Jaza Data & Privacy Policy
Last updated June 06 2025
Article 1 – Aim of the Data Protection Policy
Jaza acknowledges that information technology should be at the service of every citizen. Information technology development shall take place in the context of international co-operation. Information technology shall not violate human identity, human rights, privacy, or individual or public liberties.
Jaza is committed to international compliance with data protection laws. This Data Protection Policy applies worldwide to Jaza and is based on globally accepted, basic principles on data protection. It is designed to ensure compliance with applicable data protection laws and regulations in all countries where Jaza operates. Ensuring data protection is the foundation of trustworthy relationships and the reputation of Jaza as a credible organization.
The Data Protection Policy ensures the adequate level of data protection as prescribed by relevant legal frameworks, including in countries that do not yet have adequate data protection laws.
Jaza’s Data Protection Policy is meant to be a practical, easy-to-understand document to which all Jaza departments, stakeholders and partners can refer.
Article 2 – Scope of the Data Protection Policy
This Data Protection Policy applies to all entities of Jaza, including network and branch offices in all countries of operation.
- The policy applies to all Jaza staff and governance members.
- The provisions of this policy may also be applied to any person employed by an entity that carries out missions for Jaza.
- In particular, this policy applies to implementing partners, suppliers, sub-grantees, stakeholders and other associated entities.
Jaza’s Data Protection Policy applies to all personal data that Jaza holds relating to identifiable individuals, meaning any information relating to an identified or identifiable individual.
Article 3 – Jaza’s sets of data and definitions
Jaza’s Data Protection Policy applies to all sets of personal data, currently stored, maintained and handled by Jaza, and more specifically to the following identified sets of personal data:
Jaza’s Authorised Representative herein referred to means the Jaza CEO, or other appointed legal representative responsible for the enforcement and improvement of Jaza’s Data Protection Policy.
- Jaza’s personnel, including national and international staff,
- Jaza’s customers and users
- Jaza’s direct and indirect beneficiaries, including interviewees,
- Jaza’s individual shareholders,
- Jaza’s contractors, suppliers, consultants, implementing partners currently under contract with Jaza.
Personal data herein referred to, means any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. This includes, but is not limited to:
– Names of individuals
– Postal or living addresses
– Email addresses
– Telephone numbers
– Identity card and passport
– Date and place of birth
– Identification of relatives
– Fingerprints
– Business reference
– Geo-referencing
– Education, medical, criminal or employment history
Processing of personal data means any operation or set of operations in relation to such data, whatever the mechanism used, especially the obtaining, recording, organization, retention, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, deletion or destruction.
Data Controller means the entity that determines the purposes and means of processing personal data.
Data Processor means the entity that processes personal data on behalf of the Data Controller. Jaza may act as Data Controller or Data Processor depending on the context of data handling.
A Data Protection Officer (DPO) means an individual designated to oversee an organization’s data protection strategy and implementation.
Consent means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of Personal Data.
Recipient means a natural person, legal person, public body or any other person who receives Personal Data from the data controller who is Jaza.
Sensitive Personal Data includes:
- Genetic data related to children, data related to offences, financial transactions of the individual, security measure or biometric data.
- If they are processed for what they reveal, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation, trade union membership, gender and data concerning health or sex life.
- Any personal data otherwise considered under the laws of the country as presenting a major risk to the rights and interests of the data subject.
Article 4 – Application of National Laws and sources of authority
Jaza is headquartered in Canada and observes the laws of Canada including the Privacy Act, RSC 1985, c P-21 (“Privacy Act”). It also operates in more than 2 countries. Jaza Country Operations observe the laws of their country.
This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event that it conflicts with this Data Protection Policy, or it has stricter requirements than this Policy. The content of this Data Protection Policy must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed. Each entity of Jaza, including network and branch offices is responsible for compliance with this Data Protection Policy and the legal obligations.
At the same time, Jaza has rules and standards that seek to create a consistent approach and which, in some cases, may be stricter than national or local laws. This Policy must, therefore, be followed in addition to the relevant national and local laws on data protection.
In the event of conflicts between national legislation and the Data Protection Policy, Jaza will work with the relevant country offices to find a practical solution that meets the purpose of the Data Protection Policy.
Article 5 – Principles for Processing Personal Data
Jaza shall ensure that all personal data is processed in accordance with the following principles. These principles reflect internationally accepted data protection standards and incorporate the core principles found in applicable national laws, including the Personal Data Protection Act, 2022 of Tanzania, to ensure consistent application across Jaza’s global operations.
These principles apply to all personal data handled by Jaza, regardless of medium (electronic, paper, or other formats) and extend to all employees, contractors, partners, and service providers acting on behalf of Jaza.
1. Lawfulness, Fairness and Transparency
Jaza shall process personal data lawfully, fairly, and transparently to protect the rights and interests of data subjects.
Lawfulness:
- Each processing activity must be based on a lawful ground (e.g., consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interests).
- The lawful basis must be documented in Jaza’s record of processing activities and reviewed periodically to confirm continued applicability.
Fairness:
- Data collection and use must not involve deception, discrimination, or practices that could cause unjustified harm.
- Data subjects’ reasonable expectations shall be considered when introducing new processing purposes or technologies.
Transparency:
- Data subjects must be informed, before or at the time of collection, of the purposes, lawful basis, categories of recipients, retention periods, and their rights.
- This shall be communicated through privacy notices, consent forms, or contractual disclosures in clear, understandable language.
- Updates or significant changes in processing must be communicated promptly to affected data subjects.
2. Purpose Limitation
Jaza ensures that data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. For instance, data collected for one specific purpose (e.g., invoicing) will not be used for unrelated activities such as unsolicited marketing.
Any proposed new use of personal data must undergo review by the DPO to confirm compatibility with the original purpose, and the lawful basis for such processing must be documented.
Where further processing is required for compatible purposes such as statistical analysis, research, or public interest objectives, Jaza shall ensure that the data is anonymized or otherwise processed in accordance with applicable law and without identifying individuals unless additional consent or lawful authority is obtained.
3. Data Minimization
Jaza collects only the minimum amount of personal data necessary to fulfill the defined purpose. For instance, when processing job applications, only the data relevant to the role will be requested.
Departments shall regularly review data collection practices to ensure no excessive or irrelevant information is gathered. Where sensitive personal data is required, collection must be strictly justified, limited to what is necessary, and carried out in line with applicable legal requirements, including obtaining prior written consent where required.
4. Storage Limitation
Personal data will be retained only as long as necessary for the purposes for which it was collected and will be securely disposed of or deleted once no longer required. Destruction will be carried out in a manner that prevents data from being reconstructed. Jaza maintains a data retention schedule that defines retention timelines and secure disposal methods for different categories of personal data.
Retention periods shall be reviewed periodically to ensure ongoing necessity, taking into account legal, contractual, and operational requirements. Where retention is required for legal, archival, or historical purposes, such retention must be clearly justified and safeguarded to prevent unauthorized access or misuse. All staff must follow established retention and disposal procedures, and any deviations must be approved by the DPO and documented.
5. Accuracy
Personal data must be accurate, complete, and, where necessary, kept up to date. Reasonable steps shall be taken to verify the accuracy of data at the time of collection and throughout the data lifecycle. Jaza shall provide mechanisms for data subjects to request correction or updating of their personal data, and such requests must be addressed promptly. Inaccurate, incomplete, or misleading data must be rectified or deleted without undue delay, taking into account legal and operational requirements.
Periodic reviews of stored data shall be conducted to ensure continued accuracy and relevance.
6. Data Subject Rights
Personal data shall be processed in a manner that respects and facilitates the rights of data subjects. These rights include the right to be informed about why and how their data is used, the right of access to view their data, the right to rectification to correct inaccuracies, the right to erasure to have their data deleted in certain circumstances, the right to object to specific processing activities (such as direct marketing), the right to data portability to receive their data in a usable format, and the right to restrict processing to temporarily halt certain processing activities.
Mechanisms shall be in place for data subjects to exercise these rights easily and without undue delay. Requests shall be acknowledged and addressed promptly, and outcomes documented. Where a request cannot be fulfilled due to legal or regulatory requirements, the data subject shall be informed of the reason and any alternative remedies available.
7. Integrity and Confidentiality
Personal data must be treated as confidential and secured with suitable organizational and technical measures to prevent unauthorized access, unlawful processing or distribution, as well as accidental loss, modification, or destruction.
Security measures shall be proportionate to the sensitivity of the data, potential risks to individuals, and available technological and financial resources, and they shall be reviewed periodically. All staff must report suspected security incidents or breaches immediately in accordance with Jaza’s breach reporting procedures.
Third-party processors must implement equivalent safeguards and act only on instructions from Jaza, with compliance verified through contractual commitments and periodic monitoring.
In the event of a security breach, the DPO shall assess and report the incident in line with applicable legal and regulatory requirements.
8. Accountability
Jaza shall be responsible for, and able to demonstrate, compliance with all data protection principles.
- The DPO shall maintain records of processing activities, oversee compliance monitoring, and coordinate with regulators when required.
- Senior management shall review compliance reports periodically and ensure sufficient resources for ongoing data protection measures.
- Data protection obligations shall be incorporated into contracts, policies, and operational procedures across Jaza’s business units.
- Staff and partners shall receive regular training and are required to report suspected non-compliance or data breaches immediately.
- Compliance shall be demonstrated through documented policies, periodic audits, and risk assessments.
9. Cross-Border Transfers
Cross-border transfers of personal data shall comply with the requirements set out in Article 7 of this Policy, which outlines the conditions for transferring data outside Jaza, including the need for consent, regulatory authorization where required by law, and appropriate safeguards to ensure an equivalent level of protection.
Article 6 – Data Processing
1. Consent to Data Processing
Individual data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. For Sensitive Personal Data, explicit consent will be required. In certain exceptional circumstances, consent may be given verbally. Data subjects have the right to withdraw their consent at any time when processing is based on consent, without affecting the lawfulness of processing carried out before the withdrawal.
Jaza will maintain records of consent obtained, including the purpose and method of collection. Where personal data is processed based on another lawful basis (such as contractual obligation, legal obligation, or vital interests), the justification for such processing will be clearly documented and communicated to the data subject.
2. Data Processing Pursuant to Legitimate Interest
Personal data can also be processed if it is necessary to enforce a legitimate interest of Jaza. Legitimate interests are generally of a legal (such as filing, enforcing or defending against legal claims), audit or financial nature. Personal data may not be processed based on a legitimate interest if, in individual cases, there is evidence that the interests of the individual merit protection. Before data is processed, it must be determined whether there are interests that merit protection. Control measures that require processing of personal data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must also be examined. The justified interests of the organization in performing the control measure (e.g. compliance with legal provisions and internal rules of the organization) must be weighed against any interests meriting protection that the individual affected by the measure may have in its exclusion, and cannot be performed unless appropriate.
3. Telecommunications and Internet
Telephone equipment, e-mail addresses, intranet and internet along with internal social networks are provided by Jaza primarily for work-related assignments. They are a tool and an organizational resource. They can be used within the applicable legal regulations and internal Jaza communication policies. In the event of authorized use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable.
To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented for the connections to the network used by Jaza that block technically harmful content or that analyze the attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be blocked for a temporary period. Evaluations of this data from a specific person can be made only in a concrete, justified case of suspected violations of policies and/or procedures of Jaza. The evaluations can be conducted only by investigating departments while ensuring that the principle of proportionality is met. The relevant national laws must be observed in the same manner as the Jaza regulations.
4. Rights of the Data Subject
All individuals who are the subject of personal data held by Jaza are entitled:
- To request information about which personal data relating to him/her has been stored, how the data was collected, and for what intended purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected. If personal data is transmitted to third parties, individuals should be informed of such a possibility. If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
- To request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
- To object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
Article 7 – Transmission of Personal Data
Transmission of personal data to recipients outside or inside Jaza is subject to the authorisation requirements set out in this Policy and applicable laws. Transfers require the consent of the data subject and, where required by law, additional authorization or a permit from the Personal Data Protection Commission (the Commission). The data recipient must be required to use the data only for the defined purposes and maintain a level of protection equivalent to this Policy.
Cross-border transfers shall only occur where adequate protection is ensured and in full compliance with applicable legal requirements. Where local law mandates regulatory authorization, Jaza shall obtain this authorization before the transfer. Appropriate safeguards, such as contractual clauses or binding corporate rules, must be implemented where required to ensure equivalent protection.
Where national legislation requests, requires, or authorizes the processing or transfer of personal data, Jaza shall ensure that the processing is limited to what is necessary and complies with relevant statutory provisions. If legal flexibility exists, the interests of the data subject that merit protection must be taken into account.
Disclosures to law enforcement agencies without the consent of the data subject may be permitted only where there is a legal obligation to do so. In such cases, only Jaza’s Authorized Representative can authorize the disclosure in writing, ahead of the transfer. The Authorized Jaza Representative must confirm that the request is legitimate, necessary, proportionate, and does not pose a direct risk to Jaza.
Before approving the disclosure, the Authorized Jaza Representative will ensure that the recipient uses the data strictly for the defined purposes and has the capacity and willingness to comply with that obligation. Where necessary, the Authorized Jaza Representative will seek legal advice and consult Jaza’s Committee for validation, particularly in cases involving significant security, operational, or reputational risks.
The processing of personal data is also permitted if national legislation requests, requires or authorizes this. The type and extent of data processing must be necessary for the legally authorized data processing activity, and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the individual that merit protection must be taken into consideration.
In certain circumstances, the Jaza Data Protection Policy allows personal data to be disclosed, based on a legal obligation, to law enforcement agencies, without the consent of the data subject.
Only Jaza’s Authorized Representative can validate any such disclosure in writing, ahead of the disclosure, after ensuring the request is legitimate, motivated by the requester, appropriate, necessary and does not pose a threat or direct risk to Jaza.
Before approving such disclosure, Jaza’s Authorized Representative will check that the recipient of the data uses the data for the defined purposes only, and that it demonstrates the capacity and will to abide by such an obligation.
Where necessary, Jaza’s Authorized Representative will refer to legal advisers for advice, and to Jaza’s Committee for validation, notably but not only in cases involving direct security threats and implications or global organizational risks including reputation.
For Tanzania-specific policy, refer to Annex A – Tanzania Annex to Jaza Data & Privacy Policy.
Article 8 – Subject access and modification requests to personal data
All Jaza staff and individuals external to the company can contact Jaza to request that the rights listed in Article 6, section 4 (Rights of the Data Subject) be applied.
Subject access requests from individuals should be addressed by email or in writing. If not in writing, the request should be taken and handled by a duly authorized Jaza staff member and registered in a log for reference and follow-up.
Jaza will verify the identity of anyone making a subject access request before handling the request or handing over any information.
Jaza will respond to individual requests in a timely manner.
Jaza will ensure that any data subject, including but not only personnel, individual donors and sympathizers, and beneficiaries, has the means to contact Jaza to verify the data Jaza holds about them, and can have authorized Jaza personnel update and correct personal information. Such an obligation entails the following:
Article 9 – Providing information
Jaza aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used;
- How to exercise their rights.
To these ends, the current policy is shared with all Jaza staff and available on request by individuals. A version of this Policy is also available upon request to Jaza HQ.
Any subscriber or user of an electronic communication service shall be informed in a clear and comprehensive manner by Jaza, except if already previously informed, regarding: the purpose of any action intended to provide access, by means of electronic transmission, to information previously stored in their electronic connection terminal device, or to record data in this device; the means available to them to object to such action.
Article 10 – Confidentiality of Processing
Personal data is subject to data secrecy. Any unauthorized collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorized to carry out as part of his/her legitimate duties is unauthorized. The “need to know” principle applies. Duly-authorized employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.
Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Supervisors must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.
Article 11 – Processing Security
Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organizational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification). The technical and organizational measures for protecting personal data are part of Jaza’s ITC management and must be adjusted continuously to the technical developments and organizational changes.
Article 12 – Data Protection Control
Compliance with the Data Protection Policy and the applicable data protection laws is checked regularly with data protection audits and other controls. The performance of these controls is the responsibility of Jaza’s Authorized Representative or appointed representative. The results of the data protection controls performed by the appointed representative must be reported to the Authorized Jaza Representative. Jaza’s Leadership Team and Board must be informed of the primary results as part of the related reporting duties. On request, the results of data protection controls will be made available to the responsible data protection authority. The responsible data protection authority can perform its own controls of compliance with the regulations of this Policy, as permitted under national law.
Article 13 – Violation, sanction and reporting
Any failure to comply with the current policy, or any deliberate violation of the rules set in the policy, will result in the launch of an appropriate investigation by Jaza.
Depending on the gravity of the suspicion or accusations, Jaza may suspend staff or relations with other stakeholders during the investigation. This will not be subject to challenge.
Depending on the outcome of the independent investigation, if it comes to light that anyone associated with Jaza has deliberately violated the rules set in the policy for their personal profit or any other usage of personal data, or has systematically and deliberately contravened the principles and standards contained in this document, Jaza will take immediate disciplinary action and any other action which may be appropriate to the circumstances. This may mean, for example, for:
- Employees – disciplinary action/dismissal;
- Trustees, officers and interns – ending the relationship with the organization;
- Partners – withdrawal of funding/support;
- Contractors and consultants – termination of contract.
Depending on the nature, circumstances and location of the case and violation, Jaza will also consider involving authorities such as the police to ensure the protection of personal data and victims.
The reporting of suspected or actual violations to this policy is a professional and legal obligation of all staff and partners. Failure to report information can lead to disciplinary action.
Jaza encourages its staff and stakeholders to report suspected cases which involve any Jaza staff, consultants, board members, guests or staff of Jaza’s partner organizations, their board members, staff and or suppliers.
Jaza encourages its staff and stakeholders to report suspected cases through the following means. Staff and interns can report by contacting:
- Standard lines of hierarchy (contained in staff Terms of Reference);
- The Director of Operations
All reports will be treated as confidential in line with Jaza’s Whistleblower Policy and Jaza’s Human Resources guidelines.
Jaza will not tolerate false accusations which are designed to damage a member of staff’s reputation. Anyone found making false accusations will be subject to investigation and disciplinary action.
Article 14 – Responsibilities
Jaza’s Committee is responsible for ensuring that the legal requirements for data protection, and those contained in this Data Protection Policy, are met (e.g. national reporting duties).
Management staff are responsible for ensuring that organizational, Human Resources, and technical measures are in place so that any data processing is carried out in accordance with data protection. The managers must ensure that their employees are sufficiently trained in data protection.
Compliance with these requirements is the responsibility of the relevant employees.
Jaza shall appoint a DPO responsible for overseeing compliance with this Data Protection Policy, advising senior leadership, handling data subject requests, and liaising with regulatory authorities. The DPO shall act independently, conduct periodic risk assessments, and report directly to senior management.
Article 15 – Personal Data Breach Notification
Jaza has established a formal procedure for managing personal data breaches. In the event a breach is identified that may compromise the rights or freedoms of individuals, appropriate supervisory authorities will be notified in accordance with applicable laws and regulatory requirements. Affected individuals will also be informed without undue delay when required.
Notifications will include relevant details such as the nature of the breach, the categories and approximate volume of data affected, potential consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
Article 16 – Data Protection Impact Assessment (DPIA)
Jaza will conduct DPIAs before initiating any high‑risk data processing activities. DPIAs will evaluate purpose, scope, context, and risks, and define mitigation measures. DPIA outcomes will be documented and retained, and submitted to the Commission when required.
Article 17 – Use of CCTV Cameras and Locator Technologies
Where CCTV or location‑based technologies are used, Jaza will comply with data protection principles. Deployment areas will be marked with clear signage. Video and location data will be retained strictly for as long as necessary, and access will be limited to authorized personnel.
Article 18 – Cookies and Online Tracking
Jaza’s websites may use cookies and similar technologies. Users must be informed via a cookie banner or privacy notice and given the option to accept or decline non-essential cookies. User preferences will be recorded and honored.
Article 19 – Data Protection by Design and Default
Privacy and data protection will be embedded into all new services and systems from the design phase. Jaza will implement technical and organizational controls (such as data minimization, pseudonymization, access control) as default settings. Privacy design reviews will be conducted for all new projects.
Article 20 – Special Groups and Online Privacy
Where Jaza services or online platforms are accessed by children, vulnerable individuals, or individuals with specific needs, additional privacy protections shall apply. These include obtaining appropriate consent from parents, guardians, or legal representatives where required, and ensuring safeguards and accessibility measures suited to these groups. Such processing shall comply with applicable data protection laws and regulations in the jurisdictions where Jaza operates.
Article 21 – Implementation, Monitoring, and Evaluation
Jaza will ensure the effective implementation of this Data Protection Policy through clearly defined procedures, staff training, and integration into operational processes. Compliance will be monitored through periodic audits, internal reporting mechanisms, and reviews conducted by the Data Protection Officer or designated staff. Findings will inform updates to internal procedures, risk mitigation strategies, and training programs.
Annex A – Tanzania Annex to Jaza Energy Data & Privacy Policy
1. Purpose and Scope
This Annex supplements the Jaza Global Data & Privacy Policy (“Global Policy”) and applies exclusively to the processing of Personal Data of natural persons located in the United Republic of Tanzania (“Data Subjects”). Where this Annex imposes higher standards than the Global Policy, this Annex shall prevail.
2. Definitions
Capitalised terms not defined here have the meaning given in the Personal Data Protection Act, 2022 (“PDPA”).
3. Statutory Data Protection Principles (PDPA § 5)
Jaza Energy commits to processing Personal Data in accordance with the eight principles set out in Section 5 of the PDPA, reproduced below:
(a) Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject;
(b) Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;
(c) Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) Personal Data shall be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that Personal Data that are inaccurate are erased or rectified without delay;
(e) Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed;
(f) Personal Data shall be processed in accordance with the rights of Data Subjects under the PDPA;
(g) Personal Data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; and
(h) Personal Data shall not be transferred outside the United Republic of Tanzania contrary to the provisions of the PDPA.
4. Cross‑Border Transfer of Personal Data
4.1 Jaza Energy shall transfer Personal Data of Tanzanian Data Subjects outside the United Republic of Tanzania under the Permit Registration No 0-000-005-230 pursuant to Regulation 20 of the Data Protection (Personal Data Protection) Regulations, 2023.
Permit No: 0-000-005-230
5. Sensitive Personal Data & Children
5.1 Jaza Energy does not intentionally collect or process Personal Data of persons under the age of 18. Onboarding flows require Data Subjects to provide Date of Birth; individuals under 18 are prevented from creating an account.
5.2 Should Jaza Energy in future need to process children’s Personal Data, it will obtain prior written consent from the Data Subject’s parent or legal guardian in accordance with PDPA § 30.
5.3 Other categories of Sensitive Personal Data (e.g., biometric or health data) are processed only where necessary and with the Data Subject’s explicit consent or as permitted under the PDPA.
6. Data Subject Rights
Data Subjects may exercise the rights provided in PDPA Part V (access, rectification, erasure, data portability, objection to processing) by contacting the representative named in Section 7.
7. Contact for Tanzania Data Protection Matters
Data Protection Representative: Richard M, Managing Director, Jaza Energy Tanzania
P.O. Box 66701, Dar es Salaam, Tanzania
Contact: compliance [at] jazaenergy.com
8. Effective Date & Review
This Annex is effective as of June 06 2025 and will be reviewed annually or sooner if required by changes in law or business operations. The latest version will be published at https://jazaenergy.com/privacy-policy.