1. Legal Framework
The Personal Data Protection Act, 2022 (PDPA) was enacted by the Parliament of the United Republic of Tanzania on 27 November 2022 to establish minimum requirements for data protection and to safeguard the fundamental right to privacy guaranteed under Article 16 of the Constitution of the United Republic of Tanzania. The PDPA is administered by the Personal Data Protection Commission (PDPC), headquartered in Dodoma.
This statement should be read together with our Privacy Policy and Terms of Service.
2. Data Controller & Processor Details
| Item | Detail |
|---|---|
| Registered Name | ESN Microcredit Ltd. |
| Role | Data Controller & Data Processor |
| Registered Office | Dar es Salaam, United Republic of Tanzania |
| DPO Contact | dpo@esnmicrocredit.com |
| PDPC Registration | Registered — Certificate available on request |
3. Data Protection Officer (DPO)
In compliance with Section 38 of the PDPA, ESN has appointed a Data Protection Officer responsible for:
- Monitoring internal compliance with the PDPA and PDPC directives.
- Serving as the primary point of contact between ESN and the PDPC.
- Advising on Data Protection Impact Assessments (DPIAs).
- Handling data-subject access requests and complaints.
- Conducting staff training on data protection obligations.
Contact the DPO: dpo@esnmicrocredit.com
4. Lawful Basis for Processing
Under Section 11 of the PDPA, personal data may only be processed where at least one lawful basis applies. ESN relies on the following bases:
Consent (Section 11(a))
You have given clear, informed, and voluntary consent for us to process your personal data for one or more specified purposes, such as marketing communications.
Performance of a Contract (Section 11(b))
Processing is necessary to enter into or perform a loan agreement, account registration, or any other contractual obligation between you and ESN.
Legal Obligation (Section 11(c))
Processing is required to comply with Tanzanian law, including the Banking and Financial Institutions Act, Anti-Money Laundering Act, and Tax Administration Act.
Vital Interest (Section 11(d))
Processing is necessary to protect the vital interests of a data subject or another person, for example in emergencies.
Public Interest (Section 11(e))
Processing is carried out in the public interest or in the exercise of official authority.
Legitimate Interest (Section 11(f))
Processing is necessary for legitimate interests pursued by ESN (e.g., fraud prevention, platform security, analytics), provided such interests are not overridden by your fundamental rights.
5. Categories of Personal Data Processed
- Identification data: full name, date of birth, gender, National ID (NIDA) number, passport number, TIN.
- Contact data: email address, mobile phone number, physical address.
- Financial data: bank account details, mobile-money (M-Pesa / Tigo Pesa / Airtel Money) identifiers, loan history, repayment records, credit scores.
- Technical data: IP address, device type, browser information, cookies, access logs.
- Geolocation data: approximate location derived from IP; precise GPS only with explicit consent.
- Biometric data (where applicable): fingerprint or facial recognition used solely for identity verification under Section 18 of the PDPA.
6. Sensitive Personal Data
Section 18 of the PDPA defines sensitive personal data to include data revealing racial or ethnic origin, political opinions, religious beliefs, health status, biometric data, and genetic data. ESN does not routinely collect sensitive personal data. Where it is necessary (e.g., biometric identity verification), we obtain your explicit consent and apply enhanced safeguards including encryption at rest and strict access controls.
7. Data Subject Rights
Under Part IV of the PDPA, you are entitled to the following rights in relation to your personal data:
- Right of Access (Section 20): Request confirmation of whether we process your data and obtain a copy of it.
- Right to Rectification (Section 21): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Section 22): Request deletion of your personal data where it is no longer necessary, consent is withdrawn, or processing is unlawful — subject to legal retention obligations.
- Right to Restriction (Section 23): Request that we limit the processing of your data in certain circumstances.
- Right to Data Portability (Section 24): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to Object (Section 25): Object to processing based on legitimate interest or public interest, including profiling and direct marketing.
- Right Not to be Subject to Automated Decisions (Section 26): Not be subject to decisions based solely on automated processing, including profiling, that produce legal effects, unless authorised by law or based on explicit consent.
8. Consent & Withdrawal
Where processing is based on consent, ESN ensures that consent is:
- Freely given — without coercion or undue influence.
- Specific — relating to a defined purpose.
- Informed — you are told exactly what data is collected and why.
- Unambiguous — given through a clear affirmative action.
You may withdraw consent at any time by contacting the DPO or using the preference settings in your account dashboard. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
9. Cross-Border Data Transfers
Section 28 of the PDPA restricts the transfer of personal data outside Tanzania unless the receiving country provides an adequate level of data protection, or appropriate safeguards are in place. ESN may transfer data to cloud infrastructure providers located outside Tanzania. In such cases we ensure:
- Standard contractual clauses are in place with the data processor.
- The transfer has been authorised by the PDPC where required.
- Technical safeguards such as encryption in transit (TLS 1.3) and at rest (AES-256) are applied.
- Data minimisation principles are strictly observed.
10. Data Protection Impact Assessments (DPIAs)
In line with Section 33 of the PDPA, ESN conducts DPIAs before introducing any new processing activity that is likely to result in a high risk to data subjects’ rights and freedoms. This includes:
- Large-scale processing of financial data for credit scoring.
- Systematic monitoring of borrower repayment behaviour.
- Use of automated decision-making in loan approval processes.
- Introduction of new biometric verification technologies.
DPIA reports are made available to the PDPC upon request.
11. Data Breach Notification
Under Section 35 of the PDPA, ESN is obligated to notify the PDPC of any personal data breach within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify affected data subjects without undue delay.
Our breach response includes:
- Immediate containment and investigation by the security team.
- Assessment of scope, severity, and affected individuals.
- Notification to the PDPC with all details required under the PDPA.
- Direct notification to affected data subjects where required.
- Remediation measures and post-incident review.
12. Data Retention
Personal data is retained only for as long as necessary to fulfil the purpose for which it was collected, or as required by law. Key retention periods include:
| Data Category | Retention Period |
|---|---|
| KYC / identity documents | 7 years after account closure (AML Act) |
| Loan agreements & transaction records | 7 years after contract completion |
| Communication records | 3 years |
| Marketing consent records | Until consent is withdrawn + 1 year |
| Technical logs (IP, access) | 12 months |
| DPIA records | 5 years from completion |
After expiry of the retention period, data is securely deleted or irreversibly anonymised.
13. Technical & Organisational Safeguards
In compliance with Section 31 of the PDPA, ESN implements appropriate measures to ensure a level of security appropriate to the risk, including:
- Encryption of all data in transit (TLS 1.3) and at rest (AES-256).
- Multi-factor authentication (MFA) for all staff accounts and administrative access.
- Role-based access controls (RBAC) — data is only accessible to authorised personnel on a need-to-know basis.
- Regular penetration testing and vulnerability assessments.
- Automated audit trails and real-time intrusion detection.
- Mandatory annual data-protection training for all employees and contractors.
- Physical security controls at data centres (access badges, CCTV, 24/7 monitoring).
14. Processing of Children’s Data
ESN’s services are intended for individuals aged 18 years and above. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly and notify the PDPC where required under Section 19 of the PDPA.
15. Automated Decision-Making & Profiling
ESN uses automated credit-scoring models to assess loan eligibility. In accordance with Section 26 of the PDPA:
- You are informed when automated decisions affect you.
- You have the right to request human intervention or review.
- You may challenge the outcome and express your point of view.
- We regularly audit our models for bias and accuracy.
16. Third-Party Data Processors
Where ESN engages third-party processors (e.g., cloud providers, payment gateways, SMS providers), we ensure:
- A written data-processing agreement (DPA) is in place per Section 29 of the PDPA.
- Processors implement equivalent security measures.
- Sub-processors are approved and documented.
- Regular compliance audits are conducted.
17. Complaints & PDPC Contact
If you believe ESN has not handled your personal data in accordance with the PDPA, you may:
- Contact our DPO at dpo@esnmicrocredit.com.
- Lodge a complaint directly with the Personal Data Protection Commission:
Personal Data Protection Commission (PDPC)
P.O. Box 1105, 1 Moshi Street, Viwandani
41102 Dodoma, Tanzania
Email: helpdesk@pdpc.go.tz
Phone: +255 753 459 155 / +255 718 462 536
Website: www.pdpc.go.tz
Online Complaints: dataprotection.pdpc.go.tz
18. Penalties for Non-Compliance
The PDPA establishes significant penalties for violations, including fines and imprisonment. ESN takes these obligations seriously and maintains a continuous compliance programme, internal audits, and DPO oversight to ensure full adherence.
19. Updates to This Statement
We review this Data Protection Statement at least annually or whenever there are material changes to our processing activities or the regulatory environment. Changes will be published on this page with an updated revision date. Where changes are significant, we will notify registered users by email.