Tanzania PDPA 2022

The Personal Data Protection Act No. 11 of 2022

Key Facts

Effective Date: May 1, 2023
Enacted: November 27, 2022
Enforcing Authority: Personal Data Protection Commission
Consent Model: Opt-in
Applies To: All data controllers and processors operating within Tanzania

Overview

Tanzania's Personal Data Protection Act (PDPA) 2022 is the country's first comprehensive data protection legislation. Effective May 1, 2023, it established the Personal Data Protection Commission as the supervisory body. The law is notable for requiring mandatory DPO appointment for all controllers and processors, which is broader than most jurisdictions globally. Criminal penalties of up to 10 years imprisonment and administrative fines up to TZS 100 million apply for violations.

What This Means for Your Website

If your website collects personal data from Tanzanian users, you must process data lawfully with consent, appoint a Data Protection Officer, and conduct Data Protection Impact Assessments for high-risk processing. You need to ensure data is collected only for explicit, specified, and legitimate purposes, and you must have breach notification procedures in place.

Key Requirements

The PDPA requires all data controllers and processors to appoint a DPO. Personal data must be processed lawfully, fairly, and transparently. Data collection is limited to explicit, specified, and legitimate purposes. Breach notification to the Commission is mandatory. Data subjects have rights of access, correction, and deletion. DPIAs are required for high-risk processing activities.

How ConsentStack Handles This

ConsentStack provides a consent management platform that helps meet Tanzania's PDPA requirements. It delivers a compliant consent banner for lawful data collection, records all consent decisions with timestamps for audit purposes, and supports data subject rights workflows for access, correction, and deletion requests. ConsentStack's detailed logs help demonstrate compliance to the Personal Data Protection Commission.

Penalties

Administrative: up to TZS 100,000,000. Criminal: TZS 100,000-20,000,000 or up to 10 years imprisonment or both. Unlawful destruction/alteration: up to TZS 10,000,000 or 5 years imprisonment.

Maximum Fine: TZS 100,000,000 per violation

Key Requirements

  • Personal data must be processed lawfully, fairly, and transparently
  • Data collected for explicit, specified, and legitimate purposes only
  • Mandatory DPO appointment for all controllers and processors
  • Data breach notification requirements
  • Data subjects have rights of access, correction, and deletion
  • Data Protection Impact Assessments for high-risk processing

Notable Provisions

  • Mandatory DPO appointment for ALL controllers and processors — broader than most jurisdictions
  • Criminal penalties up to 10 years imprisonment
  • Implementing regulations published shortly after the Act came into force

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Uganda DPPA 2019 (Republic of Uganda)
Uganda's Data Protection and Privacy Act 2019 establishes the PDPO as an independent office under NITA-U. It prohibits processing personal data without prior consent and mandates accountability, lawful collection, data minimization, and purpose limitation. Criminal penalties of up to 10 years imprisonment make it one of the strictest enforcement regimes in East Africa.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Does Tanzania's PDPA require a Data Protection Officer?

Yes, the PDPA mandates DPO appointment for ALL data controllers and processors, which is broader than most data protection laws globally.

What are the penalties under Tanzania's PDPA?

Administrative fines of up to TZS 100 million, criminal penalties ranging from TZS 100,000 to TZS 20 million, and imprisonment of up to 10 years.

When did Tanzania's PDPA take effect?

The Act was enacted on November 27, 2022 and became effective on May 1, 2023, with implementing regulations effective July 4, 2023.

Does Tanzania's PDPA apply to foreign companies?

The PDPA applies to all data controllers and processors operating within Tanzania, including foreign entities processing personal data in the country.
