The Personal Data Protection (Complaints Settlement Procedures) Regulations, 2023.

By Sunday Ndamugoba and Lubaina Hassanali

The Personal Data Protection (Complaints Settlement Procedures) Regulations, 2023. outline the process for filing and resolving complaints related to violations of personal data protection principles in Mainland Tanzania and Tanzania Zanzibar. The summary of the procedures is as follows:

 Filing of complaint:

Individuals that believe there is a violation of personal data protection principles or is dissatisfied with a decision made by the data controller or data processor can submit a complaint to the Commission established by the Personal Data Protection Act 2023. The complaint can be submitted orally or in writing using a provided form but can only be submitted in Kiswahili or English.  The Commission evaluates the complaint to determine its validity and compliance with the Act and regulations. If the complaint meets the requirements, the Commission serves a summons to the respondent within seven days. However, If the complaint is rejected for having not met the requirements, the Commission informs the complainant with reasons for the rejection in writing within seven days. Following the summon, the respondent has twenty-one days to present a defense, and failure to do so may result in a hearing proceeding without their participation.

Investigation and mediation process:

Proceeding with the complaint, the Commission attempts to resolve the complaint amicably within thirty days from the date of filing. A designated officer is assigned and acts as a mediator between the parties. If a settlement is reached during mediation, it is reduced to writing and signed by the parties. The mediator submits a copy to the Commission, and it is considered an award. On the other hand, if an amicable settlement cannot be reached within the provided time, the mediator refers the complaint to the Commission for a hearing. Parties are notified within seven days that the complaint has been referred for a hearing. The hearing is composed of a Complaints Hearing Committee which consists of three individuals with expertise in law, personal data protection, and ICT. Parties may appear in person, represented by an advocate or authorized representative given that they provide proof of authorization. The complaint is successful if the Commission determines non-compliance with the Act or regulations, and an enforcement notice may be issued, requiring rectification within seven days. Failure to comply can lead to a penalty notice.

 Application for review

For parties dissatisfied with the outcome of the hearing, there is scope for review. Following the Commission’s award, the dissatisfied party may apply for review within twenty-one days. Hereinafter, the Commission reviews the application within fourteen days and may alter, revoke, or reverse any direction in the award. Additionally, if still unsatisfied, parties may appeal to the high court within twenty-one days from the date of delivery of the award.

Conclusion

The Personal Data Protection Act and its corresponding regulations: Personal Data Collection and Processing and Complaints Settlement Procedure aim to meet international standards of data protection. It initiates a fair system that allows businesses to be held accountable in circumstances of breach and encourage businesses to adopt data processes that have minimal risk.

Download there The Personal Data Protection (Complaints Settlement Procedures) Regulations, 2023.Subsidiary legislation (The Personal Data Protection (Complaints Settlement Procedures) Regulations, 2023.)