Tanzania Data Privacy Laws: PDPA 2022 Guide (2026)

Tanzania governs personal data under the Personal Data Protection Act No. 11 of 2022 (in force 1 May 2023). The Act requires registration with the Personal Data Protection Commission, appointment of a Data Protection Officer under Section 27(3), and lawful-processing compliance, with corporate fines of up to TZS 5 billion for violations.
Tanzania's Personal Data Protection Act of 2022 is now fully enforced. The Personal Data Protection Commission launched in April 2024, spent its first year building registration systems and issuing guidance, and commenced active enforcement on 9 April 2026 after successive deadline extensions failed to achieve full sector compliance. This guide covers every layer of Tanzania's data protection framework, from the constitutional foundations through the April 2026 enforcement milestone and the emerging case law.
For questions about recording consent laws in Tanzania, see the companion article on Tanzania recording laws.
Jurisdiction scope: This article addresses Tanzania's national data protection framework under the Personal Data Protection Act No. 11 of 2022 (Mainland Tanzania and, for Union Matters only, Zanzibar), the Electronic and Postal Communications Act 2010, and the Cybercrimes Act 2015. It does not address broader East African Community harmonization proposals or the laws of other EAC member states except for brief comparative context.
Quick Answer: Tanzania's Data Protection Framework
Tanzania's primary data protection law is the Personal Data Protection Act (PDPA), No. 11 of 2022. It came into force on 1 May 2023 and is enforced by the Personal Data Protection Commission (PDPC), which launched on 3 April 2024. The PDPA requires registration of all data controllers and processors, mandatory appointment of a Data Protection Officer, and compliance with lawful processing, data subject rights, and cross-border transfer rules. As of 9 April 2026, the PDPC began active enforcement against unregistered institutions, with corporate fines of up to TZS 5 billion. The Act applies to Mainland Tanzania and to Zanzibar only for Union Matters. Two provisions were found unconstitutionally vague by the High Court in May 2024 and remain subject to a government amendment order.

Constitutional Right to Privacy
The foundation of data protection in Tanzania rests on Article 16 of the Constitution of the United Republic of Tanzania, 1977. This article establishes the fundamental right to privacy that all subsequent data protection legislation builds upon.
Article 16(1) states that every person is entitled to respect and protection of their person, the privacy of their own person, their family and matrimonial life, and respect and protection of their residence and private communications.
Article 16(2) adds an important qualification. Any interference with a person's privacy must be justified and carried out in accordance with procedures laid down by law. This means the government cannot intrude on personal privacy without legal authority.
Legal scholars and courts have interpreted Article 16 as extending to personal data in digital environments. The passage of the PDPA in 2022 represents the legislative operationalization of this constitutional guarantee, giving the privacy right concrete rules and enforcement mechanisms in the digital age.

The Personal Data Protection Act of 2022
The Personal Data Protection Act (PDPA) No. 11 of 2022 is Tanzania's primary and most comprehensive data protection legislation. President Samia Suluhu Hassan signed the Act on 27 November 2022, and it came into force on 1 May 2023.
The PDPA applies to all processing of personal data within Tanzania, whether by automated or manual means. It also applies to data controllers and processors outside Tanzania who process personal data of individuals located in the country.
Core Data Protection Principles
The PDPA establishes several foundational principles that govern all personal data processing in Tanzania.
Personal data must be processed lawfully, fairly, and transparently. Controllers must ensure the security of personal data throughout processing. Data may only be collected for explicit, specified, and legitimate purposes and must not be further processed in ways contrary to those original purposes.
Data must be adequate, relevant, and limited to what is necessary for the purposes for which it is collected. Personal data must be accurate and, where necessary, kept up to date. Controllers must take reasonable steps to ensure inaccurate data is erased or rectified without delay.
Personal data should not be kept longer than is necessary for the purposes for which it was collected. Controllers must implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Lawful Bases for Processing
The PDPA provides several lawful grounds for processing personal data. Data controllers must rely on at least one of these grounds.
Consent of the data subject is the primary basis. The consent must be specific, informed, and freely given. For sensitive personal data, controllers must obtain prior written consent from the data subject.
Other lawful grounds include contractual necessity, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest, and legitimate interests of the controller or a third party (provided these do not override the data subject's rights).
Data Controllers and Processors
The PDPA distinguishes between data controllers and data processors. A data controller determines the purposes and means of processing personal data and bears primary compliance obligations, including registration, DPO appointment, and data subject rights management. A data processor processes personal data on behalf of a controller and must follow the controller's instructions, implement appropriate security measures, notify the controller of breaches without undue delay, and maintain records of processing activities.
Controllers who engage processors must do so under a written contract that binds the processor to the controller's data protection obligations.
Data Subject Rights
The PDPA grants data subjects a comprehensive set of rights that align broadly with international standards.
The right to be informed requires controllers to provide clear information about data processing activities, including the purposes of processing, the categories of data collected, and the identity of the controller.
The right of access allows data subjects to obtain confirmation of whether their personal data is being processed and to access copies of that data.
The right to rectification enables data subjects to request correction of inaccurate personal data.
The right to erasure (sometimes called the right to be forgotten) allows data subjects to request deletion of their personal data under certain circumstances.
The right to restrict processing permits data subjects to limit how their data is used.
The right to data portability allows data subjects to receive their personal data in a structured, commonly used format and to transmit that data to another controller.
The right to object gives data subjects the ability to oppose certain types of processing, including processing for direct marketing purposes.
The right not to be subjected to automated decision-making protects data subjects from decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant impacts.
Sensitive Personal Data
The PDPA provides heightened protections for sensitive personal data. This category includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification purposes, health data, and data concerning a person's sex life or sexual orientation.
Processing sensitive data requires prior written consent from the data subject and is subject to additional safeguards. Controllers processing sensitive data must implement enhanced security measures and may face stricter penalties for violations.

Data Protection Officers
Section 27(3) of the PDPA requires every data controller and data processor to appoint a Data Protection Officer (DPO). Section 3 defines a DPO as "an individual appointed by the data controller or data processor charged with ensuring compliance with the obligations provided for in the Act."
Unlike the EU's General Data Protection Regulation (GDPR), which exempts small organizations and certain processing types from the DPO requirement, the PDPA sets no organizational size thresholds or processing volume criteria. Every entity that qualifies as a controller or processor under the Act must have a DPO, regardless of scale.
DPO Responsibilities
The DPO's core duties under the PDPA and its regulations include:
- Monitoring the organization's compliance with the PDPA, its regulations, and internal data protection policies
- Identifying and reporting data protection violations and advising on corrective action
- Serving as the primary point of contact between the organization and the PDPC
- Managing data subject requests, complaints, and access requests
- Overseeing Data Protection Impact Assessments for high-risk processing activities
- Developing and delivering employee training and awareness programs
- Submitting quarterly compliance reports to the PDPC
Internal or External DPO
The DPO may be an internal employee or an external professional, provided that person has independence and sufficient understanding of the organization's data processing activities. Where a DPO is an internal employee, the organization must ensure the DPO's data protection role does not create a conflict of interest with other duties.
The PDPC has run training programs for DPOs across Tanzania since its launch, reflecting the importance the Commission places on building a competent DPO community.
The Personal Data Protection Commission (PDPC)
The PDPA establishes the Personal Data Protection Commission (PDPC) as the independent supervisory authority responsible for overseeing compliance with data protection law in Tanzania.
Establishment and Launch
The PDPC was officially launched on 3 April 2024, marking the beginning of active data protection enforcement in Tanzania. The Commission operates as an independent corporate body with its own legal personality.
The PDPC is headed by a Director General (Dr Emmanuel Lameck Mkilia as of 2026) and a Commissioner appointed by the President, supported by staff with expertise in data protection, information technology, and law.
Powers and Functions
The PDPC holds broad regulatory and enforcement powers. It is mandated to monitor compliance with the PDPA and its regulations, register data controllers and processors, receive and investigate complaints of alleged violations, conduct inspections and audits, issue guidance and codes of practice, and impose administrative penalties.
The Commission can issue enforcement notices directing violators to remedy breaches within a specified period. If the violation is not remedied, the Commission can issue penalty notices with financial sanctions.
The PDPC also has the power to order the deletion of personal data if a controller or processor is found in violation of the PDPA.
Registration Requirements
All organizations that process personal data in Tanzania must register with the PDPC. Registration requires providing details about data processing activities, the types of personal data handled, the identity of the appointed DPO, and the security measures in place. Upon approval, the PDPC issues a certificate of registration valid for five years.
The registration deadline went through three stages: a presidential grace period running to 31 December 2024 (announced by President Samia Suluhu Hassan at the PDPC launch on 3 April 2024), a first extension to 30 April 2025 announced by the PDPC on 10 January 2025, and a final extension to 8 April 2026 announced by Minister Angella Jasmine Mbelwa Kairuki on 8 January 2026. Dr Mkilia confirmed at a press conference in Dodoma on 26 March 2026 that full enforcement would commence on 9 April 2026 with no further extensions.
Sectors specifically targeted for enforcement include government ministries and agencies, banks, insurance companies, microfinance institutions, educational and healthcare facilities, telecommunications companies and internet service providers, e-commerce platforms, data centres, manufacturing, transport, tourism, legal and accounting firms, media outlets, political parties, and religious organizations.
Enforcement and Complaints
The PDPC follows a structured enforcement procedure. When a violation is identified, the Commission first issues an enforcement notice directing the violator to remedy the breach within a specified period. If the violation is not remedied within the given timeframe, the Commission may issue a penalty notice imposing financial sanctions.
The Commission may also order compensation to data subjects who suffered harm due to violations. This compensation mechanism provides a direct remedy for individuals affected by data protection breaches.
Zanzibar and the PDPA
The PDPA's territorial scope is defined in Section 2, which provides that the Act "shall apply to Mainland Tanzania as well as Tanzania Zanzibar, except that in Tanzania Zanzibar, the Act does not apply to non-union matters."
The Union Matters Framework
Tanzania's constitutional structure reflects the 1964 merger of the Republic of Tanganyika and the People's Republic of Zanzibar. The Constitution of the United Republic of Tanzania, 1977 divides governmental authority between Union Matters (listed in the First Schedule) and non-union matters, which remain subject to Zanzibar's own governance.
The First Schedule identifies 22 Union Matters, including: the national constitution and government of the United Republic; foreign affairs and defence; citizenship and immigration; banking, currency, and exchange control; customs duties; income tax; posts and telecommunications; civil aviation; higher education; mineral oil and natural gas; meteorology; statistics; and registration of political parties.
Practical Implications for Businesses in Zanzibar
A business operating in Zanzibar must assess whether its data processing activities relate to Union Matters. If the activity touches a Union Matter (for example, telecommunications, banking, or customs), the PDPA applies in full. If the activity is a purely non-union matter under Zanzibar's jurisdiction (for example, local land registry administration), the PDPA may not apply.
Zanzibar does not currently have its own separate data protection legislation. The PDPC has indicated that further guidance on the Act's application in Zanzibar will be issued. Until that guidance is published, businesses operating in Zanzibar should seek qualified legal advice on whether their specific processing activities fall within the Union Matters scope.
Watch out: The Union Matters limitation is not a blanket Zanzibar exemption. Most commercial data processing activities (banking, telecommunications, insurance, e-commerce) touch Union Matters and are therefore subject to the PDPA in Zanzibar.
Penalties and Enforcement
The PDPA and related enforcement actions establish a tiered penalty structure that includes both administrative and criminal sanctions.
Penalty Summary Table
| Violation type | Who faces penalty | Fine range | Imprisonment |
|---|---|---|---|
| Administrative (PDPC enforcement notice) | Any controller/processor | Up to TZS 100 million | None |
| Corporate/institutional non-compliance | Entities and institutions | TZS 1 million to TZS 5 billion | None |
| Unlawful disclosure/misuse of personal data | Individuals | TZS 100,000 to TZS 20 million | Up to 10 years |
| Unlawful destruction, deletion, concealment, or alteration | Individuals | Up to TZS 10 million | Up to 5 years |
| General contraventions (no specific penalty provision) | Individuals | TZS 100,000 to TZS 5 million | Up to 5 years |
| CCTV surveillance without registration | Individuals/entities | Up to TZS 50 million (Cybercrimes Act s. 16) | Up to 3 years |
| Misuse of SIM biometric data (SIM Card Registration Regulations 2020, Reg. 20) | Licensees/dealers | Not less than TZS 5 million | At least 12 months |
Compensation for Data Subjects
There is no ceiling on the compensation the PDPC can award to affected data subjects. Organizations could face significant financial exposure beyond the administrative fine caps through compensation orders.
Enforcement Process
The Commission first issues an enforcement notice directing the violator to remedy the breach within a specified period; if the breach is not remedied in that time, it issues a penalty notice imposing financial sanctions. Alongside fines, the Commission may order deletion of the personal data concerned and compensation to affected data subjects.
The Electronic and Postal Communications Act (EPOCA) 2010
Before the PDPA, the Electronic and Postal Communications Act (EPOCA) of 2010 served as one of the primary instruments for data protection in Tanzania's telecommunications sector. EPOCA remains in force and provides sector-specific protections that supplement the PDPA.
Confidentiality Obligations
Section 98 of EPOCA imposes a duty of confidentiality on licensees of network services and their agents who may encounter personal information of customers. This means telecommunications operators, internet service providers, and their employees cannot disclose customer data without authorization.
Section 99 extends this prohibition further, restricting the disclosure of subscriber information by service providers. Information may only be disclosed when required by law enforcement, a court of law, or another lawfully constituted tribunal.
Protection Against Interception
Section 120 of EPOCA prohibits unlawful interception of communications. This provision protects individuals from unauthorized monitoring or surveillance of their electronic communications, including phone calls, text messages, and internet activity.
Violations of these interception prohibitions carry significant penalties, reinforcing the importance the Tanzanian legislature places on communications privacy.
Consumer Protection Regulations
The Electronic and Postal Communications (Consumer Protection) Regulations of 2018, made under EPOCA, require licensees to protect consumer information against improper or accidental disclosure. Regulation 6 specifically addresses the duty to safeguard personal data collected in the course of providing communications services.
Cross-Border Data Transfers Under EPOCA
EPOCA restricts transfers of personal data (including transfers outside Tanzania) by electronic communications and postal services licensees. Such data may only be transferred if the transfer is in accordance with terms agreed with the data subject and either the Tanzania Communications Regulatory Authority (TCRA) has approved the transfer or the transfer is required by applicable law.
These provisions gave Tanzania an early framework for controlling international data flows, which the PDPA has since expanded to cover all sectors.
SIM Card Registration and Biometric Data
The Electronic and Postal Communications (SIM Card Registration) Regulations of 2020 require SIM card registration using biometric data. Under Regulation 20, licensees, dealers, and their agents are prohibited from misusing registered data. Violations carry penalties of not less than TZS 5 million (approximately USD 1,800 at May 2026 exchange rates) or imprisonment for at least 12 months, or both.
This biometric registration requirement makes EPOCA relevant to discussions about mass data collection and surveillance, as it means the government holds biometric identifiers for a large portion of the population.
The Tanzania Communications Regulatory Authority (TCRA)
The TCRA is the regulatory authority responsible for overseeing the postal, electronic communications, and broadcasting industries in Tanzania. While the PDPC now handles general data protection oversight, the TCRA retains an important role in sector-specific data protection for telecommunications.
Regulatory Functions
The TCRA is tasked with promoting effective competition and economic efficiency while safeguarding the interests of consumers in the communications sector. Its data protection responsibilities include enforcing the confidentiality provisions of EPOCA, overseeing SIM card registration compliance, maintaining the Central Equipment Identification Register (CEIR), and approving cross-border data transfers by telecommunications licensees.
Under Section 84 of EPOCA, the TCRA must establish and maintain the CEIR, which holds device information collected by licensees from their subscribers, including mobile numbers and International Mobile Equipment Identity (IMEI) numbers.
Relationship with PDPC
Since the establishment of the PDPC, a regulatory overlap exists between the two bodies. The TCRA handles sector-specific telecommunications data protection under EPOCA, while the PDPC oversees general data protection under the PDPA. Organizations in the telecommunications sector must comply with both regulatory frameworks.
The Cybercrimes Act 2015
The Cybercrimes Act of 2015 was enacted on 25 April 2015 and addresses criminal offenses related to computer systems, networks, and electronic data. While primarily a criminal statute, it contains provisions relevant to data protection.
Data Protection Provisions
The Cybercrimes Act provides penal sanctions to deter privacy and data protection abuses. Service providers face restrictions on monitoring customer data and must follow prescribed procedures for sharing information with authorities.
The Act criminalizes unauthorized access to computer systems and data, illegal interception of data transmissions, and unauthorized disclosure of protected information. These provisions create criminal liability for data breaches that go beyond accidental loss or negligence.
Section 16 of the Cybercrimes Act applies to CCTV surveillance: entities that install surveillance cameras to collect personal data without registering with the PDPC risk fines of up to TZS 50 million, imprisonment of up to three years, or both. The PDPA (Sections 14 and 21) additionally requires CCTV operators to display clear signage informing the public of surveillance and to position cameras within their own premises only.
Criticisms and Concerns
The Cybercrimes Act has faced significant criticism from civil society and rights organizations. Critics argue that the Act grants law enforcement excessive surveillance powers with insufficient judicial oversight.
The Act authorizes the Minister responsible for information and communication technology to require service providers to inform authorities of alleged illegal activities and provide customer identity information. Search and seizure powers under the Act are broad, raising concerns about potential abuse.
Rights groups contend that while the Cybercrimes Act purports to protect data, some of its provisions may actually facilitate government surveillance and undermine individual privacy rights.
Implementing Regulations
The PDPA is supported by several implementing regulations issued in 2023 that provide detailed procedural requirements.
Personal Data Collection and Processing Regulations 2023
The Personal Data Protection (Personal Data Collection and Processing) Regulations, GN No. 449C of 2023, came into effect on 4 July 2023. These regulations detail how data controllers and processors must handle personal data, including requirements for privacy notices, consent mechanisms, data retention policies, and security measures.
Complaints Settlement Procedures Regulations 2023
The Personal Data Protection (Complaints Settlement Procedures) Regulations of 2023 establish the process for filing and resolving data protection complaints with the PDPC. They outline how data subjects can bring complaints, the investigation procedures the Commission will follow, and the remedies available.
Cross-Border Transfer Requirements
The regulations establish detailed requirements for transferring personal data outside Tanzania. Under Section 31 of the PDPA, personal data may only be transferred to countries with adequate data protection frameworks.
The regulations outline the permit application process under Regulation 20. Data controllers must demonstrate one of three things: that the recipient country has ratified an international agreement providing data protection requirements, that a bilateral agreement exists between Tanzania and the recipient country, or that a contractual agreement between the applicant and the foreign recipient provides adequate protections.
The Commission and the Minister of Communications hold broad discretion over whether to approve cross-border transfers. Even when the formal conditions are met, approval is not guaranteed. This gives Tanzanian authorities significant control over international data flows.
Data Breach Notification
The PDPA requires data controllers to notify the PDPC of any personal data security breach. A security breach encompasses negligent loss or unauthorized modification, destruction, disclosure, access, or processing of personal data. If a data processor becomes aware of a breach, it must notify the data controller without undue delay.
The PDPA does not specify a fixed notification timeline, in contrast to frameworks such as the GDPR's 72-hour window. Controllers must notify "promptly," but what this means in practice is not yet defined by PDPC guidance as of mid-2026. Organizations are advised to treat 72 hours as a working target until the PDPC issues specific guidance.
Controllers must also maintain breach detection, handling, and response procedures as part of their security obligations under the PDPA.
Recent Developments (2024-2026)
PDPC Launch (April 2024)
The Personal Data Protection Commission was formally launched on 3 April 2024, approximately 11 months after the PDPA came into force. The launch marked the transition from legislation-on-paper to active regulatory oversight, with the PDPC beginning to accept registrations, issue guidance, and build its enforcement capacity.
Constitutional Challenge: Magoti v. Attorney General (May 2024)
On 8 May 2024, the High Court of Tanzania in Dar es Salaam issued a significant ruling on the constitutionality of the PDPA. Human rights advocate Tito Magoti petitioned the court challenging 13 provisions of the Act as incompatible with fundamental rights under the Constitution.
The three-judge panel ruled that most sections were constitutional but identified two provisions as unconstitutionally vague:
- Section 22(3) (on unlawful means for collecting and processing personal data): the court found the provision "wide and vague" with a "lack of clarity" about what acts or omissions constitute unlawful collection.
- Section 23(3)(c)(e) (on exceptions to data subject consent): the court found the provision "ambiguous, unclear and without prescribed procedures."
The court ordered the government to amend both provisions within one year to provide "certainty as to what acts or omissions shall be regarded as unlawful." If amendments are not completed, those provisions are to be struck from the law. The one-year amendment window expired in May 2025; the status of any parliamentary amendments should be verified against official records from parliament.go.tz.
Registration Deadline Extensions and Final Enforcement (2024-2026)
The PDPA's registration requirement went through four enforcement milestones before active penalties began:
- 31 December 2024: initial grace period set by President Samia Suluhu Hassan at the PDPC launch on 3 April 2024. All public and private sector data controllers and processors were directed to register by year-end 2024.
- 30 April 2025: first extension, announced by PDPC Director General Dr Mkilia on 10 January 2025 to allow more time for compliance infrastructure to reach smaller organizations.
- 8 April 2026: final deadline, announced on 8 January 2026 by Minister Angella Jasmine Mbelwa Kairuki at a DPO training ceremony in Arusha. Minister Kairuki stated: "No exemptions will be granted, and enforcement actions will be taken against all offenders."
- 9 April 2026: PDPC Director General Dr Emmanuel Lameck Mkilia confirmed full enforcement began, with compliance audits planned across all targeted sectors.
DPO Training Programs
Since its launch, the PDPC has run a series of Data Protection Officer training programs across Tanzania. These programs reflect the Commission's approach of building a compliance culture before escalating to punitive enforcement; the training preceded the final enforcement deadline of 8 April 2026.
Tanzania in the East African Data Protection Landscape
Tanzania's data protection framework exists within the broader context of rapidly evolving privacy regulation across East Africa.
Regional Comparison
All major East African Community members have now adopted data protection legislation modeled in part on the GDPR. Kenya's Data Protection Act of 2019, Uganda's Data Protection and Privacy Act of 2019, and Tanzania's PDPA of 2022 share common features including independent supervisory authorities, consent-based processing models, and restrictions on cross-border transfers.
Kenya currently leads the region in data protection enforcement maturity, with its Office of the Data Protection Commissioner (ODPC) having been operational since 2020. Uganda's Personal Data Protection Office operates under the National Information Technology Authority. Tanzania's PDPC, while newer, moved quickly to establish registration requirements and began enforcement in 2026.
Harmonization Challenges
Despite the similarities in their legislative frameworks, the three East African nations differ in scope, provisions, and enforcement capacity. A unified approach across the East African Community has not yet emerged, creating compliance challenges for organizations operating across borders in the region.
Regional collaboration is growing. Tanzania has participated in knowledge-sharing initiatives with other African data protection authorities, and there are ongoing discussions about developing common standards within the EAC.
African Union Convention
Tanzania is also influenced by the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention), adopted in 2014. While ratification across the continent has been slow, the convention provides a continental framework that shapes national legislation in AU member states, including Tanzania.
Practical Compliance Guidance
Organizations operating in Tanzania or processing the personal data of Tanzanian residents should address each of the following areas.
Registration
The 8 April 2026 registration deadline has passed. Any organization that has not yet registered with the PDPC is now operating illegally and faces enforcement action. The PDPC has announced active compliance audits across all sectors. Registration requires providing details about your data processing activities, categories of data processed, the identity of your DPO, and security measures in place. Certificates of registration are valid for five years.
Data Protection Officer Appointment
Appoint a DPO under Section 27(3) of the PDPA if you have not already done so. The DPO may be an internal employee or an external professional. Document the appointment, define the DPO's independence, and ensure the DPO has access to the PDPC's training resources. DPOs must submit quarterly compliance reports to the PDPC.
Consent Mechanisms
Review and update consent collection practices. Consent must be specific, informed, and freely given. For sensitive personal data, written consent is mandatory. Note that Section 23(3)(c)(e) (consent exceptions) was found unconstitutionally vague by the High Court in May 2024; consult qualified counsel on relying on those exception categories until the government issues amendments.
Cross-Border Transfers
If you transfer personal data outside Tanzania, confirm that you have obtained the necessary permit from the PDPC under Regulation 20 of the 2023 Regulations. Prepare documentation demonstrating that the recipient country provides adequate data protection or that appropriate contractual safeguards are in place.
Data Security
Implement appropriate technical and organizational measures to protect personal data. The PDPA requires safeguards proportionate to the sensitivity of the data you process, including encryption, secure storage, and access restrictions, and you should be able to show the PDPC on audit which measures apply to which categories of data. DPOs should oversee Data Protection Impact Assessments for high-risk processing activities.
Data Subject Requests
Establish procedures for handling data subject rights requests, including requests for access, rectification, erasure, and data portability. Verify the requester's identity before releasing data, log each request and its outcome, and respond within a reasonable timeframe.
Breach Response
Develop a data breach response plan that includes procedures for notifying the PDPC and affected data subjects. In the absence of a specific PDPC timeline, treat 72 hours from discovery as a working target. Identify the personnel responsible for managing breach responses, and ensure processors are contractually required to report breaches to you without undue delay so that your own notification clock can start.
CCTV Surveillance
If your organization operates CCTV cameras that capture personal data, register those systems with the PDPC under PDPA Sections 14 and 21. Display clear signage. Position cameras only within your own premises. Failure to register CCTV systems carries penalties under both the PDPA and the Cybercrimes Act (Section 16).
Disclaimer: This article provides general legal information about Tanzania's data privacy laws as of May 2026. It is not legal advice. Data protection laws change frequently and enforcement positions evolve. Consult a qualified attorney licensed in Tanzania for guidance on your specific situation.
Frequently Asked Questions
What is Tanzania's main data protection law?
Tanzania's primary data protection legislation is the Personal Data Protection Act (PDPA) No. 11 of 2022, which came into force on 1 May 2023. It establishes comprehensive requirements for the collection, processing, storage, and transfer of personal data. The Act is supplemented by implementing regulations issued in 2023 and enforced by the Personal Data Protection Commission (PDPC), which launched on 3 April 2024 and began active enforcement on 9 April 2026.
Who enforces data protection laws in Tanzania?
The Personal Data Protection Commission (PDPC) is the primary enforcement authority. Launched on 3 April 2024, the PDPC has the power to investigate complaints, conduct audits, issue enforcement notices, impose administrative fines of up to TZS 100 million, and order compensation to affected data subjects. For corporate and institutional non-compliance, penalties range from TZS 1 million to TZS 5 billion. The Tanzania Communications Regulatory Authority (TCRA) retains a separate enforcement role for telecommunications-specific data protection under the Electronic and Postal Communications Act (EPOCA).
What are the penalties for violating data protection laws in Tanzania?
Penalties depend on the type of violation and whether the violator is an individual or institution. Administrative fines reach up to TZS 100 million. For corporate entities and institutions, penalties range from TZS 1 million to TZS 5 billion depending on severity. Criminal penalties for individuals for unlawful disclosure or misuse of personal data can reach TZS 20 million or up to 10 years imprisonment, or both. The PDPC can also order uncapped compensation payments to affected data subjects.
Does the PDPA apply in Zanzibar?
The PDPA applies to Mainland Tanzania and to Tanzania Zanzibar, but in Zanzibar only for Union Matters as defined in the First Schedule to the Constitution of the United Republic of Tanzania. Union Matters include 22 enumerated areas such as banking, telecommunications, civil aviation, customs, and immigration. Data processing activities in Zanzibar that fall outside Union Matters are not governed by the PDPA. Zanzibar does not currently have its own separate data protection legislation, and the PDPC has indicated that further clarifying guidance will be issued.
Must every organization in Tanzania appoint a Data Protection Officer?
Yes. Section 27(3) of the PDPA requires all data controllers and data processors to appoint a Data Protection Officer. There are no organizational size thresholds or exemptions. The DPO may be an internal employee or an external professional. Key DPO responsibilities include monitoring PDPA compliance, managing data subject requests, overseeing Data Protection Impact Assessments, and submitting quarterly compliance reports to the PDPC.
Can personal data be transferred outside Tanzania?
Yes, but only under strict conditions. Section 31 of the PDPA authorizes cross-border transfers only to countries with adequate data protection frameworks. Data controllers must apply for a permit from the PDPC under Regulation 20 of the 2023 Regulations and demonstrate that the recipient country has appropriate international agreements, bilateral arrangements, or contractual safeguards in place. The Commission and the Minister of Communications retain broad discretion over transfer approvals.
What is the breach notification requirement in Tanzania?
Data controllers must 'promptly notify' the PDPC of any personal data security breach. A breach covers negligent loss or unauthorized modification, destruction, disclosure, access, or processing of personal data. If a data processor discovers a breach, it must notify the data controller without undue delay. The PDPA does not specify a fixed number of hours for notification, unlike the GDPR's 72-hour window. Until the PDPC issues specific guidance, organizations are advised to treat 72 hours as a working target.
Were any parts of Tanzania's PDPA found unconstitutional?
Yes. On 8 May 2024, the High Court of Tanzania ruled that Section 22(3) (on unlawful data collection means) and Section 23(3)(c) and (e) (on consent exceptions) were unconstitutionally vague. The court ordered the government to amend both provisions within one year. The status of any parliamentary amendments should be verified against official records. Until amendments are enacted, those provisions remain legally uncertain and organizations should seek qualified legal advice before relying on them.
Do organizations need to register with the PDPC?
Yes. The registration deadline was 8 April 2026. Organizations that have not yet registered are operating illegally and face enforcement action that began on 9 April 2026. Registration requires providing information about data processing activities, categories of personal data handled, the identity of the appointed DPO, and security measures in place. A certificate of registration, once issued, is valid for five years.
Sources and References
- Personal Data Protection Act No. 11 of 2022 (Full Text), pdpc.go.tz
- Personal Data Protection Commission (PDPC) Official Website, pdpc.go.tz
- PDPC Implementing Regulations, pdpc.go.tz
- Personal Data Collection and Processing Regulations 2023 (GN No. 449C), mawasiliano.go.tz
- Constitution of the United Republic of Tanzania, 1977, parliament.go.tz
- PDPC Data Protection Officer Page, pdpc.go.tz
- Tanzania Communications Regulatory Authority (TCRA), tcra.go.tz
- Cybercrimes Act 2015 (Full Text via TanzLII), tanzlii.org
- Clyde & Co, The Role of Data Protection Officers, clydeco.com
- Clyde & Co, Cross-Border Personal Data Transfers in Tanzania, clydeco.com
- Clyde & Co, Key Obligations for Data Controllers and Processors, clydeco.com
- Biometric Update, Court Orders Changes to Tanzania's Data Protection Law, biometricupdate.com
- The Chanzo, PDPC Final Warning Ahead of April Enforcement Deadline, thechanzo.com
- FB Attorneys, Personal Data Protection in Zanzibar, fbattorneys.co.tz
- Future of Privacy Forum, Tanzania's PDPA Overview, fpf.org
- DLA Piper, Data Protection Laws of the World (Tanzania), dlapiperdataprotection.com
- CIPESA, Data Governance Regulation in Tanzania, cipesa.org