Tanzania Data Privacy Laws: Current Framework & Developments (2026)

Tanzania has built a growing data protection framework that reflects the country's increasing digital connectivity and its role within the East African Community. With the Personal Data Protection Act of 2022 now fully operational and the PDPC actively pursuing enforcement, Tanzania has moved from a fragmented regulatory landscape to a structured data protection regime.
This guide covers every layer of Tanzania's data privacy framework, from constitutional foundations through sector-specific regulations and the newest enforcement developments.
Constitutional Right to Privacy
The foundation of data protection in Tanzania rests on Article 16 of the Constitution of the United Republic of Tanzania, 1977. This article establishes the fundamental right to privacy that all subsequent data protection legislation builds upon.

Article 16(1) states that every person is entitled to respect and protection of their person, the privacy of their own person, their family and matrimonial life, and respect and protection of their residence and private communications.
Article 16(2) adds an important qualification. Any interference with a person's privacy must be justified and carried out in accordance with procedures laid down by law. This means the government cannot intrude on personal privacy without legal authority.
Legal scholars and courts have interpreted Article 16 as extending to personal data in digital environments. The passage of the PDPA in 2022 represents the legislative operationalization of this constitutional guarantee, giving the privacy right concrete rules and enforcement mechanisms in the digital age.
The Personal Data Protection Act of 2022
The Personal Data Protection Act (PDPA) No. 11 of 2022 is Tanzania's primary and most comprehensive data protection legislation. President Samia Suluhu Hassan signed the Act on 27 November 2022, and it came into force on 1 May 2023.
The PDPA applies to all processing of personal data within Tanzania, whether by automated or manual means. It also applies to data controllers and processors outside Tanzania who process personal data of individuals located in the country.
Core Data Protection Principles
The PDPA establishes several foundational principles that govern all personal data processing in Tanzania.
Personal data must be processed lawfully, fairly, and transparently. Controllers must ensure the security of personal data throughout processing. Data may only be collected for explicit, specified, and legitimate purposes and must not be further processed in ways contrary to those original purposes.
Data must be adequate, relevant, and limited to what is necessary for the purposes for which it is collected. Personal data must be accurate and, where necessary, kept up to date. Controllers must take reasonable steps to ensure inaccurate data is erased or rectified without delay.
Personal data should not be kept longer than is necessary for the purposes for which it was collected. Controllers must implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Lawful Bases for Processing
The PDPA provides several lawful grounds for processing personal data. Data controllers must rely on at least one of these grounds.
Consent of the data subject is the primary basis. The consent must be specific, informed, and freely given. For sensitive personal data, controllers must obtain prior written consent from the data subject.
Other lawful grounds include contractual necessity, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest, and legitimate interests of the controller or a third party (provided these do not override the data subject's rights).
Data Subject Rights
The PDPA grants data subjects a comprehensive set of rights that align broadly with international standards.
The right to be informed requires controllers to provide clear information about data processing activities, including the purposes of processing, the categories of data collected, and the identity of the controller.
The right of access allows data subjects to obtain confirmation of whether their personal data is being processed and to access copies of that data.
The right to rectification enables data subjects to request correction of inaccurate personal data.
The right to erasure (sometimes called the right to be forgotten) allows data subjects to request deletion of their personal data under certain circumstances.
The right to restrict processing permits data subjects to limit how their data is used.
The right to data portability allows data subjects to receive their personal data in a structured, commonly used format and to transmit that data to another controller.
The right to object gives data subjects the ability to oppose certain types of processing, including processing for direct marketing purposes.
The right not to be subjected to automated decision-making protects data subjects from decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant impacts.
Sensitive Personal Data
The PDPA provides heightened protections for sensitive personal data. This category includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification purposes, health data, and data concerning a person's sex life or sexual orientation.
Processing sensitive data requires prior written consent from the data subject and is subject to additional safeguards. Controllers processing sensitive data must implement enhanced security measures and may face stricter penalties for violations.
The Personal Data Protection Commission (PDPC)
The PDPA establishes the Personal Data Protection Commission (PDPC) as the independent supervisory authority responsible for overseeing compliance with data protection law in Tanzania.
Establishment and Launch
The PDPC was officially launched on 3 April 2024, marking the beginning of active data protection enforcement in Tanzania. The Commission operates as an independent corporate body with its own legal personality.
The PDPC is headed by a Commissioner appointed by the President and is supported by staff with expertise in data protection, information technology, and law.
Powers and Functions
The PDPC holds broad regulatory and enforcement powers. It is mandated to monitor compliance with the PDPA and its regulations, register data controllers and processors, receive and investigate complaints of alleged violations, conduct inspections and audits, issue guidance and codes of practice, and impose administrative penalties.
The Commission can issue enforcement notices directing violators to remedy breaches within a specified period. If the violation is not remedied, the Commission can issue penalty notices with financial sanctions.
The PDPC also has the power to order the deletion of personal data if a controller or processor is found in violation of the PDPA.
Registration Requirements
All organizations that process personal data in Tanzania must register with the PDPC. The initial registration deadline was 10 October 2024, but this was extended to 30 April 2025.
Institutions that fail to register by the deadline face legal consequences, including fines and potential criminal prosecution. The registration process requires organizations to provide details about their data processing activities, the types of personal data they handle, and their security measures.
Early Enforcement Actions
The PDPC has already begun exercising its enforcement powers. In Complaint No. PDPC/CMP/002/2025, the Commission issued a decision concerning the protection of children's personal data, signaling that it will actively pursue violations involving vulnerable populations.
These early enforcement actions demonstrate the Commission's willingness to use its powers and establish precedents for data protection compliance in Tanzania.
Penalties and Enforcement
The PDPA establishes a tiered penalty structure that includes both administrative and criminal sanctions.
Administrative Fines
The PDPC can impose administrative fines of up to TZS 100 million (approximately USD 42,600) through penalty notices. There is no ceiling on the compensation the Commission can award to affected data subjects, meaning organizations could face significant financial exposure beyond the administrative fine caps.
Criminal Penalties
The PDPA imposes criminal sanctions for certain violations. Unlawful disclosure or misuse of personal data can result in fines ranging from TZS 100,000 to TZS 20 million, imprisonment for up to 10 years, or both.
Unlawful destruction, deletion, concealment, or alteration of personal data carries penalties of up to TZS 10 million or imprisonment for up to 5 years, or both.
For other contraventions where no specific penalty is provided, offenders face fines between TZS 100,000 and TZS 5 million, imprisonment for up to 5 years, or both.
Enforcement Process
The PDPC follows a structured enforcement procedure. When a violation is identified, the Commission first issues an enforcement notice directing the violator to remedy the breach within a specified period. If the violation is not remedied within the given timeframe, the Commission may then issue a penalty notice imposing financial sanctions.
The Commission may also order compensation to data subjects who suffered harm due to violations. This compensation mechanism provides a direct remedy for individuals affected by data protection breaches.
The Electronic and Postal Communications Act (EPOCA) 2010
Before the PDPA, the Electronic and Postal Communications Act (EPOCA) of 2010 served as one of the primary instruments for data protection in Tanzania's telecommunications sector. EPOCA remains in force and provides sector-specific protections that supplement the PDPA.
Confidentiality Obligations
Section 98 of EPOCA imposes a duty of confidentiality on licensees of network services and their agents who may encounter personal information of customers. This means telecommunications operators, internet service providers, and their employees cannot disclose customer data without authorization.
Section 99 extends this prohibition further, restricting the disclosure of subscriber information by service providers. Information may only be disclosed when required by law enforcement, a court of law, or another lawfully constituted tribunal.
Protection Against Interception
Section 120 of EPOCA prohibits unlawful interception of communications. This provision protects individuals from unauthorized monitoring or surveillance of their electronic communications, including phone calls, text messages, and internet activity.
Violations of these interception prohibitions carry significant penalties, reinforcing the importance the Tanzanian legislature places on communications privacy.
Consumer Protection Regulations
The Electronic and Postal Communications (Consumer Protection) Regulations of 2018, made under EPOCA, require licensees to protect consumer information against improper or accidental disclosure. Regulation 6 specifically addresses the duty to safeguard personal data collected in the course of providing communications services.
Cross-Border Data Transfers Under EPOCA
EPOCA restricts transfers of personal data (including transfers outside Tanzania) by electronic communications and postal services licensees. Such data may only be transferred if the transfer is in accordance with terms agreed with the data subject and either the Tanzania Communications Regulatory Authority (TCRA) has approved the transfer or the transfer is required by applicable law.
These provisions gave Tanzania an early framework for controlling international data flows, which the PDPA has since expanded to cover all sectors.
SIM Card Registration and Biometric Data
The Electronic and Postal Communications (SIM Card Registration) Regulations of 2020 require SIM card registration using biometric data. Under Regulation 20, licensees, dealers, and their agents are prohibited from misusing registered data. Violations carry penalties of not less than TZS 5 million (approximately USD 2,150) or imprisonment for at least 12 months, or both.
This biometric registration requirement makes EPOCA relevant to discussions about mass data collection and surveillance, as it means the government holds biometric identifiers for a large portion of the population.
The Tanzania Communications Regulatory Authority (TCRA)
The TCRA is the regulatory authority responsible for overseeing the postal, electronic communications, and broadcasting industries in Tanzania. While the PDPC now handles general data protection oversight, the TCRA retains an important role in sector-specific data protection for telecommunications.
Regulatory Functions
The TCRA is tasked with promoting effective competition and economic efficiency while safeguarding the interests of consumers in the communications sector. Its data protection responsibilities include enforcing the confidentiality provisions of EPOCA, overseeing SIM card registration compliance, maintaining the Central Equipment Identification Register (CEIR), and approving cross-border data transfers by telecommunications licensees.
Under Section 84 of EPOCA, the TCRA must establish and maintain the CEIR, which contains information about all devices collected by licensees from their subscribers, including mobile numbers and International Mobile Equipment Identity (IMEI) numbers.
Relationship with PDPC
Since the establishment of the PDPC, a regulatory overlap has existed between the two bodies. The TCRA handles sector-specific telecommunications data protection under EPOCA, while the PDPC oversees general data protection under the PDPA. Organizations in the telecommunications sector must comply with both regulatory frameworks.
The Cybercrimes Act 2015
The Cybercrimes Act of 2015 was enacted on 25 April 2015 and addresses criminal offenses related to computer systems, networks, and electronic data. While primarily a criminal statute, it contains provisions relevant to data protection.
Data Protection Provisions
The Cybercrimes Act provides penal sanctions to deter privacy and data protection abuses. Service providers face restrictions on monitoring customer data and must follow prescribed procedures for sharing information with authorities.
The Act criminalizes unauthorized access to computer systems and data, illegal interception of data transmissions, and unauthorized disclosure of protected information. These provisions create criminal liability for data breaches that go beyond accidental loss or negligence.
Criticisms and Concerns
The Cybercrimes Act has faced significant criticism from civil society and rights organizations. Critics argue that the Act grants law enforcement excessive surveillance powers with insufficient judicial oversight.
The Act authorizes the Minister responsible for information and communication technology to require service providers to inform authorities of alleged illegal activities and provide customer identity information. Search and seizure powers under the Act are broad, raising concerns about potential abuse.
Rights groups contend that while the Cybercrimes Act purports to protect data, some of its provisions may actually facilitate government surveillance and undermine individual privacy rights.
Implementing Regulations
The PDPA is supported by several implementing regulations issued in 2023 that provide detailed procedural requirements.
Personal Data Collection and Processing Regulations 2023
The Personal Data Protection (Personal Data Collection and Processing) Regulations, GN No. 449C of 2023, came into effect on 4 July 2023. These regulations detail how data controllers and processors must handle personal data, including requirements for privacy notices, consent mechanisms, data retention policies, and security measures.
Complaints Settlement Procedures Regulations 2023
The Personal Data Protection (Complaints Settlement Procedures) Regulations of 2023 establish the process for filing and resolving data protection complaints with the PDPC. They outline how data subjects can bring complaints, the investigation procedures the Commission will follow, and the remedies available.
Cross-Border Transfer Requirements
The regulations establish detailed requirements for transferring personal data outside Tanzania. Under Section 31 of the PDPA, personal data may only be transferred to countries with adequate data protection frameworks.
The regulations outline the permit application process under Regulation 20. Data controllers must demonstrate that the recipient country has ratified an international agreement providing data protection requirements, that a bilateral agreement exists between Tanzania and the recipient country, or that a contractual agreement between the applicant and the foreign recipient provides adequate protections.
The Commission and the Minister of Communications hold broad discretion over whether to approve cross-border transfers. Even when the formal conditions are met, approval is not guaranteed. This gives Tanzanian authorities significant control over international data flows.
Data Breach Notification
The PDPA requires data controllers to notify the PDPC and affected data subjects in the event of a personal data breach. If a data processor becomes aware of a breach, they must notify the data controller without undue delay.
While the PDPA establishes these notification obligations, the specific timelines and procedural requirements for breach notification are less detailed than frameworks like the GDPR's 72-hour notification window. The PDPC may issue further guidance on breach notification procedures as its enforcement activities mature.
Tanzania in the East African Data Protection Landscape
Tanzania's data protection framework exists within the broader context of rapidly evolving privacy regulation across East Africa.
Regional Comparison
All major East African Community members have now adopted data protection legislation modeled in part on the GDPR. Kenya's Data Protection Act of 2019, Uganda's Data Protection and Privacy Act of 2019, and Tanzania's PDPA of 2022 share common features including independent supervisory authorities, consent-based processing models, and restrictions on cross-border transfers.
Kenya currently leads the region in data protection enforcement maturity, with its Office of the Data Protection Commissioner having been operational for several years. Uganda's Personal Data Protection Office operates under the National Information Technology Authority. Tanzania's PDPC, while newer, has moved quickly to establish registration requirements and begin enforcement.
Harmonization Challenges
Despite the similarities in their legislative frameworks, the three East African nations differ in scope, provisions, and enforcement capacity. A unified approach across the East African Community has not yet emerged, creating compliance challenges for organizations operating across borders in the region.
Regional collaboration is growing, however. Tanzania has participated in knowledge-sharing initiatives with other African data protection authorities, and there are ongoing discussions about developing common standards within the EAC.
African Union Convention
Tanzania is also influenced by the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), adopted in 2014. While ratification across the continent has been slow, the convention provides a continental framework that shapes national legislation in AU member states, including Tanzania.
Practical Compliance Guidance
Organizations operating in Tanzania or processing the personal data of Tanzanian residents should take several steps to ensure compliance.
Registration
Register with the PDPC immediately if you have not already done so. The 30 April 2025 deadline has passed, and unregistered organizations risk fines and legal action. Registration requires providing details about your data processing activities, categories of data processed, and security measures in place.
Consent Mechanisms
Review and update your consent collection practices. Consent must be specific, informed, and freely given. For sensitive personal data, written consent is mandatory. Ensure data subjects understand what they are consenting to at every stage of data collection and processing.
Cross-Border Transfers
If you transfer personal data outside Tanzania, confirm that you have obtained the necessary permit from the PDPC. Prepare documentation demonstrating that the recipient country provides adequate data protection or that appropriate contractual safeguards are in place.
Data Security
Implement appropriate technical and organizational measures to protect personal data. The PDPA requires encryption, secure storage, access restrictions, and other safeguards proportionate to the sensitivity of the data you process.
Data Subject Requests
Establish procedures for handling data subject rights requests, including requests for access, rectification, erasure, and data portability. Respond to these requests within a reasonable timeframe.
Breach Response
Develop a data breach response plan that includes procedures for notifying the PDPC and affected data subjects. Identify the personnel responsible for managing breach responses and ensure they understand their notification obligations.
Disclaimer: This article provides general information about Tanzania's data privacy laws and is not legal advice. Data protection laws change frequently. Consult a qualified attorney licensed in Tanzania for guidance on your specific situation.