Resources
Colour
PolicyX

Balogun Harold is a licensed Data Protection Compliance Organisation. Our team of litigators specialise in Data Privacy Litigation.

The Nigeria Data Protection (Establishment, etc.) Act 2023 is the general data protection legislation applicable in Nigeria. Prior to the enactment of the NDPA, data protection in Nigeria was regulated pursuant to the Nigerian Data Protection Regulation 2019 (the “NDPR”) and the Nigerian Data Protection Regulation Implementation Framework. The NDPA is a “general” legislation, which sets the minimum requirements for protection of personal data in Nigeria. Accordingly, sectoral regulators in Nigeria, may prescribe additional data privacy requirements and standards for businesses in Nigeria.

The NDPA adopts an establishment and targeting criteria for the determining the. Accordingly, the NDPA applies where (a) a data controller and/or data processor is domiciled, operating in or resident in Nigeria (b) regardless of the place of establishment, a data processor or controller processes the data of a Nigerian citizen or processes any personal data within Nigeria. On this basis, foreigners who sell goods or services to Nigerians will generally be required to comply with the NDPA.



The NDPA applies to the processing of personal data, whether done by automated means or by non-automated means. The NDPA does not apply to processing of personal data carried out by one or more persons solely for personal or household purposes.

Yes, national derogations are permitted under the NDPA. The obligations under Part V of the NDPA (excluding sections 24, 25, 32 and 40 of the NDPA) do not apply to data controllers or data processors if the processing of personal data is carried out (by a competent authority) for the purposes of or in respect of 

  • The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
  • National security; 
  • Prevention or control of national public health emergencies;
  • Publication in the public interest for journalism and all literary purposes where the obligations and rights are incompatible with such purposes;
  • The establishment, exercise, or defense of legal claims in court or administrative proceedings.

The possible category of plaintiffs includes: 

(a) a Data Subject who can prove that they have suffered some injury, loss or harm as a result of a breach of the NDPA; and

b) the Nigerian Data Protection Commission (the “Commission”), where someone has laid a complaint to the Commission or of its own accord, upon reasonable belief that a breach of the NDPA has occurred. Persons who submit a complaint to the Commission must be able to demonstrate that (i) a complainant has a legal interest in the subject of the complaint (ii) the complaint is not frivolous or vexatious.

No. However companies trading in personal data are required to comply with the requirements of the NDPA

A Data Controller is defined as any individual, private entity, public commission or agency who or which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A Data Processor is any individual, private entity or public authority, who or which processes personal data on behalf of or at the request of a data controller or another data processor.

A Data Subject is any individual to whom personal data relates.

Personal Data is any information relating to an individual who is identified or identifiable directly or indirectly by reference to identifiers such as:

  • a name, 
  • an identification number, 
  • location data,
  • online identifiers,
  • physical factors, 
  • physiological factors, 
  • genetic factors, 
  • cultural factors, 
  • social factors, 
  • economic identity.

Processing is broadly defined in the NDPA as the performance of any operation or set of operations on personal data, whether or not by automated means, including:

  • Collection, 
  • Recording, 
  • Organization, 
  • Structuring, 
  • Storage, 
  • Adaptation or alteration, 
  • Retrieval, 
  • Consultation, 
  • Use, 
  • Disclosure by transmission, 
  • Dissemination or otherwise making available, 
  • Alignment or combination, 
  • Restriction, 
  • Erasure or destruction. 

It should be noted that processing does not include the mere transit of data originating outside Nigeria.

The NDPA highlights six key principles which form the core of the data protection regime in Nigeria and govern personal data processing. The principles are: 

  1. Fairness, Lawfulness and Transparency: Data Controllers/Processors must ensure that personal data is processed in a fair, lawful and transparent manner. 
  2. Purpose Limitation: Data Controllers/Processors must ensure that personal data is only collected for specified, explicit, and legitimate purposes and are not further processed in a way incompatible with these purposes. 
  3. Data Minimisation: Personal data to be processed must be adequate, relevant and limited to the minimum necessary for the purpose for which it was collected or further processed. 
  4. Storage Limitation: Personal data to be processed must not be retained for no longer than is necessary to achieve the purposes for which it was processed. 
  5. Accuracy: Data Controllers/Processors must ensure that personal data is accurate, complete, and not misleading. It must be kept up to date for the purposes for which it was collected or further processed. 
  6. Integrity and Confidentiality (Security): Data Controllers/Processors must ensure that their data processing systems provide appropriate security measures for personal data including protection against unauthorised or unlawful processing, access, loss, destruction, damage or any form of data breach.

A valid consent is one that is freely given, specific, informed and unambiguous. The silence or inactivity of the data subject does not constitute consent.

The forms of consent include Explicit Consent and Opt-in Consent.

Generally, specific consent is required with regard to

  • Any direct marketing activity excluding the ones directed against existing customers who have purchased goods/services, 
  • The processing of Sensitive Personal Data,
  • Further processing,
  • The processing of the personal data of a minor,
  • Before personal data is processed in a country not on NITDA’s Whitelist,
  • Before the Data Controller makes a decision based solely on automated processing.

Yes, it can. Data Subjects have the right to withdraw their consent to the processing of their personal data at any time.

Processing of personal data conducted prior to the withdrawal of consent remains lawful and unaffected by the subsequent withdrawal.

  • The Data Controller is required to inform the data subject of the right to withdraw consent before granting consent.
  • The Data Controller is required to ensure that it is easy for the data subject to withdraw consent as it is to give consent.

Data Controllers/processors who engage data processors have the following obligations:

  • To take reasonable measures to ensure that the engaged processor complies with all applicable principles and obligations.  
  • To assist processors/controllers as the case may be, by the use of appropriate technical and organisational measures in honouring the rights of a data subject.
  • To implement technical and organisational measures in ensuring security, integrity and confidentiality of PD as required under the Act.
  • To provide the engaged processor with information reasonably required to comply and demonstrate compliance with the Act.
  • To notify the engaged processor when a new data processor is engaged.

Yes, the DPA defines data pseudonymization as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.2

No, the NDPA does not expressly define anonymization. However, anonymization is generally considered to be a data processing technique that modifies personal information of data subjects in such a way that it no longer relates to an identified or identifiable individual. 

No, the DPA does not expressly define ‘joint controller’. However, data controllers are defined to be those who, alone or jointly with others, determine the purposes and means of the processing of personal data. The concept of a joint controller is also implied within the definition of “Data Controller” under the NDPA.

There is no general requirement for all companies to appoint a DPO under the NDPA. Only companies/data controllers of major importance are required to appoint DPOs. Data Controller/Processor of major importance means a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.

Section 24 of the NDPA places an obligation on Data Controllers, or Data Processors who engage another data processor to take reasonable measures to ensure that the latter complies with all applicable principles and obligations set out in the section. ‘Measures’ for the purpose of this, shall include a written agreement between the data controllers and the data processor, or between data processors, as the case may be. This Data Processing Agreement is also typically referred to as the Data Processing Addendum

The age of consent under the NDPA is 13 years.

The penalty for non-compliance is a Compliance Order made by the Commission against the defaulter. The Compliance Order may include either a warning, compliance order, or a cease or desist order or a fine.

Data Subjects have the following rights with respect to their personal data:

  • The right to be informed about the storage and processing of their personal data.
  • The right to access an e-copy of their personal data.
  • The right to have inaccurate personal data rectified, corrected or deleted.
  • The right to erasure of personal data without undue delay.
  • The right to restrict processing pending some circumstances.

A Data Protection Impact Assessment (DPIA) is defined as a process designed to identify the risks and impact of an intended processing of personal data. A DPIA comprises a systematic description of the envisaged processing and its purpose; an assessment of the necessity and proportionality of processing as against the purpose of processing; an assessment of the risks to the rights and freedoms of a data subject, and others.

The NDPR highlights situations in which a DPIA is required.  A DPIA is required for the following types of processing: 

  • Evaluation or scoring (Profiling);
  • Automated decision-making with legal or similar significant effect;
  • Systematic monitoring; 
  • Sensitive personal data processing; 
  • When processing relates to vulnerable or differently-abled data subjects; 
  • When considering the deployment of innovative processes or application of new technological or organisational solutions.

A personal data breach is defined as a breach of security of a data processor leading to or likely to lead to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data of data subjects in custody of the processor.

The rules on reporting data breaches are as follows:

  • A Data Processor is obligated to notify the Data Controller, without delay, of any data breach that has occurred with respect to personal data stored and processed by the Processor. The notification must describe the nature of the personal data breach including the categories, approximate numbers of data subjects and personal data records affected. 
  • The Processor shall respond to all information requests from the data controllers or Processors who engaged it 
  • The Processor has a duty to notify the NDPC, without delay, of breaches that are likely to risk the rights and freedoms of individuals, where feasible, within seventy-two hours.

All notifications mentioned above must contain the name and contact details of the data controller; describe the likely consequences of the personal data breach; describe the measures taken to address the breach and measures to mitigate its possible consequences.

Generally, a Data Controller or Processor is not permitted to transfer or grant permission for the transfer of personal data from Nigeria to another country. The exceptions are, however, where: 

  • The recipient is subject to a law or rules that afford an adequate level of protection to the personal data. 
  • The transfer is permissible, a data controller/processor must record the basis for the transfer of personal data outside Nigeria and also the adequacy of protection for the personal data. 
  • The Commission may make regulations requiring data controllers/processors to notify it of measures in place for an intended transfer of data and also the adequacy of protection. 
  • The Commission may designate categories of personal data that are subject to additional specified restrictions.

 

In the absence of adequacy of protection, a data controller/processor can only transfer personal data from Nigeria to another country if the following occurs:

  • The Data Subject has provided and not withdrawn consent to the transfer after having been informed of the risks likely to arise from such transfers in the absence of adequate protections. 
  • The transfer is necessary for the performance of a contract to which the data subject is a party or to take steps prior to entering into a contract, at the request of a data subject. 
  • The transfer is necessary for the performance of a contract between the data controller and a third party for the benefit of a data subject. 
  • The transfer is for the sole benefit of a Data Subject and it is not reasonably practicable to obtain the consent of the data subject to that transfer and even if it was, the data subject would likely give it. 
  • The transfer is necessary for important reasons of public interest.
  • The transfer is necessary for the establishment, exercise or defense of legal claims. 
  • The transfer is necessary to protect the vital interests of a data subject or other persons where the data subject is incapable of giving consent.

Sensitive personal data is defined as personal data relating to an individual’s –

  • Genetic and biometric data;
  • Race or ethnic origin; 
  • Religious or similar beliefs; 
  • Health status;
  • Sex life; 
  • Political opinions or affiliations;
  • Trade union memberships;
  • Other information, as may be prescribed by the Commission as sensitive personal data. 

Data Protection Officers are appointees of data controllers, of major importance for the sole purpose of compliance with the Act, possessing expert knowledge of data protection law and practices, and the ability to fulfil requirements under the Act and any subsidiary legislation. A DPO may be an employee of such a data controller or be engaged through a service contract.

DPOs have the following duties: 

  • To advise the data controller/processor and their employees in accordance with the provisions of the Act.
  • To monitor compliance with the Act and related policies of the data controller/processor. 
  • To act as the contact point for the Commission on issues concerning data processing.

A DPCO is a body or person possessing the requisite level of expertise in data protection, and licensed by the Commission under the NDPA. Their role is to monitor, audit and report on the compliance by data controllers/processors with applicable data protection regulations.

The right of data portability entitles a Data Subject to receive his personal data in a structured, commonly used and machine-readable format, and to transmit the same to another data controller without any hindrance, if possible, directly.

Yes, Data Subjects have the right to object to processing of their personal data. This applies where the processing is for the performance of a task to be carried out in the public interest and the purpose of the data controller’s or processor’s legitimate interest, or for profiling. It also applies where personal data is processed for direct marketing purposes.

No, it is not. A data controller may not discontinue the data processing if it can demonstrate that the public interest or other legitimate grounds override the fundamental rights, freedoms and interest of the data subject.

Yes, it is. Data Subjects have the right not to be subjected to a decision based solely on automated processing of personal data that produces legal or similarly significant effects for them.

Automated decision making is defined as a decision made by automated means without any human involvement. Examples of automated decision making include an online decision to award a loan or a recruitment aptitude test which uses pre-programmed algorithms and criteria.3

No, it is not. This right is not recognized in the following instances: 

  • Where the decision is necessary for entering into or the performance of a contract between the data subject and a data controller; 
  • Where the decision is authorized by a written law establishing measures to safeguard the rights, freedoms and interests of the data subject; and
  • Where the decision is authorized by the consent of the data subject.

Binding Corporate Rules are defined as personal data protection policies and procedures adhered to by the members of a group of firms under common control with respect to the transfer of personal data among such members and containing provisions for the protection of such personal data.

No, it has not been repealed. All extant regulations made by NITDA before the enactment of the NDPA remain in force upon the enactment of the NDPA 2023 until specifically repealed.