By Adv. Fatma Haruna Songoro
- Registration certificates for data collectors and processors to be valid for 5 years
- Data protection officer of the data collector/processor obligated to file quarterly reports
- Grounds for prohibition of cross-border personal data transfer specified
- Mandatory ADR before determination of a complaint by the Commission
- Awards issued by the Commission to be enforceable as a High Court decree
The Ministry of Information, Communication and Information Technology published the Personal Data Protection Regulations (the Regulations) on the 12th of May 2023. The two regulations issued are:
i. The Data Protection (Collection and Processing of Personal Data) Regulations, GN No. 349 of 2023.
ii. The Data Protection (Complaints Handling Procedure) Regulations, GN No 350 of 2023.
The publication of the Regulations follows the operationalization of the Personal Data Protection Act, 2022 in Tanzania, which came into force on 1st May 2023. The operationalization of the law and the issuance of the Personal Data Protection Regulations indicate the government's seriousness in protecting personal data and privacy in the country. Below is a brief analysis of the recently published Personal Data Protection Regulations:
1. The Data Protection (Collection and Processing of Personal Data) Regulations, GN No. 349
The Data Protection (Collection and Processing of Personal Data) Regulations, GN No. 349 (hereinafter the Regulations) introduce major compliance responsibilities for all entities or persons that deal with the collection or processing of personal data. The Regulations generally provide for the registration procedure for data collectors and processors, mechanisms for safeguarding data subjects' rights, the procedure for cross-border data transfer, as well as the obligations of collectors and processors. In brief, some of the pertinent issues covered in the Regulations include:
- Registration: The Regulations prohibit the collection or processing of personal data without registration with the Data Protection Commission (hereinafter the Commission). The Regulations then provide for the registration procedure as well as the procedure for cancellation or refusal of registration as a data collector or processor. A refusal or cancellation decision made by the Commission is appealable to the Minister, whose decision is final. The Regulations further prescribe the registration fees under the Second Schedule to the Regulations.
- Data subject rights: Part 3 of the Regulations provides the procedure for a data subject to exercise the right to object to or prevent processing, the right to erasure or destruction, the right to reject the use of personal data for automated decisions, and the right to correct personal data that is incorrect, changed, out of date, incomplete or misleading. Further, the Regulations provide for the rights of a data subject to be exercised by another person on their behalf, including in the processing of children's personal data.
- Data protection principles: The Regulations expound on the application of certain data protection principles such as lawfulness, adequacy, security, accuracy, storage and purpose, and briefly highlight the principles of confidentiality, fairness and transparency. Uniquely, Regulation 31 introduces the principle of data subject rights, which places an obligation on the collector or processor to protect the rights of the data subject during processing. This principle requires data collectors or processors to ensure, inter alia, the freedom of the data subject to control their personal data, the elimination of discrimination against the data subject, the protection of the data subject against wrongful use, and the use of human intervention to reduce the impact of automated decisions.
- Data protection officers: The Regulations also require data collectors and processors to appoint data protection officers, whose duties and obligations are stipulated in the Regulations to include, among others, ensuring compliance by the collector or processor, providing information on violations and advising on corrective measures, submitting quarterly reports to the Commission, and handling requests or complaints made by data subjects against the data collector or data processor.
- Cross-border data transfer: The Regulations require a request for cross-border data transfer to be made to the Commission in the prescribed form, with proof that the recipient country has ratified an international treaty on personal data protection, that a reciprocal data protection agreement between that country and Tanzania exists, or that an agreement between the parties exists. The Regulations prohibit cross-border transfer of personal data if the transfer threatens national security, there is a lack of adequate protection in the recipient's country, the transfer is prohibited by other laws, the request for transfer is incomplete, or for any other reason the Commission deems fit.
- Data Impact Assessment (DIA): The Regulations stipulate that processing activities with potential harm to the rights and freedoms of data subjects require a data protection impact assessment to be conducted. The Regulations itemize such activities to include the processing of biometric or genetic data, sensitive personal data or data relating to children or vulnerable groups; large-scale processing of personal data; systematic monitoring of a publicly accessible area on a large scale; and the innovative use or application of new technological or organizational solutions. Further, the Regulations empower the Commission to give guidance or restrict processing after receiving and assessing the findings of the data protection impact assessment.
With these Regulations in place, organizations need to understand their obligations under the law in order to ensure compliance. Businesses that rely on the processing of personal data, such as banks, fintechs, social media, e-commerce, telecoms and others, need to restructure their models, policies and services and adopt watertight processes to ensure full compliance and protection of personal data.
2. The Data Protection (Complaints Handling Procedure) Regulations, GN No. 350
The Data Protection (Complaints Handling Procedure) Regulations, GN No. 350 (hereinafter the Complaints Regulations) principally deal with the procedure by which data subjects can lodge complaints or seek redress for violations involving their personal data. The Complaints Regulations allow a data subject to lodge a complaint with the Commission in English or Swahili, either orally or in writing, in relation to a violation involving personal data or if aggrieved by a decision of a data collector or processor in the processing of their personal data. After receiving the complaint, the Commission shall screen it and proceed to either reject or accept it. Within 7 days of the complaint being accepted, the Commission shall issue a summons to defend to the Respondent in Form 2 provided under the First Schedule to the Complaints Regulations. The Complaints Regulations also provide procedures for joining another respondent who is a third party to the complaint, and for amendment of complaints or defences.
As part of the investigation procedure, the Commission is authorized to appoint an officer within the Commission to mediate the dispute between the parties for amicable settlement of the matter within 30 days. If a settlement is reached, it shall be adopted by the Commission and become an award of the Commission. If a settlement is not reached, the matter shall be returned to the Commission for appointment of a Committee to hear and determine the dispute. The Committee shall be composed of 3 members from within the Commission who are experts in law, data protection and IT. The Committee shall hear the parties and make findings on the dispute, which shall be delivered to the Commission for determination of the matter.
If the complaint is determined to have merit, the Commission shall issue an enforcement notice, and if the notice is not implemented, the Commission is authorized to issue a penalty notice, which shall become part of the award issued by the Commission and be capable of enforcement as a decree of the High Court. Any party aggrieved by a decision of the Commission may, within 21 days, apply to the Commission for revision of the award. In exercising its revisionary powers, the Commission is empowered by the Complaints Regulations to amend, dismiss or strike out any part of the award. Any person who is not satisfied with the decision of the Commission may lodge an appeal to the High Court within 21 days from delivery of the award.
The much-awaited legal framework to address violations involving personal data has now become a reality in Tanzania. We commend the government for taking quick strides in putting in place a legal and regulatory framework on data protection and privacy. The only pending issue is the establishment of the Data Protection Commission to handle enforcement and compliance. Notwithstanding the foregoing, the level of awareness and understanding of the new data protection legal framework appears to be low in the country.
Victory Attorneys & Consultants are experts in data protection, information privacy and cybersecurity. Contact us for assistance and advice on ensuring compliance with the data protection laws and Regulations. Victory Attorneys & Consultants can be reached through Mobile No: +255 754 959 726 or Email: firstname.lastname@example.org
DISCLAIMER: This article is not intended to provide legal advice but to provide general information on the matter covered in the article. The article does not constitute and is not to be relied upon as legal advice. Victory Attorneys & Consultants shall not be responsible for any loss in the event this article is relied upon without seeking our professional advice first.