Legal and Compliance Requirements for Cross-Border Personal Data Transfers Under Tanzania’s Personal Data Protection Framework

As the global exchange of information becomes increasingly prevailing, safeguarding personal data during cross-border transfers is essential. The Personal Data Protection Act (No. 11 of 2022) and the Personal Data Protection (Personal Data Collection and Processing) Regulations, GN No. 449C of 2023, provide a detailed legal framework that governs the transfer of personal data outside the United Republic of Tanzania.

​​

Legal Framework Governing Cross-Border Personal Data Transfers

The PDP Act sets strict requirements to ensure that personal data is protected during cross-border transfers. The legal framework distinguishes between transfers to countries / states with adequate personal data protection and those without such adequate protection – we have further expounded on this below.

Transfers to Countries with Adequate Personal Data Protection

Section 31 of the PDP Act authorises the transfer of personal data to countries that have established a legal framework providing adequate personal data protection. This determination is based on several factors, including the legal environment in the recipient country and the necessity of the data transfer. The recipient must demonstrate that the transfer is necessary for tasks carried out in the public interest or pursuant to the lawful functions of a data controller and that the transfer will not compromise the legitimate interests of the data subject. Despite the PDP Act authorising transfer of personal data to such countries, the transfer will be subject to obtaining a permit from the Personal Data Protection Commission (the Commission) as further expounded below. 

Transfers to Countries Without Adequate Personal Data Protection

Section 32 of the PDP Act imposes additional requirements for personal data transfers to countries / states that do not provide adequate data protection. This is aimed at ensuring that the data subject’s rights and freedom are protected regardless of the country to which data is transferred. The conditions under which such transfers may be permitted include:

• Adequate protection in the recipient country: The recipient country must provide an adequate level of protection. Adequacy is assessed by considering factors such as the nature of the personal data (e.g., sensitive data), the purpose, and duration of processing, the recipient country, relevant laws in force in the recipient country that govern personal data protection, and the professional rules and security measures adhered to within the recipient country. 
• Specific grounds for transfer: Even in cases where the recipient country does not meet adequate protection standards, personal data transfers may still occur under particular circumstances as provided under section 32(4) of the PDP Act. These include instances where:
  
  
  
  

1. the data subject has consented to the proposed transfer;
2. the transfer is necessary for the performance of a contract between the data subject and the data controller, or the implementation of pre-contractual measures taken in response to the data subject’s request;
3. the transfer is necessary for reasons of public interest, institution, trial, or defence of legal claims;
4. the transfer is necessary to protect the legitimate interests of the data subject; and
5. the transfer is made in accordance with the law and is intended to provide information to the public and is open for consultation by the public in general or any person who can demonstrate a legitimate interest.

Application Process for Cross-Border Personal Data Transfers

The PDP Regulations outline the procedural requirements for obtaining permission to transfer personal data outside Tanzania. In particular, regulation 20 of the PDP Regulations details the application process that data controllers and data processors must follow to secure a permit from the Commission to transfer personal data outside Tanzania.

An application to the Commission for a permit to transfer personal data must be in a prescribed form and must include the following information:

• particulars of the applicant;
• particulars of the recipient;
• particulars of the data subject;
• the type of personal data to be transferred;
• the purpose and necessity of transferring personal data;
• details of the security of personal data in the recipient country;
• consent of the data subject;
• date and time of sending personal data; and
• any other information as may be required by the Commission.

An applicant must also submit evidence demonstrating that:

• the recipient country has ratified an international agreement providing requirements for personal data protection;
• a bilateral agreement exists between the URT and the recipient country regarding personal data protection; or
• there is a contractual agreement between the applicant and the recipient who is outside Tanzania.

Conditions and Restrictions on Personal Data Transfers

Even where a permit to transfer personal data is granted, the transfer of personal data is subject to several strict conditions, including:

• personal data must only be transferred to the recipient specified in the permit;
• personal data must be used exclusively for the purposes outlined in the application i.e. the intended purpose;
• personal data cannot be further transferred to another recipient without the Commission’s approval; and
• the processing of transferred personal data must not violate the laws of the URT.

Conclusion

Cross-border transfer of personal data is a complex and highly regulated process under the Tanzanian personal data protection laws. The PDP Act and PDP Regulations provide a robust framework designed to protect personal data, including in instances when it is transferred outside Tanzania. By understanding and adhering to these legal requirements, businesses or entities can ensure that personal data transfers are secure, lawful, and fully compliant with Tanzanian data protection standards.

--

Read the original publication at Clyde & Co.