LEGAL PROTECTION OF PERSONAL DATA AND PRIVACY IN TANZANIA

The protection of personal data and privacy is a fundamental right recognized by the Constitution of the United Republic of Tanzania as well as by international treaties and conventions such as the Universal Declaration of Human Rights (UDHR), the International Convention on Civil and Political Rights (ICCPR) and the African Charter on Human and Peoples’ Rights (ACHPR). The Personal Data Protection Act was enacted to implement the right to privacy enshrined in Article 16 of the Constitution. That every person has the right to the protection of the law against interference with his privacy was also held in the case of Tito Magoti vs Hon. Attorney General (Misc. Civil Cause No. 18 of 2023) [2024] TZHC 1939 (8 May 2024).

1. Apply to the Commission for registration. The application is made in the prescribed form under the Personal Data Protection (Personal Data Collection and Processing) Regulation of 2023, together with payment of the required fees. Obtain a certificate of registration. The Personal Data Protection Commission was officially established on May 1, 2023, following the enactment of the Personal Data Protection Act No. 11, 2022.

2. Appointment of a Data Protection Officer. A "data protection officer" is a person chosen by the data controller or processor to make sure they follow the rules. The responsibilities include: ensuring compliance with the Act and Regulations in personal data processing, reporting violations and advising on corrective measures, submitting quarterly compliance reports to the Commission, handling applications or complaints from data subjects or their representatives, and performing any additional duties as directed by the data controller or processor.

3. Data processors must operate under a contract with data controllers that mandates adherence to the controller's instructions and ensures compliance with applicable security standards. A “data processor” is a person, company, or other body which processes personal data on the data controller's behalf.

4. Ensure an appropriate level of security for personal data protection based on the latest technological advancements, implementation costs, the nature of the data, and potential risks to data subjects, by adopting reasonable safeguards against negligent loss, unauthorized destruction, alteration, access, or processing.

5. The data controller must promptly notify the Commission of any security breach involving the processing of personal data. A "data controller" is a person or organization (individual, company, or public body) that decides how and why personal data is processed. If the law specifies the purpose and methods, the law designates the responsible person or organization, including their representative.

6. Data controllers must retain personal data for a specified duration in accordance with relevant laws or regulations, ensuring that data subjects have a reasonable opportunity to access their personal data when needed. The Minister may also prescribe regulations regarding the retention and disposal of such data based on the purpose of retention.

7. Data controllers and processors must ensure that personal data is collected and processed in a lawful, fair, and transparent manner for legitimate purposes, is adequate and relevant, accurate and up-to-date, stored only as long as necessary, and managed in accordance with the rights of data subjects while implementing appropriate security measures to protect against unauthorized access, loss, or damage.

8. The data controller or data processor shall establish and implement technical measures and mechanisms to ensure the protection of personal data in accordance with established principles.

9. To ensure compliance with the security of personal data during processing, the data controller or data processor must implement robust information security policies and procedures, assess and mitigate risks, maintain resilience against changes and cyber threats, restrict access to authorized personnel only, secure data transfers and storage, maintain necessary backups and logs, utilize audit trails and monitoring for routine security, and adequately protect sensitive personal data.

10. To ensure compliance with the principles of proportionality and necessity in personal data processing, data controllers and processors must avoid bulk processing, limit data collection to what is essential, demonstrate data relevance, pseudonymize unnecessary identifiable data, anonymize or delete data no longer needed, streamline data flows to prevent duplication or unauthorized access, and use suitable technologies for data minimization.

11. To comply with the principle of accuracy in personal data processing, the data controller or processor must verify source reliability, ensure accuracy for intended purposes, engage data subjects for confirmation, promptly correct inaccuracies, mitigate processing errors, provide accessible information, maintain accurate records, conduct assessments at critical stages, update data as needed, and employ technology to reduce inaccuracies.

In conclusion, both data processors and data collectors have important responsibilities to handle personal data responsibly. They must follow the rules and ensure the privacy and security of the data they manage. By doing so, they help protect individuals' rights and build trust with those whose data they process.


As lawyers at Darstate Attorneys, our responsibility is to guide and advise you on the basic principles and legal procedures in promoting your business, whether it is a service or a product.
