Tanzania’s new data rules are real when PDPC turns law into daily practice

Monday 11th August 2025

By inAfrika Reporter

At Julius Nyerere International Convention Centre last year, a quiet but important switch was flipped: the Personal Data Protection Commission (PDPC) and its registration-and-complaints system went live. Since then, Tanzania’s data law has moved from promise to practice—deadlines announced, portals opened, officers trained, and institutions told plainly what “compliance” now means.

The legal anchor is the Personal Data Protection Act, 2022 (Cap. 44). It applies across Mainland and Zanzibar (except non-union matters) and sets out familiar modern principles: collect data for clear purposes, keep it accurate and secure, limit retention, respect data-subject rights, and don’t ship data abroad unless safeguards exist. It also creates the PDPC, with a Board and Director General, to register data controllers and processors, investigate complaints, educate the public, and cooperate with other regulators. In other words: rules with an umpire.

PDPC’s early choices made the law usable. A national portal now handles registration for data controllers and processors, and the Commission has made the expectation unambiguous: if you collect or process personal data in Tanzania, you register. The collection and processing regulations go further, making registration a precondition to processing, setting a five-year validity for the certificate, and requiring updates when particulars change. The same regulations codify “privacy by design/default,” DPO duties, data-subject request procedures, and when to run a data protection impact assessment (DPIA). This is the everyday grammar of compliance—forms, timelines, evidence.

The Commission has paired paperwork with public signals. It has repeatedly called on public and private bodies to register, communicated cut-off dates, and used outreach to explain that the Act supports, not stifles, press freedom and access to information—privacy and openness can live together if everyone minds the rules. In parallel, PDPC has run practical training across the country for data protection officers (DPOs), driving home the basics: keep a Record of Processing Activities (ROPA), plan DPIAs before rolling out new systems, and embed risk management in daily work. When a regulator spends its time in rooms with practitioners, enforcement later feels less like a surprise.

Enforcement isn’t abstract either. The Act gives PDPC a clean sequence—enforcement notice, penalty notice, then administrative fines—with explicit factors for sizing penalties. The headline number matters for boards: the maximum administrative fine is TZS 100 million. There’s also a route to compensation for harmed data subjects. None of this requires a courtroom every time; it does require that organizations can show their homework: who the controller is, what the lawful basis was, how long data was kept, who had access, when the DPIA was done, and what the DPO signed off.

Just as important is what PDPC is building around the rules. The Commission has begun issuing registration certificates to major public bodies—signaling that government will meet the same standard it asks of the private sector—and it keeps adding blocks to an ecosystem: a help desk, a complaints lane, public notices, and regular news about expectations. Recent guidance and news posts keep nudging practice in the right direction: consent must be freely given; DPIAs are not optional where risk is high; and DPOs must treat ROPA as a living log, not a binder. There is also a plan to introduce DPO certification, moving the role from a title to a profession with verified skills. That will raise the floor on competence quickly.

What does a credible next step look like for institutions over the coming year? Three simple moves. First, finish registration (or renew on time) and make sure the scope you declared matches reality; PDPC’s register is a promise, and promises can be checked. Second, institutionalize DPIA—run one before any new product, data lake, HR system, or citizen app goes live, and keep the risk log tied to technical controls. Third, treat cross-border transfers as design decisions, not afterthoughts: map destinations, pick transfer tools that fit the Act, and be ready to show PDPC why a transfer is lawful whether the destination is “adequate” or not. Organizations that do these three will barely notice compliance; they’ll just notice fewer incidents and better trust.

For policymakers and partners, the Commission’s trajectory is encouraging. The launch by the President gave legitimacy; the law and regulations gave tools; the portal, training calendar and public calls gave momentum. The test now is consistency: determinations published, statistics on complaints and outcomes, and a cadence of audits that keeps everyone honest without freezing innovation. If PDPC keeps mixing law, service, and steady supervision, Tanzania’s data-protection regime will feel less like a hurdle and more like a hygiene factor—the way a clinic refrigerator hums in the background so vaccines don’t spoil. That’s how you know an institution has arrived.
