Key obligations for data controllers and data processors under Tanzania’s Personal Data Protection Act
Legal Development | 13 February 2025 | Africa | Tech & AI evolution
The enactment of the Personal Data Protection Act No. 11 of 2022 (the Act) and its regulations in Tanzania marks a significant step towards safeguarding personal data rights in the country.
Introduction
The Act imposes crucial obligations on data controllers and data processors to ensure lawful, fair, and transparent handling of personal data. The Act also establishes strict penalties for entities that fail to comply with its provisions.
In this month’s legal update, we analyse the key obligations of data controllers and data processors under Tanzania’s personal data protection laws and highlight the penalties for non-compliance.
Key terms
The following terms are defined in the Act and are relevant to this update:
“damage” means financial loss and damage not involving financial loss.
“data controller” means a natural person, legal person, or public body which alone or jointly with others determines the purpose and means of processing of personal data; and where the purpose and means of processing are determined by law, “data controller” is the natural person, legal person or public body designated as such by that law and it includes his representative.
“data processor” means a natural person, legal person, or public body which processes personal data for and on behalf of the controller and under the data controller’s instruction, except for the persons who, under the direct authority of the controller, are authorised to process the data and it includes his representative.
“data subject” means the subject of personal data which are processed under the Act.
“personal data” means data about an identifiable person that is recorded in any form, including:
a) personal data relating to the race, national or ethnic origin, religion, age, or marital status of the individual;
b) personal data relating to the education, medical, criminal, or employment history;
c) any identifying number, symbol, or other particular assigned to the individual;
d) the address, fingerprints, or blood type of the individual;
e) the name of the individual appearing on the personal data of another person relating to the individual or where the disclosure of the name itself would reveal personal data about the individual; and
f) correspondence sent to a data controller by the data subject that is explicitly or implicitly of a private or confidential nature and replies to such correspondence that would reveal the contents of the original correspondence and the views or opinions of any other person about the data subject.
“processing” means analysis of personal data, whether or not by automated means, such as obtaining, recording, or holding the data or carrying out any analysis on personal data, including:
a) organisation, adaptation, or alteration of the personal data;
b) retrieval or use of the data; or
c) alignment, combination, blocking, erasure, or destruction of the data;
“sensitive data” includes:
a) genetic data, data related to children, data related to offences, financial transactions of the individual, security measure or biometric data;
b) if they are processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life; and
c) any personal data otherwise considered under the laws of the country as presenting a major risk to the rights and interests of the data subject.
Key obligations for data controllers
Data controllers hold significant responsibilities under Tanzania’s personal data protection framework. We have set out some of these responsibilities below:
1. Establishing lawful grounds for processing
Data controllers must ensure that personal data is collected and processed lawfully, fairly, and transparently. The Act provides a framework for lawful processing: the data controller may rely on the consent of the data subject, which must be specific, informed, and freely given, or on another lawful ground, such as contractual necessity or compliance with a legal obligation. The burden lies with the data controller to demonstrate that a lawful ground for processing exists.
2. Ensuring data minimisation
A data controller is required to collect personal data that is strictly necessary for achieving the intended processing purpose. Collecting excessive personal data creates compliance risks and exposes data subjects to unnecessary privacy violations.
Businesses should therefore periodically review and adjust their data collection practices to align with the requirement of necessity.
3. Limiting processing to a specific purpose
The Personal Data Protection Commission (the Commission) mandates that data controllers collect and use personal data solely for purposes specified at the time of collection. Personal data should not be repurposed for activities unrelated to the original intent without informing the data subject. For example, if a company collects a customer’s personal data for service delivery, it cannot subsequently use the same personal data for marketing unless the customer has provided additional consent.
Data controllers must establish internal procedures to ensure that personal data is only accessed and processed for the specific purposes authorised by law.
4. Maintaining personal data accuracy
Data controllers must take reasonable steps to ensure that personal data is accurate, complete, relevant, not misleading, and up to date. Inaccurate personal data can lead to unfair decisions or harm data subjects. Data controllers are also required to allow data subjects to correct inaccurate information.
5. Implementing personal data retention policies
Personal data should not be retained longer than necessary for the purpose for which it was collected. Data controllers must establish clear retention schedules. Personal data that is no longer required should be securely deleted or anonymised. Improper disposal of personal data may result in unauthorised access and legal repercussions.
For example, employment data may need to be retained only for the duration of the employment period or any other specified period as set out in the relevant laws.
6. Ensuring transparency and accountability
Data controllers must provide clear information to data subjects regarding the collection, use, and protection of their personal data. Transparency builds trust and ensures data subjects are fully informed about their rights. This obligation includes issuing privacy notices that specify the purpose of data processing, data recipients, and security measures.
7. Safeguarding personal data
A data controller must implement adequate technical and organisational measures to protect personal data against unauthorised access, destruction, or accidental loss. This may include encryption, access controls, and regular security assessments.
Additionally, data controllers are required to notify the Commission and affected data subjects in the event of a data breach.
8. Facilitating the rights of data subjects
Data controllers must enable data subjects to exercise their rights under the Act, which include:
a. Right of access to personal data;
b. Right to rectification of personal data;
c. Right of erasure/deletion of personal data;
d. Right to restrict processing of personal data; and
e. Right to object to processing of personal data.
Key obligations for data processors
It is important to note that many of the obligations placed on data controllers also extend to data processors, although their scope may differ depending on the degree of control the processor has over the personal data. This overlap arises because data processors handle personal data, including sensitive data, on behalf of data controllers and must adhere to the same principles of data protection, security, and confidentiality. Compliance by data processors therefore complements the responsibilities of data controllers, ensuring a unified approach to safeguarding personal data.
Data processors have equally important obligations under Tanzania’s data protection laws and these include:
1. Acting on data controller’s instructions
A data processor must process personal data exclusively in accordance with the instructions provided by a data controller. Unauthorised processing is strictly prohibited.
This obligation requires a formal agreement between a data controller and a data processor to be entered into that clearly defines roles and responsibilities.
2. Implementing robust personal data security measures
Data processors are obligated to adopt appropriate technical and organisational safeguards to protect personal data. These measures may include encryption, secure storage, and access restrictions.
3. Notifying personal data breaches
If a data processor becomes aware of a personal data breach, it must notify the data controller without undue delay.
4. Maintaining records of processing activities
Data processors are required to keep records of their personal data processing activities, including the categories of personal data processed and the purposes of processing.
Penalties for non-compliance with the provisions of the personal data protection laws
The Act imposes severe penalties for non-compliance, which include administrative fines, criminal sanctions, and compensation orders:
- Administrative fines:
Organisations may face fines of up to Tanzanian Shillings (TZS) 100 million for contraventions under the Act.
- Criminal penalties:
Unlawful disclosure or misuse of personal data can result in criminal sanctions, including fines ranging from TZS 100,000 to TZS 20 million or imprisonment for a term not exceeding 10 years, or both. Unlawful destruction, deletion, concealment, or alteration of personal data carries penalties of up to TZS 10 million or imprisonment for a term not exceeding 5 years.
- Compensation orders:
A data subject who suffers damage or whose rights have been infringed by reason of contravention of any of the requirements of the Act by a data controller or data processor shall be entitled to compensation from the data controller or data processor for that damage. The Commission may order a data controller or data processor to compensate the affected data subject. Additionally, the Commission may order the rectification, blocking, erasure, or destruction of that personal data.
- General penalties:
Any person who contravenes a provision of the Act for which no penalty is specifically provided shall, upon conviction, be liable to a fine of between TZS 100,000 and TZS 5 million or to imprisonment for a term of up to 5 years, or both.
Best practices for compliance
To mitigate risks and ensure compliance, organisations should:
- Appoint a Data Protection Officer responsible for overseeing compliance with personal data protection laws.
- Conduct Data Protection Impact Assessments to identify and mitigate risks in data processing activities.
- Implement comprehensive privacy policies.
- Equip employees with the knowledge required to handle personal data responsibly through training.
Conclusion
The Act provides a robust legal framework for safeguarding personal data. Organisations must adopt proactive measures to meet their legal obligations under Tanzania’s personal data protection laws.
If you have any further questions on Tanzania's personal data protection laws, please contact Joseph Louis, Hadia Mgaya or Tenda Msinjili.