The personal data collection, processing and dispute handling procedures in Tanzania

Following the coming into force of the Personal Data Protection Act No.11 of 2022 (the Act) on 1 May 2023, the Minister of Information, Communication and Information Technology enacted two new regulations; one dealing with procedures for settling complaints arising from violation of personal data and the other dealing with data collection and processing. The Personal Data Protection (Complaints Settlement Procedures) Regulations, G.N. 449B of 2023 (the Complaints Settlement Regulations) and the Personal Data Protection (Personal Data Collection and Processing) Regulations, G.N. 449C of 2023 (the Collection and Processing Regulations) (collectively referred to as “the Regulations”) were published on 4 July 2023.

In this month’s legal update, we provide an overview of the Regulations which we anticipate will play a vital role in complementing the Act in ensuring that data is collected and processed in the correct manner and disputes arising from violation of personal data are handled appropriately. 

View our previous insight on the Personal Data Protection Act of 2022

The Complaints Settlement Regulations

The following key terms have been defined in the Complaints Settlement Regulations:

“Award” means the decision of the Personal Data Protection Commission (the Commission) in the underlying complaint, and includes any previous decision;

 “Complaint” means the material facts of the matter or act complained by the complainant, in respect of the processing or any other use that violates the principles of personal data protection of the data subject by the data controller or data processor;

“Complainant” means a person who has filed a complaint to the Commission pursuant to the Complaints Regulations.

“Respondent” means the data collector or data processor or any person against whom a complaint is filed;

“Third Party” means a person who is not part of the complaint but the respondent has a complaint against him;

“Mediator” means an officer of the Commission who is assigned to mediate the parties to a complaint; and

“Hearing” means all processes required for determination of a complaint including:

• any attempt to reconcile the parties;
• oral or written submissions made by the parties;
• examination of witnesses;
• discovering of documents;
• tendering of exhibits;
• visitation of the scene of the incident; and
• production of documents by order of the Commission. 

The following is a brief analysis on dispute handling procedures as provided under the Complaints Settlement Regulations:

Complaint Filing

A complaint is filed before the Commission through a prescribed form. A complainant may also lodge their complaint orally which will later be reduced into writing by the Commission using the prescribed form and signed by the complainant. The Commission will then, evaluate the complaint to check its propriety and compliance with the Act and the Regulations. When the Commission is satisfied that the Complaint has met the requirements of the Act and the Regulations, it will proceed to investigate and mediate the complaint. 

The Commission may within seven days reject the complaint on various grounds, including the following: non disclosure of cause of action; time limitation; the same matter is pending in any court, tribunal, arbitration or a quasi judicial body; the complainant has no right to file the matter; or that the subject matter does not fall under the Act. Where a complaint is rejected by the Commission, the complainant may lodge a fresh complaint in respect of the same cause of action to the Commission provided that the newly filed complaint meets the required grounds.

Defence Filling 

Where a complaint is successfully lodged, the Commission will issue a summons to the respondent to present their defence in writing within twenty-one days. In response to the complaint, the respondent will be required to respond to every allegation. If the respondent fails to submit his defence within the prescribed time frame, the Commission will proceed with the hearing ex parte and without further summons to the respondent. 

Please note that the complainant may opt to file a reply / rejoinder to the defence filed by the respondent. 

Investigation and Mediation

Once the defence is filed, the Commission will issue a notice of investigation to the respondent and commence the investigation. During the investigation, the Commission may require the data controller or processor to consider or reconsider the complaint within fourteen days where there are valid reasons to do so.

Upon completion of the investigation, the Commission must appoint an officer who will preside as a mediator to the parties. The mediation will take place within thirty days from the date of filing the complaint. If the mediation is successful, the parties will reach a settlement in writing. The settlement reached will then be issued in the form of an award by the Commission within twenty-one days. If the mediation fails, the mediator must refer the complaint to the Commission for hearing within thirty days. 

Hearing

During the hearing stage, the Commission will appoint the Complaints Hearing Committee (the Committee) composed of three members who must have knowledge and experience in the field of law, data protection as well as Information and Communication Technology. Please note that hearing of the complaint will be quasi-judicial in nature.

During the hearing, the Committee may:

• issue interlocutory orders upon a written application by either party;
• require any person to produce any documents or information deemed relevant; and
• require the attendance of any person to give evidence or produce any document that may be in his custody.

On the conclusion of the hearing, the Committee will prepare and submit its recommendations to the Commission. The Commission will then consider such recommendations and issue a written award to the parties. The Commission may issue an enforcement notice together with the award.

Review and Appeal Procedure

The Complaints Settlement Regulations allow for any party who is dissatisfied with the award of the Commission to apply for a review within twenty-one days. The Commission will then review the application within fourteen days and consequently reverse, alter, or revoke any direction given in the award. Alternatively, an aggrieved party may lodge an appeal to the High Court within twenty-one days.

It is important to note that an award issued by the Commission will be enforceable as an order of the High Court. An award holder is required to register the award at the High Court through an application within a specified period. The High Court will then register the award as if the same has been issued under the Arbitration Act, No. 2 of 2020.

Case Study

The High Court of Shinyaga was recently called to determine a case involving an individual that instituted a claim of “substantial loss of privacy” against a reputable telecommunication company in Tanzania (the Company) seeking payment TZS 10 billion (approximately USD 4.8 million). The complainant alleged that the Company shared his personal data with a third party without his consent. The Company has denied the claim and raised a preliminary objection seeking dismissal of the suit with costs for being incompetent. The outcome of this landmark case, after the enactment of the Act and the Regulations, will be fundamental as it will cement the importance of data protection in the United Republic of Tanzania.

The Collection and Processing Regulations

Procedure for Transferring Personal Data

A data controller or processor who intends to transfer personal data outside Tanzania, must apply to the Commission for a permit using a prescribed form. 

Apart from the particulars contained in the application, the data collector or processor must, among other things submit proof that:

• the country receiving the personal data has ratified an international agreement providing requirements for the protection of personal data;
• there is an agreement between Tanzania and the country receiving the personal data regarding the protection of personal data; or 
• there is a contractual agreement between the person requesting the personal data and the recipient of the personal data who is outside Tanzania.

The Commission must within fourteen days issue a permit to transfer personal data with the condition that:

• the personal data will be transferred to the recipient authorised in the permit;
• the personal data transferred will be processed for the intended purpose only;
• the personal data will not be disclosed or transferred to another recipient without approval of the Commission; and
• the processing of personal data transferred outside the country will not violate the laws of Tanzania.

In the event of rejection, the Commission must state the reasons for their decision in writing. The Commission may reject the application on various grounds as set out in the Collection and Processing Regulations.

Rectification of Personal Data

The data subject may apply to the data collector or processor to rectify personal data which is incorrect, changed, outdated, incomplete or misleading by using a prescribed form. The data collector or processor will either accept or reject the application. In the event of rejection, the data collector or processor must give its reasons in writing. 

Erasure or Destruction of Personal Data

A data subject may apply to the data collector or processor to erase or destroy personal data through a prescribed form. The data collector or processor will then consider the application and either erase, destroy or reject the application by providing its reasons in writing. 

The right to erase or destroy personal data is limited if the processing is necessary for one of the following reasons:

• to exercise the right of freedom of expression and information;
• to fulfil legal obligations; and 
• for the implementation of duties carried out in the public interest or in the Government’s jurisdiction.

Prevention of Collection or Processing of Personal Data

A data subject may apply to the data controller or processor to suspend or not to begin the collection or processing of any personal data where such collection or processing is likely to cause substantial damage to the data subject or a third party. Please note that the term “substantial damage” has not been defined under the Act or the Regulations and could therefore be broadly interpreted.

The data controller or processor must acknowledge and act on the application within seventy-two hours of receipt. In the event of refusal of the data collector or processor, the aggrieved data subject may submit a complaint to the Commission within fourteen days. 

Automated Decision Making

Where a decision which significantly affects a data subject is based solely on processing by automatic means, the data controller or processor must notify the relevant data subject in writing. 

Conclusion

It is important to note that the Act and the Regulations apply to both the public and private sector. Therefore, the concepts discussed in this legal update are crucial to any entity in the United Republic of Tanzania which deals with personal data whether directly or indirectly. Furthermore, the Act and the Regulations provide data protection principles which,  will undoubtably protect data subjects from infringement of their rights while affording the same protection to dat if adhered to, a collectors and processors from unwanted liability arising from personal data infringement.

If you want to know more please reach out to Tenda Msinjili, Hadia Mgaya or Linda Natai.