Data subject rights: Taking control of your personal data in everyday life
DAR ES SALAAM: IN our daily lives, whether sending money, registering a SIM card, browsing online, or signing up for a service, we share pieces of ourselves almost instinctively.
Yet, very few of us pause to ask a simple but important question: what rights do I actually have over my personal data?
This week’s column brings that question closer to home. It is not about theory or legal jargon. It is about practical awareness, grounded in real experiences and guided by the Personal Data Protection Act, Cap. 44.
The law does not treat personal data as something to be owned like property, but it gives every individual clear, enforceable rights over how their personal information is collected, used and shared. I recall a session in Njombe with members of the business community. It was one of those honest engagements where people speak from lived experience.
A woman stood up and asked, calmly but firmly: “I keep receiving promotional messages from a service I barely remember signing up for. Can I tell them to stop using my personal data?”
There was a brief silence. Then I responded: Yes, you can. What followed was more than relief. It was a shift in understanding across the room.
Because in that moment, many realised something they had never fully considered: they have rights and those rights can be exercised.
At the heart of the law is a simple idea, individuals must have control over how their personal data is handled. That control begins with the right to be informed.
No organisation should collect your personal data without explaining what is being collected, why it is needed and how it will be used.
information must be provided clearly, at the point of collection, not hidden in complex or inaccessible terms. Take a familiar example. You download a mobile loan application and before completing registration, it requests access to your contacts, messages and location.
A reasonable question follows: why is all this data necessary? If that purpose is not clearly explained, then your right to be informed is not being properly respected. Transparency is not a favour from institutions; it is a legal requirement. Another important right is the right of access.
This allows you to ask an organisation what personal data they hold about you and how it is being used. For instance, a long-time mobile banking user can formally request their bank to provide details of the personal data held in their systems.
A telecom subscriber who suspects their data may have been shared can also seek clarity.
These right removes uncertainty and replaces it with visibility. Closely linked to this is the right to rectification.
Personal data must be accurate and up to date. Where errors occur, individuals have the right to request correction.
I once encountered a case where a minor spelling error in a person’s name affected multiple services, from financial verification to employment processing.
Such situations are not just inconveniences; they have real consequences.
The law recognises this and provides a clear path for correction. The law also provides for the right to erasure, but within defined limits.
A person may request deletion of their personal data where there is no longer a valid or lawful reason for it to be retained. However, this right is not absolute.
ALSO READ: Public sector responsibility in protecting personal data
Certain institutions are required by law to keep records for specific periods.
For example, financial institutions must retain transaction records for regulatory and compliance purposes. In such cases, the obligation to retain data overrides a request for deletion.
This reflects a necessary balance between individual privacy and legal obligations. Equally practical is the right to object to processing, particularly in relation to direct marketing.
Returning to the Njombe example, the woman receiving persistent promotional messages has the right to object to that use of her personal data.
Once such an objection is raised, the organisation is required to stop that specific form of processing unless there is a lawful basis to continue.
This gives individuals a meaningful way to push back against unwanted use of their information. There is also the right to restrict processing, which is less commonly discussed but equally important.
This allows a person to temporarily limit how their data is used, for example, while disputing its accuracy or raising concerns about how it is being processed. It ensures that questionable data is not actively used until the issue is resolved. Importantly, the law does not leave individuals without recourse.
There is a clear right to lodge a complaint with the Personal Data Protection Commission. Where a person believes their data has been misused, whether through unauthorised sharing, excessive collection, or failure by an organisation to respond to a request, they can escalate the matter.
The Commission has the mandate to receive complaints, investigate and take appropriate action.
This is what transforms rights from theory into practice. Across different regions, I have seen a consistent pattern. At first, people are surprised to learn that these rights exist. Then they begin to ask questions.
And eventually, they start to act. In Mwanza, a trader once remarked after a session, “Kumbe tunaweza kuuliza maswali.”
That realisation matters. Because awareness changes behaviour. People begin to read before consenting. They question unusual requests. They challenge misuse. For institutions, this should not be seen as a threat. It is an opportunity. An informed public strengthens trust.
Organisations that respect personal data rights build credibility and position themselves as responsible actors in a growing digital economy. As Tanzania continues to advance digitally, the conversation must also mature. It is no longer enough to simply access digital services.
Citizens must engage with them with awareness and confidence, understanding not just how to use them, but also how their personal data is being handled. Because personal data is not just information stored in systems. It is linked to identity, dignity and individual autonomy.
The law provides the framework. But its real impact depends on whether people understand their rights and choose to exercise them. Faragha yako ni haki yako. Zifahamu haki zako, zitumie, na zilinde.
