Hilton Law Group
What law(s) specifically govern personal data / information?
The Personal Data Protection Act No. 11 of 2022;
The Electronic and Postal Communications (EPOCA) Act, 2010;
The Cybercrimes Act, 2015;
The Electronic Transactions Act, 2015;
The Finance Act, 2022 (Amendments to the NIDA Act);
The Tanzania Communications Regulatory Authority (TCRA) Act, 2003.
What are the key data protection principles in this jurisdiction?
Lawfulness and fairness
Transparency of personal data processing
Data security (Confidentiality and security of personal data processing)
Accountability
Accuracy of personal data
Purpose limitation
Data minimization (Collection limitation)
Storage limitation
Consent
Confidentiality
Data subject rights
What is the supervisory authority / regulator in charge of data protection?
The Personal Data Protection Commission.
Is there a requirement to register with a supervisory authority / regulator?
Organizations that collect, process, or store personal data are required to register with the Personal Data Protection Commission.
Is there a requirement to notify the supervisory authority / regulator?
There is a requirement for notification:
- In case of data breaches.
- If having data processing activities through registration.
- To get approval for cross-border data transfers.
- Of a Data Protection Officer.
Is it possible to register with / notify the supervisory authority / regulator online?
All registrations/notifications are done online.
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to information
Right to access
Right to rectification of errors
Right to deletion/right to be forgotten
Right to restriction of processing
Right to data portability
Right to object to processing
Right to withdraw consent
Right to complain to the relevant data protection authority(ies)
Right not to be subject to automated individual decision-making
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes, the requirement applies:
- If an organization processes large volumes of personal data, particularly sensitive data.
- For organizations that handle sensitive personal data.
- To public sector organizations or entities performing tasks in the public interest.
- If an organization's core activities involve systematic monitoring of individuals.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Data Protection Impact Assessments (DPIAs) are a common requirement especially when certain data processing activities pose a high risk to the rights and freedoms of individuals.
Does this jurisdiction have any specific data breach notification requirements?
Data controllers must promptly notify the Personal Data Protection Commission of any personal data security breach.
What restrictions apply to the international transfer of personal data / information?
The PDPA permits the transfer of personal data outside Tanzania only in the following circumstances:
- to a country that has a legal framework that provides for adequate personal data protection (essentially equivalent levels of protection to that within Tanzania), provided the recipient has established that:
  - such personal data is necessary for the performance of a task carried out in the public interest or pursuant to the lawful functions of a data controller; or
  - the transfer is important and there is no reason to assume that the data subject's legitimate interests may be prejudiced by the transfer or by the processing in the recipient country.
  The data controller must carry out a provisional evaluation of the need to transfer such personal data and ensure that the recipient processes only the relevant information in the data, and only for the purpose for which the data was transferred. The recipient of the data must also ensure that the necessity for the transfer of the personal data can be subsequently verified;
- to any other country with appropriate safeguards on the security and protection of personal data, provided the data is transferred solely to permit processing authorised to be undertaken by the controller;
- to a country which does not have an adequate level of protection, provided the transfer is in accordance with specifications issued by the Minister responsible for Information, Communication and Information Technology, the data subject has consented to such transfer, and the transfer is necessary for:
  - the performance of a contract between the data subject and the data controller, or the implementation of pre-contractual measures taken at the request of the data subject;
  - the conclusion or performance of a contract concluded or to be concluded between the controller and another person in the interest of the data subject;
  - compliance with a legal requirement on public interest grounds, or the institution, trial or defence of a legal claim;
  - protecting the legitimate interests of the data subject; and
  - a transfer made in accordance with the law that is aimed at providing information to the public and is open for public consultation, in general or by anyone who can demonstrate a legitimate interest, to submit their opinion in accordance with a procedure laid down by law.
Prior to the transfer of personal data outside Tanzania, the data controller or processor must apply for and obtain a permit from the Commission. The application is made using a prescribed form, which must be accompanied by proof that:
- the recipient country has ratified an international agreement providing requirements for the protection of personal data;
- there is an agreement between Tanzania and the recipient country regarding the protection of personal data; or
- there is a contractual agreement between the person requesting the personal data and the recipient of the personal data who is outside Tanzania.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The Act has a limited extraterritorial application. It applies to the processing of personal information carried out by:
- A controller residing in Tanzania, or in a place where the laws of Tanzania apply by virtue of international law; and
- A controller or processor residing outside Tanzania, if the processing has occurred in Tanzania.
What rules specifically deal with marketing?
The Electronic and Postal Communications (Consumer Protection) Regulations, 2018.
Do different rules apply to business-to-business and business-to-consumer marketing?
No, the same rules apply.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc.)?
N/A
What rules specifically deal with cookies?
There is not yet a comprehensive and specific law focused entirely on cookies; however, existing data protection and cybersecurity regulations likely offer some guidance on the collection and use of cookies, particularly in relation to user consent, transparency, and data privacy.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
The Commission may issue an enforcement notice directing the respective person to remedy such violation within a certain period.
The Commission may issue a notice of penalty where the respective party has failed to remedy the violation within the given period. The severity of the breach determines the fine imposed.
Unconsented disclosure of personal data by an individual is punishable by a fine of not less than TZS 100,000 and not more than TZS 20,000,000, or imprisonment for a term not exceeding ten years, or both a fine and imprisonment. For a body corporate, the Act imposes a fine of not less than TZS 1,000,000 and not more than TZS 5,000,000,000.
Unlawful destruction, deletion, concealment or conversion of personal data is punishable by a fine of not less than TZS 100,000 and not more than TZS 10,000,000, or imprisonment for a term not exceeding five years, or both a fine and imprisonment.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
Cross-border data transfer
Registration with the PDPC
Principles applicable in data protection
What upcoming data protection developments should multinational organisations be aware of?
Stricter enforcement with fines, penalties, and possible legal actions for breaches of data protection requirements.
Organizations that fail to comply with the Act may face significant financial and reputational consequences.
The Act is shaping the country's digital and data governance landscape, with a clear emphasis on securing personal data and holding organizations accountable.
Industries such as telecommunications, finance, and healthcare, which handle large amounts of sensitive personal data, will see more tailored guidance on compliance.