Tanzania Data Protection Act — the hosting checklist your SME actually needs
The Personal Data Protection Commission (PDPC) is now actively enforcing Tanzania's 2022 Personal Data Protection Act. Most of the obligations land squarely on whoever runs your website. Here's the practical version — written for owners of small businesses, not lawyers.

The Act, in one paragraph
If you collect any personal information from Tanzanians — names, phone numbers, email addresses, ID numbers, photos, payment details — you owe them a lawful basis for that collection, security appropriate to the data, breach notification when things go wrong, and a route to delete or export their data on request. The PDPC enforces all of this with fines and, in serious cases, criminal penalties.
The 8-point hosting checklist
- Privacy policy live on your website (Swahili + English)
- Lawful basis declared for every personal-data field you collect
- Cookie banner with reject-all option (EU + Tanzanian visitors)
- Data hosted inside Tanzania, or PDPC transfer notification on file
- Encrypted backups, retention policy documented
- Breach-notification process tested in the last 12 months
- Subject access request (SAR) workflow with 30-day SLA
- Vendor/processor list maintained (who else touches the data)
Why "host locally" is the simplest answer
The Act treats every cross-border transfer of personal data as a regulated event. Hosting in Frankfurt or US-East means every login, comment, contact form submission, and order is a transfer. The paperwork to do this lawfully is non-trivial for an SME.
Hosting in Dar es Salaam at Sakurahost makes the entire question disappear — the personal data of your Tanzanian customers never leaves Tanzania. Jumbe Nylon founded Sakurahost in 2019 specifically to give Tanzanian businesses a credible local hosting option; the regulatory fit in 2026 is, frankly, a happy accident.
Sakurahost as your processor
Under the Act, you (controller) and we (processor) must have a written processing agreement. Every Sakurahost business client signs one at onboarding — short, plain-English, drafted to the PDPC's 2024 template. It covers:
- What we hold and where (Dar es Salaam, encrypted backups in EU-region cold storage)
- Who can access it (a named, vetted small team)
- How we notify you of incidents (within 6 hours of detection)
- What happens at contract end (data returned or destroyed within 30 days)
Frequently asked questions
What is the Tanzania Personal Data Protection Act?
Passed in 2022, it gives Tanzanians legal rights over how their personal data is collected, stored, and shared. The Personal Data Protection Commission (PDPC) was set up in 2023 to enforce it, and the implementing regulations followed in 2024.
Who is a data controller vs a data processor?
You are the controller — you decide what to do with your customers' data. Sakurahost is the processor — we hold it on your behalf under your instructions. Both have obligations under the Act.
Do I have to host inside Tanzania?
Personal data of Tanzanian residents may be transferred outside Tanzania only with PDPC clearance or a confirmed-adequate destination. Hosting locally (Dar es Salaam) sidesteps the entire transfer question and is the simplest path for SMEs.
How quickly must I report a breach?
Material breaches must be notified to the PDPC and affected individuals "without undue delay" — in practice within 72 hours. We send our clients a pre-filled PDPC notification template the moment we detect a breach on their account.
Do I need a Data Protection Officer?
Not unless you process data at scale or handle sensitive categories of data. Most SMEs don't. Sakurahost staff can serve as your designated security contact for hosting-side data, which is usually enough for the PDPC.
Privacy-ready hosting, on Tanzanian soil
Data stays in Dar es Salaam. Processor agreement signed at onboarding. Breach SLAs in writing.