Intellectual Property in Tanzania: the 2022 Regulations on Copyright Licensing and Rights to Benefit from Re-Sale
The Personal Data Protection Act No. 11 of 2022 (the Act) was passed on 1 November 2022 in recognition of the right to privacy and personal security enshrined under Article 16 of the Constitution of the United Republic of Tanzania, 1977. The Act sets minimum requirements for the collection and processing of personal data in Tanzania. It is crucial to note that the commencement of the Act is subject to publication of a notice by the Minister of Information, Communication and Information Technology setting out a date from which the Act will take effect. As of the date of this legal update, the notice of commencement of the Act is yet to be published. In this update, we provide an overview of the Act and analyse the mechanisms put in place to ensure the protection of personal data as collected and processed for various purposes.
The Act applies to both public and private institutions with the responsibility to collect and process personal data in Tanzania. Undeniably, the protection of personal data existed before the enactment of the Act; however, the Act strengthens such protection and provides specific remedies for breach in relation to personal data.
Parties which accumulate significant data will no doubt query whether they are covered by the Act or not. Would a law firm or an accountancy firm be covered by the Act, for example? Both institutions accumulate data and sensitive information. Would they qualify as Data Collectors or Data Processors? As the Act has just been published and is not yet in force, there are currently no accompanying Regulations which provide specific clarity on the matter. What is clear is that an institution which collects data for statistics or market surveys, for example, is likely covered. We will prepare an additional legal update once further information becomes available from the relevant Ministry.
The following key terms have been defined in the Act:
“Child” means a person below the age of eighteen years;
“Code of ethics” means the code that sets out the ethics and restrictions on collectors and processors of personal data prepared in accordance with the Act;
“Data collector” means a person, body corporate or a public institution which, either alone or in conjunction with another institution, determines the purpose and methodology of personal data processing and where such methods have been prescribed by law;
“Data processor” means a person, body corporate or public institution which processes personal data for and on behalf of the data collector under the guidance of the data collector, except persons under the direct control of the data collector, and includes their agents;
“Data subject” means a person whose personal data is being processed in accordance with the Act;
“Minister” means the minister responsible for communications;
“Personal data” means information of an identifiable person stored in any form, which includes:
“Personal data protection officer” means a person appointed by a data collector or processor and given the responsibility to ensure the implementation of obligations specified in the Act;
“Recipient” means a person, entity or public institution who receives personal information from the collector;
“Sensitive personal data” means:
“Transfer of personal data abroad” means the transfer of personal data across countries through electronic means or any other means.
The Act was prepared in order to ensure that the collection and processing of personal data is strictly controlled. This is achieved through establishing legal and institutional arrangements for the protection of such information. According to the Act, data collectors and processors shall ensure that personal information:
The Act establishes a Personal Data Protection Commission (the Commission) which is a body corporate with perpetual succession and common seal. The Commission shall be capable of doing the following in its own name:
The Commission is tasked with various functions which include:
Furthermore, the Act establishes a Board of the Commission with the duty to provide guidelines for the management of the Commission, to approve the Commission’s investment plans and performance reports, among others.
The Act provides a strict requirement for any person who intends to collect or process data in Tanzania to be registered by the Commission. Registration is initiated through an application made to the Commission which will either accept or reject the application. Upon acceptance, the Commission will issue a certificate of registration and where rejected, the Commission will provide its reasons for the decision in writing.
An issued certificate of registration shall be valid for a period of five years from the date of issuance. The Act directs that all applications for renewal be made three months before the expiry of the registration period. The Act further gives the Commission leeway to cancel an issued certificate of registration.
The Act directs that personal information be collected where necessary and for a legitimate purpose. To ensure accuracy of information, the Act places a duty on data collectors to take necessary steps to confirm that data collected is complete, correct and consistent with the content for which it was collected. Such steps must be taken before the collected data is used.
According to the Act, data collected may only be disclosed under the following circumstances:
Disclosure of information may also be permitted where:
Additionally, data collectors are required to maintain a proper security system dedicated to ensuring that the data collected is not destroyed, converted, accessed or processed in any way without authorisation.
The Act does not prohibit the transfer of personal data to other jurisdictions, provided that such jurisdictions have a reliable legal system for the protection of personal data, and the said transfer is necessary for a legitimate or public interest. Please note that the Commission may restrict transfer of personal data to other countries in accordance with the Act. In some instances, personal data may be transferred to a receiving country that has no specific legal protection for personal data but has guaranteed protection of such data.
As a guarantee to the protection of personal data, the Act vests the following rights upon a data subject:
According to the Act, a person may file a complaint against a data collector or processor who has violated the principles of personal data protection. Please note that such complaints are submitted to the Commission. The Commission will initiate a confidential investigation where satisfied that there are fundamental reasons to investigate. Such investigation will be conducted and concluded within 90 days; however, under certain circumstances, the Commission may extend such period.
Where it is determined that there has been a violation of the provisions of the Act, the Commission may issue an enforcement notice directing the respective person to remedy such violation within a certain period. Furthermore, the Commission may issue a notice of penalty where the respective party has failed to remedy the violation within the given period.
According to the Act, unconsented disclosure of personal data by an individual shall constitute an offence punishable by a fine of not less than TZS 100,000 (approximately USD 43) and not more than TZS 20,000,000 (approximately USD 8,600) or by imprisonment for a term not exceeding ten years. In some instances, both a fine and imprisonment may be imposed.
With regard to a body corporate, the Act imposes a fine of not less than TZS 1,000,000 (approximately USD 430) and not more than TZS 5,000,000,000 (approximately USD 2,127,700) for unconsented disclosure of personal data.
The Act further establishes an offence of unlawful destruction, deletion, concealment or conversion of personal data. This offence is punishable by a fine of not less than TZS 100,000 (approximately USD 43) and not more than TZS 10,000,000 (approximately USD 4,300) or by imprisonment for a term not exceeding five years. Both a fine and imprisonment may be imposed in some instances.
Where an offence is committed by a body corporate, the Act imposes direct liability on all officers who intentionally authorised or allowed the commission of such an offence.
Additionally, the Act stipulates a general fine of not less than TZS 100,000 (approximately USD 43) and not more than TZS 5,000,000 (approximately USD 2,200), or imprisonment for a term not exceeding five years, or both a fine and imprisonment. This provision will apply where the Act does not specifically provide a punishment for an offence.