Regulatory and compliance update: A guide to initial compliance with Tanzania's Data Protection Act

24/4/2024
Breakthrough Attorneys

Tanzania has taken a significant step towards data privacy with the official launch of the Personal Data Protection Commission (PDPC) on April 3rd, 2024. This long-awaited development follows the enactment of the Personal Data Protection Act of 2022. The Act itself was a major milestone, but the establishment of the PDPC marks a new era of enforcement. With the Commission operational, its powers have already been acknowledged in court decisions, leading to wide-ranging impacts across various sectors of Tanzania’s economy and society.

 

2.0 Impacted Sectors:

 

The Personal Data Protection Act has significant implications for a diverse range of sectors that handle personal data. Here are some key examples:

  1. Telecommunications: Mobile network operators, internet service providers, and other communication companies must comply with data protection regulations regarding customer information like phone numbers, browsing history, and location data (with consent).
  2. Financial Services: Banks, insurance companies, and other financial institutions that collect and process customer data, such as financial transactions, identification details, and credit scores, need to adapt their practices to ensure compliance.
  3. Healthcare: Hospitals, clinics, and healthcare providers must ensure robust data privacy measures for patient information, including medical records, diagnoses, and treatment details.
  4. Retail and E-commerce: Businesses that collect customer information during transactions, including names, addresses, purchase history, and online behaviour data, need to adhere to the Act’s regulations.
  5. Social Media Platforms: Platforms that handle personal data, such as profiles, posts, and browsing activity, must align their practices with the Personal Data Protection Act.

 

3.0 Beyond Traditional Sectors:

 

The reach of the Act extends beyond these well-established sectors. Here are some additional areas that need to be aware of their obligations:

  1. Schools and Educational Institutions: Student data, including grades, attendance records, and personal information, falls under the Act’s definition of personal data.
  2. Non-Profit Organizations and NGOs: Organizations that collect data from donors, volunteers, or beneficiaries become data controllers and must comply with the Act.
  3. Religious Organizations: Membership information or data collected during religious activities may be considered personal data under the Act.

 

4.0 You Might Be a Data Controller and Not Even Know It!

 

The concept of a data controller might seem like something for large corporations.  However, under the Personal Data Protection Act, many businesses and organizations can inadvertently find themselves acting as data controllers. Here’s how:

  • Do you collect customer information during transactions? This could be anything from names and addresses for online orders to phone numbers collected at a local shop or even membership details for a sports club.
  • Do you have a mailing list? If you store customer data for rewards or promotions, you’re a data controller, regardless of whether you’re a large retail chain or a local bakery.
  • Do you have employee records? Employee data, including names, contact information, and payroll details, qualifies as personal data under the Act. This applies to businesses of all sizes, from large corporations to private clinics.
  • Do you manage a school or religious organization? Student information or member data falls under the Act’s definition of personal data.

 

If you answered yes to any of these questions, then you are likely a data controller. This doesn’t necessarily mean you’re non-compliant, but it does mean you have certain obligations under the Act.

 

5.0 Early Compliance Steps to Take Now:

 

Regardless of whether you definitively know you’re a data controller or processor (the entity processing data on a controller’s behalf), the very initial step towards compliance is registering with the PDPC. This is a crucial first step for all businesses and organizations handling personal data. The deadline for registration is October 10th, 2024. 

 

Procedures for Registering as a Data Controller or Processor under the PDPA (including Fees)

 

The Personal Data Protection (Personal Data Collection and Processing) Regulations require all organizations collecting or processing personal data in Tanzania to register with the Personal Data Protection Commission (PDPC). Here’s a breakdown of the registration process, including the fee structure:

 

Step 1: Prepare your documents

 

Form No. 1: You’ll need to complete and submit Form No. 1, which can be found on the PDPC website or obtained from their offices. This form gathers details about your organization and its data-handling practices.


Other supporting documents:

      1. Individuals: If you’re a sole proprietor or natural person, you’ll need to provide a valid government-issued ID as proof of identity.
      2. Businesses: If you’re a registered company, you’ll need a copy of your certificate of incorporation or registration.
      3. Additional Information: The PDPC may request additional information as needed. It’s best to check with the PDPC for any updates or specific requirements.

Step 2: Submit Your Application and Fees

Submit your completed Form No. 1 and supporting documents to the PDPC.


Pay the registration fee as outlined in the Second Schedule of the Regulations. The fee depends on the category your organization falls under:

Registration Fee Structure

      1. Small-scale Data Controllers/Processors: These are organisations with 1-49 employees and a turnover of less than 100 million shillings per year. The registration fee for this category is 100,000 Tanzanian shillings (TZS), and the renewal fee every five years is TZS 50,000.
      2. Medium-scale Data Controllers/Processors: These are organizations with 50-99 employees and a turnover of 100 million to 500 million shillings per year. The registration fee for this category is TZS 200,000
      3. Large-scale Data Controllers/Processors: These are organizations with 100 or more employees and a turnover exceeding 500 million shillings per year. The registration fee for this category is the highest at TZS 1,000,000.
      4. Public Institutions: These are government service providers, regardless of their size or income. They pay a registration fee between TZS 100,000 and TZS 500,000, and a renewal fee between TZS 50,000 and TZS 300,000 every five years. The specific fee within this range will be determined by the PDPC.
      5. Non-Commercial/Religious Institutions: These are charities or religious organizations, regardless of their income. They benefit from a lower registration fee of TZS 100,000, and the renewal fee every five years is also TZS 50,000.

Step 3: Application Verification (7 Days)

 

  • Upon receiving your application, the PDPC will verify the information and documents within seven days.
  • They may contact you for any missing or unclear information.


Step 4: Application Decision (After Verification)


Based on the verification, the PDPC will either:

- Accept your application: If your application meets all requirements, the PDPC will register you as a data controller or processor and issue a registration certificate (Form No. 2).
- Request modifications: If there are deficiencies, the PDPC will inform you of the necessary corrections and return the application for resubmission.
- Reject your application: In rare cases, the PDPC may reject your application if it doesn’t comply with the regulations. They will provide written notification with reasons for rejection within 14 days of the decision.

 

Step 5: Maintaining Your Registration (5 Years)
Once registered, your registration certificate will remain valid for five years from the date of issuance.

 

6.0 Conclusion

 

The launch of the Personal Data Protection Commission (PDPC) signals a new era of data privacy enforcement in Tanzania. This is no small matter for businesses – across sectors like telecom, finance, and other sectors – compliance with the Personal Data Protection Act is no longer optional.

 

Given the deadline of October 10, 2024, it’s essential for businesses to be proactive. Assessing your data handling practices and registering with the PDPC demonstrates a commitment to responsible data management and helps you avoid potential penalties. This, in turn, fosters trust with customers and stakeholders, which is crucial in today’s privacy-conscious environment.

 

--

Read the original publication at Breakthrough Attorneys