DLA Piper Intelligence

Data Protection
Laws of the World

Law

Tanzania

There is no single standalone law on data protection in Tanzania. Article 16 of the Constitution of the United Republic of Tanzania, 1977 (“Constitution”) affords a fundamental right to privacy. This right encompasses private and family life, home and private communication, including mail, telephone communications and emails in the workplace, and has wide-ranging applications including data protection.

As a result, sector-specific legislation imposes data protection principles and rules that should be followed by those engaged in the processing of personal data, e.g., in the electronic and postal communications sector, the financial sector and the health sector. Below are examples of some of the applicable laws:

  • The Electronic and Postal Communications Act, 2010 (“EPOCA”)
  • The Electronic and Postal Communications (Consumer Protection) Regulations, GN. No. 61 of 2018 (“Consumer Protection Regulations”)
  • The Electronic and Postal Communications (Licensing) Regulations, 2018 (“Licensing Regulations”)
  • The Electronic and Postal Communications (Computer Emergency Response Team) Regulations, 2018 (“CERT Regulations”)
  • The National Payment System Act, 2015 (“NPS Act”)
  • The Bank of Tanzania (Financial Consumer Protection) Regulations, 2019 (“Financial Consumer Protection”)
Last modified 21 Feb 2022
Definitions

Definition of Personal Data

None. There is no law which defines personal data.

Definition of Sensitive Personal Data

None. There is no law which defines sensitive personal data.

Authority

There is no specific national data protection authority. The relevant authority depends on the affected sector. For instance, Tanzania Communications Regulatory Authority (TCRA) is the national data protection authority in relation to electronic and postal communications and the Bank of Tanzania (BOT) is the national data protection authority for financial services.

Registration

None. There are no legal obligations for data controllers or processors to register with a supervisory authority.

Data Protection Officers

None. There are no legal requirements on data controllers or processors to designate a data protection officer.

Collection & Processing

The collection, storage and disclosure of information relating to private life interferes with the fundamental right to privacy. Article 16(2) of the Constitution provides that any interference requires justification and must be in accordance with the law (i.e., legal procedures laid down by state authority). 

For instance, EPOCA requires electronic communications services and postal services licensees to collect, process and store personal data of customers in a manner which is:

  • lawful and fair;
  • for identified purposes;
  • accurate;
  • protects against improper or accidental disclosure;
  • in accordance with the consumer’s other rights.[1]

Financial services providers are required to collect personal data of consumers within the limits established by the regulations and with the consumer’s consent, where applicable. Such data must be used exclusively for the purpose for which it is collected.[2] A financial service provider must make rules for the collection and usage of data, including the means, purpose and types of data that may be collected and retained.

Any collection and processing of personal data in any other sector must be carried out in accordance with the laws applicable to that sector.

Footnotes

[1] Regulation 6, Consumer Protection Regulations
[2] Regulation 37 of Financial Consumer Protection Regulations

Transfer

Any transfer of personal data requires justification and must be in accordance with the law (i.e., legal procedures laid down by state authority). 

For instance, EPOCA restricts transfers of personal data (including outside Tanzania) by electronic communications services and postal services licensees. Such data may only be transferred if the following conditions are met:

  • the transfer is in accordance with the terms and conditions agreed with the data subject; and either
  • the TCRA has approved or permitted the transfer; or
  • the transfer is permitted or required by any applicable law. 

Financial service providers can only transfer personal data of consumers with the consent of the data subject unless otherwise authorized by the law or court order.

Security

Article 16 of the Constitution implies that personal data must be collected, processed, and stored in a manner that ensures appropriate security. This includes protection against unauthorised or unlawful disclosure or processing, and against accidental loss, destruction, or damage.

Breach Notification

Generally, data controllers are expected to notify any personal data breach to the relevant national supervisory authority and, in certain cases, the affected data subject.

Mandatory breach notification

Electronic communication services providers are required to notify the Computer Emergency Response Team of any data security breaches and of the measures undertaken to prevent recurrence of the threat.

Enforcement

Enforcement powers are found in sector-specific legislation. National supervisory authorities have a number of investigative and corrective powers.

Electronic Marketing

Electronic marketing is prohibited unless the consumer consents to the communication and the sender discloses its identity and purpose at the beginning of the communication and gives an opt-out option to reject further communication.[1]

Financial services providers are prohibited from sharing consumers’ information with a third party for any purpose, including electronic marketing, unless the information is used for a purpose that is consistent with the purpose for which it was originally collected and the provider obtains the prior written consent of the consumer before using such information for future promotional offers.[2]

Footnotes

[1] Section 32(1), Electronic Transactions Act, 2015 and Regulation 9(3), VAS Regulations
[2] Regulation 39(b) and (c), Financial Consumer Protection Regulations

Online Privacy

Every data collector and processor has a general obligation to ensure any confidential information it collects, maintains or processes is protected against improper or accidental disclosure. 

Licensed online content service providers are required to ensure that online content is safe, secure and does not contravene the provisions of any law. They are also required to use passwords to protect any user equipment, access equipment or hardware and prevent unauthorized access or use by unintended persons.[1]

Payment system providers are required to protect privacy of any participant and customer information and not disclose such information unless the disclosure is in compliance with the law, an order of a court or with the express consent of the system participant or consumer concerned.[2]

Footnotes

[1] Regulation 9(a) and (i), Online Content Regulations
[2] Section 47, NPS Act

Contacts
Madina Chenge
Partner
DLA Piper Africa, IMMMA Advocates
T +255 22 2211080/1/2/3
Miriam Bachuba
Senior Associate
DLA Piper Africa, IMMMA Advocates
T +255 22 2211080/1/2/3