Tanzania - Data Protection Overview

January 2024

1. Governing Texts 

Tanzania has the Personal Data Protection Act 2022, Act No. 11 of 2022 (available in Swahili and English here) ('PDPA'). Until its enactment, there had never been comprehensive legislation on the protection of private information or data. The few data protection provisions that existed were scattered, in varying degrees, across sector-specific legislation, especially in the banking, electronic, and telecommunications sectors, as well as in penal statutes.

The PDPA was passed into law on 27 November 2022. It sets out detailed provisions geared towards the protection of personal data, places restrictions upon personal data collectors and processors, and establishes a Personal Data Protection Commission ('the Commission') to administer and enforce the provisions of the PDPA.

In addition, there are supporting regulations to the PDPA, namely, the Collection and Processing of Personal Information Regulations, 2023 (GN No. 349 of 2023) ('Regulation No. 349 of 2023'); and Personal Data Protection (Complaints Settlement Procedures) Regulations, 2023 (GN No. 350 of 2023) ('Regulation No. 350 of 2023').

1.1. Key acts, regulations, directives, bills

The PDPA is a newly enacted law on personal data protection. It is comprehensive in scope and attempts to set out certain minimum requirements on matters relating to personal data protection. The enactment of this law fulfils the aspirations of Article 16 of the Constitution of the United Republic of Tanzania 1977 ('the Constitution'), which provides that every person is entitled to the respect and protection of themselves, their family, and their matrimonial life, and to respect and protection of their residence and private communications.

Aside from the PDPA and its supporting regulations, many other laws contain data protection provisions. The main ones in this area are the Banking and Financial Institutions Act 2006 ('the Banking and Financial Institutions Act'), the Electronic and Postal Communications Act, 2010 ('EPOCA'), the Cybercrimes Act 2015 ('the Cybercrimes Act'), the Electronic Transactions Act 2022, and the Access to Information Act 2016.

1.2. Guidelines

The PDPA establishes the Commission, which is designated as the registrar of data collectors and processors; the investigator into personal data matters; the advisor to the Government of Tanzania ('the Government'); and the adjudicator of data protection disputes.

In addition, the PDPA also empowers the Ministry of Information, Communication and Information Technology ('the Ministry') with the mandate and jurisdiction to enact regulations to support the better application and enforcement of the provisions of the PDPA and to facilitate the role of the Commission in implementing its mandate under the PDPA. The Ministry has enacted two sets of regulations, namely Regulation No. 349 of 2023 and Regulation No. 350 of 2023.

1.3. Case law

Jamii Media Company Ltd v. The Attorney General (2017) TLS LR 447

The petitioner was an operator of a website which provided users a platform to anonymously post and engage in discussions of social, economic, or political significance. Pursuant to the Cybercrimes Act, the police had issued orders demanding the disclosure of information regarding the users of the platform, threatening to prosecute the petitioner if they did not comply.

The petitioner filed a petition to challenge Sections 32 and 38 of the Cybercrimes Act as unconstitutional for offending Articles 13(6)(a), 16, and 18(1) and (2) of the Constitution. The petitioner's contention was that Section 32 of the Cybercrimes Act takes away the right to privacy and Section 38 of the Cybercrimes Act offends the right to be heard.

The High Court of Tanzania ('the High Court') held that Section 32 of the Cybercrimes Act was within permissible national and international proportional limits and that it was not unreasonable for people in possession of relevant data to disclose it to investigators.

Deogras John Marando v Managing Director, Tanzania Beijing Huayuan Security Guard Service co. Ltd, High Court of Tanzania, Civil Appeal No 110 of 2018 (unreported)

The respondent had used the image of the appellant in company advertisements and for commercial purposes without the appellant's consent. Although there was no comprehensive law in Tanzania for the protection of personal image and privacy, the High Court relied upon Article 16 of the Constitution and drew on common law principles to award general damages in favor of the appellant. The High Court adopted the following principles in its judgment in this case:

  • there must be intrusion of personal privacy of the claimant on their identity/image by the respondent;
  • there must be appropriation of the claimant's image or celebrity or likeness for the respondent's advantage in any form but in particular commercial purposes;
  • there must be lack of consent from the claimant; and
  • there must be proof that the respondent earned profit out of the illegal use of the claimant's image.

Raymond Paul Kanegene and Bob Chacha Wangwe v The Attorney General, High Court of Tanzania, Consolidated Misc. Civil Cause No. 15 of 2019 & No. 5 of 2020

In this case, the petitioners challenged the constitutionality of Sections 16 and 39(2)(a) and (b) of the Cybercrimes Act, which they alleged violated the right to privacy and the right to freedom of expression under Articles 16 and 18 of the Constitution.

Section 16 of the Cybercrimes Act provides that any person who publishes information or data presented in a picture, text, symbol, or any other form in a computer system knowing that such information or data is false, deceptive, or misleading or inaccurate, and with intent to defame, threaten, abuse, insult, or otherwise deceive or mislead the public or concealing commission of an offense, commits an offense, and shall on conviction be liable to a fine of not less than TZS 5 million (approx. $1,980) or to imprisonment for a term of not less than three years or to both.

Section 39(2) of the Cybercrimes Act provides that the Minister may prescribe procedures for service providers to:

  • inform the competent authority of alleged illegal activities undertaken or information provided by recipients of their services; and
  • avail competent authorities, at their request, with information enabling the identification of recipients of their service.

In relation to Section 39(2)(a) and (b) of the PDPA, the submissions were based on the argument that the Minister's power to prescribe procedures requiring service providers to divulge specified information and identify service recipients interferes with the right to privacy and private communication under Article 16(1) of the Constitution, and with the right to freedom of opinion and expression and the right to seek, receive, and disseminate information and ideas without restriction under Article 18 of the Constitution. It was argued that service providers should not be compelled to give information without the consent of the person who issued such information.

The High Court was of the view that the constitutionality of a statutory provision lies not in what could happen in its operation but in what it actually provides for, and that the mere possibility of a statutory provision being abused in actual operation will not, as a general rule, make it invalid. On that ground, the petition was dismissed and it was held that the impugned provisions do not violate the constitutional provisions.

Kisonga Ahmed Issa & Another Vs. Republic, Court of Appeal of Tanzania, Consolidated Criminal Appeal No. 17 of 2016 and 362 of 2017, and in Francis Nyandindi v Republic, High Court of Tanzania (at Dar es Salaam), Criminal Appeal No. 173 of 2021, (unreported)

In these cases, Article 16 of the Constitution was relied upon to refuse the admission in evidence of a statement recorded during the criminal investigation, on the ground that the statement of the accused was recorded while their right to privacy was being violated.

2. Scope of Application

2.1. Personal scope

The PDPA applies to any person who is engaged in the collection or processing of personal information or data; to any public institution which is engaged in the collection and processing of personal information or data; and to data subjects.

The Constitution and the Cybercrimes Act apply generally to all persons as elaborated above. However, the sectoral legislations, for example EPOCA, its supporting regulations, and the Banking and Financial Institutions Act, apply to licensees and banks respectively.

2.2. Territorial scope

The PDPA applies to Tanzania Mainland, and to Zanzibar. However, in Zanzibar the PDPA applies only with respect to matters which are prescribed under the Constitution as 'Union matters'.

'Union matters' is the term used to describe the 22 matters which currently fall within the jurisdiction of the Union Government. These matters are:

  • the Constitution and the Government;
  • foreign affairs;
  • defence and security;
  • the police;
  • emergency powers;
  • citizenship;
  • immigration;
  • external borrowing and trade;
  • service in the Government;
  • income tax;
  • harbours and matters relating to air transport, posts, and telecommunications;
  • all matters concerning currency, banks, foreign exchange, and exchange control;
  • industrial licensing and statistics;
  • higher education;
  • mineral oil resources, including crude oil and natural gas;
  • the National Examination Council of Tanzania;
  • civil aviation;
  • research;
  • meteorology;
  • statistics;
  • the Court of Appeal of the United Republic of Tanzania; and
  • the registration of political parties and other matters related to political parties.

2.3. Material scope

The PDPA is enacted with the objective of establishing a legal basis for the recognition and protection of personal data. It sets out the rights of the data subject, and establishes the Commission and its governing Board with the mandate to administer and enforce the PDPA.

One of the key provisions, Section 5 of the PDPA, requires data collectors and processors to ensure that personal data is lawfully collected for a legitimate purpose which has been disclosed to the data subject, that the data collected is complete and accurate, and that it is kept and processed in a manner which ensures the security of the data and safeguards against unauthorized processing contrary to law.

Personal data collectors and processors are required to be registered pursuant to Section 14 of the PDPA. A data collector has been defined as a person, a body corporate, or a public institution which has been designated according to law, and it includes a representative. A data processor has been defined as a person, a body corporate, or a public institution which processes personal information on behalf of the personal data collector and under their direction, and includes a representative. A data subject has been defined as a person who is the subject of the personal data which is being processed in accordance with the provisions of the PDPA.

The registration of personal data collectors and processors is for five years and may be renewed.

The public or state institutions which deal with the collection and processing of personal data are deemed to be automatically registered under the PDPA and are bound to observe the provisions of the PDPA.

The collection of personal data must be done directly from the data subject. It is prohibited to collect personal data from third parties unless such information is already in the public domain, the data subject has authorized the collection of such data from a third party, or circumstances necessitate collection from a third party.

The collector of personal data has a duty to inform the data subject, and to ensure that they are aware, of the purpose for which the data is being collected, that the collection of such data is for a purpose authorized by law, and who the recipients of the personal data to be collected will be.

There are stricter restrictions on certain personal data which is classed as sensitive personal data. Such data includes information on an individual's DNA, their children, information relating to offenses, a person's financial transactions, a person's security, a person's biometric information, race, color, tribe, political affiliation, religion or beliefs, sex, health, information about one's sexual relationships, or any other information which, pursuant to the laws of the land, is considered likely to have serious consequences for the data subject. Section 30 of the PDPA prohibits processing of such sensitive personal data without the written consent of the data subject.

A data subject is entitled to compensation pursuant to Section 37 of the PDPA for any injury suffered arising from breach of the provisions of the PDPA by personal data collectors or processors.

In its role as the administrator and enforcer of the PDPA the Commission is a registrar of data collectors and processors and has also the role of an investigator and may impose fines, upon an investigation, for breach of the provisions of the Act. The highest fine that the Commission may impose under the PDPA is TZS 100 million (approx. $39,700). In addition, where a person has suffered an injury, the Commission has a mandate to order compensation to the injured party.

The Commission has legal mandate to review its own decisions. Moreover, where a party is aggrieved by any decision of the Commission, there is a right of appeal against the decision to the High Court.

The Banking and Financial Institutions Act

Section 48 of the Banking and Financial Institutions Act prohibits banks from divulging their customers' affairs and information, unless required by law. Under the Bank of Tanzania (Credit Reference Bureau) Regulations, 2012 ('the Credit Reference Bureau Regulations'), banks and financial institutions must surrender credit information on their customers to the Credit Reference Databank maintained by the Bank of Tanzania, which shares that information with licensed companies operating as credit reference bureaus, which in turn are allowed to share it with banks and financial institutions that process customers' loans. The credit information surrendered contains the borrower's information and their credit history.

The Credit Reference Bureau Regulations prohibit credit reference bureaus from maintaining any information relating to the borrower's race, creed, color, ancestry, ethnic origin, religious or political affiliation, state of health, or criminal record except financial fraud and other similar types of offenses. Additionally, a credit reference bureau is prohibited from keeping information relating to:

  • information as to a judgment six years after the judgment was filed, unless the borrower confirms that it remains unpaid in whole or in part and such information appears in the credit history;
  • information as to any judgment against a person unless mention is made of the name and where available, the address of the judgment creditor as given at the date of entry of the judgment, and the amount;
  • information as to the bankruptcy or liquidation of a person, after six years from the date of the bankrupt's discharge or the finalization of the liquidation;
  • information regarding any judgment, collection, or debt that is statute-barred after six years unless it is accompanied by evidence appearing in the credit history that recovery is not barred by the expiration of a limitation period;
  • information as to the payment or non-payment of taxes and lawfully imposed fines after six years;
  • information as to writs that were issued against the person more than 12 months after their issuance;
  • any adverse information where more than six years have expired since the adverse information was placed in the database or last reaffirmed; or
  • any other information as may be prescribed by the Bank of Tanzania.

The Electronic and Postal Communications Act

The EPOCA is the principal legislation governing electronic, telecom, and postal communications. The Tanzania Communications Regulatory Authority ('TCRA') is the authority empowered to enforce the EPOCA.

Pursuant to Section 84 of the EPOCA, the TCRA maintains a Central Equipment Identification Register ('CEIR') with information on all devices that licensees use in their networks. Furthermore, licensees are obliged to maintain a sub-register of the information submitted to the CEIR and to maintain subscribers' information, which must be submitted to the TCRA once every month. This means that, for users of SIM cards to be allowed to connect to telecommunications networks, they must disclose their full details (names, residence, occupation, or business), verified by producing an identity card or, in the case of companies, business registration documents.

However, Section 98 of the EPOCA imposes a duty of confidentiality upon the TCRA and companies licensed to offer services pursuant to the TCRA, unless disclosure is allowed by law.

Further provisions are to be found in the Regulations made under the EPOCA. Rule 6 of the Electronic and Postal Communications (Consumer Protection) Regulations, 2018 ('the EPOCA Consumer Protection Regulations') prescribes the restrictions under which customers' information may be collected and used by licensee companies. It provides that a licensee may collect and maintain information on individual consumers where it is reasonably required for its business purposes.

The EPOCA Consumer Protection Regulations further provide that the collection and maintenance of information on individual consumers shall be:

  • fairly and lawfully collected and processed;
  • processed for identified purposes;
  • accurate;
  • processed in accordance with the consumer's other rights;
  • protected against improper or accidental disclosure; and
  • not transferred to any party except as permitted by any terms and conditions agreed with the said consumer, as permitted by any permission or approval of the TCRA, or as otherwise permitted or required by other applicable laws.

The above-mentioned provision seems broad in scope, and the supporting regulations do not provide details or elaboration as to its proper scope. For example, the word 'fairly', as used under paragraph (a), is not elaborated upon, so its exact meaning in the context of information collection is unclear.

The Electronic and Postal Communications (Online Content) Regulations, 2020 ('the EPOCA Online Content Regulations') provide that subscribers and users of online content shall be responsible and accountable for the information they post in an online forum, social media, blog, or any other related media, and are required to ensure that their posts do not contravene the provisions of the EPOCA Online Content Regulations or any other written law. Rule 17 prohibits any disclosure of information obtained by the TCRA in the course of its duties or the exercise of its functions under the EPOCA Online Content Regulations. A similar restriction is found under Rule 20 of the Electronic and Postal Communications (SIM Card Registration) Regulations, 2020 ('the SIM Card Registration Regulations').

The EPOCA Investigation Regulations prohibit any person from intercepting any communication at any place in the country except as provided under the Regulations. Rule 4 of the EPOCA Investigation Regulations repeats the provisions of Article 16 of the Constitution. However, it further provides that any person's communications may be intercepted for the purpose of:

  • preservation or protection of national security;
  • preservation of public safety, economic well-being, or interest of the country;
  • the preservation, investigation, or proof of criminal offenses; and
  • prosecution of offenders or the execution of criminal sentences or security measures.

Lawful interception shall be done by the Director General of Tanzania Intelligence and Security Service; or the Director of Criminal Investigations, under a warrant duly applied for and granted by the issuing authority. The issuing authority for purposes of issuing warrants under these regulations is the Inspector General of Police and not a court of law as is ordinarily the case under the penal statutes.

The effect of the warrant is to serve as a disclosure order to any person in possession of a key to disclose the protected information to the holder of an interception warrant. The warrant entitles the person in possession of the key to obtain access to the protected communications and requires the person to disclose the protected communications in an intelligible form. Failure to comply with a warrant is an offense punishable by imprisonment for a term of not less than 12 months, or a fine of not less than TZS 5 million (approx. $1,984), or both fine and imprisonment.

In addition, any person may intercept communications if he/she:

  • is a party to the communications;
  • has the consent of the person sending the communication, the person to whom it is sent, or a party to the communication;
  • is authorized by law; or
  • is bona fide intercepting communications for the purpose of, or in connection with, the provision, installation, maintenance, or repair of the communications service.

Rule 7 prohibits any person from developing or possessing interception technology. Contravening this Rule is an offense punishable by a fine of not less than TZS 10 million (approx. $3,970), or to imprisonment for a term of not less than two years, or both fine and imprisonment.

The Cybercrimes Act

This is a penal statute intended to deter and discourage privacy and data protection abuses. The Cybercrimes Act applies to offences committed within the United Republic of Tanzania, including on vessels or aircraft registered in Tanzania. It also applies to Tanzanian nationals residing abroad if they commit an offense under the Cybercrimes Act which is also an offense under the laws of the host country. Further, the Cybercrimes Act applies to any person, regardless of nationality, if the act:

  • is committed using a computer system, device, or data located within Tanzania; or
  • is directed against a computer system, device, data, or person located in Tanzania.

It is an offense to access, or cause to be accessed, a computer system without permission. Any person convicted of this offense is liable to imprisonment for not less than one year, or to a fine of not less than TZS 3 million (approx. $1,190), or to both a fine and imprisonment. It is also an offense to intentionally and unlawfully remain in a computer system, or to continue to use a computer system after the expiry of the time for which one was allowed to do so. Doing so is punishable by imprisonment of not less than one year, or a fine of not less than TZS 1 million (approx. $390), or both.

Similarly, it is an offense to intercept personal communications and interfere with data by damaging, deleting, altering, obstructing, and interrupting it. The penalty is a fine of not less than TZS 10 million (approx. $3,390), or three times the value of undue advantage received by the offender, whichever is greater, or to imprisonment for a term of not less than three years.

The Cybercrimes Act also prohibits operators and other service providers from monitoring activities or data being transmitted in their systems. However, they are also shielded from being held liable for illegal activity that takes place within their networks or systems through the actions of third parties.

The Electronic Transactions Act

This law does not set out data protection clauses per se. Its significance lies in giving legal recognition to electronic information: before this law, electronic communications or transactions could not easily be enforced, as there was no statutory recognition of them.

This law has therefore, for the first time, provided statutory legal recognition of electronic transactions, including recognition of electronic signatures and electronic documents and communications. It has established and authorized electronic Government services, which have enabled the Government to deliver services and interact with the public electronically. It has also facilitated the use of Information and Communication Technologies in the collection of evidence and the admissibility of electronic evidence.

It establishes the office of the regulator of Cryptographic and Certification Services, whose functions are to:

  • license and regulate cryptographic and certification services;
  • prescribe security standards for cryptography and electronic signatures;
  • determine standards to be maintained by certification authorities;
  • keep and maintain a register of cryptographic and certification service providers; and
  • do such other things necessary for the implementation of these functions.

The Access to Information Act

This Act was enacted with the objective of providing for access to information, defining the scope of information which the public has the right to access, and promoting transparency and accountability of information holders, and to provide for related matters.

This law applies to public authorities and private bodies registered under Tanzanian laws which utilise public funds or are in possession of information which is of significance to public interest.

As such, under this law, any person has a right of access to information which is under the control of the information holders. However, it provides an exception that certain information shall not be released by the information holders, among which is any information which involves an unwarranted invasion of the privacy of an individual.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The Commission as established under the PDPA is the main regulator for data protection. 

The Commission is a body corporate, with powers to sue and be sued, to acquire, own and dispose of properties, and to do any such thing which a body corporate ordinarily would have legal powers to do for the better carrying out of its mandate under the PDPA.

The Commission is headed by a Chief Executive Director appointed by the President of the United Republic of Tanzania. 

There is also a Board of the Commission which, among other things, has the obligation of oversight over the implementation of the powers of the Commission and to ensure that the Commission executes its mandate according to law.

3.2. Main powers, duties and responsibilities

The Commission has the following obligations:

  • to ensure compliance with the PDPA by personal data collectors and processors;
  • to register personal data collectors and processors;
  • to receive and attend to complaints on breach of personal data protection and privacy;
  • to investigate and take action against any act which the Commission finds jeopardizes protection of personal information and privacy;
  • to educate the public as far as possible regarding the application of the PDPA;
  • to research and follow up on developments in technology regarding the processing of data;
  • to coordinate cooperation between the various public institutions which deal with protection of personal data; and
  • to implement other obligations of the Commission under the PDPA.

4. Key Definitions 

Data controller: A data controller is defined as a natural person, legal person or public body which alone or jointly with others determines the purpose and means of processing of personal data; and where the purpose and means of processing are determined by law, 'data controller' is the natural person, legal person or public body designated as such by that law and it includes his representative.

Data processor: a natural person, legal person or public body which processes personal data for and on behalf of the controller and under the data controller's instruction, except for the persons who, under the direct authority of the controller, are authorized to process the data and it includes his representative.

Personal data: information about an identifiable person which has been stored in any form, and which includes:

  • personal information concerning the race, national or ethnic origin, religion, age, or marital status of an individual;
  • personal information concerning education, medical, criminal, or employment history;
  • any identification number, symbol, or anything else which identifies a person;
  • the address, fingerprints, or blood group of an individual;
  • the name of a person which appears in the personal information of another person to whom they are related, or where disclosure of such name would reveal personal information; and
  • information sent to a personal data controller where it is obvious that the information is personal or confidential, and where a response to it may reveal the content of the original information, and the views of any other person about the data subject.

Sensitive data: defined as:

  • genetic information, information relating to children, offenses, financial transactions of an individual, security, and biometric information;
  • where the information is processed for what it reveals, personal information revealing race or ethnic origin, political outlook, religious or philosophical beliefs, trade-union membership, gender, health data, or sexual relationships; and
  • any personal information which, by virtue of the laws of the country, is regarded as presenting a major risk to the rights and interests of the data subject.

Health data: The PDPA does not define health data.

Biometric data: The PDPA does not define biometric data.

Pseudonymisation: The PDPA does not define pseudonymisation.

5. Legal Bases

5.1. Consent

Generally, a requirement for consent is implied from the overall intention and objectives of the PDPA. In particular, the requirement that collection of personal data be done directly from the data subject, and the requirements of full disclosure under Section 23 of the PDPA, imply a need for consent.

However, there is an express requirement for a written consent in the case of collection of sensitive personal data under Section 30 of the PDPA.

5.2. Contract with the data subject

Contractual obligations are binding and enforceable pursuant to the Law of Contract Act, 2019. A person may validly allow access to personal data under a contract.

5.3. Legal obligations

There are numerous instances, depending on the sector, where statutory obligations require both data collection and data protection. For example, the SIM Card Registration Regulations require licensees to collect personal information, with an overriding obligation to keep such information confidential. The same also applies to banks under the Banking and Financial Institutions Act and the Credit Reference Bureau Regulations. The Anti Money Laundering Act, 2006 and the Anti Money Laundering Regulations of 2012 require a reporting person to collect personal information on the persons they engage in business with, with the aim of reporting to the Financial Intelligence Unit ('FIU'), which monitors money laundering.

5.4. Interests of the data subject

Interests of the data subject are given paramount importance. The data subject has certain rights in the course of data collection and data processing. There is an implied need for consent for any personal data being collected or processed, and there is an express requirement for written consent if the personal data is sensitive data. The data subject has a right to access personal information collected; may require correction of errors of information; has a right to prohibit processing of personal data where such processing may have grave consequences to the data subject or to anybody else; and has a right of compensation for injuries that arise as a result of breach of the provisions of the PDPA.

5.5. Public interest

Data collection is in some cases carried out in the public interest, an example of which is the requirement for SIM Card registration, which empowers telephone companies to collect personal data for the broader public interest of curbing crime committed through the use of mobile phones. The collection of data under the EPOCA Investigation Regulations or the Cybercrimes Act is also in the public interest, in order to assist in the investigation of crimes.

5.6. Legitimate interests of the data controller

The purpose of the PDPA is to protect the legitimate interests of both the data subjects and data controllers and processors. The PDPA operates in favor of the data controller by facilitating a lawful collection and processing of personal data, and protects interests of the data subject through regulation and institutional oversight to ensure that there is compliance.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Not applicable.

7. Controller and Processor Obligations

7.1. Data processing notification

Data collection and processing must be done with full disclosure to the data subject. The PDPA does not specify or prescribe the form that a notification to the data subject must take.

7.2. Data transfers

There is no prohibition of data transfers. However, Section 31(2) of the PDPA requires that a transfer be made only to a country which has sufficient legal protection for personal data. It is also required that a data transfer be shown to be necessary and important in the public interest or for any other legitimate reason.

The Commission is vested with powers to prohibit and prevent personal data from being transferred outside of the country pursuant to the conditions prescribed under the PDPA.

7.3. Data processing records

Personal data collected and processed must be preserved for a period of time which shall be prescribed in the regulations to be enacted under the PDPA.

7.4. Data protection impact assessment

Not applicable.

7.5. Data protection officer appointment

Section 27(3) of the PDPA requires the data collector or the data processor to appoint a personal data protection officer who will ensure the security of the data.

7.6. Data breach notification

Section 27(5) of the PDPA requires a data collector to inform the Commission as soon as practicable where there is a security breach that affects the safety of personal data.

7.7. Data retention

Data may be retained for such a period as may be prescribed by Regulations which the Minister is empowered to enact under the PDPA.

7.8. Children's data

A child is any person under the age of 18 years pursuant to the Law of the Child Act 2009. Any information concerning children is classified as sensitive information under the PDPA.

7.9. Special categories of personal data

There is personal data generally, and sensitive personal data as already indicated above.

7.10. Controller and processor contracts

Section 27(4) of the PDPA requires a contract between a data collector and a data processor to govern their relationship.

8. Data Subject Rights 

8.1. Right to be informed

The data subject has a right to be informed of the collection and processing of their data, the purpose for which it is collected, and the recipients of such data.

8.2. Right to access

The data subject has a right to access data collected and processed under the PDPA.

8.3. Right to rectification

The data subject has a right to rectification of personal information to ensure it is accurate and free from errors.

8.4. Right to erasure

The data subject has a right to erasure of data under Section 38(1) and (2), exercised through an application to the Commission.

8.5. Right to object/opt-out

The data subject has a right to object to or opt out of data processing under Section 34 if such processing will have adverse effects.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

The data subject has a right under Section 36 of the PDPA to require the data collector to ensure that any decision made by the data collector, or on its behalf, which may have adverse effects on the data subject does not depend solely on automated processing.

Where a decision which has adverse effects on the data subject is taken based solely on automated processing of personal data, the data collector is required to notify the data subject at once that the decision was arrived at on the basis of automated processing, and that the data subject has a right to demand that the data collector review the decision.

8.8. Other rights

The PDPA requires that personal data be accurate and be kept in a secure manner so as not to be divulged to third parties. Personal data must be used only for the intended purpose for which it was collected.

There is a prohibition under the Cybercrimes Act against publication of information of a data subject in a misleading manner with intent to defame, threaten, abuse, insult, or otherwise deceive or mislead the public.

9. Penalties

Under the PDPA, for offenses of disclosure of personal data contrary to law, a natural person is liable upon conviction to a fine of not less than TZS 100,000 (approx. $39) and not exceeding TZS 20 million (approx. $7,940), or imprisonment for a term not exceeding ten years, or both fine and imprisonment; a body corporate is liable to a fine of not less than TZS 1 million (approx. $390) and not exceeding TZS 5 billion (approx. $1,980,940).

Offenses of destruction, erasure, concealment, or modification of personal data contrary to law are punishable upon conviction by a fine of not less than TZS 100,000 (approx. $39) and not more than TZS 10 million (approx. $3,970), or imprisonment for a term not exceeding five years, or both fine and imprisonment.

Where an offense has been committed by a body corporate, any officer who knowingly authorizes the commission of such offenses will be held liable.

For any breach of the conditions of the PDPA for which no punishment has been prescribed, the offence shall be punishable by a fine of not less than TZS 100,000 (approx. $39) and not exceeding TZS 5 million (approx. $1,980), or imprisonment not exceeding five years, or both fine and imprisonment.

Under the Cybercrimes Act, for publishing child pornography the penalty is a fine of not less than TZS 50 million (approx. $19,850) or three times the value of the advantage obtained from committing the crime, or imprisonment for not less than seven years, or both fine and imprisonment.

For publishing misleading information, the penalty is a fine not exceeding TZS 5 million (approx. $1,980) or imprisonment for not less than three years, or both fine and imprisonment.

9.1. Enforcement decisions

Not applicable.