Understanding Data Subject Rights in Tanzania: Access, Rectification, Erasure and Destruction of Personal Data

As entities increasingly rely on digital platforms to collect, store, and process personal data, the volume of information handled across sectors such as business, employment, finance, and telecommunications continues to grow. While entities may collect and use this data for legitimate purposes, individuals do not lose control over their personal data once it is shared. They still retain legal rights over how their data is collected, used, stored, disclosed and how it is ultimately disposed of.

In Tanzania, the Personal Data Protection Act, Chapter 44, Revised Edition 2023 (the PDP Act), provides the main legal framework for governing data subjects’ rights. The PDP Act sets out a range of protections for data subjects, including the right to access their personal data, request corrections, object to processing, and seek the erasure or destruction of data where appropriate.

Among the rights provided under the PDP Act, the rights to access, rectification, erasure and destruction provided under sections 29, 33, and 38 of the PDP Act are among the most significant, as they form an integral part of Tanzania’s developing data protection framework.

This legal update explores these key rights and outlines the corresponding obligations imposed on data controllers and processors under the PDP Act.

Right to access personal data (Right of access)

The right of access arises where a data subject is aware that an entity is handling their personal data. It allows the individual to obtain access to their personal data that has been collected or processed and to be informed whether their data is being processed by or on behalf of a data controller. Pursuant to section 33 (b) of the PDP Act, a data subject is entitled to receive from the data controller a description of:

• the personal data held;
• the purposes for which personal data is processed; and 
• the recipients or categories of recipients to whom the data may be disclosed.

Additionally, pursuant to section 33 (c) of the PDP Act, where personal data is processed by automated means for the purpose of evaluating an individual, and such processing forms the sole basis of a decision that significantly affects them, the data subject has the right to be informed of the logic involved in that decision-making process.

It is worth noting that, the right of access is not absolute. A data controller or processor is not required to provide access where the personal data is:

• inaccurate;
• forms part of an ongoing investigation in accordance with the law; or 
• where disclosure has been restricted by a court order.

In practice, access requests may arise in a range of situations. For example:

• an employee may request access to performance reviews or disciplinary records during a workplace dispute;
• a customer may seek information held by a bank following suspected unauthorised transactions; or 
• a patient may request access to medical records held by a healthcare provider.

Right to rectification, erasure and destruction of personal data

The right to rectification, erasure, and destruction of personal data is provided under sections 29 and 38 of the PDP Act. This right ensures that personal data held by entities remains accurate, is relevant, and is not kept longer than is necessary. This right allows a data subject to require a data controller or processor to correct, block, erase, or destroy personal data that is inaccurate, misleading, incomplete, unlawfully obtained, or no longer necessary for the purpose for which it was collected.

The PDP Act also gives the Personal Data Protection Commission (the Commission) a central role in enforcing this right. Where the Commission is satisfied, upon an application by a data subject, that personal data is inaccurate, it may order the data controller or processor to rectify, block, erase, or destroy the personal data. This applies even where the data reflects information originally received from the data subject or from a third party. 

A practical example of where this right may be exercised is where a financial institution mistakenly records that a customer has defaulted on a loan and shares that information with credit reference bureaus, resulting in the individual suffering financial loss and reputational harm. In such a case, the data subject is entitled to request correction of the inaccurate information and to stop any further dissemination.

Additionally, once the data has been corrected or removed, the data controller or processor must notify any third parties to whom the data was previously disclosed, ensuring that inaccurate information is not further relied upon elsewhere pursuant to section 38(4) of the PDP Act.

This right reflects two key principles in data protection. First, personal data must be accurate and up to date, particularly where it is used to make decisions affecting individuals. Second, personal data should not be retained indefinitely without a valid legal or operational reason. Together, these principles place a continuing obligation on organisations to actively review the quality and relevance of the data they hold.

Practical compliance considerations

As awareness of privacy rights continues to increase, entities should adopt proactive compliance measures to reduce legal and operational risk. Key considerations may include:

• establishing data subject request procedures;
• maintaining accurate records of processing activities;
• implementing retention and deletion policies;
• reviewing privacy notices and consent mechanisms; and
• staff training and internal awareness on personal data protection compliance.

Conclusion

At a practical level, the rights to access, rectification, erasure, and destruction are not just legal concepts but tools that allow individuals to retain control over their personal data. While these rights promote transparency and accountability, they also require entities to be more diligent in how they collect and manage personal data. As awareness grows and oversight becomes more visible in Tanzania, entities that fail to comply with the PDP Act risk regulatory action and reputational harm, while those that strengthen their data governance practices will be better placed to manage risk and build trust.