Regulatory risk
Understanding Registered Users of Trade and Service Marks in Mainland Tanzania
Cliquez sur chaque termes pour accéder aux articles correspondants
Afrique
Protection des données et de la vie privée
As the global exchange of information becomes increasingly prevailing, safeguarding personal data during cross-border transfers is essential. The Personal Data Protection Act No. 11 of 2022) (PDP Act) and the Personal Data Protection (Personal Data Collection and Processing) Regulations, GN No. 449C of 2023 (PDP Regulations), provide a detailed legal framework that governs the transfer of personal data outside the United Republic of Tanzania (URT).
In this month’s legal update, we review the legal requirements for data controllers and data processors involved in cross-border personal data transfers.
The following are the key terms as defined in the PDP Act which we find relevant to this updater:
“Data subject” means the subject of personal data which are processed under the PDP Act.
“Personal data” means data about an identifiable person that is recorded in any form, including:
“Processing” means analysis of personal data, whether or not by automated means, such as obtaining, recording, or holding the data or carrying out any analysis on personal data, including:
“Recipient” means a natural person, legal person, public body, or any other person who receives personal data from a data controller.
“Sensitive data” includes:
The PDP Act sets strict requirements to ensure that personal data is protected during cross-border transfers. The legal framework distinguishes between transfers to countries / states with adequate personal data protection and those without such adequate protection – we have further expounded on this below.
Section 31 of the PDP Act authorises the transfer of personal data to countries that have established a legal framework providing adequate personal data protection. This determination is based on several factors, including the legal environment in the recipient country and the necessity of the data transfer. The recipient must demonstrate that the transfer is necessary for tasks carried out in the public interest or pursuant to the lawful functions of a data controller and that the transfer will not compromise the legitimate interests of the data subject. Despite the PDP Act authorising transfer of personal data to such countries, the transfer will be subject to obtaining a permit from the Personal Data Protection Commission (the Commission) as further expounded below.
Section 32 of the PDP Act imposes additional requirements for personal data transfers to countries / states that do not provide adequate data protection. This is aimed at ensuring that the data subject’s rights and freedom are protected regardless of the country to which data is transferred. The conditions under which such transfers may be permitted include:
The recipient country must provide an adequate level of protection. Adequacy is assessed by considering factors such as the nature of the personal data (e.g., sensitive data), the purpose, and duration of processing, the recipient country, relevant laws in force in the recipient country that govern personal data protection, and the professional rules and security measures adhered to within the recipient country.
Even in cases where the recipient country does not meet adequate protection standards, personal data transfers may still occur under particular circumstances as provided under section 32(4) of the PDP Act. These include instances where:
i. the data subject has consented to the proposed transfer;
ii. the transfer is necessary for the performance of a contract between the data subject and the data controller, or the implementation of pre-contractual measures taken in response to the data subject’s request;
iii. the transfer is necessary for reasons of public interest, institution, trial, or defence of legal claims;
iv. the transfer is necessary to protect the legitimate interests of the data subject; and
v. the transfer is made in accordance with the law and is intended to provide information to the public and is open for consultation by the public in general or any person who can demonstrate a legitimate interest.
The PDP Regulations outline the procedural requirements for obtaining permission to transfer personal data outside Tanzania. In particular, regulation 20 of the PDP Regulations details the application process that data controllers and data processors must follow to secure a permit from the Commission to transfer personal data outside Tanzania.
An application to the Commission for a permit to transfer personal data must be in a prescribed form and must include the following information:
An applicant must also submit evidence demonstrating that:
Even where a permit to transfer personal data is granted, the transfer of personal data is subject to several strict conditions, including:
Cross-border transfer of personal data is a complex and highly regulated process under the Tanzanian personal data protection laws. The PDP Act and PDP Regulations provide a robust framework designed to protect personal data, including in instances when it is transferred outside Tanzania. By understanding and adhering to these legal requirements, businesses or entities can ensure that personal data transfers are secure, lawful, and fully compliant with Tanzanian data protection standards.
Fin