The clock is ticking: April 8–9, 2026
On 9 April 2026, Tanzania’s data protection rules stop being “theory” and become a live enforcement threat for every bank, mobile network and internet provider in the country. Under the Personal Data Protection Act No. 11 of 2022 (PDPA), institutions that handle personal data and are not registered with the Personal Data Protection Commission (PDPC) by 8 April face investigations, fines of up to TZS 5 billion, and even jail terms for serious misconduct.
If your bank, ISP or mobile operator is not compliant, your money, your identity and your privacy are all being handled outside the law. This countdown is not just a regulatory story for lawyers – it directly affects how safely your salary, loan data, NIDA details and mobile money records are collected, stored, and shared every single day.
The law behind the deadline: no registration, no legal processing
The PDPA, in force since 1 May 2023, is Tanzania’s main data protection law, setting principles for how organisations collect, process, store and disclose personal data. It created the PDPC as an independent body to register data controllers and processors, investigate complaints, and enforce the law across both public and private sectors.
Part III of the Act makes registration with the PDPC a legal precondition for processing personal data – in simple terms, if an institution has not registered, it should not be handling your data at all. The Commission opened its registration system in 2024 and, after several extensions, the government has now set 8 April 2026 as the final, non‑negotiable deadline.
What actually changes on 9 April 2026?
Up to now, the PDPC has focused on awareness and voluntary compliance, giving institutions more than a year of grace periods to get ready. From 9 April 2026, that changes: the Commission has announced the start of nationwide compliance audits and “firm legal action” against any entity that collects or processes personal data without being registered or that continues unlawful practices.
Banks, insurance companies, mobile network operators, ISPs, payment providers, universities, hospitals, NGOs and many others will be on the audit list. If they are found unregistered or in serious breach, the PDPC can issue enforcement notices ordering them to stop certain processing activities and then move to penalties and, for serious offences, criminal prosecution.
The TZS 5 billion shock: fines and jail time
From April 9, 2026, the penalties stop being theoretical and start to bite. The PDPA provides that:
- Individuals who unlawfully disclose or sell personal data can be fined between TZS 100,000 and TZS 20 million or jailed for up to 10 years, or both.
- Companies and institutions – including banks, telcos and fintechs – can be fined between TZS 1 million and TZS 5 billion, depending on the gravity of the offence.
- Unlawful destruction, deletion, concealment or conversion of personal data attracts additional fines and potential imprisonment for responsible staff.
- Where a company commits an offence, officers who intentionally authorised or allowed it can be held personally liable alongside the institution.
This means that a bank executive who looks the other way while customer data is misused, sold or transferred without proper safeguards is now personally at risk – not just the institution.
No more hidden data harvesting
The era of silent data harvesting – where institutions profile you in the background and sell access to your attention – is ending in Tanzania. Part VI of the PDPA gives you enforceable rights as a “data subject”, and banks, mobile operators and ISPs must re‑design their systems and marketing around those rights.
Three rights matter most for ordinary customers:
- Right to know and access: You have the right to know that your data is being processed, to see what information is held about you, why it is being used, and with whom it is being shared. A bank or telco should be able to explain, in plain language, what data they keep on you and how it drives decisions such as credit scoring, fraud checks, or tariff offers.
- Right to block, erase or “be forgotten”: Where data is inaccurate, no longer needed, unlawfully processed, or used for unapproved commercial purposes, you can request rectification, blocking, erasure or destruction. The PDPC Regulations set formal procedures and timelines; controllers must respond within a set period and justify any refusal in writing, leaving their decision open to challenge before the Commission.
- Right to stop direct marketing and spam: The PDPA gives you an absolute right to demand that your data stop being processed for commercial advertising and direct marketing. That means you can legally opt out of those endless SMS blasts, unsolicited loan offers and cross‑selling based on your transaction history.
The cross‑border twist: diaspora data under the microscope
For Tanzanians in the UK, EU, USA and beyond, this law also reaches across borders. Sections 31 and 32 of the PDPA tightly regulate cross‑border data transfers, distinguishing between countries with “adequate” data protection and those without, and imposing conditions in both scenarios.
If your personal data moves from, say, a UK‑based app or bank into a Tanzanian bank or mobile money operator, the Tanzanian institution must:
- Assess whether the destination country’s laws are adequately protective.
- Ensure the transfer is necessary for a lawful purpose and does not harm your legitimate interests.
- Put safeguards in place (such as binding contracts) and, in many cases, obtain a permit from the PDPC before sending data across borders.
Are institutions really ready?
By late 2024, the PDPC reported that over 700 institutions had already registered – including many banks, insurers and large public bodies – but it also highlighted thousands more that still needed to come into the system. In January 2026, the Minister for Communication and Information Technology issued a final three‑month grace period and instructed the PDPC to prepare nationwide compliance audits.
PDPC briefings in March 2026 have repeated the message clearly: on 9 April 2026, the focus shifts from education to strict enforcement, with special attention on high‑risk, data‑heavy sectors like banking and telecoms.
What this means for your bank, ISP or mobile operator
For institutions, this is no longer a “nice‑to‑have” compliance project – it is a board‑level risk. Every bank, mobile operator, ISP, PSP, fintech, SACCOS and bureau that handles customer data must:
- Be registered as a data controller or processor with the PDPC.
- Map what data they collect (IDs, biometrics, transaction logs, locations, etc.) and why.
- Clean up consent and marketing practices to honour opt‑outs and stop unlawful profiling.
- Lock down security and access controls, including how staff and third parties see customer records.
Those that do not will face regulatory sanctions, public exposure, and a growing wave of consumer complaints and litigation once people realise the power of their new rights.
What this means for you and your family
As a customer, the April 2026 deadline finally gives you leverage. You can demand to know what data providers hold about you and why, opt out of direct marketing, and complain to the PDPC if your rights are ignored.
If you are part of the Tanzanian diaspora, you can question how your data is moved between countries and which safeguards are in place when using remittance apps or cross‑border wallets.

Call to action: is your provider compliant?
Is your bank, ISP or mobile operator ready for April 9 – or gambling with your privacy and their licence?
PamojaCompare is building a compliance‑first view of Tanzania’s financial landscape. Our goal is simple: to make it easy for you to see which institutions respect your data, your money and your rights.
PamojaCompare only features institutions that respect your privacy. Check our compliance‑verified list.


