
10 Mar 2024

Data Protection Act, 2020, Malawi (16 December 2021)


MEMORANDUM

As the Malawi economy becomes increasingly reliant on digital technologies, there is a need to protect personal data of individuals collected, generated, stored and utilized by public and private sector institutions including in the provision of healthcare, health and other types of insurance, education, banking and financial services, hospitality services, civil registration, voting, immigration, national ID and delivery of social programmes.

Such personal data can be stolen, lost, disclosed, misused and abused by those who collect, generate, store and utilize it, resulting in identity theft, unwarranted or embarrassing disclosures, loss of information and unwarranted marketing and solicitation.

In recognition of the dangers posed to individuals by the unregulated or uncontrolled collection and use of personal data and the critical role that the integrity of data, including personal data, plays in the modernization of the Malawi economy, this Bill seeks to provide a comprehensive legislative framework for the protection and security of personal data, consolidate data protection provisions currently found in various Acts of Parliament, and protect the digital privacy of individuals without hampering social and economic development in Malawi.

The Bill is divided into ten parts.

Part I contains preliminary provisions, namely, the short title of the Bill, the definitions of various terms or expressions used in the Bill and the objectives of the Bill. The overall objective of this Bill is to regulate matters relating to personal data.

Part I also provides for the scope of the application of the Bill. The Bill applies where the data controller or data processor, as defined in the Bill, is domiciled, ordinarily resident, or ordinarily operating in Malawi, is processing personal data within Malawi, or, subject to some limitations, is processing personal data of a data subject who is in Malawi. The Bill does not apply to the collection or processing of personal data for personal, recreational or household purposes, or for security, law enforcement or public health purposes.

In Part II, the Bill designates the Malawi Communications Regulatory Authority as the Authority to regulate and monitor personal data protection and digital privacy in Malawi and oversee the implementation of and be responsible for the enforcement of the Bill. A Data Protection Office is established within the Authority responsible for the activities relating to data protection under the Bill. Part II also describes various administrative processes relating to the Authority’s data protection duties, functions and powers.

Part III provides for the principles governing the processing of personal data. It requires a data controller or data processor to process data fairly and in a transparent manner and only where (a) the data subject has given and not withdrawn his consent, and (b) the data are required for legitimate purposes outlined in the Bill. The Bill further limits the processing of sensitive personal data. All processing of personal data must adhere to internationally recognized data protection principles set out in Part III.

Part III also requires a data controller or data processor to obtain the consent of a parent or legal guardian where the processing of personal data relates to a person below eighteen years of age. Further, Part III requires a data controller and data processor to carry out a data protection impact assessment where processing is likely to result in high risk to the rights and freedoms of a data subject and to notify the Malawi Communications Regulatory Authority of the results.

Part IV grants a data subject individual rights with respect to personal data, including the right to freely (a) obtain from a data controller or data processor copies of his personal data in a commonly used electronic format and demand correction of any inaccurate information or deletion of inaccurate, incomplete or misleading information, and (b) object, or withdraw his consent previously given, to the processing of his personal data.

Part V deals with data security. It compels a data controller or data processor to implement appropriate technical and organizational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protection against accidental or unlawful destruction, loss, misuse or alteration and unauthorized disclosure or access.

The Bill sets out obligations of the data controller to report any personal data breaches to the Malawi Communications Regulatory Authority and, where the breach is likely to affect rights and freedoms of individuals, to the data subject.

Part VI restricts a data controller or data processor from transferring personal data from Malawi to another country except in the circumstances outlined therein.

Part VII provides for the registration of data controllers or data processors of major importance as defined in section 2 of the Bill. The Authority shall maintain a register published on its website of duly registered data controllers or data processors of major importance and prescribe annual fees to be paid by them.

Part VIII deals with provisions for the enforcement of compliance by data controllers and data processors with the requirements of this Bill. It empowers a data subject who is aggrieved by the decision, action or inaction of a data controller or data processor in violation of this Bill and/or regulations, rules or other subsidiary legislation or orders to lodge a complaint with the Authority.

Part VIII also obliges the Authority to initiate an investigation on its own accord or upon reference by the data subject in accordance with rules and procedures published in the Gazette, and to make appropriate compliance and enforcement orders against the violating data controller or data processor. A data controller or data processor who fails to comply with a compliance or enforcement order is liable to a fine of K5,000,000 and imprisonment for two years.

Part IX deals with miscellaneous matters. It provides for exceptions to the application of the obligations and rights under Parts III, IV, V, VI, VII and VIII when a data controller or data processor is processing personal data for the purposes of the prevention, detection or prosecution of criminal offences; promotion of public health or control of epidemics; national security; or where the processing is carried out in connection with a licensed credit reference bureau under the Credit Reference Bureau Act, Cap. 46:09. Part IX also empowers the Minister responsible for personal data protection and security to make, on the recommendation of the Malawi Communications Regulatory Authority, regulations for the better carrying out of the Bill.

Parliament is informed that in order to implement the mechanics of this Bill and make this Bill the umbrella law on the protection and security of personal data in Malawi, it is necessary to amend or repeal, as the case may be, provisions related to personal data protection in two existing Acts of Parliament, namely, the Access to Information Act, 2017 and the Electronic Transactions and Cyber Security Act, Cap. 74:02. The amendments or repeals will be effected in two separate amending Bills and presented to Parliament simultaneously with this Bill. The proposed amendments and repeals will eliminate inconsistencies between this Bill and the said two Acts of Parliament.

THE DATA PROTECTION BILL, 2021

A BILL

entitled

An Act to make provision for protection of personal data, for regulation of the processing of personal data, and for matters connected therewith or incidental thereto.

ENACTED by the Parliament of Malawi as follows:

PART I—PRELIMINARY PROVISIONS

Short title and commencement

1. This Act may be cited as the Data Protection Act, 2020, and shall come into operation on such date as the Minister may appoint, by notice published in the Gazette.

Interpretation

2. In this Act, unless the context otherwise requires:

“Authority” means the Malawi Communications Regulatory Authority established under section 4 of the Communications Act;

“binding corporate rules” means personal data protection policies and procedures adhered to by the members of a group of firms under common control with respect to the transfer of personal data among such members and containing provisions for the protection of such personal data;

“biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allow or confirm the unique identification of that individual, including without limitation by physical measurements, facial images, blood typing, fingerprinting, retinal scanning, voice recognition and deoxyribonucleic acid (DNA) analysis;

“certification mechanism” means certification by an official or professional third-party entity that evaluates the personal data protection policies and procedures of data controllers and data processors according to recognised standards;

“child” means an individual below eighteen years of age;

“consent” means any freely given, specific, informed, and unambiguous indication, whether by a written or oral statement or an affirmative action, of an individual’s agreement to the processing of personal data relating to him or to another individual on whose behalf he has the authority to provide such consent;

“data controller” means an individual, private entity, public authority or agency or any other body who or which, alone or jointly with others, determines the purposes and means of the processing of personal data;

“data controller or data processor of major importance” means a data controller or data processor that is domiciled, ordinarily resident, or ordinarily operating in Malawi and processes or intends to process personal data of more than 10,000 data subjects who are within Malawi, or a greater number of data subjects prescribed by the Authority in rules published in the Gazette, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Malawi as the Authority may designate;

“data processor” means an individual, private entity, public authority or agency or any other body who or which processes personal data on behalf of or at the direction of a data controller or another data processor;

“data subject” means an individual to whom personal data relates;

“Director General” means the Director General of the Authority as described in the Communications Act;

“filing system” means any structured set of personal data which is accessible by reference to a data subject or according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

“personal data” means any information relating to an individual who can be identified or is identifiable, directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual;

“personal data breach” means a breach of security of a data controller or data processor leading to or reasonably likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“processing” means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and

“sensitive personal data” means personal data relating to an individual’s:

  • biometric data;
  • race or ethnic origin;
  • religious or similar beliefs, such as those reflecting conscience or philosophy;
  • health status;
  • sex life or sexual orientation;
  • political opinions or affiliations; or
  • any other personal data prescribed by the Authority as sensitive personal data pursuant to section 19(2).

Objectives

3. The objectives of this Act are to:

a) ensure that the processing of personal data complies with principles of data protection, including digital privacy and data security;

b) provide individuals with rights with respect to the processing of personal data relating to them;

c) set standards for the transmission of personal data outside of Malawi;

d) establish an institutional mechanism to promote and enforce the principles, rights and obligations provided for in this Act; and

e) provide a legal foundation to promote the digital economy of Malawi and its participation in the regional and global economies through the beneficial uses of personal data.

Application of this Act

4.

(1) This Act applies to the processing of personal data wholly or partly by automated means and processing other than by automated means of personal data which form or are intended to form part of a filing system.

(2) This Act applies only where:

a) the data controller or data processor is domiciled, ordinarily resident, or ordinarily operating in Malawi;

b) the processing occurs within Malawi, provided that the mere transiting of data through Malawi shall not constitute data processing occurring in Malawi; or

c) the processing relates to the targeted offering of goods or services to the data subject in Malawi, or the monitoring of the behaviour of the data subject as far as his behaviour takes place within Malawi.

(3) This Act shall be without prejudice to the application of Part IV of the Electronic Transactions and Cyber Security Act with respect to intermediary service providers and online content editors.

(4) For purposes of this section, a “filing system” is a structured set of personal data which are accessible according to specific criteria.

Exemptions

5.

(1) This Act does not apply to the processing of personal data to the extent it is carried out by one or more individuals solely for personal, recreational or household purposes.

(2) Data controllers and data processors that are domiciled, ordinarily resident, or ordinarily operating in Malawi and are not data controllers or data processors of major importance are exempt from the provisions of this Act until the second anniversary of the date on which it comes into force.

PART II— ADMINISTRATION

Duties, functions and powers of the Authority

6.

(1) The Authority shall promote the protection of personal data and regulate the processing of personal data throughout Malawi and oversee the implementation of and be responsible for the enforcement of this Act.

(2) Notwithstanding the generality of subsection (1), the Authority shall:

a) promote public awareness and understanding of personal data protection and the risks to personal data, including the rights granted and obligations imposed under this Act;

b) promote awareness of data controllers and data processors of their obligations under this Act;

c) encourage the introduction of technological and administrative measures to enhance personal data protection;

d) foster the development of personal data protection technologies in accordance with recognized international standards and applicable international law;

e) participate in international fora and engage with other national and regional authorities responsible for data protection with a view to developing consistent and efficient approaches to regulation of cross-border transfers of personal data;

f) advise the government on policy issues relating to personal data protection;

g) submit legislative proposals to the Minister, including amending existing laws, with a view to strengthening personal data protection in Malawi;

h) collect and publish information with respect to personal data protection, including personal data breaches;

i) receive complaints relating to violations of this Act or regulations issued thereunder;

j) conduct investigations of potential violations by a data controller or a data processor of any requirement under this Act or any regulations, rules or other subsidiary legislation or orders made hereunder;

k) impose penalties in case of violations of the provisions of this Act or any regulations, rules or other subsidiary legislation or orders made hereunder;

l) designate countries, regions, sectors or standard contractual clauses as affording or not affording adequate personal data protection standards for cross-border transfers;

m) ensure compliance with national and international personal data protection standards and obligations laid down by international agreements and treaties to which Malawi is a party;

n) render technical assistance on personal data protection matters to the Minister;

o) register and levy fees on data controllers and data processors of major importance;

p) submit proposals to the Minister for regulations to be made under this Act;

q) issue directives and opinions, make recommendations and rules and publish guidance as provided under this Act; and

r) generally implement the provisions of this Act and do all such things as are necessary, incidental or conducive to the better carrying out of the functions of the Authority.

(3) Without prejudice to any functions or powers granted or duties imposed on it under the Communications Act, the Electronic Transactions and Cyber Security Act or any other written law, the Authority shall perform such functions, exercise such powers and undertake such duties as are conferred by this Act.

The Data Protection Office

7. There is hereby established the Data Protection Office, which shall be a unit under the Authority responsible for the activities of the Authority in relation to data protection under this Act.

Governance Powers of the Authority

8. Without prejudice to the generality of section 6, the Authority shall have the power to:

a) issue guidance, and give directions to the Director General;

b) approve strategic plans, action plans and budget support programmes submitted by the Director General;

c) approve annual reports and financial reports submitted by the Director General;

d) hire consultants to assist the Authority in the discharge of its functions, where necessary; and

e) issue rules, directives, opinions and make recommendations on any recurrent question related to the regulated missions of the Authority as defined under this Act.

Committees of the Authority

9.

(1) The Authority may for the purpose of performing its functions under this Act, establish committees of the Authority, and delegate to any such committees any of its functions as it considers necessary.

(2) The Chairperson of every committee shall be a person who is a member of the Authority, but an ex-officio member shall not be a Chairperson.

(3) The Chairperson of the Authority shall not be a member of a committee.

(4) The Authority shall pay a member of a committee, from the funds of the Authority, an allowance that the Minister responsible for public service may, on recommendation of the Board of the Authority, approve for attendance at meetings of the committee.

(5) Subject to the general or special directions of the Authority and to the provisions of this Act, every committee of the Authority shall have the power to determine its own procedure.

Advisory fora

10.

(1) The Authority shall establish consultative or advisory fora comprising representatives of the interests of data controllers, data processors and data subjects, and experts in data protection or another relevant field to assist the Authority with the discharge of its functions under this Act.

(2) The Authority shall contribute out of its annual budget to the expenses of any forum established under subsection (1).

Consultation with other bodies

11.

(1) The Authority shall consult and coordinate with the Human Rights Commission established under Chapter XI of the Constitution with respect to the application of this Act and the Access to Information Act and personal data to which both apply.

(2) The Authority shall consult and coordinate with ministries, departments and agencies responsible for the management and regulation of information including personal data in order to promote understanding of this Act, encourage the adoption of good data protection practices and procedures, and resolve any uncertainties about the application of this Act and rules and regulations made hereunder.

Rules of the Authority

12.

(1) In exercise of its functions under this Act, the Authority may make such rules as are necessary for the better carrying out of the provisions of this Act.

(2) The Authority shall, before making rules:

a) consult with relevant ministries, departments and agencies, data controllers, data processors, interested parties and the public; and

b) publish by notice in the Gazette a draft of the rules it proposes to make, and provide the persons listed in paragraph (a) with a period of not less than thirty (30) days thereafter to comment on the draft rules.

(3) The Authority shall publish in the Gazette rules made under this Act.

(4) The Authority shall, within twenty-eight days after the publication in Gazette of the rules, inform the public, through the print and electronic media, of the publication of the rules.

(5) Rules made under subsection (1) may prescribe how the provisions of this Act shall apply given the features of any particular use of personal data or any particular sector of the economy or society, including:

a) health;

b) education;

c) financial services;

d) employment;

e) electronic commerce;

f) digital identification;

g) membership of particular groups and associations;

h) historical, statistical or scientific research; and

i) any other matter that the Authority may prescribe.

(6) Consultation under subsection (2) shall where appropriate consider the costs and benefits of the proposed rules.

Good practices and codes of conduct

13.

(1) The Authority may publish guidance on good practices in, and development of, codes of conduct on data protection and compliance with this Act.

(2) The Authority may issue and publish in the Gazette, a code of conduct, on the Authority’s own initiative or by application from one or more interested parties.

(3) The Authority shall, prior to issuance of a code of conduct, give notice in the Gazette of the proposed code of conduct and provide the public with a period of not less than thirty (30) days thereafter to comment on the proposed code of conduct.

(4) The absence of a code of conduct issued by the Authority shall not preclude data controllers or data processors from, alone or together with others, adopting codes of conduct on data protection and compliance with this Act.

Confidentiality

14.

(1) A member of the Authority, employee, consultant, adviser or sub-contractor of the Authority shall not publish or disclose to any person, other than in the course of his duties, the contents of any document, communication or information which has come to his knowledge in the course of his duties under this Act.

(2) Any member of the Authority, employee, consultant, adviser or sub-contractor of the Authority who holds confidential information, or any person who has, directly or indirectly, obtained any such information from a member of the Authority, employee, consultant, adviser or sub-contractor of the Authority, whom that person knows or has reasonable cause to believe held the information by virtue of his office, and who:

a) deals in any contract or proposed contract to which the information relates and in which the Authority is involved;

b) counsels or instigates anyone else to deal in any such contract or proposed contract, knowing or having reasonable cause to believe that the other entity would deal in such contract or proposed contract; or

c) communicates to anyone else the information held or, as the case may be, obtained by him if he knows or has reasonable cause to believe that such other entity or any other entity would make use of the information for the purpose of dealing in, or counselling or causing anyone else to deal in, any contract or proposed contract to which the information relates, and in which the Authority is involved,

commits an offence and is liable to a fine of K5,000,000 and imprisonment for five years.

(3) This section shall apply to any information that:

a) a member of the Authority, employee, consultant, adviser or sub-contractor of the Authority holds by virtue of his office or dealings with the Authority;

b) would not be expected, or would not be reasonable for it, to be disclosed by a member of the Authority, employee, consultant, adviser or sub-contractor of the Authority except in the proper performance of the functions of his office; or

c) the member of the Authority, employee, consultant, adviser or sub-contractor of the Authority holding the information knows or ought to know that it is unpublished information in relation to any contract or proposed contract of the Authority.

(4) The provisions of this section shall continue to apply to any member of the Authority, employee, consultant, adviser or subcontractor of the Authority, notwithstanding the expiry or termination of the term of office of the member or the employment of the employee, consultant, adviser or subcontractor of the Authority, as the case may be.

Delegation of powers

15.

(1) The Authority may delegate some of its functions under this Act to the Director General of the Authority, any member of the Authority, the head of the Data Protection Office or any other member of staff of the Authority.

(2) The Director General of the Authority may, with the approval of the Authority, delegate any power or function assigned to him under this Act, to any member of staff of the Authority.

Funds of the Authority

16.

(1) The operational and financial costs of the Authority of carrying out its duties, functions and powers under this Act shall be provided through:

a) fees, levies and other moneys payable to the Authority under this Act;

b) fines payable to the Authority in respect of violations of this Act;

c) grants or donations received by the Authority;

d) such moneys as are from time to time appropriated to the Authority by Parliament; and

e) proceeds from the sale by the Authority of any of its assets or equipment to which it has title.

(2) The Authority may charge fees in respect of publications, seminars, documents, and other services provided by the Authority.

(3) Subject to the Public Finance Management Act, the Authority may borrow such amounts as it may require for the performance of its functions under this Act.

(4) The Authority may invest, on short term deposit with any bank or financial institution in Malawi, any of its moneys that are not immediately required for the performance of its functions under this Act.

Consultations with interested parties

17.

(1) Where the Authority intends to take a decision in accordance with this Act, it shall consult with any interested party, and shall give such interested party at least thirty (30) days from the date of issuance of notice from the Authority to comment on the proposed decision.

(2) The Authority shall publish the results of any consultation launched publicly and the results shall be made available through such means as the Authority considers appropriate in the circumstances, except in the case of information that the Authority considers to be confidential.

PART III— PRINCIPLES GOVERNING PROCESSING OF PERSONAL DATA

Lawfulness of data processing

18.

(1) A data controller shall ensure that personal data is processed, by such data controller or any data processor processing personal data on its behalf, fairly, in a transparent manner and in accordance with subsection (2) and section 19.

(2) A data controller shall neither process nor permit a data processor to process on its behalf, personal data unless:

a) the data subject has given and not withdrawn his consent for the specific purpose or purposes for which it will be processed;

b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) the processing is necessary for compliance with a legal obligation to which the data controller or data processor is subject;

d) the processing is necessary in order to protect the vital interests of the data subject or another individual;

e) the processing is authorised by law and carried out by a competent public authority or agency in furtherance of its legal mandate;

f) the processing is required by or under any written law or order of a court;

g) the processing is necessary for the implementation of a specific economic development or humanitarian initiative;

h) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor;

i) the processing is necessary for the purposes of the legitimate interests pursued by the data controller or data processor or by a third party to whom the data is disclosed, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject;

j) the processing is necessary to comply with disclosure requirements mandated under the Access to Information Act; or

k) the processing is necessary for archiving purposes in the public interest, or for the purpose of historical, statistical or scientific research.

(3) Further processing of personal data other than for the purpose for which it was originally collected shall be compatible with the purpose for which the data was collected.

(4) Compatibility in subsection (3) shall be assessed in light of the relationship between the original purpose and the purpose of the intended further processing, the nature of the personal data concerned, the consequences of the further processing, how the personal data has been collected, and the existence of appropriate safeguards.

Processing of sensitive personal data

19.

(1) A data controller or data processor shall not process, nor shall it permit a data processor to process on its behalf, sensitive personal data unless one of the conditions of section 18(2) has first been met and:

a) the data subject has given and not withdrawn his consent to the processing for the specific purpose or purposes for which it will be processed;

b) the processing is necessary to protect the vital interests of the data subject or of another individual where the data subject is physically or legally incapable of giving consent;

c) the processing is necessary for the purposes of exercising or performing rights or obligations of the data controller or of the data subject under employment or social security laws or any other similar laws;

d) the processing is carried out for purposes of medical care or community welfare and is undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality;

e) the processing is necessary for reasons of public health and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

f) the processing is necessary for reasons of substantial public interest, on the basis of a law which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

g) the processing is necessary for the establishment, exercise or defence of a legal claim, obtaining legal advice or conduct of a legal proceeding;

h) the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a charitable, educational, literary, artistic, philosophical, religious or trade union aim and:

(i) the processing relates solely to the members or former members of the entity or to individuals who have regular contact with it in connection with its purposes; and

(ii) the sensitive personal data is not disclosed outside of the entity without the explicit consent of the data subject;

i) the processing is necessary for archiving purposes in the public interest, or historical, statistical or scientific research, in each case on the basis of a law, which shall be proportionate to the aim pursued, and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; or

j) the data subject has intentionally made such sensitive personal data public.

(2) The Authority may prescribe in rules published in the Gazette further categories of personal data that may be classified as sensitive personal data, further grounds on which they may be processed, and safeguards that may apply, having regard to:

a) the risk of significant harm that may be caused to a data subject or class of data subjects by the processing of such category of personal data;

b) the reasonable expectation of confidentiality attached to such category of personal data; and

c) the adequacy of protection afforded to personal data generally.

Children

20.

(1) When a data subject is a child or an individual lacking the legal capacity to consent, a data controller shall obtain consent of a parent or other appropriate legal guardian of the child or other individual, as applicable, to rely on consent under section 18(2)(a).

(2) A data controller or data processor shall apply appropriate mechanisms, including presentation of government approved identification documents, to verify age and consent.

(3) Subsection (1) does not apply to a data controller or data processor when:

a) the processing is necessary to protect the vital interests of the child or individual lacking the legal capacity to consent; or

b) the processing is carried out for purposes of medical or social care and is undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality.

Conditions of consent

21.

(1) A data controller shall bear the burden of proof for establishing a data subject’s consent (or in the case of a data subject who is a child, the consent of a parent or legal guardian of the data subject) to anything requiring consent under this Act.

(2) In determining whether consent was freely given, account shall be taken of whether performance by a third party of a contract between the data subject and such third party is conditioned on the processing of personal data of the data subject and such processing would not be necessary for such performance.

Provision of information to the data subject

22.

(1) When a data controller collects personal data directly from a data subject, the data controller shall provide the data subject with:

a) the identity of, and means of contacting, the data controller and its representative, if any;

b) the specific basis of processing under section 18(2) or 19(1) and the purposes of the processing for which the personal data are intended;

c) third parties with which the data will be shared and where feasible the means of contacting such third parties;

d) the existence of the rights of the data subject under Part IV; and

e) the right to lodge a complaint with the Authority in accordance with Section 39(1).

(2) When a data controller collects personal data other than directly from the data subject, it must inform the data subject of the items set out in subsection (1), unless the data subject already has been provided such information or provision of such information is impossible or would involve a disproportionate effort or expense.

Purpose specification, data minimisation, retention and accuracy

23.

A data controller shall ensure that personal data is:

a) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;

b) adequate, relevant and limited to what is the minimum necessary for the purposes for which the personal data was collected or further processed;

c) retained for no longer than is necessary to achieve the purpose for which the personal data was collected or further processed except where:

(i) such retention is required or authorised by law; or

(ii) the data subject has consented to such retention; and

d) accurate, complete, not misleading and, where necessary, kept up to date having regard to the purposes for which the personal data was collected or is further processed.

Data protection impact assessment

24.

(1) Where processing is likely to result in high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context and purposes, a data controller shall, prior to the processing, carry out a data protection impact assessment.

(2) The data impact assessment report shall be submitted to the Authority prior to the processing of personal data.

(3) The data controller or data processor shall consult the Authority prior to the processing if, notwithstanding the measures envisaged under subsection (6)(d), the data protection impact assessment indicates that the processing of the data would result in a high risk to the rights and freedoms of the data subject.

(4) The Authority shall publish in the Gazette:

a) guidelines for carrying out data impact assessments; and

b) lists of the kinds of processing which are, and which are not, subject to the requirement for a data protection impact assessment pursuant to subsection (1).

(5) This section shall not apply until the second anniversary of the date on which this Act enters into force.

(6) For purposes of this section, a “data protection impact assessment” is an assessment of the impact of the envisaged processing on the protection of personal data comprising:

a) a systematic description of the envisaged processing and its purpose, including where applicable the legitimate interest pursued by the data controller, data processor or third party;

b) an assessment of the necessity and proportionality of the processing in relation to the purposes for which the personal data would be processed;

c) an assessment of the risks to the rights and freedoms of data subjects; and

d) the measures envisaged to address the risks and the safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act, taking into account the rights, and legitimate interests of data subjects and other persons concerned.

(7) The Authority may by publication in the Gazette exempt categories of data controllers or data processors from the obligations under this section.

Obligations of the data controller and data processor

25.

(1) Where a data controller engages the services of a data processor, or any data processor engages the services of another data processor, the data controller or data processor shall take reasonable measures to ensure that the engaged data processor shall:

a) comply with the principles and obligations set out in section 23 applicable to the data controller;

b) assist the data controller or data processor, as the case may be, by appropriate technical and organisational measures, where practical, in the fulfilment of the data controller’s obligations to honour the individual rights of data subjects under Part IV;

c) implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal information as required in Part V, with due regard to section 32;

d) provide the data controller or data processor, as applicable, with any information it reasonably requires to comply and demonstrate compliance with this Act; and

e) notify the data controller or data processor, as the case may be, when any new data processors are engaged.

(2) Reasonable measures under subsection (1) include a written agreement between the data controllers and the data processor or between data processors, as the case may be.

(3) The Authority may prescribe such measures in rules published in the Gazette.

PART IV—RIGHTS OF A DATA SUBJECT

Rights of the data subject

26. A data subject has the right to obtain from a data controller, without constraint or unreasonable delay and at no expense:

a) confirmation as to whether or not the data controller, or a data processor operating on its behalf, is storing or otherwise processing personal data relating to the data subject and the source of such personal data;

b) a copy of such personal data in a commonly used electronic format except to the extent that providing such data would impose unreasonable costs on the data controller, in which case the data subject may be required by the data controller to bear some or all of such costs;

c) correction, or if correction is not feasible or suitable, deletion of any such personal data that is inaccurate, out of date, incomplete or misleading; and

d) deletion of any such personal data which the data controller is not entitled to retain.

Withdrawal of consent

27.

(1) A data subject has the right to withdraw his consent to processing of personal data under section 18(2)(a) or section 19(1)(a) at any time.

(2) The data controller shall ensure that it is as easy for the data subject to withdraw as to give consent.

Right to object

28.

(1) A data subject has the right to object on grounds relating to his particular situation to the processing of personal data relating to him based on section 18(2)(e) or (i), including profiling, if he can demonstrate that:

a) such processing is causing or is likely to cause substantial damage or substantial distress to him or to another person; and

b) such distress or damage is or would be unwarranted.

(2) The data controller may no longer process such data unless it demonstrates a public interest or other legitimate grounds which outweigh any unwarranted distress or damage demonstrated.

Automated decision-making

29.

A data subject has the right not to be subject to a decision based solely on automated processing of personal data, including profiling, which produces legal or similar significant effects concerning him, except where such decisions are:

a) necessary for entering into, or performance of, a contract between the data subject and a data controller;

b) authorized by a written law which establishes suitable measures to safeguard the fundamental rights and the interests of the data subject; or

c) authorized by the consent of the data subject.

Data portability

30.

(1) The Authority may make rules and procedures published in the Gazette establishing a right of personal data portability.

(2) Any such right of data portability established by the Authority shall entitle the data subject to:

a) receive from a data controller personal data concerning them in a structured, commonly used and machine-readable format;

b) transmit the data obtained under paragraph (a) to another data controller without any hindrance; and

c) where technically possible, have the personal data transmitted directly from one data controller to another.

(3) The Authority may prescribe the circumstances in, and conditions on, which such a right would apply to a data subject and the obligations it would impose on a data controller or data processor, or categories of data controllers or data processors, including questions of costs and timing.

PART V—DATA SECURITY

Security, integrity and confidentiality

31.

(1) Each data controller and data processor shall implement appropriate technical and organizational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protections against accidental or unlawful destruction, loss, misuse or alteration, unauthorized disclosure or access, taking into account:

a) the amount and sensitivity of the personal data;

b) the degree and likelihood of harm to data subjects that could result from the loss, disclosure or other misuse of the personal data;

c) the extent of the processing;

d) the period of data retention; and

e) the cost of any technologies, tools or other measures to be implemented relative to the size of the data controller or data processor.

(2) Measures implemented under subsection (1) may include:

a) pseudonymization or other methods of de-identification of personal data;

b) encryption of personal data;

c) processes to ensure security, integrity, confidentiality, availability and resilience of processing systems and services;

d) processes to restore availability and access to personal data in a timely manner in the event of a physical or technical incident;

e) periodic assessments of risks to processing systems and services, including without limitation where the processing involves the transmission of data over an electronic communications network;

f) regular testing, assessing and evaluation of the effectiveness of the measures implemented against current and evolving risks identified; and

g) regular updating of the measures and introduction of new measures to address shortcomings in effectiveness and accommodate evolving risks.

Appropriateness

32.

In determining the appropriateness of the measures to be implemented under section 31, a data controller or data processor shall take into account:

a) available technologies and systems;

b) the cost of implementing the security measures; and

c) the relative risks inherent in the nature, scope, context and purposes of the processing and the likely harms to the rights and freedoms of the data subjects.

Personal data breaches

33.

(1) When a personal data breach has occurred with respect to personal data being stored or otherwise processed by a data processor, the data processor shall:

a) notify the data controller or data processor that engaged it within seventy-two hours after becoming aware thereof, describing the nature of the personal data breach including, where possible, the categories and approximate numbers of data subjects and personal data records concerned; and

b) respond without undue delay to all information requests from the data controller or data processor that engaged it as they may require to comply with their obligations under this section.

(2) When a personal data breach has occurred with respect to personal data being stored or otherwise processed by a data controller or a data processor acting on its behalf and is likely to result in a risk to the rights and freedoms of individuals, the data controller shall notify the Authority of the breach within seventy-two hours after having become aware of it, describing the nature of the personal data breach including, where possible, the categories and approximate numbers of data subjects and personal data records concerned.

(3) When such a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject:

a) the data controller shall communicate the personal data breach to the data subject without undue delay in plain and clear language, including advice about measures the data subject could take to mitigate effectively the possible adverse effects of the data breach; and

b) if a direct communication to the data subject under paragraph (a) would involve disproportionate effort or expense or is otherwise not feasible, the data controller may instead make a public communication in one or more widely-used media sources such that data subjects are likely to be informed.

(4) The notifications and communications referred to in subsections (1), (2) and (3) shall, in addition to the requirements of those subsections, at least:

a) communicate the name and contact details of a point of contact of the data controller where more information can be obtained;

b) describe the likely consequences of the personal data breach; and

c) describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(5) The data controller may extend the seventy-two-hour period set out in subsection (2) to accommodate the legitimate needs of law enforcement or as reasonably necessary to implement measures required to determine the scope of the breach, provided that the data controller provides to the Authority the grounds for such extension, including supporting evidence.

(6) The Authority may at any time make a public communication about a personal data breach notified to it under subsection (2) if it considers the steps of the data controller to inform data subjects inadequate.

(7) The Authority shall issue and publish in the Gazette guidance on the steps to be taken by a data controller to adequately inform data subjects of a personal data breach for purposes of subsection (6).

(8) In evaluating whether a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject under subsection (3), the data controller and the Authority may take into account:

a) the likely effectiveness of any technical and administrative measures implemented to mitigate the likely harm resulting from the personal data breach, including any encryption or deidentification of the data;

b) any subsequent measures taken by the data controller to mitigate such risk; and

c) the nature, scope and sensitivity of the personal data involved.

(9) The data controller and data processor shall keep a record of all personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken in a manner that enables the Authority to verify compliance with this section.

(10) Where, and in so far as, it is not possible to provide information under this section at the same time, the information may be provided in phases without undue further delay.

(11) This section shall not apply until the second anniversary of the date on which this Act enters into force.

PART VI—CROSS-BORDER TRANSFERS OF PERSONAL DATA

Basis for cross-border transfer of personal data

34.

(1) A data controller or data processor shall not transfer personal data from Malawi to another country unless:

a) the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with section 35; or

b) one of the conditions set forth in section 36 applies.

(2) A data controller or data processor shall record the basis for transfer of personal data to another country under section 34(1) and the adequacy of protection under section 35, if applicable.

(3) The Authority may make rules requiring data controllers and data processors to notify it of the measures in place under section 34(1) and to explain their adequacy in terms of section 35, if applicable.

Adequacy of protection

35.

(1) A level of protection is adequate for the purposes of section 34(1)(a) if it upholds principles that are substantially similar to the conditions for processing of the personal data provided for in this Act, including in relation to the onward transfer of personal data to other countries.

(2) The adequacy of protection referred to in subsection (1) shall be assessed taking into account:

a) the availability of enforceable data subject rights, the ability of data subjects to enforce their rights through administrative or judicial redress, and the rule of law generally;

b) the existence of any legally binding instrument between the Authority and a relevant public authority in the recipient country addressing elements of adequate protection referred to in subsection (1);

c) the access of a public authority to personal data;

d) the existence of an effective data protection law;

e) the existence and functioning of an independent, competent data protection or similar supervisory authority with adequate enforcement powers; and

f) international commitments and conventions binding on the relevant country and its membership of any multilateral or regional organisations.

(3) The Authority may from time to time, by notice in the Gazette, designate any country, region or specified sector within a country, or standard contractual clauses as affording or as not affording an adequate level of protection under subsection (1).

(4) The Authority may approve binding corporate rules, codes of conduct or certification mechanisms proposed to it by a data controller, where the Authority determines that the aforesaid meets the adequacy requirements of subsection (1).

(5) The absence of a determination by the Authority under subsection (3) or (4) with respect to a country, territory, sector, binding corporate rule, contractual clause, code of conduct or certification mechanism shall not imply the adequacy or inadequacy of the protections afforded by it.

(6) The Authority may make a determination under subsection (3) based on adequacy decisions made by competent data protection authorities of other jurisdictions where such decisions have taken into account factors similar to those listed in subsection (2).

Other bases for transfer of personal data outside Malawi

36.

In the absence of adequacy of protection under section 35, a data controller or data processor shall only transfer personal data from Malawi to another country if:

a) the data subject has given and not withdrawn consent to such transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of adequate protections;

b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and a third party; or

d) the transfer is for the benefit of the data subject and:

(i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and

(ii) if it were reasonably practicable to obtain such consent, the data subject would likely give it.

PART VII—REGISTRATION AND FEES

Registration of data controllers and data processors of major importance

37.

(1) Data controllers and data processors of major importance shall register with the Authority.

(2) Registration under subsection (1) shall be made by notifying the Authority of:

a) name and address, or name and address of any representative;

b) a description of the personal data and the categories and number of data subjects to which the personal data relate;

c) the purposes for which the personal data is processed;

d) the categories of recipients to whom the data controller or data processor intends or is likely to disclose the personal data;

e) the name and address, or name and address of any representative of any data processor operating directly or indirectly on its behalf;

f) any country to which the data controller or data processor intends, directly or indirectly, to transfer the personal data;

g) a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of the personal data; and

h) any other information required by the Authority.

(3) The data controller or data processor of major importance shall:

a) notify the Authority of any significant change to the information submitted under subsection (2) within 90 days after such change; and

b) provide the Authority with a full updated registration no later than the third anniversary of its previous registration.

(4) The Authority shall maintain and publish on its website a register of data controllers and data processors of major importance that have duly registered with it under this section.

(5) The Authority shall remove a data controller or data processor from the register if it notifies the Authority that it is no longer a data controller or data processor of major importance.

(6) The Authority may exempt a class of data controller or data processor of major importance from the registration requirement of this section where it considers such requirement to be unnecessary or disproportionate.

Fees and levies

38.

(1) The Authority may prescribe annual fees or levies which shall be paid by data controllers and data processors of major importance.

(2) The Authority may prescribe annual fees or levies under subsection (1) applicable to different classes of data controllers or data processors of major importance.

(3) The Government, statutory bodies and any other body appointed by the Government to carry out public functions shall not be subject to the annual fees or levies under subsection (1).

(4) Any fees or levies prescribed under subsection (1) shall be set with a view not to exceed the anticipated costs of the activities of Authority relating to data protection under this Act for the next financial year to the extent that such costs are not anticipated to be funded from other sources.

PART VIII—ENFORCEMENT

Complaints

39.

(1) A data subject who is aggrieved by the decision, action or inaction of a data controller or data processor in violation of this Act, subsidiary legislation or orders may lodge a complaint with the Authority.

(2) The Authority shall investigate any complaint referred to it where it appears to the Authority that:

a) the complainant has an interest in the matter to which the complaint relates; and

b) the complaint is not frivolous or vexatious.

(3) The Authority may initiate an investigation of its own accord where it has reason to believe a data controller or data processor has violated or is likely to violate this Act or any regulations, rules or other subsidiary legislation or orders.

(4) The Authority may, for the purpose of an investigation, order any person to:

a) attend at a specific time and place for the purpose of being examined orally in relation to a complaint;

b) produce such document, record or article as may be required with respect to any matter relevant to the investigation, which the person is not prevented by any other written law from disclosing; or

c) furnish a statement in writing made under oath or an affirmation setting out all information which may be required under the order.

(5) Where material to which an investigation relates consists of information stored in any mechanical or electronic device, the Authority may require the person named to produce or give access to it in a form in which it is visible and legible in a structured, commonly used and machine-readable format.

(6) The Authority may, where necessary, make representations to the data controller or data processor on behalf of a complainant, or to a complainant on behalf of the relevant data controller or data processor, as the Authority may deem appropriate.

(7) The Authority shall establish a section of the Data Protection Office that shall receive and follow up on complaints from data subjects and conduct investigations.

(8) The Authority shall adopt rules and procedures published in the Gazette on handling complaints and conducting investigations referred to it under this Act.

Compliance orders

40.

(1) Where the Authority is satisfied that a data controller or data processor has violated or is likely to violate any requirement under this Act or any regulations, rules or other subsidiary legislation or orders issued thereunder, the Authority may make an appropriate compliance order against that data controller or data processor.

(2) The order made by the Authority under subsection (1) may include any of the following:

a) a warning that certain acts or omissions are likely to be a violation of one or more provisions under this Act or any subsidiary legislation or orders issued thereunder;

b) a requirement that the data controller or data processor complies with such provisions, including complying with the requests of a data subject to exercise one or more rights under this Act; or

c) a cease and desist order requiring the data controller or data processor to stop or refrain from doing an act which is in violation of this Act, including stopping or refraining from processing personal data that is the subject of the order.

(3) An order made under this section shall be in writing and shall specify:

a) the provisions of this Act that the data controller or data processor has violated or is likely to violate;

b) in the case of an actual violation, specific measures to be taken by the data controller or data processor to avoid, remedy or eliminate the situation which has resulted in the violation;

c) in the case of an actual violation, a period not less than 30 days in which to implement such measures; and

d) in the case of an actual violation, a right to judicial review under section 43.

Enforcement orders

41.

(1) Notwithstanding any criminal sanctions under this Act, if the Authority, after completing an investigation under Section 39, is satisfied that a data controller or data processor has violated any provision of this Act, or any regulation, rule or other subsidiary legislation made thereunder, it:

a) may make any appropriate enforcement order or impose a sanction on the data controller or data processor; and

b) shall inform the data controller or data processor, and if applicable, any data subject who lodged a complaint leading to the investigation, in writing of its decision.

(2) Notwithstanding section 21(e) of the General Interpretation Act, an enforcement order made or sanction imposed under subsection (1) may include the following:

a) requiring the data controller or data processor to remedy the violation;

b) ordering the data controller or data processor to pay compensation to a data subject who suffers injury, loss or harm as a result of a violation;

c) ordering the data controller or data processor to account for the profits made out of the violation; or

d) ordering the data controller or data processor to pay a fine of K5,000,000.

Offence

42.

A data controller or data processor who fails to comply with any order made under section 41 commits an offence for which such data controller or data processor is liable to a fine of K5,000,000 and imprisonment for two years.

Judicial review

43.

A person who is not satisfied with an order of the Authority may apply to the High Court within thirty days after the date the order was made for judicial review thereof.

Civil remedies

44.

A data subject who suffers injury, loss or harm as a result of a violation of this Act or regulations made hereunder by a data controller or data processor, or a recognized consumer organization acting on behalf of such a data subject, may recover damages by way of civil proceedings in the High Court from such data controller or data processor.

PART IX—MISCELLANEOUS

Exceptions

45.

(1) The obligations and rights under Parts III, IV, V, VI, VII and VIII do not apply to a data controller or data processor when processing of personal data is:

a) carried out by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;

b) carried out by competent authorities for the purposes of prevention or control of a national public health emergency;

c) carried out by competent authorities as necessary for national security; or

d) carried out in connection with licensed credit reference bureau business under the Credit Reference Bureau Act;

so long as such processing as is carried out uses suitable measures to safeguard the fundamental rights and the interests of the data subject.

(2) The obligations and rights under Parts III, IV, VI, VII and VIII do not apply to data processing carried out with a view to publication in the public interest for the purposes of journalism, educational purposes, artistic purposes or literary purposes to the extent that such obligations and rights would be incompatible with such purposes.

Joint and vicarious liability

46.

(1) Where a data controller or data processor charged with an offence under this Act is a body corporate, any person who, at the time the offence was committed was a chief executive officer, manager or officer of such body corporate, may be charged jointly in the same proceedings with the body corporate, if the person was party to the offence committed.

(2) A person who is a partner in a firm shall be jointly and severally liable for acts or omissions of other partners in the firm so far as the acts or omissions relate to the firm.

(3) Each data controller and data processor shall be vicariously liable for the acts or omissions of its agent, clerk, servant or other person, in so far as the acts or omissions relates to its business.

Regulations

47.

(1) The Minister may, on the recommendation of the Authority, make regulations for the better carrying out of the purposes of this Act.

(2) Without prejudice to the generality of subsection (1), the regulations may provide for:

a) the financial management of the affairs of the Authority;

b) the protection of personal data and data subjects;

c) the manner in which the Authority may exercise any power or perform any duty or function under this Act;

d) any matter that under this Act is required or permitted to be prescribed; or

e) any matter that the Minister considers necessary or expedient to give effect to the objectives of this Act.

(3) Notwithstanding section 21(e) of the General Interpretation Act, the regulations made under this Act may create offences in respect of any contravention of the regulations, and may for any such contravention impose a fine of up to K5,000,000 and imprisonment for up to five years.

OBJECTS AND REASONS

The principal object of this Bill is to consolidate into a single and effective legislative framework and strengthen the provisions currently found in various Acts of Parliament for the protection and security of personal data used by data controllers and data processors as defined in the Bill in the provision of their services to the public.

CHIKOSA M. SILUNGWE

Attorney General

07Mar/24

Personal Data Protection Act (PDPA), 2022 13th June, 2023 

GOVERNMENT NOTICE Nº 395B published on 13/6/2023

THE UNITED REPUBLIC OF TANZANIA

CHAPTER 44

THE PERSONAL DATA PROTECTION ACT

This version of the Personal Data Protection Act, Chapter 44 has been translated into English Language, and is published pursuant to section 84(4) of the Interpretation of Laws Act, Chapter 1.

Dodoma, 13th June, 2023

ELIEZER MBUKI FELESHI, Attorney General

THE UNITED REPUBLIC OF TANZANIA

Supplement No. 21, 13th June, 2023

SPECIAL SUPPLEMENT

To The Special Gazette of the United Republic of Tanzania No. 15 Vol. 104 Dated 13th June, 2023

Printed by The Government Printer, Dodoma by Order of Government

CHAPTER 44

THE PERSONAL DATA PROTECTION ACT

An Act to provide for principles of protection of personal data so as to establish minimum requirements for the collection and processing of personal data; to provide for establishment of Personal Data Protection Commission; to provide for improvement of protection of personal data processed by public and private bodies; and to provide for matters connected therewith.

[1st May, 2023]

Act Nº 11 of 2022

PART I. PRELIMINARY PROVISIONS

Short title

1. This Act may be cited as the Personal Data Protection Act, 2022.

Application

2. This Act shall apply to Mainland Tanzania as well as Tanzania Zanzibar save that in Tanzania Zanzibar this Act shall not apply to non-union matters.

Interpretation

3. In this Act, unless the context otherwise requires-

“data protection officer” means an individual appointed by the data controller or data processor charged with ensuring compliance with the obligations provided for in this Act;

“code of ethics” means data-use charters which regulate the conduct of a data controller or data processor, prepared in accordance with section 65;

“court” means the court of competent jurisdiction;

“data processor” means a natural person, legal person or public body which processes personal data for and on behalf of the controller and under the data controller’s instruction, except for the persons who, under the direct authority of the controller, are authorised to process the data and it includes his representative;

“data subject” means the subject of personal data which are processed under this Act;

“Director General” means the Director General of the Commission appointed under section 11;

“data controller” means a natural person, legal person or public body which alone or jointly with others determines the purpose and means of processing of personal data; and where the purpose and means of processing are determined by law, “data controller” is the natural person, legal person or public body designated as such by that law and it includes his representative;

“recipient” means a natural person, legal person, public body or any other person who receives personal data from a data controller;

“health professional” means a person providing health care services and recognised as such by the relevant law;

“child” has the meaning ascribed to it under the Child Act (Cap. 13);

“third party” means any natural or legal person, or public body other than-

(a) the data subject;

(b) the data controller or data processor; and

(c) any person who is authorised to process personal data;

“document” means any medium in which data is recorded, whether printed or on tape or film or by electronic means or otherwise and includes any map, diagram, photograph, film, microfilm, video-tape, sound recording or machine-readable record or any record which is capable of being produced from a machine-readable record by means of equipment or a programme, or a combination of both, which is used by the data controller for record purposes;

“register” means the register established by the Commission under section 15;

“personal data” means data about an identifiable person that is recorded in any form, including-

(a) personal data relating to the race, national or ethnic origin, religion, age or marital status of the individual;

(b) personal data relating to the education, the medical, criminal or employment history;

(c) any identifying number, symbol or other particular assigned to the individual;

(d) the address, fingerprints or blood type of the individual;

(e) the name of the individual appearing on personal data of another person relating to the individual or where the disclosure of the name itself would reveal personal data about the individual;

(f) correspondence sent to a data controller by the data subject that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence, and the views or opinions of any other person about the data subject;

“sensitive personal data” includes-

(a) genetic data, data related to children, data related to offences, financial transactions of the individual, security measure or biometric data;

(b) if they are processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life; and

(c) any personal data otherwise considered under the laws of the country as presenting a major risk to the rights and interests of the data subject;

“genetic data” means any personal data stemming from a Deoxyribonucleic acid (DNA) analysis;

“Commission” means the Personal Data Protection Commission established under section 6;

“processing” means analysis of personal data, whether or not by automated means, such as obtaining, recording or holding the data or carrying out any analysis on personal data, including:

(a) organization, adaptation or alteration of the personal data;

(b) retrieval or use of the data; or

(c) alignment, combination, blocking, erasure or destruction of the data;

“transborder flow” means any international cross-border flows of personal data by means of electronic transmission or other means;

“Minister” means the Minister responsible for communication.

Objectives of Act

4. The objectives of this Act are to-

(a) regulate the collection and processing of personal data;

(b) ensure that the collection and processing of personal data of a data subject is guided by the principles set out in this Act;

(c) protect the privacy of individuals;

(d) establish a legal and institutional mechanism to protect personal data; and

(e) provide data subjects with rights and remedies to protect their personal data from collection and processing that is not in accordance with this Act.

Principles of personal data protection

5. A data controller or data processor shall ensure that personal data is-

(a) processed lawfully, fairly and transparently;

(b) collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

(d) accurate and where necessary, kept up to date, with every reasonable step taken to ensure that any inaccurate personal data is erased or rectified without delay;

(e) stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;

(f) processed in accordance with the rights of a data subject;

(g) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against any loss, destruction or damage, using appropriate technical or organisational measures; and

(h) not transferred abroad contrary to the provisions of this Act.

PART II. PERSONAL DATA PROTECTION COMMISSION

Establishment of Personal Data Protection Commission

6.-

(1) There is established a Commission to be known as the Personal Data Protection Commission.

(2) The Commission shall be a body corporate with perpetual succession and a common seal and, shall in its own name be capable of-

(a) acquiring and holding movable and immovable property, to dispose of property and to enter into any contract or other transaction;

(b) suing and being sued; and

(c) performing any other acts which a body corporate may lawfully perform, for the proper performance of its functions under this Act.

Functions of Commission

7. The functions of the Commission shall be to-

(a) monitor compliance by data controllers and data processors with the provisions of this Act;

(b) register data controllers and data processors in accordance with this Act;

(c) receive, investigate and deal with complaints about alleged violations of the protection of personal data and privacy of persons;

(d) inquire into and take measures against any matter, that appears to the Commission to affect the protection of personal data and infringe privacy of the individuals;

(e) educate the public as may be appropriate to the implementation of objectives of this Act;

(f) undertake research and to monitor technological developments in data processing;

(g) establish mechanisms of cooperation with other data protection authorities from other countries, and advise the Government on matters relating to implementation of this Act; and

(h) perform other functions of the Commission for better implementation of the provisions of this Act.

Establishment of Board

8.-

(1) There is hereby established a Board to be known as the Board of Personal Data Protection Commission which shall be the governing body of the Commission and shall consist of seven members as follows:

(a) a Chairman and Vice-Chairman; and

(b) five other members.

(2) The Chairman and the Vice-Chairman shall be appointed by the President on basis of the principle that where the Chairman hails from one part of the United Republic, the Vice-Chairman shall be a person who hails from the other part of the United Republic.

(3) The other five members under subsection (1)(b) shall be appointed by the Minister from among persons with qualification and experience in ICT, law, engineering, finance or administration.

(4) In order to maintain impartiality of the Commission and for the purpose of avoiding conflict of interest, a person shall not be qualified for appointment as a member of the Authority if owing to the nature of the office he holds, is likely to exert influence on the Commission.

(5) Director-General of Commission shall be the secretary to the Board.

(6) The provisions relating to the Board and its proceeding shall be as set out in the Schedule.

Functions of Board

9.-

(1) The Board shall oversee the performance of the Commission so as to ensure adherence to the governing laws and procedures.

(2) Without prejudice to the generality of subsection (1), the Board shall-

(a) provide strategic guidance and formulate policies for operation and management of the Commission;

(b) conduct oversight on the activities and performance of management of the Commission;

(c) ensure efficient use of resources, including approval of annual work plan, annual Budget and supplementary budget;

(d) approve investment plans of the Commission;

(e) approve performance reports of the Commission;

(f) approve code of conduct for staff of Commission;

(g) approve and oversee financial regulations and staff rules;

(h) approve the disposal of assets of the Commission; and

(i) perform any other functions as it may consider necessary for the achievement of its goals in accordance with this Act.

Committees of Board

10. The Board may, for the purpose of efficient performance of its functions, form and appoint from among its members, such number of committees as it considers necessary.

Appointment of Director General

11.-

(1) There shall be the Director General of the Commission who shall be appointed by the President.

(2) A person shall be qualified for appointment as Director General if he-

(a) is a graduate of a recognised university with a bachelor’s degree or above in the fields of ICT, engineering, law, economics, finance or administration;

(b) has experience of not less than ten years of service in either of the fields referred to in paragraph (a); and

(c) expresses knowledge and expertise in the field of personal data protection.

Tenure of office of Director General

12. The Director General shall hold office for a period of five years and may be reappointed for one further term.

Staff of Commission

13.-

(1) The Commission shall, subject to the laws governing public service, employ other officers and employees of such number as may be necessary for the effective discharge of the functions of the Commission.

(2) The Commission may appoint consultants and experts in various disciplines on such terms and conditions as the Commission may determine.

PART III. REGISTRATION OF DATA CONTROLLERS AND DATA PROCESSORS

Registration of data controllers and data processors

14.-

(1) A person shall not collect or process personal data without being registered as a data controller or a data processor under this Act.

(2) A person who intends to collect or process personal data shall apply to the Commission for registration.

(3) The Commission may, within a period specified in the regulations, grant or reject the application submitted under subsection (2).

(4) The Commission shall issue a certificate of registration to the data controller or data processor who has fulfilled the prescribed requirements and registered under this section.

(5) Where the Commission rejects an application it shall inform the applicant in writing and give reasons for the decision.

Register of data controllers and data processors

15.-

(1) The Commission shall establish and maintain a register of data controllers and data processors registered in accordance with this Act.

(2) The register shall contain such particulars as may be prescribed in the regulations.

(3) A data controller or data processor may, at any time, apply to the Commission to update or change any particulars in the register.

Duration of registration

16.-

(1) The period of registration shall be five years from the date of issuance of certificate of registration.

(2) The application for renewal shall be submitted within the period of three months before expiry in the manner prescribed in the regulations.

Inspection of registered particulars

17. Subject to the procedures as may be prescribed in the regulations and upon payment of prescribed fees, the Commission may permit any person to inspect and extract any entry in the register.

Deregistration

18. The Commission may deregister any registration under this Act as may be prescribed in the regulations.

Offences relating to registration

19. Any person who contravenes the provisions of this Part or furnishes false or misleading information during registration or renewal, commits an offence and upon conviction shall be liable for a penalty specified under section 63.

Appeal relating to registration

20. Any person who is aggrieved by the decision of the Commission under this Part may appeal in writing to the Minister.

Registration of public institutions

21. Immediately after commencement of this Act, public institutions which collect and process personal data shall be deemed as registered with the Commission under this Act and shall be required to comply with the provisions of this Act.

PART IV. COLLECTION, USE, DISCLOSURE AND RETENTION OF PERSONAL DATA

Collection of personal data

22.-

(1) This Part shall be applicable to-

(a) any collection and processing of personal data performed wholly or partly by manual or automated means;

(b) the processing of personal data carried out in the performance of activities of a controller domiciled in United Republic or in a territory where the laws of the United Republic apply by virtue of international public law; and

(c) the processing of personal data by a data controller or data processor who is not domiciled in the United Republic, if the processing of the personal data is in United Republic and such processing is not for the purposes of mere transit of personal data through Tanzania to another country.

(2) A data controller shall collect personal data if-

(a) the personal data is collected for a lawful purpose related to a function of the data controller; and

(b) the collection of the data is necessary or incidental or directly related to the lawful purpose.

(3) A data controller shall not collect personal data by unlawful means.

Source and notification of personal data

23.-

(1) Subject to subsection (3), a data controller shall collect personal data directly from the data subject concerned.

(2) Before collecting data, a data controller shall ensure that the data subject is aware of-

(a) the purposes for which the personal data is collected;

(b) the fact that collection of the personal data is for authorised purposes; and

(c) any intended recipients of the personal data.

(3) A data controller is not obliged to comply with subsection (1) where-

(a) the personal data is publicly available;

(b) the data subject concerned authorises the collection of the personal data from a third party;

(c) compliance is not reasonably practicable in the circumstances of the particular case;

(d) non-compliance is necessary for compliance with other written laws; or

(e) compliance would prejudice the lawful purpose of the collection.

Accuracy of personal data

24. Subject to the purpose for which the personal data are intended to be used, a data controller who holds personal data shall not use that personal data without taking such steps as are, in the circumstances, reasonable to ensure that, the data is complete, accurate, relevant and not misleading.

Personal data to be used for intended purpose

25.-

(1) Personal data collected under this Act shall be used for the intended purposes.

(2) Where a data controller holds personal data that was collected in connection with a particular purpose, he may use that personal data for other purposes if-

(a) the data subject authorises the use of the personal data for that other purpose;

(b) use of the personal data for that other purpose is authorised or required by law;

(c) the purpose for which the personal data is used is directly related to the purpose for which the personal data was collected;

(d) the personal data is used-

(i) in a form in which the data subject is not identified; or

(ii) for statistical or research purposes and shall not be published in a form that could reasonably be expected to identify the data subject;

(e) the data controller believes on reasonable grounds that use of the personal data for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the data subject or other person, or to public health or safety; or

(f) use of personal data for that other purpose is necessary for compliance with the laws.

Limitations on disclosure of personal data

26. Where data controller holds personal data, he shall not disclose the personal data to a person, other than the data subject except in the circumstances specified under section 25.

Security of personal data

27.-

(1) A data controller and his representatives shall ensure that personal data is protected by such security safeguards as are reasonable in the circumstances and necessary for the protection of the personal data against negligent loss or unauthorised destruction, alteration, access or processing of the personal data.

(2) Security measures taken in accordance with subsection (1) shall ensure an appropriate level of security taking into account-

(a) the state of technological advancement and the cost of implementing the measures; and

(b) the nature of the personal data to be protected and the potential risks to the data subject.

(3) The data controller and data processor, as the case may be, shall appoint a data protection officer who shall ensure that the control and security measures are in place to protect the personal data collected or being processed.

(4) Implementation of activities of the data processor shall be governed by a contract which associates the data processor to the data controller to the effect that the data processor acts under instructions of the data controller and that the data processor is additionally, responsible for ensuring compliance of the security standards as provided by this Act.

(5) The data controller shall notify the Commission, without any undue delay, of any security breach affecting personal data being processed by or on behalf of the data controller.

Retention and disposal of personal data

28.-

(1) Where a data controller uses personal data for a specified purpose as specified under section 25, he shall retain that personal data for a period specified in the relevant laws or a period prescribed in the regulations in order to ensure that the data subject has a reasonable opportunity to access the personal data where need arises.

(2) Subject to subsection (1), the Minister may, by regulations prescribe the retention and disposal of personal data held by a data controller in accordance with the purpose of retention.

Correction of personal data

29.-

(1) Where a document or file to which access has been given under this Act contains personal data and that data subject claims that the personal data-

(a) is incomplete, incorrect or misleading; or

(b) not relevant to the purpose for which the document is held,

the data controller may, subject to procedures as may be prescribed in the regulations and upon receiving and being satisfied with the application of the data subject, amend the personal data.

(2) The data controller shall, when making an amendment to personal data in a document under this section, ensure that he does not permanently delete the record of the text of the document as it existed prior to the amendment.

(3) Where a data controller is not satisfied with the reasons for an application under subsection (1), he may refuse to make any amendment to the personal data and inform the applicant of the reasons for refusal.

Prohibition on processing of sensitive personal data

30.-

(1) A person shall not process sensitive personal data without obtaining prior written consent of the data subject.

(2) The consent under subsection (1) may be withdrawn by the data subject at any time and without any explanation or charges.

(3) The Minister may, by regulations, determine circumstances in which the prohibition to process the personal data referred to in this section cannot be removed even with the data subject’s consent.

(4) Where the data subject from whom consent is sought for the purpose of this Act, is a minor, a person of unsound mind or any other person unable to consent, such person’s consent shall be sought from his parents, guardian, heirs, attorneys or any other person recognised by law to be acting on behalf of the person whose consent is to be sought.

(5) Subsection (1) shall not apply where-

(a) the processing is necessary for compliance with other written laws;

(b) the processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is incapable of giving his consent or is not represented by his legal representative;

(c) the processing is necessary for the institution, trial or defence of legal claims;

(d) the processing relates to personal data which has apparently been made public by the data subject;

(e) the processing is necessary for the purposes of scientific research and the Commission has, by special guidelines, specified the circumstances under which such processing may be carried out; or

(f) the processing is necessary for the purposes of medical reasons in the interest of the data subject, and the sensitive personal data concerned, is processed under the supervision of a health professional in accordance with the law governing such health care services.

PART V. TRANSBORDER DATA FLOW

Transfer of personal data to state with adequate personal data protection

31.-

(1) The Commission may, subject to the provisions of this Act, prohibit the transfer of personal data to a place outside the country.

(2) Personal data shall be transferred to country that has a legal framework that provides for adequate data protection, if-

(a) the recipient establishes that the personal data is necessary for the performance of a task carried out in the public interest or pursuant to the lawful functions of a data controller; or

(b) the recipient establishes the necessity of having the data transferred and there is no reason to assume that the data subject’s legitimate interests might be prejudiced by the transfer or the processing in the recipient country.

(3) The data controller shall, notwithstanding subsection (2), be required to make a provisional evaluation of the necessity for the transfer of the personal data.

(4) The recipient shall ensure that the necessity for the transfer of the personal data can be subsequently verified.

(5) The data controller shall ensure that the recipient shall process the personal data for the purposes for which it was transferred.

Transfer of personal data to state without adequate personal data protection

32.-

(1) Personal data may be transferred to recipient states other than those referred to under section 31, if an adequate level of protection is ensured in the country of the recipient and the personal data is transferred solely to permit processing authorised to be undertaken by the controller.

(2) The adequacy of the level of protection afforded by the relevant third country shall be assessed in the light of-

(a) all the circumstances surrounding the relevant personal data transfer;

(b) nature of the personal data;

(c) the purpose and duration of the proposed processing;

(d) the recipient’s country;

(e) the relevant laws in force in the third country; and

(f) the professional rules and security measures which are complied within that recipient’s country.

(3) The Minister shall, after consultation with Commission and by regulations, specify categories of processing for which and the circumstances in which the transfer of personal data to countries outside the United Republic is not authorised.

(4) Notwithstanding the provisions of subsection (3), a transfer of personal data to a recipient in a country outside the country or to a country which does not have adequate level of protection may take place in one of the following cases-

(a) the data subject has consented to the proposed transfer;

(b) the transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of precontractual measures taken in response to the data subject’s request;

(c) the transfer is necessary for the conclusion or performance of a contract concluded or to be concluded between the data controller and a third party in the interest of the data subject;

(d) the transfer is necessary or legally required on public interest grounds, or for the institution, trial or defence of legal claims;

(e) the transfer is necessary in order to protect the legitimate interests of the data subject; and

(f) the transfer is made in accordance with the law, and is intended to provide information to the public, and is open for consultation either by the public in general or by any person who can demonstrate a legitimate interest, to give his opinion in accordance with the conditions provided under the law.

(5) Without prejudice to the provisions of this Act, the Commission may authorise a transfer of personal data to a recipient country or any other country which does not have an adequate level of protection in its laws, if the data controller satisfies the Commission that there are adequate safeguards with respect to the protection of personal data, fundamental rights and freedoms of the data subject and the exercise of the data subject’s rights, and that such safeguards can be appropriated through adequate legal and security measures and contractual clauses in particular.

PART VI. RIGHTS OF DATA SUBJECTS

Right of Access to personal data

33.-

(1) Subject to the provisions of this Act, a data subject shall be entitled-

(a) to be informed by any data controller whether his personal data are being processed by or on behalf of that data controller;

(b) to be given by the data controller a description of-

(i) the personal data of which that individual is the data subject;

(ii) the purposes for which they are being processed; and

(iii) the recipients or classes of recipients to whom they are or may be disclosed;

(c) where the processing of personal data by automatic means for the purpose of evaluating matters relating to him has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision making.

(2) Notwithstanding the provisions of subsection (1), a data controller is not obliged to inform the data subject where the personal data-

(a) are not accurate;

(b) are involved in any investigation in accordance with the laws; or

(c) have been prohibited by court order.

Right to prevent processing likely to affect data subject

34.-

(1) Subject to subsection (2), a data subject is entitled to require a data controller through procedures prescribed in the regulations, to suspend or not to begin, processing of any personal data in respect of which he is the data subject, if the processing of such personal data is likely to cause substantial damage to him or to another person.

(2) Subsection (1) shall not apply in the exceptions provided under this Act.

Right to prevent processing of personal data for direct marketing purposes

35.-

(1) A data subject may, through the procedures prescribed in the regulations, require the data controller to stop processing his personal data for purposes of direct marketing.

(2) Subject to subsection (1), a data subject may enter into agreement with a data controller for purposes of using or processing his personal data for pecuniary benefits.

(3) In this section “direct marketing” includes the communication by whatever means of any advertising or marketing material which is directed at an individual.

Rights in relation to automated decision making

36.-

(1) A data subject may, through the procedures prescribed in the regulations, require the data controller to ensure that any decision taken by or on behalf of the data controller which significantly affects the data subject shall not be based solely on the processing by automatic means.

(2) Without prejudice to subsection (1), where a decision which significantly affects a data subject is based solely on automated processing-

(a) the data controller shall, as soon as practicable, notify the data subject that the decision was taken on that basis; and

(b) the data subject may require the data controller to reconsider the decision.

(3) This section shall not apply if the decision is-

(a) necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) authorised by any written law; or

(c) based on the data subject’s explicit consent.

Right to compensation

37.-

(1) A data subject who suffers damage by reason of any contravention of any of the requirements of this Act by a data controller or data processor shall be entitled to compensation from the data controller or data processor for that damage.

(2) The data subject whose rights have been infringed by reason of any contravention of any of the requirements of this Act shall be entitled to compensation from the data controller or data processor, if-

(a) the complainant is the affected data subject or a representative of a data subject where the data subject is a child or a person of unsound mind;

(b) the data subject’s rights have been infringed by reason of the contravention; and

(c) the damage relates to the processing of personal data in contravention of the provisions of this Act.

(3) Where the Commission is satisfied on the application of a data subject-

(a) that he has suffered damage by reason of contravention of any of the requirements of this Act by a data controller or data processor in respect of any personal data, in circumstances entitling him to compensation under this section; and

(b) that there is a substantial risk of further contravention in respect of the personal data in such circumstances,

the Commission may order the rectification, blocking, erasure or destruction of any of the personal data.

(4) The Commission may, where it makes an order under subsection (3), and where it considers it reasonable, order the data controller or data processor to notify third parties to whom the personal data have been disclosed of the rectification, blocking, erasure or destruction.

(5) In determining whether it is reasonably practicable to require the notification in subsection (4), the Commission shall have regard, in particular, to the number of persons who need to be notified.

Rectification, blocking, erasure and destruction of personal data

38.-

(1) Where the Commission is satisfied on the application of a data subject that his personal data is inaccurate, the Commission may order the data controller or data processor to rectify, block, erase, or destroy the personal data.

(2) Subsection (1) shall apply whether or not the personal data is an accurate record of information received or obtained by the data controller from the data subject or a third party.

(3) Where the personal data is not an accurate record of the information, the Commission may direct the data controller or processor to correct the personal data as it considers appropriate.

(4) Where the personal data complained of has been rectified, blocked, updated, erased or destroyed under this section, the data controller or data processor shall be required to notify third parties to whom the personal data has been previously disclosed of the rectification, blocking, updating, erasure or destruction.

PART VII. INVESTIGATION OF COMPLAINTS

Complaints against violation of personal data protection principles

39.-

(1) Any person who considers that a data controller or data processor has infringed personal data protection principles may file a complaint to the Commission.

(2) Where the Commission is satisfied that there are reasonable grounds to investigate a matter under this Act, the Commission may initiate an investigation in respect thereof.

(3) A complaint made under this section shall be investigated and concluded within ninety days from the date of receipt.

(4) The Commission may, taking into account the circumstances of the complaint, extend the time provided under subsection (3) up to a period not exceeding ninety days.

Notice of investigation

40. Before commencing an investigation of a complaint under this Act, the Commission shall, in a form prescribed in the regulations, notify the data controller or data processor concerned of the substance of the complaint and intention to carry out the investigation.

Investigation confidentiality

41.-

(1) Investigation of a complaint under this Act shall be conducted confidentially.

(2) The Director General or any person acting on his behalf who receives personal data relating to any investigation under this Act or any other written law shall satisfy any security requirements by taking any oath of secrecy required to be taken by persons undertaking tasks of a similar nature.

Powers of Commission in carrying out investigations

42.-

(1) In the course of carrying out investigation of any complaint, the Commission shall have power to-

(a) summon a person before the Commission;

(b) receive and accept such evidence and other information, whether on oath or by affidavit or otherwise;

(c) enter any premises occupied by any data controller or data processor for satisfying security requirements of the premises;

(d) interrogate any person or take any device with personal data in any premises entered pursuant to paragraph (c); and

(e) examine or obtain copies of, or extracts from, books, documents or other records found in any premises entered pursuant to paragraph (c) containing any matter relevant to the investigation.

(2) In the course of an investigation of a complaint under this section, the complainant and the data controller or data processor concerned may be given an opportunity to make representations to the Commission.

(3) Notwithstanding any other written law, the Commission may examine any personal data recorded in any form held by a data controller or data processor and in doing so, no personal data shall be withheld from the Commission.

(4) Any document or articles produced pursuant to this section by data controller or data processor or any person shall be returned by the Commission within ten working days after a request is made to the Commission by the data controller or data processor or that person, but nothing in this subsection precludes the Commission from again requiring its production in accordance with this section.

Obstruction of Commission

43. A person who, in relation to the exercise of a power conferred by this Act-

(a) obstructs or impedes the Commission in the exercise of its powers;

(b) fails to provide assistance or information requested by the Commission;

(c) refuses to allow the Commission to enter any premises or to take any document or device with personal data; or

(d) gives to the Commission any information which is false or misleading; commits an offence and shall be liable on conviction to a fine of not less than one hundred thousand shillings but not exceeding five million shillings or imprisonment to a term of not more than two years, or both.

Seeking assistance of any person or authority

44.-

(1) For the purpose of gathering information or for any investigation under this Act, the Commission may cooperate with or use any person or other authority as it considers necessary to assist the Commission in the discharge of its functions.

(2) The person or another authority that will be involved or used by the Commission under subsection (1) shall have the same power as that of the Commission in exercising investigation powers under this Act.

Enforcement notice

45.-

(1) Where the Commission is satisfied that a person has failed to comply with any provision of this Act, the Commission may serve an enforcement notice on that person requiring such person to rectify the failure within such period as may be specified in the notice.

(2) An enforcement notice served under subsection (1) shall-

(a) specify the provision of this Act which has been contravened;

(b) specify the measures to be taken to remedy or eliminate the situation that leads to such contravention;

(c) specify a period that shall not be less than twenty-one days within which such measures shall be implemented; and

(d) state any right to appeal.

Notice of penalty

46.-

(1) Where the Commission is satisfied that a person has failed or is failing to comply with the enforcement notice issued under section 45, the Commission may issue a penalty notice requiring the person to pay a fine to the Commission of an amount specified in the notice.

(2) In deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commission shall, so far as relevant, have regard to-

(a) the nature, gravity and duration of the failure;

(b) the intentional or negligent character of the failure;

(c) any action taken by the data controller or data processor to mitigate the damage suffered by data subjects including technical and organisational measures;

(d) any relevant previous failures by the data controller or data processor;

(e) the degree of co-operation with the Commission, in order to remedy the failure and mitigate the possible adverse effects of the failure;

(f) the categories of personal data affected by the failure;

(g) the manner in which the failure became known to the Commission, including whether the data controller or data processor notified the Commission of the failure;

(h) the extent to which the data controller or data processor has complied with previous enforcement notices or penalty notices;

(i) adherence to codes of ethics or terms and conditions of registration;

(j) whether the penalty would be effective; and

(k) any other aggravating or mitigating factor applicable to the case, including financial benefits gained, or losses suffered, as a result of the failure, whether directly or indirectly.

Administrative fines

47. The maximum amount of the penalty that may be imposed by the Commission in a penalty notice in relation to contravention of provisions of this Act is one hundred million shillings.

Review of decision

48.-

(1) The Commission may, upon application or on its own motion, review its decision or direction given in accordance with the provisions of this Part.

(2) After review of the decision under subsection (1), the Commission may reverse, alter or revoke its decision or direction previously issued.

Right of appeal

49. A person who is aggrieved with the administrative action taken by the Commission, including the directions given in the enforcement notice or penalty imposed in the penalty notice, may appeal to the High Court.

Payment of compensation

50.-

(1) Subject to the provisions of section 37, the Commission may, in addition to any penalty given under this Act, order a data controller or data processor who causes damages to the data subject following contraventions of any provisions of this Act to pay compensation to the data subject.

(2) Subject to subsection (1)-

(a) a data controller involved in processing of personal data shall be liable for damage caused by the processing; and

(b) a data processor involved in processing of personal data shall be liable for damage caused by the processing if the processor-

(i) has not complied with an obligation under the Act specifically directed to data processors; or

(ii) has acted contrary to the data controller’s lawful instructions.

(3) A data controller or data processor shall not be liable in the manner specified in subsection (2) if the data controller or data processor proves that he is not in any way responsible for the event which caused the damage.

(4) In this section, “damage” includes financial loss and damage not involving financial loss.

PART VIII. FINANCIAL PROVISIONS

Sources of funds of Commission

51. The funds of the Commission shall consist of-

(a) such sums of moneys as may be appropriated by the Parliament;

(b) money accruing from services, consultancy or other payments;

(c) money received from donations, gifts or subsidies;

(d) loans; and

(e) such other income as derived from performance of functions under this Act.

Financial management

52. The funds of the Commission shall be managed and administered by the Board in accordance with financial laws and shall be utilised to defray expenses in connection with performance of functions of the Commission under this Act.

Estimates of income and expenditure and financial control

53.-

(1) The Director General shall, not less than three months before the end of each financial year, prepare and submit to the Board for approval the Budget that includes the estimates of income and expenditure for the next financial year.

(2) Subject to the provision of subsection (1), the Commission shall submit a copy of the budget to the Minister for approval.

(3) The Minister may require the Commission to revise the budget if in his opinion the budget does not represent a fair and reasonable projection of income and expenditure.

Expenditure of funds

54. An expenditure shall not be incurred from the funds of Commission unless that expenditure is part of the expenditure approved by the Board under section 53(1) in respect of the financial year to which the expenditure relates.

Supplementary budget

55.-

(1) The Board may, at any time before the end of the current financial year, prepare and submit to the Minister for approval any estimates supplementary to the estimates of the current year.

(2) Without prejudice to subsection (1), the Director General may, where exigencies occur in relation to the performance of the functions of the Commission, incur expenditure not approved by the Board in which case the Director General shall, within three months following such expenditure, seek approval of the Board.

Accounts and audit

56.-

(1) The Commission shall keep books of account and maintain proper records of its operations in accordance with accounting standards.

(2) The Commission shall, within six months after the end of each financial year, prepare a report on the performance of its functions during that financial year, and one copy of such report together with a copy of the audited accounts shall be submitted to the Minister.

(3) The accounts of the Commission shall be audited by the Controller and Auditor General or such other person registered as an auditor under the Auditors and Accountants (Registration) Act (Cap. 286), appointed by the Controller and Auditor General for that purpose.

Annual reports and performance agreements

57.-

(1) The Director General shall, within two months after he has received audited accounts and auditor’s report on those accounts, submit to the Minister an annual report in respect of that year containing-

(a) a copy of the audited accounts of the Commission, together with the auditor’s report on those accounts;

(b) a report on performance against key targets and any other related information;

(c) a report on operations of the Commission during that financial year; and

(d) such other report as the Minister may require.

(2) The Minister shall lay before the National Assembly a copy of the annual report of the Commission within two months or at the next meeting of the National Assembly.

PART IX. MISCELLANEOUS PROVISIONS

Exceptions from application of provisions of this Act

58.-

(1) Nothing under this section shall exempt the data controller or the data processor from the responsibility of complying with the principles of the law in collection and processing of personal data and taking necessary measures to ensure protection and security of the personal data.

(2) Without prejudice to subsection (1), processing of personal data may be exempted from the provisions of this Act if such processing is held-

(a) by the data subject for his personal use;

(b) in accordance with any law or court order;

(c) for purpose of safeguarding national safety and security and public interest;

(d) for the purpose of preventing or detecting crimes;

(e) for the purpose of detecting or preventing tax evasion;

(f) for the purpose of investigation of misappropriation of public funds;

(g) for purposes of vetting for appointment to any public service position.

(3) The Minister may prescribe other instances in which the provisions of this Act may be exempted and other provisions regarding implementation of this section.

Preservation order

59.-

(1) The Commission may apply to a court for a preservation order for the expeditious preservation of any personal data including traffic personal data, where there is reasonable ground to believe that the personal data is vulnerable to loss or modification.

(2) Where the court is satisfied under subsection (1), that an order may be made under this subsection, it shall issue a preservation order specifying a period which shall not be more than ninety days during which the order shall remain in force.

(3) The court may, on application by the Commission, extend the period specified in subsection (2) for such time as the court thinks fit.

Offences of unlawful disclosure of personal data

60.-

(1) A data controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purpose for which such personal data has been collected commits an offence.

(2) A data processor who, without lawful excuse, discloses personal data processed by the data processor without the prior authority of the data controller commits an offence.

(3) Subject to subsection (4), a person who-

(a) obtains personal data, or obtains any information constituting personal data, without prior authority of the data controller or data processor by whom the personal data is kept; or

(b) discloses personal data to a third party, commits an offence.

(4) A person who offers for sale personal data of another person obtained in breach of subsection (1) commits an offence.

(5) For the purposes of subsection (4), an advertisement indicating that personal data is or may be for sale, constitutes an offer for sale of the personal data.

(6) A person who commits an offence under this section shall, upon conviction, be liable to-

(a) in the case of an individual, a fine of not less than one hundred thousand shillings but not exceeding twenty million shillings or to imprisonment for a term not exceeding ten years or both; and

(b) in the case of a company or corporation, a fine of not less than one million shillings but not exceeding five billion shillings.

Offences of unlawful destruction, deletion, concealment or alteration of personal data

61. A person who unlawfully destroys, deletes, misleads, conceals or alters personal data commits an offence and shall, upon conviction, be liable to a fine of not less than one hundred thousand shillings but not exceeding ten million shillings or to imprisonment for a term not exceeding five years or both.

Offences by company or corporation

62. Where an offence under this Act is committed by a company or corporation, the company or corporation and every officer of the company or corporation who knowingly and willfully authorises or permits the contravention shall be liable for the offence.

General penalty

63.-

(1) Any person who contravenes a provision under this Act commits an offence and where no penalty is specifically provided, shall, upon conviction, be liable to a fine of not less than one hundred thousand shillings but not exceeding five million shillings or imprisonment for a term not exceeding five years or to both.

(2) After conviction of a person for any offence under this Act, the court may order for forfeiture of the devices containing the personal data connected with the commission of an offence.

Regulations

64.-

(1) The Minister may make regulations for giving effect to the provisions of this Act.

(2) Notwithstanding the generality of subsection (1), regulations made under this section may prescribe-

(a) instances which may be exempted from the provisions of this Act;

(b) registration procedures under this Act;

(c) functions of the data protection officer in relation to personal data protection;

(d) functions of the data controller’s representative when collecting and processing personal data on behalf of the data controller;

(e) procedures of enforcing rights under this Act;

(f) procedures for submission of complaints under this Act;

(g) conditions for processing sensitive personal data;

(h) appropriate standards relating to security of information to be met by data controllers;

(i) various fees to be imposed in respect of implementation of the provisions of this Act;

(j) procedures for retention and disposal of personal data held by data controllers;

(k) categories of processing and cases in which transborder data flow may not be allowed;

(l) anything which is necessary or proper for the better carrying out of the provisions of this Act.

Code of ethics for personal data protection

65.-

(1) Every data controller shall draw and put in place a code of ethics or policy for personal data protection which shall prescribe for ethics and conduct to be complied with during collection or processing of personal data.

(2) Such codes or policies shall be submitted to the Commission for consideration and approval.

(3) In considering the codes of ethics or policies, the Commission shall ascertain, among other things, whether the drafts submitted to it have complied with the provisions of this Act and the relevant sector and where it considers necessary, seek the views of data subjects or their representatives and consult with the data controller concerned for the purposes of undertaking necessary amendments prior to the approval.

SCHEDULE

(Made under section 8(6))

PROCEEDINGS OF THE BOARD

Tenure of appointment of members

1.-

(1) The tenure of members of the Board shall be as follows:

(a) a Chairman and Vice-Chairman – four years; and

(b) other members – three years.

(2) Each member shall be eligible for reappointment for one further term and thereafter shall not be eligible for reappointment.

(3) Any member may at any time resign by giving notice in writing to the appointing authority and from the date specified in the notice or if no date is so specified, from the date of receipt of the notice by the appointing authority, he shall cease to be a member.

Cessation of members

2. A member of the Board may at any time cease from his office for the following reasons:

(a) inability to perform the functions of his office arising from infirmity of body or mind;

(b) misbehaviour or misconduct in a manner which brings or is likely to bring the Board into disrepute;

(c) absence from three consecutive meetings of the Board without notification;

(d) resigning; and

(e) death.

Absence from meetings of Board

3.-

(1) Where any member absents himself from three consecutive meetings of the Board without notification, the Board shall advise the appointing authority of the fact and the appointing authority may terminate the appointment of the member and appoint another member in his place.

(2) Where any member is by reason of illness, infirmity or absence from the United Republic unable to attend any meeting of the Board, the Minister may appoint a temporary member in his place and any such temporary member shall cease to hold office on the resumption of office of the substantive member.

Proceeding not to be invalid by reason of irregularity

4. The proceedings of the Board shall not be invalid by reason only of any defect in the appointment of any member or of the fact that any member was at the time disqualified or disentitled as such.

Meetings of Board

5.-

(1) The Board shall meet on a quarterly basis at such times and places as it deems necessary for the transaction of its business.

(2) The Chairman or, in his absence, the Vice-Chairman, may convene a special or extraordinary meeting of the Board.

(3) An ordinary meeting of the Board shall be convened by the Chairman and the notice specifying the place, date and time of the meeting shall be sent to each member not less than ten days before the date of the meeting and where the Chairman is unable to act by reason of illness or other cause or is absent from the United Republic, the Vice-Chairman may convene the meeting.

(4) The Board may act notwithstanding any vacancy in its membership.

Conflict of interest

6.-

(1) Where at any time a member of the Board has a conflict of interest in relation to-

(a) any matter before the Board for consideration or determination;

(b) any matter the Board could reasonably expect might come before it for consideration or determination, the member shall immediately disclose the conflict of interest to the other members of the Board and refrain from taking part, or taking any further part, in the consideration or determination of the matter.

(2) Where the Board becomes aware that a member has a conflict of interest in relation to any matter which is before the Board, it shall direct the member to refrain from taking part, or taking any further part, in the consideration or determination of the matter.

(3) A member of the Board shall be considered to have breached the provision of subparagraph (1) if-

(a) he fails without reasonable cause to make declarations of his interests as required; or

(b) he knowingly makes a declaration which is false or misleading in material particulars thereby affecting the decision, and that person commits an offence and shall be required to resign from office.

Invitation of expert

7. The Board may invite any person who is not a member to participate in the deliberations of the Board and provide expertise as the Board may require, but such person shall not be entitled to vote.

Quorum

8. The quorum at any meeting of the Board shall be more than half of the members in the Board.

Minutes of meetings

9. Minutes of each meeting of the Board shall be kept and shall be confirmed by the Board at its next meeting.

Decision of Board

10. Decisions of the Board shall be decided by a majority of the votes of the members present and in the event of equality of the votes the Chairman shall have a casting vote.

Board to regulate its own proceedings

11. Subject to the provisions of this Act, the Board shall regulate its own proceedings in relation to its meetings and discharge of its duties.

Remuneration of members

12. The members of the Board shall be paid such fees and allowances as may be determined by the relevant authority.