Legal UpdateThe Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023

INTRODUCTION

The Advancement of science and technology has made the environment susceptible to data breaches, leading to numerous complaints about violations of data privacy. As a response to this situation, the Parliament of Tanzania enacted the Data Protection Act of 2023. Among others, the Act empowers the Minister to make regulations under Section 54 of the Data Protection Act, 2022. Thus, on 04^th July 2023 the Minister for Communication and Information Technology issued the Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023 (Government Notice No. 449C of 2023) that came into force on 04^th July 2023. These regulations provide the procedures for the registration of data collectors and data producers, procedures for enforcing data rights, procedures for the transfer of personal data outside the country, and the principles of data processing. These regulations can be cited as.

KEY TERMS

The following are the key terms that have been defined in the Regulations.

• Data Processor means a natural person, legal person or public body which processes personal data for and on behalf of the controller and under the data controller’s instruction, except for the persons who, under the direct authority of the controller, are authorised to process the data and it includes his representative.
• Data Controller means a natural person, legal person, or public body which alone or jointly with others determines the purpose and means of processing personal data; and where the purpose and means of processing are determined by law, “data controller” is the natural person, legal person or public body designated as such by that law and it includes his representative.
• Data Subject means the subject of Personal Data which are processed under this Act.
• Register means the register established by the Commission under section 15 of the Act.
• Commission means the Personal Data Protection Commission established under section 6.

REGISTRATION OF DATA COLLECTORS AND DATA PRODUCERS

Section 14 of the Act provides that any individual is prohibited from collecting or processing data without first registering. In that regard, the regulations set out how the registration for Data Collectors and Data Processors shall be conducted.

According to Regulation 4, those wishing to become registered data collectors or data processors must apply to the Personal Data Protection Commission. Alongside the application, they must provide identity documents, such as a National Identity card, certificate of incorporation, or any other documents as required by the commissioner. Upon verification of documents, the commission may accept the application.

Furthermore, Regulation 7 provides that the registration granted will remain valid for a period of 5 years. Nonetheless, the commission retains the authority to cancel any registration as permitted under Regulation 12 of the regulations. Thus, the registration granted to the data collector or data processor is not absolute.

RENEWAL OF REGISTRATION CERTIFICATE

The Regulations allow the Data Controller or Data Processor to renew the registration certificate by submitting an application for renewal to the Commission within a period of three months before the date of expiry of the registration period.

REGISTER

Further, Regulations 9(1) provide that the Commission shall keep and maintain a register of registered Data Controllers and Data Processors.

PROCEDURE FOR ENFORCING DATA RIGHTS

Part V of the Act delineates various rights accorded to data subjects, this includes the right to access to personal data, prohibition of personal data processing for direct marketing, rights in relation to automated decision-making, and entitlements to compensation, rectification, blocking, erasure, and destruction of personal data.

Equally, Regulation 15 enables a data subject to petition the Data Controller or Processor for the suspension or non-initiation of personal data collection or processing, especially if such processing is anticipated to cause harm.

Moreover, Regulation 15(4) empowers the Data Processor and Controller, upon receipt of such a request, to temporarily eliminate personal data from the system, restrict third-party access to it, and temporarily remove the data subject’s prevented personal data from the associated website.

CANCELLATION OF REGISTRATION

Further, the Regulations provide that, the Commission may cancel the registration after satisfying itself that the data processor or data controller has given false or misleading information in relation to the provisions of registration, has violated the terms and conditions of registration provided under the Act, has repeated the Commission of the offense; or has refused to pay the fine imposed in accordance with the Act or these Regulations.

The Commission shall, before canceling the registration in accordance with Regulation 12, issue a written notice within fourteen days to the Data Controller or Data Processor whose registration is canceled instructing him to give reasons why the registration should not be canceled.

APPEAL

Regulations provide that, a data controller or data processor who is aggrieved by the decision of the Commission upon Cancelation for Registration may submit an appeal in writing to the Minister within 7 days from the date of the decision of the Commission. The decision of the Minister shall be final.

PREVENTION OF COLLECTION OR PROCESSING OF PERSONAL DATA

The Data Subject may apply to the data controller or data processor to suspend or not to begin the collection or processing of any Personal Data concerning him if the collection or processing is likely to cause substantial damage to him or to another person.

RECTIFICATION OF PERSONAL DATA

Data subject may apply to the Data Controller or Data Processor to rectify the personal data which are not correct, changed, outdated, incomplete, or misleading.

PROCEDURE FOR ENSURE OR DESTRUCTION OF PERSONAL DATA

Regulation 17 (1) provides that, the Data Subject may apply to the Data Controller or Data Processor to erase or destroy the personal data held by the Data Controller or Data Processor where such personal data are no longer required for the intended purpose, the data subject has withdrawn the consent that gives the data controller or Data Processor the right to retain the personal data, the data subject is no longer interested to continue with the processing, the processing of Personal Data is for commercial purposes and the data subject is unwilling for his Personal Data to be used commercially, the processing of personal data has violated the law, erasure or destruction of personal data is necessary according to law.

PROCEDURE TO TRANSFER PERSONAL DATA OUTSIDE TANZANIA

The general rule is Personal Data shall not be transferred to another country. However, section 31 of the Data Protection Act, 2022 provides circumstances in which the transfer of data may be allowed. The Regulations also provides that a data controller or data processor who intends to transfer personal data outside Tanzania shall submit an application for permit to the Commission.

REASONS TO REJECT TRANSFER PERSONAL DATA OUT OF THE COUNTRY

Under Regulation 21, The Commission may reject applications for permits to transfer personal data outside Tanzania for various reasons such as, the transfer of personal data endangers national security, the Commission has satisfied that there is no adequate protection of personal data in the country of recipient, the transfer of personal data is restricted by other written laws, application for permit to the transfer of Personal Data does not meet the requirements prescribed by the law, other reasonable grounds which the Commission may deem necessary for the public interest.

CONDITION FOR PERMISSION

The permit issued by the Commission shall be subject to various conditions such as, the Personal Data shall be transferred to the recipient authorised in the permit, personal data transferred shall be processed for the intended purpose only, personal data shall not be disclosed or transferred to another recipient without the approval of the Commission, and the processing of personal data transferred outside the country shall not violate the laws of the country.

PROTECTION OF PERSONAL DATA BY DESIGN OR BY DEFAULT

The Regulations provide that, the data controller or data processor in the processing of personal data, shall establish the personal data protection mechanism or design technical measures to safeguard and implement the principles of protection of personal data.

DATA PROTECTION IMPACT ASSESSMENT

Regulation 33(1) provides that, where the data controller or data processor determines that the processing of personal data is likely to affect the rights and freedom of the data subject, he shall, before carrying out such processing, conduct an impact assessment on the processing of the relevant personal data.

Moreover, under Regulation 34(1), if the outcome of the assessment reveals that an impact has indeed occurred, the Data Processor or Data Controller are required to seek guidance from the commission by submitting the assessment report alongside with request for instructions.

PRINCIPLES OF DATA PROTECTION

Part V of the Regulations provides for the principles of Data Processors and Data Controllers that must be adhered to. These include:

1. The Principle of Rights of the Data Subject. The Data Controller or Data Processor must ensure the rights of the Data Subject are always maintained and respected. According to Regulation 31 the Data Processor and Data Controller while processing data must ensure the Data Subject has an autonomous right to control his personal data, allowing the Data Subjects to communicate Data Controller or Data Processor must also eliminate any discrimination against Data Subject.
2. Principle of Storage Limitation of Personal Data. According to Regulation 30, in implementing data processing or data controlling must consider several factors, including having clear internal procedures for deletion and destruction of personal data, internal retention statements for implementation and ensuring there is a possibility to recover the deleted personal data.
3. Principle of the Accuracy of Personal Data.  As provided under Regulation 29, the Data Controller and Data Processor must ensure the sources of the personal data are reliable. Also, the available data are accurate, giving the avenue for rectifying and erasing the uncorrected data, and the original purpose of its collection.
4. Principle of Security of Personal Data. As prescribed under Regulation 27, the data processor and the data controller must adopt measures to ensure the data are well-secured and protected. The measures include having policies and procedures for information security, assessing risks against the security of personal data, securing the storage against unauthorized users, and ensuring the transfer is secured from unnecessary interception.
5. Principle of a Specific Purpose. As provided under Regulation 26, It is pertinent for the data controller or data processor to specify the purpose for each processing of data. Also, the purpose must be legitimate, and if there is a new purpose it must be compatible with the original purpose.
6. The Principle of Lawfulness, as outlined in Regulation 25, mandates that both the Data Controller and Data Processor handle Personal Data in strictness in accordance with the provisions stipulated in the Data Protection Act. This requires, that data is processed solely for its intended purpose. This principle further empowers the Data Subject by granting them the right to control their own data, with processing requiring explicit consent, and full comprehension of the consent ensuring that Personal Data is consistently updated to align with the law.