Extension of deadline of registration of Personal Data Controllers and Data Processors

On 3 April 2024, The Personal Data Protection  Commission (PDPC) was launched in Tanzania  following the enactment of the Personal Data Protection Act, Cap 44 of 2022. The  Commission was established with the main aim  of enforcing data privacy and compliance in  Tanzania.

The Act defines a Data Controller as a natural person, legal person or public body which alone  or jointly with others determines the purpose  and means of processing of personal data; and  where the purpose and means of processing  are determined by law.

While a Data Processor is defined as a natural person, legal person or public body which  processes personal data for and on behalf of  the controller and under the data controller’s  instruction, except for the persons who,  under the direct authority of the controller, are authorised to process the data, and it includes  his representatives.

Personal Data means data or information about and identifiable person that is recorded in any form, including: 

• personal data relating to the race, national or  ethnic origin, religion, age or marital status of  the individual;
• personal data relating to the education,  medical, criminal or employment history;
• any identifying number, symbol or other  particular assigned to the individual;
• the address, fingerprints or blood type of the individual;
• the name of the individual appearing on  personal data of another person relating to  the individual or where the disclosure of the  name itself would reveal personal data about  the individual; and
• correspondence sent to a data controller by  the subject that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the  contents of the original correspondence and  the views or opinions of any other person  about the data subject.

While sensitive personal data includes:

• genetic data, data related to children, data  related to offences, financial transactions of  the individual, security measure or biometric  data;
• if they are processed for what they reveal,  personal data revealing racial or ethnic  origin, political opinions, religious or  philosophical beliefs, affliation, trade-union  membership, gender and data concerning  health or sex life; and
• any personal data otherwise considered  under the laws of the country as presenting  a major risk to the rights and interests of the  data subject.
   

The Act also defines a data protection offcer as an individual appointed by the data controller  or data processor charged with ensuring  compliance with the obligations provided for in  the Act.