Personal Liability and Accountability of Data Protection Officers in Tanzania: Are DPOs Personally at Risk?
Insight Article, 21 January 2026
With the enactment of the Personal Data Protection Act, Cap 44 Revised Edition 2023 (the PDP Act), Tanzania established a robust legal framework governing the collection, processing, and protection of personal data.
Among the key features of the PDP Act is the requirement for entities, as data controllers and/or data processors, to appoint Data Protection Officers (DPOs) to oversee compliance and act as a liaison with the Personal Data Protection Commission (the Commission).
Nevertheless, as the enforcement of the PDP Act gains momentum, questions are increasingly being raised on the personal liability and accountability of DPOs for data protection failures within entities, particularly where an entity fails to adequately protect personal data.
This legal update examines the potential personal liability of DPOs and considers the broader implications for entities and privacy professionals.
Statutory Allocation of Responsibility
The PDP Act adopts a clear institutional accountability framework. Under the PDP Act, primary legal responsibility for compliance rests with entities as the data controllers and/or data processors, since they determine the purpose and means of processing personal data. The PDP Act anchors liability at the entity level, reflecting the reality that key data governance decisions are corporate, not individual, acts. The DPO's role is embedded within this framework as a compliance and oversight function rather than as a bearer of primary legal risk.
Specifically, regulation 23 of the Personal Data (Collection and Processing) Regulations Government Notice No. 449 C of 2023 (the Collection and Processing Regulations) provides the obligations of data controllers and data processors to ensure personal data is:
(a) collected or processed lawfully, fairly and transparently;
(b) collected for a legitimate and specified purpose;
(c) adequate and necessary for purposes for which it is processed;
(d) accurate and where necessary, kept up to date with every reasonable step taken to ensure that any inaccurate personal data is erased or rectified without delay;
(e) stored in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed;
(f) processed in accordance with the rights of the data subject;
(g) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against any loss, destruction or damage, using appropriate technical or organisational measures;
(h) not transferred abroad contrary to the provisions of the PDP Act; and
(i) not applied in the existing circumstances without taking steps to ensure such data are complete, accurate, consistent with the content and not misleading.
Roles of DPOs under the Data Protection Legislation
The role of a DPO is generally secondary to that of data controllers and processors. The Collection and Processing Regulations assign the following duties to DPOs:
(a) to ensure compliance with the PDP Act and the Collection and Processing Regulations in the processing of personal data carried out by the relevant data controller and/or data processor;
(b) to provide information on violation of the PDP Act or the Collection and Processing Regulations committed in data processing by the relevant data controller and/or data processor. This duty also requires a DPO to advise on rectification measures accordingly;
(c) to prepare and submit quarterly reports on the compliance of the PDP Act to the Commission;
(d) to handle applications or complaints made by a data subject, his representative or any other person to the data controller and/or data processor in relation to the collection or processing of personal data; and
(e) to perform any other duty as may be directed by the relevant data controller and/or data processor.
Data protection laws require DPOs to support compliance through monitoring, advisory, and liaison functions. DPOs are expected to guide the relevant entity, assess risks, engage with the Commission, and promote adherence to data protection principles. Importantly, the PDP Act does not grant DPOs executive authority over data processing operations; their role is oversight and assurance rather than operational control.
Is There Personal Liability for DPOs?
While the PDP Act and the Collection and Processing Regulations do not impose automatic personal liability on DPOs, section 61 of the PDP Act introduces a potential exposure to liability. It provides that “any person”, which could extend to officers of a corporate body, including DPOs, who unlawfully destroys, deletes, misleads, conceals, or alters personal data may, upon conviction, be liable to:
(a) a fine of not less than Tanzanian Shillings (TZS) 100,000 (approximately USD 41) but not exceeding TZS 10,000,000 (approximately USD 4,081);
(b) imprisonment of up to five (5) years; or
(c) both such fine and imprisonment.
Practical Guidance for Entities and DPOs
In light of the PDP Act and the Collection and Processing Regulations, entities should treat data protection compliance as a corporate governance priority rather than a purely technical function. Boards and senior management must actively support DPOs through:
(a) adequate resourcing;
(b) access to key decision-making especially on personal data related matters; and
(c) the authority to raise compliance concerns.
Additionally, implementing clear policies, regular training, and documented procedures is essential to demonstrate accountability and reduce regulatory risk.
For DPOs, it is essential to maintain independence, transparency, and thorough documentation of all compliance-related activities. This includes keeping written records of advice given, risk assessments conducted, and reports submitted to the Commission. Where potential violations are identified, DPOs should promptly advise the management in writing and recommend appropriate corrective action. This approach not only strengthens compliance but also provides evidence that the DPO has fulfilled their statutory duties in good faith.
Conclusion
While DPOs primarily serve in an advisory and oversight role, section 61 of the PDP Act creates potential personal liability for any unlawful conduct. Corporate entities should embed data protection into governance and support DPOs with independence and resources, while DPOs must act transparently and in good faith to minimise risk and ensure compliance.