Navigating Data Privacy Compliance in Tanzania: A Guide to Registration Under the Personal Data Protection Act, 2022
Highlight Notes:
● Mandatory Registration: Under Tanzania’s Personal Data Protection Act, 2022, all data controllers and processors must register with the Personal Data Protection Commission (PDPC).
● Strict Enforcement: The PDPC oversees compliance, making it illegal to collect or process personal data without registration.
● Key Deadlines: Businesses must register by October 10, 2024, to avoid penalties, which may include fines and imprisonment.
● Registration Process: The process involves submitting Form No. 1, along with necessary documents and fees, through the PDPC’s Registration and Complaints Management Information System (RCMIS).
● Penalties for Non-Compliance: Failure to comply can result in fines ranging from TZS 100,000 to TZS 5,000,000 or imprisonment for up to five years.
INTRODUCTION
With the operationalization of the Personal Data Protection Commission (PDPC) in Tanzania, the enforcement of the Personal Data Protection Act, 2022, has gained significant momentum. It marks the beginning of a notable shift in data privacy enforcement in Tanzania, with an impact on various industries, including telecommunications, finance, and beyond. Under this legal framework, the registration of data controllers and data processors is mandatory. The PDPC plays a crucial role in ensuring data privacy compliance in Tanzania by monitoring the lawful processing of personal data and protecting individual privacy rights. The Commission’s functions include monitoring compliance with the Act, registering data controllers and processors, handling complaints related to data privacy, educating the public, conducting research, and cooperating with international data protection authorities.
According to Part III of the Personal Data Protection Act, 2022, it is illegal for any person to collect or process personal data without being registered as a data controller or processor. Section 14(1) of the Personal Data Protection Act, 2022, explicitly states, “A person shall not collect or process personal data without being registered as a data controller or a data processor under this Act.” To ensure data privacy compliance in Tanzania, entities that handle personal data must apply for registration with the PDPC. The PDPC is responsible for reviewing these applications and, within a specified period, either granting or rejecting them. If approved, the Commission issues a certificate of registration, which is valid for five years from the date of issuance. Additionally, the PDPC maintains a register of all registered data controllers and processors, which can be inspected by the public upon payment of a prescribed fee. Given the deadline of October 10, 2024, it’s essential for businesses to be proactive. Assessing your data handling practices and registering with the PDPC demonstrates a commitment to responsible data management and helps you avoid potential penalties. This, in turn, fosters trust with customers and stakeholders, which is crucial in today’s privacy-conscious environment.
This article outlines the registration process, detailing the steps to follow and the legal implications for businesses and individuals handling personal data.
WHO IS A DATA CONTROLLER?
The term “data controller” might sound like it only applies to large corporations, but under the Personal Data Protection Act, many businesses and organizations could be acting as data controllers. Here are some activities that would make a person a data controller:
● Collecting customer information during transactions. This could range from names and addresses for online orders to phone numbers collected at a local store or even membership details at a sports club.
● Maintaining a mailing list, i.e. storing customer data for rewards programs or promotional purposes.
● Keeping employee records. Employee information, such as names, contact details, and payroll data, is considered personal data under the Act. This applies to businesses of all sizes, from major companies to small private practices.
● Running a school or religious organization. Information about students or members is classified as personal data under the Act.
THE REGISTRATION PROCESS
To facilitate the registration process and to ensure data privacy compliance in Tanzania, the PDPC has implemented the Registration and Complaints Management Information System (RCMIS). The following steps outline the registration process for data controllers and processors:
1) Preparation of documents:
a) Form No. 1: Form No. 1 can be found on the PDPC website or obtained from the PDPC office. The applicant is required to complete and submit it. This form gathers details about the organization and its data-handling practices.
b) A valid government-issued ID (NIDA), required as proof of identity for a sole proprietor or an individual.
c) A copy of the Certificate of Incorporation, for registered companies.
d) Additional Requests: The PDPC may ask for further documentation depending on your specific situation. It is advisable to check directly with the PDPC for the latest requirements.
2) Submit Your Application and Fees
Once you have gathered your documents, submit Form No. 1 and the necessary attachments to the PDPC. You will also need to pay the registration fee, which varies according to your organization’s category:
Fee Structure:
● Non-Commercial/Religious Institutions: Charitable and religious organizations benefit from a reduced registration fee of TZS 100,000, with a renewal fee of TZS 50,000 every five years.
● Small-Scale Data Controllers/Processors: Organizations with 1-49 employees and annual revenue below TZS 100 million must pay a registration fee of TZS 100,000. The renewal fee, due every five years, is TZS 50,000.
● Medium-Scale Data Controllers/Processors: For organizations with 50-99 employees and annual revenue between TZS 100 million and TZS 500 million, the registration fee is TZS 200,000.
● Large-Scale Data Controllers/Processors: Organizations with 100 or more employees and revenue exceeding TZS 500 million are subject to a registration fee of TZS 1,000,000.
● Public Institutions: Government bodies, regardless of their size, pay a registration fee ranging from TZS 100,000 to TZS 500,000. Renewal fees range between TZS 50,000 and TZS 300,000 every five years, as determined by the PDPC.
3) Application Review (7 Days)
After submitting your application, the PDPC will review your documents within seven days. They may reach out to request additional information if anything is unclear or missing.
4) PDPC’s Decision
Following the review, the PDPC will take one of the following actions:
● Approve: If all requirements are met, the PDPC will register your organization as a data controller or processor and issue a registration certificate (Form No. 2).
● Request Corrections: If there are issues, the PDPC will notify you of the necessary changes and allow you to resubmit your application.
● Reject: In rare instances, the PDPC may reject an application that fails to comply with the Personal Data Protection (Personal Data Collection and Processing) Regulation 2023, providing a written explanation for the decision within 14 days.
5) Maintaining Your Registration (5-Year Validity)
Once your registration is approved, your certificate will be valid for five years from the date it is issued.
CONCLUSION
The introduction of the Personal Data Protection Commission (PDPC) and the enforcement of the Personal Data Protection Act, 2022, mark a pivotal moment for data privacy in Tanzania. For businesses and organizations of all sizes, understanding and complying with the registration requirements is not just a legal obligation but a critical step in safeguarding the personal data they handle. By ensuring data privacy compliance in Tanzania through proper registration as data controllers or processors, businesses can avoid penalties including fines ranging from 100,000 Tsh to 5,000,000 Tsh and/or imprisonment for a term not exceeding 5 years. Additionally, businesses may foster trust with their customers and demonstrate a commitment to responsible data management. As the October 2024 deadline approaches, it is essential for all entities handling personal data to proactively assess their practices and complete the registration process. Compliance with the Act will not only protect organizations legally but also enhance their reputation in an increasingly data-conscious world.
Disclaimer: This article is authored by Husna Fulwala, a legal intern from Rive & Co, a new and innovative law firm resulting from the partnership between ABC Attorneys, Stallion Attorneys and Sepia Attorneys, built on the foundation of trust, credibility, and novelty, offering expert legal solutions. This article is for informational purposes only and should not be construed as legal advice. It is recommended to consult with a qualified legal professional for advice specific to your situation.