Last modified 24 March 2026

Data Protection in Tanzania

Collection and processing in Tanzania

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Tanzania

Data protection is primarily governed by the Personal Data Protection Act, 2022 (“PDPA”), which came into force on 1 May 2023. The PDPA regulates the collection, processing and protection of personal data by both public and private entities.

The Act established core principles and minimum requirements for lawful data processing. Based on the principles for protection of personal data, provided under section 5, personal data must be:

processed lawfully, fairly, transparently and securely;
collected for explicit, specific, legitimate purposes and not further processed contrary to those purposes;
accurate and kept up to date;
adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
kept in a form which identifies the data subjects and retain for as long as necessary; and
not be transferred outside Tanzania, except in compliance with the PDPA.

The key components of the PDPA includes:

Part II: establishes the Personal Data Protection Commission (“PDPC”)
Part III: provides for registration of the personal data controllers and processors.
Part IV: provides for data processing principles.
Part V: provides for cross-border transfer of personal data
Part VI: provides for data subjects rights

The PDPA has two regulations, namely:

the Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023 (“PDPA Processing Regulations”); and
the Personal Data Protection (Complaints Settlement Procedures) Regulations, 2023, as amended (“PDPA Complaints Regulations”).

The PDPA and its Regulations operates together with other laws providing for data protection, including:

the Constitution of the United Republic of Tanzania, 1977 (“Constitution”); and
other sector specific legislations, for instance the Electronic and Postal Communications Act, 2010 (“EPOCA”) and its regulations applicable to the electronic and postal communication sector and the National Payment System Act, 2015 (“NPS Act”) and the Bank of Tanzania (Financial Consumer Protection) Regulations, 2019 applicable to the financial services sector.

Related resources

Definitions

Definitions in Tanzania

The PDPA defines “personal data” as any information relating to an identified or identifiable person, that is recorded in any form, including:

identity details (e.g. name, identification number)
contact details (e.g. address, correspondence)
demographic data (e.g. race, nationality, ethnic origin, religion, age, marital status)
personal records (e.g. education, employment, medical, criminal history)
biometric data (e.g. fingerprints, blood type)

The PDPA defines “sensitive personal data” to include:

genetic and biometric data
data related to children or offences
financial transaction or security related data
personal data revealing racial, ethnic, political, religious or philosophical attributes
affiliation or trade union membership data
gender, health or sexual life data
any personal data classified as high-risk to the data subject’s rights under the laws of Tanzania

Processing sensitive personal data generally requires prior consent, subject to limited exceptions.

Related resources

Authority

National data protection authority in Tanzania

The Personal Data Protection Commission (“PDPC”) is the regulatory authority which oversees implementation, compliance and enforcement of the PDPA.

It was established on 1 May 2023 and became fully operational from 3 April 2024.

Related resources

Registration

Registration in Tanzania

All data controllers and processors must register with the PCPC.

Registration is valid for five (5) years.

Related resources

Data protection officers

Data protection officers in Tanzania

Data controllers or processors must appoint a Data Protection Officer (“DPO”). The DPO is responsible for:

ensuring controls and security measures for protection of personal data are established and fully implemented;
ensuring compliance with the PDPA and its regulations;
managing data subjects’ requests and complaints; and
submitting quarterly compliance reports to the PDPC.

Related resources

Collection and processing

Collection and processing in Tanzania

Personal data must generally be collected directly from the data subject, unless:

the data is publicly available;
the data subject consents to third party collection;
direct collection impracticable;
indirect collection is necessary for compliance with the laws; or
direct collection would prejudice the lawful purpose.

Data subject must be informed of:

the purpose of collection,
the lawful basis of the collection; and
intended recipients of the personal data.

The data subject must be provided with clear consent mechanisms and afforded with a simplified means to withdraw their consent.

Personal data collected must only be used for the intended purpose, unless:

the data subject consents to a further purpose;
authorised or required by law;
secondary/further purpose is directly related to the original purpose;
data is anonymised for statistical/research purposes; or
the use for a further purpose is necessary to prevent or lessen a serious and imminent harm or public health or safety.

Processing must respect data subjects’ rights, including the right to:

be informed about the processing, description of the personal data being processed, the purposes for the processing and the recipients or classes of recipients the data;
not be subject to solely automated decisions with significant effects;
object to processing, including automated decision-making and profiling used for commercial advertising.

Where processing is by automated means, data controllers/processors must disclose the logic behind the decision-making, the purpose and effects of the processing, storage procedures and how adverse impacts will be addressed. Exceptions apply when the automated decision relates to inaccurate personal data, is required or authorised by the law or such notification is prohibited by a court order.

Other data subject rights include:

right to restriction of processing, if processing may cause substantial harm.
right to erasure (right to be forgotten), where data is no longer needed, consent is withdrawn, the subject no longer wishes to continue processing, data is processed for direct marketing, processing is unlawful, erasure is required by law. Exceptions apply where the processing is necessary to exercise the right to freedom of information and expression, to fulfil a legal obligation or for public interest.
right to rectification i.e., correction of inaccurate, outdated or misleading data.

Sensitive personal data may only be processed with a prior written consent of the data subject or in cases where the data subject is a minor, a person of unsound mind or otherwise unable to consent, the data subject’s parents, guardians, heirs, attorneys or any other person recognized by the law to be acting on behalf of the data subject ("data subject’s legal representative").

Exceptions apply where processing is:

necessary to comply with another law;
required to protect vital interests;
necessary for the institution, trial, or defence of legal claims;
personal data has been made public by the data subject;
necessary for scientific research under the PDPC guidelines; or
necessary for medical reasons’ purposes in the data subject’s interest and under supervision of health professionals.

Related resources

Transfer of personal data

Transfer of personal data in Tanzania

Transfers of personal data outside Tanzania are only allowed where the recipient country:

provides adequate protection (i.e., essentially equivalent to that within Tanzania) and the data is necessary for public interest tasks or the transfer does not prejudice the data subject’s interests; or
provides appropriate safeguards, and data is transferred solely for authorized processing.

Where the transfer is to a country which lacks adequate level of protection, (a) the transfer must be in accordance with the specific guidelines issued by the Minister responsible for Information, Communication and Information Technology, (b) the data subject must have consented to such transfer, and (c) the transfer must be necessary for:

contractual, public interest or legal reasons, or for protection of the data subjects’ legitimate interests;
compliance with law;
a purpose relating to public information open for consultation.

The data controller/processor must, prior to the transfer, carry out a provisional evaluation on the need to transfer such personal data, and must ensure the recipient of the data only processes the relevant information in the data and for the purpose for which the data was transferred.

The recipient of the data must also ensure that the necessity for the transfer of the personal data can be subsequently verified.

Prior to the transfer of personal data outside Tanzania, the data controller or processor must obtain a permit from the PDPC. The application must include proof of:

ratification of an international agreement on personal data protection by the recipient country;
a bilateral agreement on personal data protection between Tanzania and the recipient country; or
contractual safeguards with the recipient of the personal data outside Tanzania.

Related resources

Security

Security in Tanzania

Data controllers and their representatives must safeguard personal data by implementing appropriate technical and organisational measures to prevent negligent loss or unauthorised destruction, modification, disclosure, access or processing of personal data.

The security measures must consider the nature and sensitivity of personal data, risk to data subjects, implementation costs and state of technological advancement in place.

They must also:

appoint a DPO;
maintain breach detecting, handling and response procedures;
ensure processors act only on documented instructions and comply with PDPA; and
implement contractual safeguards.

Related resources

Breach notification

Breach notification in Tanzania

Data controllers must promptly notify any personal data security breach to the PDPC.

A "security breach" may include negligent loss, or unauthorized modification, destruction, disclosure, access, or processing of personal data.

Notification is mandatory for every breach of security that may affect personal data which is being processed.

Related resources

Enforcement

Enforcement in Tanzania

The PDPC has broad investigative and corrective powers including:

handling data protection related complaints; and
investigating and taking necessary steps against anything it considers affects the protection of personal data or privacy of individuals.

The PDPC is empowered to issue enforcement notices. The notice specifies the contravened provision of the PDPA, steps to be taken to remedy or eliminate the infringement, the period within which to comply (minimum 21 days), and any right to appeal.

Where the person fails to comply with the enforcement notice, the PDPC can issue a penalty notice requiring the person to pay fine to be specified in the notice. Factors considered to determine a penalty include:

nature, gravity and duration of the infringement;
intentionality or negligent;
mitigating factors;
prior infringements;
cooperation with PDPC during investigation of the infringement;
categories of affected data;
notification behaviour;
the manner in which the PDPC became aware of the infringement;
compliance with conditions of registration and previous enforcement or penalty notices;
adherence to approved codes; and
the effectiveness of a penalty notice.

The maximum penalty which the PDPC may issue in the enforcement notice is Tanzania Shillings One Hundred Million (TZS 100,000,000/= approx. US$ 430,000).

The PDPC may also direct the controller or processor to pay the affected data subject compensation for infringement of the PDPA. There is no ceiling on the amount of compensation which the PDPC can award.

Disclosure of personal data without lawful excuse is a criminal offence, which on conviction carries a fine and/or imprisonment. For individuals, the minimum fine for a violation is Tanzania Shillings One Hundred Thousand (TZS 100,000, approx. US$38) and the maximum is Tanzania Shillings Twenty Million (TZS 20,000,000, approx. US$ 7,732).

The maximum term an individual may be sentenced for violating a provision under the PDPA is ten (10) years. If found in violation of the PDPA, an individual may be required to both pay a fine and serve a sentence.

For a company or corporation, the minimum fine for a violation is Tanzania Shillings One Million (TZS 1,000,000, approx. US$ 387) and the maximum is Tanzania Shillings Five Billion (TZS 5,000,000,000, approx. US$ 1,932,992).

Related resources

Electronic marketing

Electronic marketing in Tanzania

Processing personal data for commercial or direct-marketing purpose requires the data subject’s explicit consent, unless authorized by law, and adherence to original purpose-limitation rules.

A data subject can enter into a contract with a data controller for the processing of his/her personal data for pecuniary benefits. The processing must be in compliance with data protection principles and data subjects' rights (explained above).

The PDPA Regulations entitle a data subject to request a data controller or processor to erase or destroy the personal data held by them if the processing of such data is for commercial purposes and the data subject is unwilling for their data to be used commercially.

Where processing of personal data is by automated means for the purpose of evaluating matters related to a data subject, or is likely to constitute the sole basis for any decision which significantly affects the subject, a data controller must also notify a data subject of the logic involved in that decision and their right to object to the use of their personal data in commercial advertisements.

As advised above, data controllers and processors are required to process personal data for the specific purpose for which it has been collected. (Please refer to "Collection and Processing of Data" above on the requirements to be complied with by the data controllers and data processors while using personal data).

This implies that a person cannot use personal data obtained under the PDPA for commercial use, including electronic marketing, without the data subject’s consent unless such use is authorized under any written law in Tanzania and the data subject has been informed of such use at the time the data was collected.

Further, financial service providers are specifically prohibited from sharing consumer's information with a third party for any purpose, including electronic marketing, without the prior written consent of the consumer, unless such further purpose is consistent with the purpose for which the data was originally collected.

Related resources

Online privacy

Online privacy in Tanzania

Any use of cookies and other third-party trackers which can identify a natural person will qualify as disclosure of personal data and be subject to the PDPA. The PDPA requires data controllers and processors to process personal data for the specific purpose for which it has been collected. (Please refer to Collection and processing on the requirements to be complied with by the data collectors and data processors while using personal data).

This implies that a person cannot use cookies and third-party trackers to process personal data except with the consent from the data subject unless such use is authorised under any written law in Tanzania and the data subject has been informed of such use at the time the data was collected. The data controller must ensure that consent is provided on the basis of information that allows the data subjects to easily identify who the controller is and to understand what they are agreeing to. The controller must also clearly describe the purpose for data processing for which consent is requested.

Related resources

Key contacts

Data protection lawyers in Tanzania

Madina Chenge

Partner

IMMMA Advocates

Dar es Salaam

Email Full bio

Miriam Bachuba

Senior Associate

IMMMA Advocates

Dar es Salaam

Email Full bio

Personal data must generally be collected directly from the data subject, unless:

the data is publicly available;
the data subject consents to third party collection;
direct collection impracticable;
indirect collection is necessary for compliance with the laws; or
direct collection would prejudice the lawful purpose.

Data subject must be informed of:

the purpose of collection,
the lawful basis of the collection; and
intended recipients of the personal data.

The data subject must be provided with clear consent mechanisms and afforded with a simplified means to withdraw their consent.

Personal data collected must only be used for the intended purpose, unless:

the data subject consents to a further purpose;
authorised or required by law;
secondary/further purpose is directly related to the original purpose;
data is anonymised for statistical/research purposes; or
the use for a further purpose is necessary to prevent or lessen a serious and imminent harm or public health or safety.

Processing must respect data subjects’ rights, including the right to:

be informed about the processing, description of the personal data being processed, the purposes for the processing and the recipients or classes of recipients the data;
not be subject to solely automated decisions with significant effects;
object to processing, including automated decision-making and profiling used for commercial advertising.

Other data subject rights include:

right to restriction of processing, if processing may cause substantial harm.
right to erasure (right to be forgotten), where data is no longer needed, consent is withdrawn, the subject no longer wishes to continue processing, data is processed for direct marketing, processing is unlawful, erasure is required by law. Exceptions apply where the processing is necessary to exercise the right to freedom of information and expression, to fulfil a legal obligation or for public interest.
right to rectification i.e., correction of inaccurate, outdated or misleading data.

Exceptions apply where processing is:

necessary to comply with another law;
required to protect vital interests;
necessary for the institution, trial, or defence of legal claims;
personal data has been made public by the data subject;
necessary for scientific research under the PDPC guidelines; or
necessary for medical reasons’ purposes in the data subject’s interest and under supervision of health professionals.

Quick links

Data Protection in Tanzania

Collection and processing in Tanzania

Continue reading