The Tanzania Personal Data Protection Act, 2023 (PDPA) marks a significant step forward in East Africa's data protection landscape. Passed by the National Assembly and signed into law in 2023, the PDPA establishes Tanzania's first comprehensive, standalone data protection framework. It creates the Personal Data Protection Commission (PDPC) as the independent regulatory body tasked with overseeing compliance, investigating complaints, and enforcing the law. Organisations operating in Tanzania or processing data of Tanzanian data subjects must now comply with the PDPA's requirements or face administrative penalties and enforcement action. This guide provides a structured compliance checklist for organisations seeking to meet their obligations under the Act.

What Is Tanzania's PDPA?

The Personal Data Protection Act, 2023 is Tanzania's principal data protection legislation. Before its enactment, Tanzania lacked a dedicated, comprehensive data protection law — data protection obligations were scattered across sector-specific legislation such as the Electronic and Postal Communications Act (EPOCA) 2010 and the Cybercrimes Act 2015. The PDPA consolidates these obligations into a single, cohesive framework.

The Act establishes the Personal Data Protection Commission (PDPC) as the independent supervisory authority. The PDPC has the power to issue regulations, register data controllers and processors, receive and investigate complaints, conduct audits, issue enforcement notices, and impose penalties.

Key definitions under the PDPA:

  • Personal data: Any information relating to an identified or identifiable natural person, including name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person
  • Sensitive personal data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation
  • Data controller: A natural or legal person, public authority, agency, or other body which determines the purposes and means of processing personal data
  • Data processor: A natural or legal person that processes personal data on behalf of a data controller
  • Data subject: An identified or identifiable natural person to whom personal data relates
  • Data Protection Officer (DPO): The person appointed by a data controller or processor to monitor internal compliance with the PDPA

Tanzania Joins East Africa's Data Protection Wave

With the PDPA, Tanzania joins Kenya (DPA 2019), Uganda (Data Protection and Privacy Act 2019), and Rwanda (Law Relating to the Protection of Personal Data and Privacy 2021) in establishing comprehensive data protection legislation. Organisations operating across East Africa must now navigate multiple overlapping data protection frameworks — making a centralised compliance platform essential for avoiding duplicate effort. See the Kenya DPA compliance guide for comparison.

Who Must Comply?

The PDPA applies to the processing of personal data by data controllers or processors that are established in Tanzania, or that process the personal data of data subjects who are in Tanzania even if the controller or processor is not established in Tanzania. This extraterritorial scope captures foreign organisations offering goods or services to Tanzanian data subjects or monitoring their behaviour.

The Act applies to:

  • Private sector organisations of all sizes operating in Tanzania
  • Public sector bodies — government ministries, departments, agencies, and local authorities
  • Non-profit organisations — NGOs, civil society organisations, and community groups
  • Foreign organisations that process personal data of Tanzanian data subjects
  • Data processors acting on behalf of data controllers, including cloud service providers and outsourcing partners

Limited exemptions apply for processing carried out by a natural person in the course of purely personal or household activities, and for processing by state security organs in the interest of national security, subject to safeguards.

Key Provisions

The PDPA establishes a comprehensive set of obligations for data controllers and processors. Below are the principal provisions organisations must address.

Lawful Basis for Processing

Processing of personal data is lawful only if at least one of the following applies:

  • Consent — The data subject has given informed, specific consent for one or more purposes
  • Contract — Processing is necessary for performance or entry into a contract with the data subject
  • Legal obligation — Processing is necessary for compliance with a legal obligation of the controller
  • Vital interests — Processing is necessary to protect the vital interests of the data subject or another person
  • Public interest — Processing is necessary for the performance of a task in the public interest or the exercise of official authority
  • Legitimate interest — Processing is necessary for the legitimate interests of the controller or a third party, unless overridden by the data subject's rights

Data Subject Rights

The PDPA grants data subjects the following rights:

  • Right to be informed — Data subjects must be notified of the collection and processing of their personal data
  • Right of access — Data subjects may request confirmation of processing and a copy of their personal data
  • Right to rectification — Data subjects may request correction of inaccurate or incomplete personal data
  • Right to erasure — Data subjects may request deletion of their personal data in specified circumstances
  • Right to restrict processing — Data subjects may request the restriction of processing in certain circumstances
  • Right to object — Data subjects may object to processing based on legitimate interests or public interest
  • Right to data portability — Data subjects may receive their data in a structured, machine-readable format

Data Protection Officer Appointment

The PDPA requires certain data controllers and processors to appoint a DPO. The DPO is responsible for monitoring compliance, advising the organisation on data protection matters, and serving as the contact point for the PDPC and data subjects. The DPO must have expert knowledge of data protection law and practice and must operate independently within the organisation.

Breach Notification

Data controllers must notify the PDPC and affected data subjects of personal data breaches without undue delay. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken to address the breach. The PDPC may specify additional requirements and timelines through regulations.

Cross-Border Transfers

Personal data may only be transferred outside Tanzania where the receiving country or territory ensures an adequate level of data protection as determined by the PDPC, or where appropriate safeguards are in place. The PDPC may issue a list of countries with adequate protection and approve standard contractual clauses for transfers to countries without adequacy determinations.

Data Localisation Considerations

Tanzania has historically taken a more restrictive approach to cross-border data flows, particularly under the Electronic and Postal Communications (Online Content) Regulations 2020 and EPOCA. Organisations should monitor PDPC guidance on cross-border transfers carefully, as the Commission may impose additional requirements or restrictions. Documenting all cross-border transfers and their legal basis is essential for demonstrating compliance.

Compliance Checklist

Use this structured checklist to assess and track your organisation's compliance with the Tanzania PDPA.

Governance & Registration

  • Register with the PDPC as a data controller or data processor, if required
  • Appoint a Data Protection Officer (DPO) where required by the PDPA
  • Develop and publish a data protection policy aligned with the PDPA
  • Establish a data governance structure with clear roles, responsibilities, and reporting lines
  • Maintain a record of all processing activities
  • Conduct data protection impact assessments for high-risk processing activities

Lawful Processing & Consent

  • Identify and document the lawful basis for every processing activity
  • Where consent is relied upon, ensure it is freely given, specific, informed, and unambiguous
  • Implement a mechanism for data subjects to withdraw consent at any time
  • Maintain consent records with timestamps and full details
  • Ensure sensitive personal data is processed only on permitted grounds

Transparency & Notification

  • Draft and publish a privacy notice that meets all PDPA requirements
  • Provide the privacy notice at or before the point of data collection
  • Include purpose of processing, categories of data, retention periods, data subject rights, and cross-border transfer details
  • Review all data collection points for compliance

Security Safeguards

  • Implement appropriate technical and organisational measures to protect personal data
  • Conduct risk assessments to identify threats to data security
  • Deploy encryption, access controls, and intrusion detection as appropriate
  • Regularly test and verify the effectiveness of security measures
  • Ensure data processors have adequate security measures through binding agreements

Data Subject Rights

  • Establish processes to receive, verify, and respond to data subject access requests
  • Establish processes for rectification, erasure, restriction, portability, and objection requests
  • Define response timelines consistent with the PDPA's requirements
  • Train staff on identifying and handling data subject requests

Breach Response

  • Develop a documented data breach response procedure
  • Define escalation timelines and responsibilities for breach notification to the PDPC
  • Establish processes for notifying affected data subjects
  • Maintain a breach register recording all incidents
  • Conduct regular breach response exercises and tabletop simulations

Cross-Border Transfers

  • Identify all cross-border transfers of personal data
  • Verify the receiving country has adequate data protection as determined by the PDPC
  • Where adequacy is not established, implement appropriate safeguards or obtain explicit consent
  • Document the lawful basis for each cross-border transfer
  • Include transfer provisions in all data processing agreements

PDPC Role and Powers

The Personal Data Protection Commission (PDPC) is the independent supervisory authority established under the PDPA. The PDPC's key functions include:

  • Registration — Registering data controllers and processors operating in Tanzania
  • Complaint handling — Receiving and investigating complaints from data subjects
  • Auditing — Conducting compliance audits and assessments of data controllers and processors
  • Enforcement — Issuing enforcement notices, imposing administrative penalties, and ordering remedial actions
  • Guidance — Issuing regulations, codes of practice, and guidelines on data protection matters
  • Adequacy determinations — Assessing whether foreign countries provide adequate data protection for cross-border transfers
  • Awareness — Promoting public awareness of data protection rights and obligations

The PDPC has the power to require data controllers and processors to provide information, grant access to premises, and produce documents for inspection. Obstruction of the PDPC's functions is an offence under the Act.

PDPC Regulations Are Expected

The PDPC is expected to issue detailed regulations on registration procedures, breach notification timelines, cross-border transfer mechanisms, and sector-specific guidance. Organisations should monitor the PDPC's website and official gazette for new regulations that may introduce additional compliance requirements. Building flexibility into your compliance programme from the outset will help you adapt to evolving regulatory expectations.

Penalties

The PDPA provides for significant penalties for non-compliance. While the specific penalty amounts are subject to the detailed provisions of the Act and any regulations issued by the PDPC, the framework includes:

Violation                                            Penalty
Processing personal data without a lawful basis      Administrative fines as determined by the PDPC
Failure to register with the PDPC (where required)   Administrative sanctions and potential suspension of processing
Failure to notify the PDPC of a data breach          Administrative fines and enforcement notices
Failure to appoint a DPO (where required)            Administrative fines
Unlawful cross-border transfer of personal data      Administrative fines and order to cease transfers
Obstruction of the PDPC                              Criminal prosecution, fines, and/or imprisonment

The PDPC may also:

  • Issue enforcement notices requiring specific remedial actions within a defined timeline
  • Order the suspension or restriction of data processing activities
  • Order the rectification, blocking, or destruction of personal data processed in violation of the Act
  • Refer matters for criminal prosecution
  • Order compensation to affected data subjects

Ongoing Compliance

PDPA compliance is an ongoing obligation. Here is how to maintain sustainable compliance:

1. Integrate PDPA Obligations into Your Risk Register

Treat every PDPA obligation as a compliance risk with a named owner, deadline, mapped controls, and attached evidence. This ensures data protection is monitored alongside all other organisational risks.

2. Monitor PDPC Regulations

As a new regulatory body, the PDPC is expected to issue additional regulations and guidance. Establish a process to monitor and assess new requirements as they are published.

3. Train Staff Continuously

Regular data protection training — at onboarding and annually thereafter — ensures staff understand their obligations and can recognise data subject requests and potential breaches.

4. Review and Update DPIAs

Conduct DPIAs for all high-risk processing activities and review them annually or whenever processing activities change significantly.

5. Use Technology to Automate Compliance

Manual compliance tracking does not scale. A compliance management platform like Dimeri links every PDPA obligation to its controls, evidence, and owner — providing a live compliance dashboard and generating audit-ready reports on demand. This is particularly valuable for organisations operating across multiple East African jurisdictions, where a single platform can map overlapping obligations from the Tanzania PDPA, Kenya DPA, and Nigeria NDPA.

Key Takeaways

  • The Tanzania PDPA 2023 is Tanzania's first comprehensive data protection law, establishing the PDPC as the independent supervisory authority
  • The Act applies extraterritorially — organisations outside Tanzania that process data of Tanzanian data subjects must comply
  • Six lawful bases for processing are established, broadly aligned with GDPR and regional standards
  • DPO appointment is required for certain data controllers and processors
  • Breach notification must be made without undue delay to the PDPC and affected data subjects
  • Cross-border transfers are restricted to countries with adequate protection or where appropriate safeguards are in place
  • The PDPC is expected to issue detailed regulations — organisations should build flexibility into their compliance programmes
  • Continuous compliance — supported by risk registers, DPIA reviews, staff training, and automated tracking — is essential for sustainable adherence

Frequently Asked Questions

When did the Tanzania PDPA come into force?

The Personal Data Protection Act was passed by the Tanzania National Assembly in 2023 and signed into law the same year. Organisations that process personal data of Tanzanian data subjects should treat the Act as being in force and begin compliance efforts immediately, particularly as the PDPC becomes operational and begins issuing regulations and conducting enforcement activities.

Does the PDPA apply to organisations outside Tanzania?

Yes. The PDPA applies extraterritorially to data controllers and processors that are not established in Tanzania but process personal data of data subjects who are in Tanzania, where the processing relates to offering goods or services to those data subjects or monitoring their behaviour. International organisations with Tanzanian customers, users, or employees must assess their compliance obligations under the PDPA.

Is a Data Protection Officer mandatory under the Tanzania PDPA?

The PDPA requires certain data controllers and processors to appoint a DPO. The specific criteria for when a DPO appointment is mandatory are set out in the Act and may be further detailed by PDPC regulations. As a best practice, all organisations that process significant volumes of personal data or sensitive personal data should consider appointing a DPO, even if not strictly required, to demonstrate a proactive commitment to data protection compliance.

Can personal data be transferred outside Tanzania under the PDPA?

Yes, but only under specific conditions. Personal data may be transferred outside Tanzania if the receiving country has been determined by the PDPC to provide an adequate level of data protection, or if appropriate safeguards are in place such as standard contractual clauses or the explicit consent of the data subject. Organisations using cloud services hosted outside Tanzania must ensure their data processing agreements address these cross-border transfer requirements. All transfers should be documented with the legal basis and safeguards in place.