individual; and
  • correspondence sent to a data controller by the data subject that is explicitly or implicitly of a private or confidential nature and replies to such correspondence that would reveal the contents of the original correspondence and the views or opinions of any other person about the data subject.

“Processing” means analysis of personal data, whether or not by automated means, such as obtaining, recording, or holding the data or carrying out any analysis on personal data, including:

  • organisation, adaptation, or alteration of the personal data;
  • retrieval or use of the data; or
  • alignment, combination, blocking, erasure, or destruction of the data.

“Recipient” means a natural person, legal person, public body, or any other person who receives personal data from a data controller.

“Sensitive data” includes:

  • genetic data, data related to children, data related to offences, financial transactions of the individual, security measure or biometric data;
  • if they are processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life; and 
  • any personal data otherwise considered under the laws of the country as presenting a major risk to the rights and interests of the data subject.

Legal framework governing cross-border personal data transfers

The PDP Act sets strict requirements to ensure that personal data is protected during cross-border transfers. The legal framework distinguishes between transfers to countries / states with adequate personal data protection and those without such adequate protection – we have further expounded on this below.

1. Transfers to countries with adequate personal data protection

Section 31 of the PDP Act authorises the transfer of personal data to countries that have established a legal framework providing adequate personal data protection. This determination is based on several factors, including the legal environment in the recipient country and the necessity of the data transfer. The recipient must demonstrate that the transfer is necessary for tasks carried out in the public interest or pursuant to the lawful functions of a data controller and that the transfer will not compromise the legitimate interests of the data subject. Despite the PDP Act authorising transfer of personal data to such countries, the transfer will be subject to obtaining a permit from the Personal Data Protection Commission (the Commission) as further expounded below. 

2. Transfers to countries without adequate personal data protection

Section 32 of the PDP Act imposes additional requirements for personal data transfers to countries / states that do not provide adequate data protection. This is aimed at ensuring that the data subject’s rights and freedom are protected regardless of the country to which data is transferred. The conditions under which such transfers may be permitted include:

  • Adequate protection in the recipient country 

The recipient country must provide an adequate level of protection. Adequacy is assessed by considering factors such as the nature of the personal data (e.g., sensitive data), the purpose, and duration of processing, the recipient country, relevant laws in force in the recipient country that govern personal data protection, and the professional rules and security measures adhered to within the recipient country. 

  • Specific grounds for transfer

Even in cases where the recipient country does not meet adequate protection standards, personal data transfers may still occur under particular circumstances as provided under section 32(4) of the PDP Act. These include instances where:

i.  the data subject has consented to the proposed transfer;
ii.  the transfer is necessary for the performance of a contract between the data subject and the data controller, or the implementation of pre-contractual measures taken in response to the data subject’s request;
iii.  the transfer is necessary for reasons of public interest, institution, trial, or defence of legal claims;
iv.  the transfer is necessary to protect the legitimate interests of the data subject; and
v.  the transfer is made in accordance with the law and is intended to provide information to the public and is open for consultation by the public in general or any person who can demonstrate a legitimate interest.

Application process for cross-border personal data transfers

The PDP Regulations outline the procedural requirements for obtaining permission to transfer personal data outside Tanzania. In particular, regulation 20 of the PDP Regulations details the application process that data controllers and data processors must follow to secure a permit from the Commission to transfer personal data outside Tanzania.

An application to the Commission for a permit to transfer personal data must be in a prescribed form and must include the following information:

  • particulars of the applicant;
  • particulars of the recipient;
  • particulars of the data subject;
  • the type of personal data to be transferred;
  • the purpose and necessity of transferring personal data;
  • details of the security of personal data in the recipient country;
  • consent of the data subject;
  • date and time of sending personal data; and
  • any other information as may be required by the Commission.

An applicant must also submit evidence demonstrating that:

  • the recipient country has ratified an international agreement providing requirements for personal data protection;
  • a bilateral agreement exists between the URT and the recipient country regarding personal data protection; or
  • there is a contractual agreement between the applicant and the recipient who is outside Tanzania.

Conditions and restrictions on personal data transfers

Even where a permit to transfer personal data is granted, the transfer of personal data is subject to several strict conditions, including:

  • personal data must only be transferred to the recipient specified in the permit;
  • personal data must be used exclusively for the purposes outlined in the application i.e. the intended purpose;
  • personal data cannot be further transferred to another recipient without the Commission’s approval; and
  • the processing of transferred personal data must not violate the laws of the URT.

Conclusion

Cross-border transfer of personal data is a complex and highly regulated process under the Tanzanian personal data protection laws. The PDP Act and PDP Regulations provide a robust framework designed to protect personal data, including in instances when it is transferred outside Tanzania. By understanding and adhering to these legal requirements, businesses or entities can ensure that personal data transfers are secure, lawful, and fully compliant with Tanzanian data protection standards.
