INTRODUCTION
Following, the enactment of the Personal Data Protection Act 2022 (Act No. 11 of 2022) which is the principal Act for the protection of the right to privacy and personal security, the Minister for Information Communication and Information Technology passed two Regulations namely the Personal Data Protection (Complaints Settlement and Procedures) Regulations, 2023, (Government Notice No. 449B of 2023) which deals with the procedures for settling complaints arising from the violation of personal data, and the Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023, (Government Notice No. of 2023) which deals with data collection and processing. This publication, therefore, reviews and provides an overview of the Personal Data Protection (Complaints Settlement and Procedures) Regulations, 2023 that came into force on 04th July 2023.
APPLICATION OF THE PERSONAL DATA PROTECTION (COMPLAINTS SETTLEMENT PROCEDURES) REGULATIONS
According to Regulation 2, the Personal Data Protection (Complaints Settlement Procedures) Regulations shall apply to Mainland Tanzania as well as Tanzania Zanzibar save that in Tanzania Zanzibar these Regulations shall not apply to non-union matters.
KEY TERMS
The following are the key terms that have been defined in the Regulations.
- Board means the Board of Directors of the Commission established under the provisions of the Act.
- Committee means the Committee to hear the complaint appointed under regulation 17(2).
- Code of ethics for the protection of personal data means the code of ethics prepared by the data controller or data processor and approved by the Commission specifying, among other things, the ethics and conducts that should be observed during the collection or processing of personal data.
- Data Controller means a natural person, legal person, or public body which alone or jointly with others determines the purpose and means of processing of personal data; and where the purpose and means of processing are determined by law, “data controller” is the natural person, legal person or public body designated as such by that law and it includes his representative.
- Complainant means a person who has filed a complaint to the Commission pursuant to these Regulations.
- Respondent means the data controller or data processor or any person against whom a complaint is filed.
- Third-party means a person who is not part of the complaint, but the respondent has a complaint against him.
- Mediator means an officer of the Commission who is assigned to mediate the parties to the complaint under regulation 14.
- Authorised representative means a person duly authorised in accordance with the Act, to represent the complainant or the respondent in a complaint under these Regulations.
- Penalty notice means a notice issued by the Commission requiring a defaulting person to take steps to rectify the deficiencies within seven days after receiving the notice.
- Enforcement notice means a notice issued by the Commission after the expiry of the Penalty Notice that forms part of the Award issued by the Commission in the relevant complaint.
- Award means the decision of the Commission in the underlying complaint and includes any previous decision.
FILING OF COMPLAINT
Regulation 4(1) of the Personal Data Protection (Complaints Settlement and Procedures) Regulations, 2023 provides that any person who considers there is a violation of personal data protection principles or is dissatisfied with the decision of the Data Controller or Data Processor regarding personal data may submit a complaint to the Commission.
SERVICE OF SUMMONS TO PRESENT DEFENCE
Regulation 6(1) requires the Commission to serve a summons to the Respondent for a period not exceeding 7 days after evaluating and being satisfied that the complaint submitted has met the requirements of the Act and these Regulations.
PRESENTATION OF DEFENCE TO COMPLAINT
The Regulations provide further that the Respondent shall, within a period not exceeding 21 days after receiving the summons, present a defence to the Commission under Regulation 7 (1).
REPLY TO DEFENCE
Further, the Regulations provide that the complainant may prepare and submit to the Commission a reply thereto within the time provided, after receipt of the defense from the respondent as provided under Regulation 7.
THIRD-PARTY PROCEDURE
The Regulation empowers the Respondent to file a claim in writing against another person who is not a party to the complaint. In this scenario, the Respondent may apply to the Commission to present a third-party notice (Regulation 9).
AMENDMENTS TO COMPLAINT, DEFENCE OR REPLY
The Complainant or Respondent may, upon providing sufficient cause in writing, be allowed to amend a complaint, defence, or reply to the defence and the other party shall be afforded an opportunity to make a response thereto within a reasonable time prior to the hearing of the Complain as it provided under the Regulations 12(1).
NOTICE OF INVESTIGATION OF COMPLAINT
The Commission shall, before commencing the investigation of the complaint under these Regulations, give the Respondent notice of investigation specifying the intention to conduct the investigation on the matter complained of.
MEDIATION
The Commission shall, as part of the investigation, attempt to resolve the complaint in an amicable manner within 30 days from the date of filing the complaint.
During mediation, the Commission shall appoint one of its officers to act as a mediator between the parties to the complaint.
The Mediator shall strive to mediate the parties and in doing so, he may call for mediation meetings at a place and time as may be agreed upon by the parties.
A settlement reached by the parties from the mediation meeting must be reduced in writing and signed by the parties and a copy submitted by the Mediator to the Commission.
Once the settlement is reached and adopted by the Commission, it shall be deemed the Award of the Commission. (Regulation 14)
ISSUANCE OF AWARD
Further, the Regulations provide that, The Commission shall, after adopting the settlement as its award, prepare and issue the award to the parties within twenty-one days from the date of receipt of the settlement.
FAILURE OF MEDIATION
Where, at any stage within 30 days period, it becomes clear that the parties cannot reach an amicable settlement, the Mediator shall refer the complaint to the Commission for hearing.
COMPLAINT HEARING PROCEDURE
Regulations 17 provides for the procedures for hearing complaints shall be quasi-judicial in nature whereby a Complaints Hearing Committee shall be appointed that shall be composed of three persons among people with expertise and experience in the field of law, personal data protection and ICT within the Commission. The Commission may invite any person with expertise related to the complaint to be heard.
Importantly, the Regulations allow a party to appear either in person or represented by an advocate or its principal officer or an authorized representative.
FAILURE TO APPEAR
Where neither party appears when the complaint is called for hearing, the Commission may make an order that the complaint be dismissed. Equally, if the Respondent does not appear, the Commission may proceed to hear the Complainant (Regulation 18).
AWARD
According to Regulation 21 upon receipt of the recommendations of the Committee, the Commission shall consider the recommendations and issue a written award in the relevant complaint.
ENFORCEMENT NOTICE
Regulation 22 provides that where the Commission is satisfied that a person has failed to comply with any of the provisions of the Act or these Regulations, the Commission may issue an enforcement notice to that person, to be attached to the award, requiring him to take steps to rectify the deficiencies within 7 days after receiving the notice. Among others the Commission may issue the following directions:
- rectify or change personal data;
- prevent or suspend collection or processing;
- erase or remove the personal data from the system;
- destroy personal data; or
- any other direction as the Commission may deem appropriate.
PENALTY NOTICE
Whereupon expiry of the enforcement period i.e. 7 days and the person fails to comply with the directions given, the Commission may issue a Penalty Notice.
ENFORCEMENT OF AWARD
According to Regulation 24 the award of the Commission shall be enforceable as the order of the High Court. However, the Award must be registered to the High Court as if the same has been issued under the Arbitration Act.
APPLICATION FOR REVIEW
According to Regulations 25 any party to the complaint who is not satisfied with the award of the Commission may, within 21 days, apply for review of the Award to the Commission of which the Commission shall review the award within 14 days.
APPEAL
Any party aggrieved by the decision of the Commission may, within a period of 21 days from the date of delivery of the Award, appeal to the High Court of Tanzania.
ISSUANCE OF COMPLIANCE ORDER
At any stage during the hearing of the complaint and where the Commission is satisfied that a person has breached or is likely to breach the provisions of the Act, the Commission may issue a compliance order as it may deem appropriate as provided under Regulations 28.
GENERAL PENALTY
Any person who contravenes these Regulations for which no specific penalty is prescribed, shall, on conviction, be liable to penalty as provided under the Act. It is pertinent to note that S. 61, 62, and 63 of the Personal Data Protection Act, 2022 imposes penalties between TZS 100,000 to TZS 5 billion or imprisonment of up to 5 years including an order for forfeiture of the devices containing the personal data connected with the commission of an offense.