A Brief Guideline on Personal Data Protection Act 2022 of Tanzania

Introduction

The Personal Data Protection Act (PDPA) of 2022 is a pivotal step for Tanzania in establishing privacy rights, setting up guidelines for data handling, and safeguarding citizens' data. Enacted to address the rapid growth of digital and data-based services, the PDPA aligns Tanzania with global data protection standards and provides citizens with clear rights and protections. This article provides a concise overview of the PDPA, covering the key principles, data subject rights, obligations of data controllers and processors, and enforcement mechanisms.

Objectives and Scope of the PDPA

Purpose: The PDPA is designed to regulate the collection, processing, storage, and protection of personal data in Tanzania.

Scope: Applicable to both government and private sector entities that process personal data, including local and international organizations handling Tanzanian data.

Exclusions: Data processed solely for personal or household activities, law enforcement, and national security may be exempt under specific circumstances.

Key Definitions in the PDPA

Personal Data: Any information that can directly or indirectly identify an individual, including names, identification numbers, location data, etc.

Data Subject: Any individual whose personal data is processed.

Data Controller and Data Processor:

  • Data Controller: The entity or individual that determines the purposes and means of processing personal data.

  • Data Processor: An entity that processes data on behalf of the controller.

Core Principles of Data Protection

Lawfulness, Fairness, and Transparency: Data must be collected and processed legally, fairly, and transparently.

Purpose Limitation: Data should only be collected for specified, explicit, and legitimate purposes.

Data Minimization: Only data strictly necessary for the intended purpose should be collected.

Accuracy: Data must be accurate and kept up to date.

Storage Limitation: Data should only be retained as long as necessary.

Integrity and Confidentiality: Personal data must be handled securely to prevent unauthorized access.

Accountability: Data controllers and processors are accountable for adhering to these principles.

Rights of Data Subjects

The PDPA grants data subjects several rights to protect their personal information:

  • Right to Access: Data subjects have the right to know if their data is being processed and to access their data.

  • Right to Rectification: Individuals can request corrections to inaccurate or incomplete data.

  • Right to Erasure (Right to be Forgotten): Allows data subjects to request deletion of their personal data under certain conditions.

  • Right to Restriction of Processing: Data subjects may restrict processing under specific circumstances.

  • Right to Data Portability: Individuals have the right to transfer their data between controllers.

  • Right to Object: Individuals may object to the processing of their data, especially in cases of direct marketing.

  • Right regarding Automated Decision-Making: Protection against decisions made solely on the basis of automated processing without human intervention.

Obligations of Data Controllers and Processors

Registration and Compliance: All data controllers and processors must register with the designated authority.

Data Impact Assessment: Controllers must assess the potential risks that processing poses to personal data.

Records of Processing: Controllers must maintain records of processing activities.

Data Protection by Design and Default: Integrating data protection principles into data processing from the outset.

Security Measures: Implementing robust security protocols to protect personal data from unauthorized access or breaches.

Data Transfer Regulations

Cross-Border Transfers: The PDPA sets restrictions on the transfer of personal data outside Tanzania, ensuring that data is only transferred to countries with adequate protection.

Exceptions: Transfers may occur in the interest of the data subject, with explicit consent, or under specific conditions as outlined in the PDPA.

Data Breach Notification Requirements

Obligation to Notify: In the event of a data breach, data controllers must notify the relevant authority and the affected individuals.

Timeframe: Notification must be prompt, typically within 72 hours of becoming aware of the breach.

Enforcement and Penalties

Regulatory Authority: The PDPA establishes a Data Protection Commissioner to oversee compliance and enforce the Act.

Sanctions and Penalties: Non-compliance can result in significant fines, suspension of operations, or other corrective measures.

Appeals: Data subjects have the right to appeal decisions or file complaints if they believe their rights have been violated.

Practical Implications for Businesses

Compliance Requirements: To avoid penalties, businesses must comply with PDPA standards, which includes updating data handling policies, implementing robust security measures, and training staff.

Data Privacy as a Business Ethic: The PDPA emphasizes the importance of data privacy in establishing trust with customers and partners.

Conclusion

The Personal Data Protection Act 2022 is a robust legal framework that enhances data security and personal privacy in Tanzania. By adhering to its principles, organizations can not only avoid penalties but also foster a culture of trust and transparency, which is essential for modern business operations. For individuals, the PDPA is an essential tool for protecting personal rights in the digital age.

For more information visit: https://www.pdpc.go.tz/en/

Connect with our team

Name: Himanshu K. Bhattbhatt

Designation: Director Business & Financial Advisory

Email: himanshu@bakertilly.co.tz

Related Articles

Article Legal & Secretarial
Himanshu K. Bhattbhatt Mar 3, 2026