The Personal Data Protection Commission (PDPC) has issued a final warning to all public and private institutions handling personal data to complete their registration by April 8, 2026, noting that enforcement will begin immediately after, including legal action and penalties. Speaking on March 26, 2026, Director General Emmanuel Lameck Mkilia emphasized that the government has provided sufficient preparation time since 2024, when the registration window was officially opened following the launch of the Commission by President Samia Suluhu Hassan, and stressed that institutions must now comply with the established data protection requirements.
Any institution that collects or processes personal data must now be officially registered. Failure to comply with registration requirements in the PDPC system will result in legal accountability.
He noted that, according to the Personal Data Protection Law, the penalty for an individual is a fine of up to 20 million shillings or imprisonment of up to 10 years. For institutions and companies, the penalty ranges from a fine of 1 million shillings up to 5 billion shillings, depending on the nature of the violation.
The Personal Data Protection Commission in the country was officially established on May 1, 2023, following the enactment of the Personal Data Protection Act No. 11, 2022. A law passed to regulate how personal data is collected, used, stored, and shared. This marked a major step for Tanzania, placing it among countries that formally recognize data privacy as a legal right.
The government established the PDPC to ensure that personal data is protected and that institutions are held responsible for how they use it. The law applies broadly. Any organization, public or private, that collects or processes personal data falls under the authority of the PDPC. This includes companies, government institutions, NGOs, hospitals, schools, and digital platforms.
This move also aligns Tanzania with global standards, as many countries require strict data protection frameworks to support digital trade and international partnerships.
At its core, the Commission operates on clear principles. Personal data must be collected for legitimate purposes, limited to what is necessary, kept accurate, stored only as long as needed, and protected against misuse. These principles guide how institutions manage information.
The PDPC applies strong security measures, including restricted access, encryption, and secure storage systems. Personal data may only be shared or disclosed when legally required, such as during court proceedings or official investigations, and even then, strict safeguards apply. Any transfer of data outside Tanzania is tightly controlled under the law.
The law also gives individuals clear rights over their data. People can access their information, request corrections or deletion, withdraw consent, and file complaints if they believe their data is being misused. These rights are central to building trust between institutions and the public.
In general, the PDPC ensures that as Tanzania’s digital landscape grows, personal data remains protected, controlled and respected, making privacy a guaranteed right.
