THE PARADOX OF DATA TRANSFER OUTSIDE TANZANIA

The Personal Data Protection Act Number 11 of 2022 (the "Act") was enacted on November 1, 2022. It is to be read in conjunction with the Personal Data Protection (Collection and Processing of Personal Data) Regulations, issued under Government Notice 449C of 2023 (the "Regulations"), which came into effect on July 4, 2023. This legislation applies to both Tanzania Mainland as well as Tanzania Zanzibar. Furthermore, these legislation provide guidelines on how data should be transferred outside Tanzania as follows: -

Transfer of personal data is not specifically defined in the legislation however, a simple definition can be taken from Article 44 of the European Union General Data Protection Regulation (GDPR) which defines personal data transfer as an intentional sending of personal data to another party or making the data accessible by it, where neither sender nor recipient is the data subject.

The transfer of personal data outside Tanzania is permitted solely by the Personal Data Protection Commission (the “Commission”) which allows personal data transfer outside Tanzania and issues the necessary permit for such transfers.

Generally, the transfer of personal data to other countries is prohibited according to section 31 (1) of the Act, however, this is permissible by the consent of the Commission pursuant to section 31(2) of the Act, provided that, among other things, the recipient county has adequate legal framework for personal data protection.

Procedures For Data Transfer Outside Tanzania

Regulation 20 (1) – (7) of the Regulations provides for the procedure in respect of personal data transfer from Tanzania. The procedure set out is as follows: (a) A data controller or processor must apply for a permit using Form Number 7 of the Regulations, (b) Applications for permit to transfer personal data shall include details such as particulars of the applicant and recipient, data subject, type of data, purpose of transfer, security measures, consent of data subjects, and other required information, (c) Applicants must show that the recipient country has ratified an international data protection agreement, there is an agreement between Tanzania and the recipient country about personal data protection and a contractual agreement between a requester in Tanzania and recipient abroad, (d) the Commission reviews applications within 14 days and if rejected, a written notice with reasons will be provided. Upon approval the Commission will issue the permit for data transfer outside Tanzania using Form Number 8.

Conditions for the Permit. Regulation 22 of the Regulations mandates that permits issued by the Commission require personal data to be transferred only to authorized recipients, used solely for its intended purpose, not accessible to others without the Commission’s approval, and processed in compliance with Tanzanian laws.

Non-compliance and penalties. Section 60 of the Act imposes penalties for unauthorized handling or disclosure of personal data: as Individuals disclosing personal data may face a fine up to TZS 20,000,000 or ten years in prison and corporations can be fined between TZS 1,000,000 and TZS 5,000,000,000 for unauthorized disclosure of personal data.

Conclusion. In summary, Tanzania’s legal regime for protecting personal data applies to all data subjects, however, it is still at its infancy stage. The passing of the Act is a positive and progressive step towards personal data protection for data subjects. However, it appears that most businesses and/or organisations are not aware of whether they fall within the definitions of data collectors and/or data processors, and what implications that this may have on their business.  

PREPARED BY:

EVELYN MFUNGAHEMA

LEGAL INTERN

NOTE; This is not a legal opinion, and the content hereof are not meant to be relied upon by any recipient unless our written consent is sought and explicitly obtained in writing.