Data protection & privacy laws in Tanzania (2026)

The National Assembly passed the PDPA on 27 November 2022; it entered into force on 1 May 2023 (Government Notice No. 395B of 13 June 2023). The Act applies to all public and private bodies that collect or process personal data in Tanzania.

The Personal Data Protection Commission (PDPC) is the statutory supervisory body established under Part 2 of the PDPA. It was formally inaugurated on 3 April 2024 and holds powers to register data controllers/processors, conduct audits, investigate complaints, issue enforcement notices, and impose fines.

The Minister issued the Personal Data Protection (Collection and Processing) Regulations (GN No. 449C of 2023) and the Complaints Settlement Procedures Regulations (GN No. 449B of 2023) in 2023, detailing registration procedures, data-subject rights mechanisms, and inter-agency complaint handling.

All data controllers and processors must register with the PDPC before collecting or processing personal data; certificates are valid for five years. Registration fees are tiered by organisation size (TZS 100,000–1,000,000). The PDPC extended the grace-period deadline to 30 April 2025 via a January 2025 press release, and in April 2026 the Minister issued a final three-month ultimatum for remaining non-compliant entities.

The PDPA grants data subjects rights of access, correction, deletion, and objection. Data controllers must observe purpose limitation, data minimisation, and lawful-basis requirements (including consent). Certain controllers/processors must appoint a Data Protection Officer (DPO).

Individuals in breach face fines of TZS 100,000–20,000,000 or up to 10 years' imprisonment. Corporate entities face fines of TZS 1,000,000–5,000,000,000 (approx. USD 400–2,000,000). Failure to register alone attracts a fine of up to TZS 5,000,000.