Personal Data Protection Commission (PDPC) Privacy Notice
1. Introduction
Welcome to the Personal Data Protection Commission (PDPC) website (“we,” “our,” or “us”). The PDPC is established under the Personal Data Protection Act, Cap. 44 (the Act) to oversee and enforce personal data protection and privacy in Tanzania.
We are committed to protecting your personal data and ensuring that it is handled lawfully, securely, and transparently. This Privacy Notice explains how we collect, use, disclose, store, and protect personal data when you visit and interact with our website: https://www.pdpc.go.tz
2. Data Protection Principles
PDPC processes personal data in accordance with the principles set out in the Act. Accordingly, personal data is:
- Processed lawfully, fairly, and transparently.
- Collected for specified, explicit, and legitimate purposes (purpose limitation).
- Adequate, relevant, and limited to what is necessary (data minimization).
- Accurate and kept up to date where necessary.
- Retained only for as long as necessary (storage limitation).
- Processed in a manner that respects data subject rights.
- Protected through appropriate technical and organisational measures (integrity and confidentiality).
- Subject to restrictions on transborder transfers, in accordance with the Act.
3. Information We Collect
Depending on your interaction with PDPC, we may process the following categories of personal data:
- Identification data: names, national identification numbers, passport numbers.
- Contact data: email address, telephone number, postal address.
- Professional data: employer, institution, job title, qualifications, DPO registration details.
- Complaint-related data: information provided by complainants, respondents, witnesses, and affected individuals.
- Training and event data: registration details, attendance records, certificates.
- Communication data: emails, correspondence, feedback, inquiries.
- Online and technical data: IP address, browser type, device information, cookies, system logs.
- Special categories of personal data: only where lawfully required and with appropriate safeguards (e.g. health or biometric data in complaints or investigations).
- Employment-related data: CVs, academic records, references, application documents.
4. Why We Collect Personal Information
PDPC processes personal data for the following purposes:
- Registering Data Protection Officers.
- Handling complaints, investigations, audits, and enforcement actions.
- Monitoring and enforcing compliance with the Act.
- Managing employment, secondment, and recruitment processes.
- Organising and administering trainings, workshops, and awareness activities.
- Communicating with stakeholders and the public.
- Managing PDPC’s website, online systems, and digital services.
- Ensuring security, preventing fraud, and maintaining system integrity.
- Complying with legal, regulatory, and statutory obligations.
5. How We Collect Personal Data
PDPC collects personal data through:
a) Direct collection
- Online forms on PDPC’s website (e.g. complaints, registration, applications).
- Emails sent to PDPC.
- Training and event registration.
- Employment and secondment applications.
b) Indirect collection
PDPC may receive personal data indirectly in the following situations:
- An organisation responding to a complaint provides your personal data.
- Personal data is included in data breach reports submitted to PDPC.
- A complainant refers to you in complaint correspondence.
- Personal data is included in whistleblowing reports.
- Personal data is seized or obtained during investigations.
- Evidence submitted during audits or suitability assessments.
- Information received through data subject access request–related processes.
5. Legal Basis for Processing
PDPC processes personal data based on one or more of the following legal grounds:
- Legal obligation under the Act.
- Performance of statutory duties carried out in the public interest.
- Consent, where required.
- Performance of a contract (e.g. employment or service arrangements).
- Legitimate interests, where such interests do not override data subject rights.
6. How We Use the Collected Personal Data
We use personal data to:
- Handle complaints and investigations.
- Register data controllers and processors.
- Conduct audits, inspections, and enforcement actions.
- Manage breach notifications and compliance reports.
- Process job applications, secondments, and transfers.
- Communicate with data subjects, organisations, and stakeholders.
- Improve our website and services.
- Fulfil legal, regulatory, and reporting obligations.
7. How We May Share the Personal Data
We may share personal data with:
- Courts, during the investigation of complaints, where required under the Act and its regulations.
- Service providers, acting strictly on our instructions.
Such sharing is carried out only where lawful, necessary, and proportionate.
8. Disclosure of Personal Data
Personal data may be disclosed:
- Where required by law or court order.
- For investigation, enforcement, or audit purposes.
- To protect public interest or national security.
- To comply with statutory or regulatory obligations.
All disclosures are subject to confidentiality and data protection safeguards.
9. Cross-Border Data Transfers
We may transfer personal data outside Tanzania only in accordance with the Act, based on the adequacy decision, legal obligations, and appropriate safeguards. Transfers are limited to lawful and justified purposes.
10. Children’s Privacy
Our website is not intended for children under the age of 18.
We do not knowingly collect personal data from children. If a parent or guardian believes that a child’s personal data has been provided to PDPC, they should contact us immediately.
11. Where Personal Data May Be Held
Personal data may be stored:
- On our secure servers.
- In authorised government data centres.
- On approved secure cloud platforms.
Access is restricted to authorised personnel only.
12. How Long We Keep Your Personal Data (Data Retention)
Personal data is retained:
- Only for as long as necessary to fulfil the purposes outlined in this Privacy Notice.
- In accordance with different laws, regulations, and retention schedules in Tanzania.
Once retention periods expire, data is securely deleted or anonymised.
13. Your Rights as a Data Subject
Under the Act, you have the right to:
- Access your personal data.
- Request correction of inaccurate data.
- Request deletion/erasure.
- Restriction of harmful processing.
- Automated decisions.
- Withdraw consent.
- Prevent direct marketing.
- Lodge a complaint with PDPC.
14. Security of the Collected Personal Data
We implement appropriate technical and organisational measures to protect personal data, including:
- Access controls and authentication mechanisms
- Encryption and secure storage
- Network and system security controls
- Staff confidentiality obligations
For security-related inquiries, contact: helpdesk@pdpc.go.tz.
15. Automated Decision-Making and Profiling
PDPC does not use personal data for automated decision-making or profiling that produces legal or similarly significant effects on individuals.
16. Access to Your Personal Data
You may access or exercise your data protection rights by emailing helpdesk@pdpc.go.tz.
17. Third-Party Links
Our website may contain links to third-party websites. PDPC is not responsible for the privacy practices or content of those external websites. Users are encouraged to review their respective privacy notices.
18. Cookies and Tracking Technologies
PDPC may use cookies to improve website functionality and user experience.
You can manage or disable cookies through your browser settings.
Where applicable, additional details will be provided in our Cookie Policy.
19. How to Complain
If you have concerns about how your personal data is handled, you may submit them to PDPC at helpdesk@pdpc.go.tz.
20. Changes to This Privacy Notice
This Privacy Notice may be updated from time to time. Any changes will be posted on this page with an updated effective date. Users are encouraged to review this notice periodically.
Effective Date: 1st March 2026