
Nigeria - Data Protection Overview

September 2023

1. Governing Texts

In Nigeria, data protection is founded on the constitutional right to privacy under section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) ('the Constitution'). The Nigeria Data Protection Act 2023 ('NDPA') is Nigeria's main data protection legislation. The NDPA was enacted on June 12, 2023, and has been in force since that date.

Before the NDPA, the Nigeria Data Protection Regulation, 2019 ('NDPR'), issued at the time by the National Information Technology Development Agency ('NITDA'), was the principal data protection instrument. Although enforceable, the NDPR is subsidiary legislation, and no dedicated commission existed to oversee data protection; the NDPR served as a placeholder pending the enactment of the NDPA, and NITDA had to stretch itself to supervise the area. To assist with supervision in the interim, the Nigerian Government ('the Government') issued an executive order in February 2022 establishing the Nigeria Data Protection Bureau ('NDPB') and transferring the data protection function, together with the regulations and guidance issued by NITDA, to the NDPB. In my opinion, the NDPB lacked legislative backing; the enactment of the NDPA corrected that 2022 anomaly by creating the Nigeria Data Protection Commission ('NDPC') to oversee data protection in Nigeria. Under the NDPA, the NDPB has been subsumed into the NDPC (Section 64 of the NDPA). The NDPR, along with the regulations and circulars on data protection issued by NITDA or the NDPB, remains applicable and is now treated as having been issued by the NDPC (Section 64 of the NDPA). The NDPR therefore operates side by side with the NDPA, but the NDPA prevails where a provision of the NDPR conflicts with it (Section 63 of the NDPA). In this guidance note, reference is therefore made mostly to the NDPA; the NDPR is also covered where its provisions are similar or where the NDPA has no applicable provision.

1.1. Key acts, regulations, directives, bills

The following laws and regulations contain provisions for data protection:

1.2. Guidelines

In addition, the National Information Technology Development Agency ('NITDA') has issued the following guidance:

Furthermore, the Nigerian Data Protection Bureau published Data Protection Compliance Organisation ('DPCO') criteria.

1.3. Case law

Incorporated Trustees of Laws and Rights Awareness Initiative v. Zoom Video Communications Inc (FHC/AB/CS/53/2020)

This suit was instituted in 2020 by the Incorporated Trustees of Laws and Rights Awareness Initiative against Zoom Video Communications Inc, alleging that Zoom's privacy policy does not comply with the NDPR. The suit is currently before the court, and a decision is yet to be made.

Digital Rights Lawyers Initiative v. National Youth Service Corps (NYSC) (FHC/IB/98/2020)

This suit was instituted in 2020 by the Digital Rights Lawyers Initiative against the National Youth Service Corps ('NYSC'). The claimant asserts that the NYSC published and sold a yearbook containing Corps members' personal details without their consent, and seeks a declaration that the processing of the photos and other personal data of the Corps members violates Section 37 of the Constitution and Section 2.1(a) of the NDPR. The suit is currently before the court, and a decision is yet to be made.

Incorporated Trustees of Digital Rights Lawyers Initiative v. Lagos State Inland Revenue Service (LIRS) (FHC/ABJ/CS/1401/19)

This suit was instituted in 2019 by the Incorporated Trustees of Digital Rights Lawyers Initiative against the Lagos State Inland Revenue Service ('LIRS') in connection with the online publication by the LIRS of the personal and tax information of Nigerians on its website. The claimant alleges a violation of the NDPR. The suit is currently before the court, and a decision is yet to be made.

2. Scope of Application

2.1. Personal scope

The main legislation on data protection in Nigeria is the NDPA, which the NDPR and other regulations or circulars supplement. The NDPA applies to the processing of personal data, whether or not by automated means (Section 2(1) of the NDPA).

2.2. Territorial scope

The NDPA applies where:

  • the data controller or data processor is domiciled in, resident in, or operating in Nigeria;
  • the processing of personal data occurs within Nigeria; or
  • the data controller or data processor is not domiciled in, resident in, or operating in Nigeria, but processes the personal data of a data subject in Nigeria.

The NDPR applies to Nigerian citizens regardless of where they reside, and to a data controller whenever the data of a Nigerian citizen is collected. The NDPR therefore has extra-territorial scope (Section 1.2(b) of the NDPR).

2.3. Material scope

The NDPA applies to any data controller that processes the personal data of persons residing in Nigeria or of Nigerians within the country.

The NDPA does not apply to the processing of personal data for personal or household purposes. The NDPA also does not apply to the processing of personal data:

  • carried out by a competent authority to prevent, investigate, detect, prosecute, or adjudicate a criminal offence or to execute a criminal penalty;
  • carried out by a competent authority for national security purposes;
  • carried out by a competent authority to prevent or control a national public health emergency; or
  • carried out for publication in the public interest, or for the defence of legal claims, whether in court, administrative, or out-of-court proceedings.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The NDPC is the main supervisory and regulatory authority for data protection in Nigeria. The NDPC oversees the implementation of the NDPA and matters relating to data protection in Nigeria (Section 4 of the NDPA).

In addition, there are sectoral regulators: for instance, the Central Bank of Nigeria ('CBN') oversees matters relating to the protection of financial data, and the Nigerian Communications Commission ('NCC') regulates data collected or processed by internet service providers and telecommunications companies.

3.2. Main powers, duties and responsibilities

The NDPC has the power to issue regulations, investigate alleged violations of the NDPA, and impose fines for contravention of the NDPA (Section 6 of the NDPA). The NDPC is responsible for registering data controllers and data processors of major importance; promoting awareness of the obligations of data controllers and data processors; accrediting, licensing, and registering data protection compliance services; receiving complaints about violations of the NDPA; and advising the Government on data protection (Section 5 of the NDPA).

4. Key Definitions

Personal data: means any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.

Sensitive data: means personal data relating to an individual's:

  • genetic and biometric data, for the purpose of uniquely identifying a natural person;
  • race or ethnic origin;
  • religious or similar beliefs, such as those reflecting conscience or philosophy;
  • health status;
  • sex life;
  • political opinions or affiliations;
  • trade union memberships; or
  • any other personal data prescribed by the NDPC as sensitive personal data pursuant to Section 30(2).

Data controller: means an individual, private entity, public commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing personal data.

Data controller or data processor of major importance: means a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the NDPC may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the NDPC may designate.

Data processor: means an individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor.

Data subject: means an individual to whom personal data relates.

Biometric data: means any personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of an individual, which allows or confirms the unique identification of that individual, including without limitation by physical measurements, facial images, blood typing, fingerprinting, retinal scanning, voice recognition, and deoxyribonucleic acid (DNA) analysis.

Health data: There is no specific definition of health data in the law. However, both the NDPA and the NDPR include data relating to an individual's health within their definitions of sensitive personal data.

Pseudonymization: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Consent: means any freely given, specific, informed, and unambiguous indication, whether by a written or oral statement or affirmative action, of an individual's agreement to the processing of personal data relating to them or to another individual on whose behalf they have the permission to provide such consent.

Automated decision-making: means a decision based solely on automated processing, without any human involvement.

The Nigerian Cloud Computing Policy classifies data into the following categories:

  • official, public, or non-confidential data: refers to data publicly available and non-sensitive;
  • confidential, routine government business data: includes the health and financial information of natural persons and is regarded as data of moderate sensitivity;
  • secret, sensitive government, and citizen data: applies to data of both natural and juridical persons. This data is classified as sensitive because its loss may be serious and have material effects on the data subject or related entities; and
  • classified or national security information: this data is considered sensitive to national security and thus requires additional safeguards.

5. Legal Bases

5.1. Consent

Section 2.2(a) of the NDPR stipulates that processing shall be lawful where the data subject has given consent to the processing of personal data for one or more specific purposes. The data controller must also demonstrate that the data subject has the legal capacity to consent (Section 2.3(2)(a) of the NDPR).

An individual has the right to withdraw consent, and a data controller must make withdrawing consent as easy as giving it (Section 35 of the NDPA).

5.2. Contract with the data subject

Section 25(1)(b)(i) of the NDPA provides that the processing of personal data is lawful where the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract. A similar provision is contained in Section 2.2(b) of the NDPR.

5.3. Legal obligations

Processing of personal data is lawful where the processing of the data is necessary for compliance with a legal obligation to which the data controller or data processor is subject (Section 25(1)(b)(ii) of the NDPA; Section 2.2(c) of the NDPR).

5.4. Interests of the data subject

Processing of personal data is lawful where the processing is necessary to protect the vital interests of the data subject or of another natural person (Section 25(1)(b)(iii) of the NDPA; Section 2.2(d) of the NDPR).

5.5. Public interest

Processing of personal data is also lawful where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor (Section 25(1)(b)(iv) of the NDPA; Section 2.2(e) of the NDPR).

5.6. Legitimate interests of the data controller

Please see the section on public interest above.

5.7. Legal bases in other instances

There are no specific legal bases under the NDPR or the NDPA for the processing of employee data or for direct marketing. A data subject has the right to object to the processing of their data where the data controller intends to process the data for marketing purposes (Section 2.8(a) of the NDPR).

6. Principles

Transparency

Where a data controller processes personal data, the data subject must be informed without constraint or unreasonable delay (Section 34(1) of the NDPA). A data controller must take appropriate measures to provide any information relating to the processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed to a child (Section 3.1(1) of the NDPR). In addition, prior to collecting personal data from a data subject, a data controller must inform the data subject of the purpose(s) of the processing for which the personal data is intended, as well as the legal basis for the processing (Section 3.1(7)(c) of the NDPR).

Purpose and limitation

A data controller has an obligation to specify the purpose of processing personal data (Section 34(1)(a)(i) of the NDPA; Section 2.5(c) of the NDPR). Where a data controller intends to further process the personal data for a purpose other than that for which it was collected, the controller must, prior to that further processing, provide the data subject with information on that other purpose and any other relevant information (Section 3.1(7)(m) of the NDPR).

Limitation

The provisions of the NDPR are sacrosanct, and no limitation clause in a privacy policy will exonerate a data controller from liability for violating the NDPR (Section 2.5(i) of the NDPR).

Accuracy

Personal data is expected to be accurate and without prejudice to the dignity of the human person (Section 2.1(1)(b) of the NDPR). A data subject has the right to access and rectify their data (Section 3.1(7)(h) of the NDPR).

Storage Limitation

A data controller must state the period for which personal data will be stored or, if that is not possible, the criteria used to determine that period (Section 34(1)(a)(iv) of the NDPA). Under the NDPR, the same information must be stated in the data controller's privacy policy (Section 3.1(7)(g) of the NDPR).

Confidentiality

A data controller is required to put in place a data security apparatus that keeps the collected data confidential and protects it against attacks (Section 2.6 of the NDPR).

Accountability

Anyone who is entrusted with, or is in possession of, the personal data of a data subject is accountable for their acts and omissions in respect of data processing, in accordance with the principles contained in the NDPR (Section 2.1(3) of the NDPR).

7. Controller and Processor Obligations

Obligations of the data controller or data processor under the NDPA include:

  • ensuring that, where a data processor is engaged, the data processor complies with the NDPA when processing personal data (Section 29(1)(a));
  • a data controller assisting the data processor, by means of appropriate technical and organisational measures, to ensure that the rights of data subjects are honoured (Section 29(1)(b));
  • implementing appropriate technical measures to ensure the security, integrity, and confidentiality of personal data (Section 29(1)(c));
  • providing the data controller or data processor with the information required to ensure compliance (Section 29(1)(d)); and
  • notifying the existing data processor where a new data processor is engaged (Section 29(1)(e)).

Under the NDPR, a data controller must:

  • designate a data protection officer ('DPO') for the purpose of ensuring adherence to the NDPR, relevant data privacy instruments, and the data controller's own data protection directives; the data controller may outsource data protection to a verifiably competent firm or person (Section 4.1(2));
  • ensure continuous capacity building for its DPOs and for all of its personnel involved in any form of data processing (Section 4.1(3));
  • ensure that the consent of a data subject has been obtained without fraud, coercion, or undue influence (Section 2.3(2));
  • send a soft copy of the summary of the audit containing information about the processed data to NITDA where it processes the personal data of more than 1,000 data subjects in a period of six months (Section 4.1(6)); and
  • submit a summary of its data protection audit to NITDA, by 15 March of the following year, where it processes the personal data of more than 2,000 data subjects within 12 months (Section 4.1(7)).

7.1. Data processing notification

Where a data controller processes the personal data of more than 1,000 data subjects in a period of six months, a soft copy of the summary of the required audit must be submitted to NITDA, stating its privacy and data protection practices, including:

  • personally identifiable information the organization collects on employees of the organization and members of the public;
  • any purpose for which the personally identifiable information is collected;
  • any notice given to individuals regarding the collection and use of personal information relating to that individual;
  • any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual;
  • whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and any method used to obtain consent;
  • the policies and practices of the organization for the security of personally identifiable information;
  • the policies and practices of the organization for the proper use of personally identifiable information;
  • organization policies and procedures for privacy and data protection;
  • the policies and procedures of the organization for monitoring and reporting violations of privacy and data protection policies; and
  • the policies and procedures of the organization for assessing the impact of technologies on the stated privacy and security policies (Article 4.1(5) and (6)).

Data controllers who process the personal data of more than 2,000 data subjects in a period of 12 months are required to submit a summary of their data protection audit to NITDA not later than 15 March of the following year. The data protection audit must contain the information specified above (Article 4.1(5) and (7) of the NDPR).

The Implementation Framework further specifies that a data protection audit must contain the following information (Section 6.6.1 of the Implementation Framework):

  • the identity and the contact details of the controller;
  • the contact details of the data protection officer;
  • the purpose(s) of the processing for which the personal data is intended as well as the legal basis for the processing;
  • the legitimate interests pursued by the controller or by a third party;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the NITDA;
  • period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a relevant authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
  • the existence of automated decision-making, including profiling and, at least, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  • where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject with the basis for this further processing; and
  • where applicable, that the controller intends to transfer personal data to a recipient in a foreign country or international organization and the existence or absence of an adequacy decision by the NITDA.

NITDA registers and licenses DPCOs, which monitor, audit, train, and provide data protection compliance consulting to data controllers on its behalf (Article 4.1(4) of the NDPR). Audits submitted pursuant to Article 4.1 of the NDPR must be accompanied by a verification statement from a licensed DPCO (Section 10 of the FAQs and Section 6.8 of the Implementation Framework). Each controller is expected to pay the following filing fees for annual audit reports (Section 6.5 of the Implementation Framework):

  • NGN 10,000 (approx. $13) for the filing of a report covering fewer than 2,000 data subjects; and
  • NGN 20,000 (approx. $26) for the filing of a report covering 2,000 or more data subjects.

A standard template for the audit report is included in Annexure A of the Implementation Framework (Section 6.6.2 of the Implementation Framework).

7.2. Data transfers

A data controller may transfer personal data from Nigeria to another country where that country ensures an adequate level of protection of personal data (Section 41(1) of the NDPA). Absent adequacy, a transfer may still be made where (Section 43(1) of the NDPA):

  • the data subject has consented to the transfer after being informed of the possible risks, and has not withdrawn that consent;
  • the transfer is necessary for the performance of a contract to which the data subject is a party;
  • the transfer is for the benefit of the data subject;
  • the transfer is necessary for reasons of public interest;
  • the transfer is necessary for legal action; or
  • the transfer is necessary to protect the vital interests of the data subject or of a third party.

Pursuant to Section 2.11 of the NDPR, the transfer of data to a foreign country falls under the supervision of the Honourable Attorney General of the Federation ('HAGF'). For data to be transferable to a foreign country or international organisation, that country or organisation must ensure an adequate level of protection, as determined by NITDA and the HAGF. In determining the adequacy of a third country or organisation, the following considerations are borne in mind:

  • the legal system of the foreign country notably as it relates to human rights protection, the rule of law, and relevant legislation;
  • implementation of such legislation;
  • the existence and effectiveness of an independent supervisory authority in the foreign country, or of an international organisation responsible for ensuring compliance with data protection rules, assisting and advising data subjects in exercising their rights, and cooperating with the relevant authorities in Nigeria; and
  • the commitments of the foreign country or international organization to data protection through conventions, instruments, and participation in multilateral or regional systems.

Under Section 2.12 of the NDPR, the exceptions to the above requirements are:

  • where the data subject has given their consent after being informed of the risk;
  • where the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
  • where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • where the transfer is necessary for important reasons of public interest;
  • where the transfer is necessary for the establishment, exercise, or defense of legal claims; and
  • where the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

The data subject should be made aware of the possible risks to their rights in the foreign country.

7.3. Data processing records

There is an obligation to maintain data processing records. Section 4.1(5) of the NDPR requires data controllers to conduct a detailed audit of their privacy and data protection practices, with each audit stating at least:

  • personally identifiable information the organization collects on employees of the organization and members of the public;
  • any purpose for which the personally identifiable information is collected;
  • any notice given to individuals regarding the collection and use of personal information relating to that individual;
  • any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual;
  • whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and any method used to obtain consent;
  • the policies and practices of the organization for the security of personally identifiable information;
  • the policies and practices of the organization for the proper use of personally identifiable information;
  • organizational policies and procedures for privacy and data protection;
  • the policies and procedures of the organization for monitoring and reporting violations of privacy and data protection policies; and
  • the policies and procedures of the organization for assessing the impact of technologies on the stated privacy and security policies.

7.4. Data protection impact assessment

A data controller is required to conduct a data privacy impact assessment where the processing of personal data is likely to result in a high risk to the rights of data subjects (Section 28(1) of the NDPA). Where the impact assessment indicates that the processing would result in a high risk to the rights and freedoms of data subjects, the data controller must consult the NDPC prior to processing (Section 28(2) of the NDPA). The NDPC may make regulations regarding the impact assessment (Section 28(1) of the NDPA).

Under the NDPR, as part of an audit, a data controller is required to specify the policies and procedures of the organisation for assessing the impact of technologies on its privacy and security policies (Section 4.1(5)(j) of the NDPR). In addition, Section 4.1(5) of the NDPR provides that, within six months of the date the NDPR was issued, each organisation must conduct a detailed audit of its privacy and data protection practices (see the section on data processing records above). Moreover, data controllers that process the personal data of more than 1,000 data subjects in a period of six months must submit a soft copy of the audit to NITDA containing the information detailed in Section 4.1(5) of the NDPR (Section 4.1(6) of the NDPR). Furthermore, data controllers processing the personal data of more than 2,000 data subjects in a period of 12 months must submit a summary of the audit to NITDA annually, containing the information detailed in Section 4.1(5) of the NDPR (Section 4.1(7) of the NDPR).

The NDPR Implementation Framework

The Implementation Framework requires data controllers and processors to conduct a Data Protection Impact Assessment ('DPIA') in accordance with the provisions of the NDPR (Section 3.2(viii) of the Implementation Framework). Section 3.2(viii) states that data controllers and processors/administrators must conduct DPIAs, where applicable, as part of their compliance checklist, in order to enhance compliance and reduce liabilities.

Where an organisation intends to embark on a project that would involve the intensive use of personal data, a DPIA should be conducted to identify possible areas where breaches may occur and to devise means of addressing those risks. Organisations are expected to conduct DPIAs on their processes, services, and technology periodically to ensure continuous compliance (Section 3.2(viii) of the Implementation Framework).

Furthermore, NITDA may request the submission of a DPIA from any data controller or processor/administrator where such processing activities are deemed to be of high impact on data subjects. A DPIA may be required for the following types of processing (Section 4.2 of the Implementation Framework):

  • evaluation or scoring (profiling);
  • automated decision-making with legal or similar significant effects;
  • systematic monitoring;
  • when sensitive or highly personal data is involved;
  • when personal data processing relates to vulnerable or differently-abled data subjects; and
  • when considering the deployment of innovative processes or the application of new technological or organizational solutions.

Annexure A of the Implementation Framework sets out the audit template for compliance with the NDPR, as a guideline for data controllers and administrators to show evidence of compliance. No. 1.18 of the template requests a policy for conducting DPIAs on existing or potential projects. No. 1.19 of the template asks, based on Article 4.5 of the NDPR, whether the DPIA policy addresses issues such as:

  • a description of the envisaged processing operations;
  • the purposes of the processing;
  • the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of the data subject; and
  • risk mitigation measures being proposed to address the risk.

Under Section 3.7(c)(iv) of the Implementation Framework, a DPO must have the requisite knowledge to advise on DPIAs and monitor their performance.

7.5. Data protection officer appointment

Under the NDPA, a data controller of major importance is required to designate a Data Protection Officer ('DPO'). The DPO may be an employee or a person engaged to provide that service (Section 32(1) of the NDPA). The DPO advises the data controller or data processor on the processing of personal data, monitors compliance with the NDPA, and acts as the contact point for the NDPC on issues relating to data processing (Section 32(3)(c) of the NDPA).

Meanwhile, under the NDPR, both data controllers and data processors are required to appoint a DPO. A data controller or processor can also outsource the role to a verifiably competent firm or person; the NDPR sets no more specific requirements in this regard. A data controller or processor has to ensure continuous capacity building for its DPO and for its personnel involved in any form of data processing. To comply with Article 4.1(3) of the NDPR, the Audit Template suggests the annual training of DPOs (Section 2.2 of the Audit Template).

The Implementation Framework specifies that a data controller is required to appoint a dedicated DPO within six months of commencing business or within six months of the issuance of the Implementation Framework itself, where one or more of the following conditions are present (Section 3.4.1 of the Implementation Framework):

  • the entity is a government organ, ministry, department, institution or agency;
  • the core activities of the organization involve the processing of personal data of more than 10,000 data subjects annually;
  • the organization processes sensitive personal data in the regular course of its business; and
  • the organization possesses critical national information infrastructure (as defined under the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 or any amendment thereto) consisting of personal data.

The NDPR does not include provisions for the role of the DPO, however, the Implementation Framework and the Audit Template outline that to comply with Article 4.1(2) of the NDPR, a DPO must have verifiable professional expertise and knowledge of data protection to do the following (Section 3.7 of the Implementation Framework and Section 2.2 of the Audit Template):

  • inform and advise the business, management, employees, and third parties who carry out processing, of their obligations under the NDPR;
  • monitor compliance with the NDPR and with the organization's own data protection objectives;
  • assign responsibilities, raise awareness, and train staff involved in processing operations;
  • provide advice where requested as regards a DPIA and monitor its performance;
  • cooperate with NITDA; and
  • act as the contact point for NITDA on issues relating to data processing.

However, the Implementation Framework clarifies that, notwithstanding any contractual, civil, or criminal liability, a DPO is not personally liable for the organization's non-compliance with applicable data protection laws (Section 3.6 of the Implementation Framework).

Prior to collecting personal data from a data subject, the controller must provide the data subject with the contact details of the DPO (Article 3.1(7) of the NDPR). Multinational companies meeting one or more of the conditions under Section 3.4.1 of the Implementation Framework and with a subsidiary in Nigeria must appoint a country based DPO (Section 3.5 of the Implementation Framework). To comply with Article 4.1(2) of the NDPR, the Audit Template suggests evaluating the DPO's other professional responsibilities to confirm there is no conflict of interest and ensuring DPOs have sufficient access, support, and the budget to perform their role (Section 2.2 of the Audit Template). Moreover, a DPO shall be chosen having regard to the nature of the processing activities and the data protection issues that arise within the organization (Section 3.7 of the Implementation Framework).

Where NITDA has ascertained that an organization is in breach of the NDPR, it may issue an order for compliance with relevant provisions to curtail further breaches and may prescribe an additional monetary sanction (Section 10.1.4 of the Implementation Framework).

7.6. Data breach notification

Section 21(1) of the Cybercrimes Act provides that any person or institution who operates a system or a network, whether public or private, must immediately inform the Nigeria Computer Emergency Response Team ('ngCERT') of any attacks, intrusions, and other disruptions liable to hinder the functioning of another computer system or network, so that ngCERT can take the necessary measures to tackle the issues.

Section 21(3) of the Cybercrimes Act provides that any person or institution who fails to report any such incident to ngCERT within seven days of its occurrence commits an offence and shall be liable to denial of internet services. Such persons or institutions shall, in addition, pay a mandatory fine of NGN 2 million (approx. $ 2,610) to the National Cyber Security Fund.

Banks and other financial institutions have an obligation to report such breaches to the CBN while telecommunication companies and internet service providers are required to report to the NCC.

7.7. Data retention

Section 38(1) of the Cybercrimes Act provides that a service provider shall keep all traffic data and subscriber information, as may be prescribed by the authority responsible for the time being for the regulation of communication services in Nigeria, for a period of two years.

Non-compliance is an offence, punishable upon conviction with imprisonment for a term of not more than three years or a fine of not more than NGN 7 million (approx. $9,140) (Section 38(6) of the Cybercrimes Act).

7.8. Children's data

There are specific provisions that regulate the processing of a child's data.

A data controller has an obligation to obtain consent from a data subject's parent or legal guardian if the data subject is a child (Section 31(1) of the NDPA). However, consent is not required where the processing is to protect the vital interests of a child, where the processing is for educational, medical, or social care and is done under the supervision of a professional, or where it is necessary for court proceedings (Section 31(2) of the NDPA). Section 65 of the NDPA adopts the definition of a child from the Child Rights Act 2003 ('Child Rights Act'), i.e., someone below 18 years of age. Section 8 of the Child Rights Act stipulates that every child has the right to privacy, family life, home, correspondence, telephone conversation, and telegraphic communications.

Section 2.4(a) of the NDPR provides that no consent shall be sought, given, or accepted in any circumstance that may engender a child rights violation. Section 3.1(1) of the NDPR requires a data controller to take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information relating to a child.

The NDPC also has the power to make rules regarding the processing of the information of a child of 13 years and above (Sections 31(5) and (6) of the NDPA).

7.9. Special categories of personal data

A data controller or data processor is prohibited from processing sensitive personal data (see definition above). However, Sections 30(1) and (2) of the NDPA set out exceptions to this rule, including where:

  • where a data subject consents and has not withdrawn consent for the purpose of processing;
  • processing is necessary for performing the data controller's obligations or for the exercise of a data subject's rights;
  • processing is necessary to protect the vital interests of a data subject or another person;
  • processing is carried out in the course of a data controller's legitimate activities;
  • processing is necessary for legal proceedings;
  • processing is necessary by reason of substantial public interest;
  • for medical care or community welfare; and
  • for public health or research purposes.

7.10. Controller and processor contracts

Section 2.4(b) of the NDPR provides that a data controller and processor have a duty to take reasonable measures to ensure that a party to a data processing contract (other than the data subject) does not have a record of violating the rights of a data subject. Moreover, every data controller and processor shall be liable for the actions or inactions of third parties that handle the personal data of data subjects under the NDPR.

8. Data Subject Rights

Under Part VI of the NDPA and Part 3 of the NDPR, data subjects have the following rights:

  • right to be informed of the processing of data;
  • right to complain or send a request to the data controller;
  • right to obtain information about their data from the data controller free of charge except as otherwise provided by regulation or public policy;
  • right to know the details of the data controller;
  • right to withdraw consent;
  • right to access their personal data;
  • right to data portability;
  • right to data rectification;
  • right to restrict or object to the processing of their data;
  • right to be informed where their data is being processed for additional purposes;
  • right to be informed about the transfer of their data to another country;
  • right to complain to the relevant authority; and
  • right to data deletion.

8.1. Right to be informed

A data controller is required to take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information relating to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means (Section 34(1) of the NDPA; Section 3.1(1) of the NDPR).

8.2. Right to access

A data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another data controller without hindrance from the data controller to which the personal data has been provided (Section 3.1(14) of the NDPR).

8.3. Right to rectification

A data subject has the right to be notified by the data controller of the rectification of data (Section 3.1(13) of the NDPR).

8.4. Right to erasure

A data subject has the right to the erasure of their personal data (Section 34(1)(d) and 34(2) of the NDPA; Section 3.1(13) of the NDPR).

8.5. Right to object/opt-out

Data subjects have the right to withdraw their consent to the processing of their personal data at any time. In addition, a data subject may choose to object to the processing of personal data relating to them which the data controller intends to process for the purpose of marketing (Section 36 of the NDPA; Section 2.8 of the NDPR).

8.6. Right to data portability

A data subject has the right to transmit personal data from one data controller to another without hindrance from the data controller (Section 38 of the NDPA; Section 3.17(h) of the NDPR).

8.7. Right not to be subject to automated decision-making

Prior to collecting personal data from a data subject, the data controller has to provide the data subject with information regarding the existence of automated decision-making (Section 37 of the NDPA; Section 3.17(l) of the NDPR).

8.8. Other rights

A data subject has the right to access and obtain personal data free of charge (Section 3.1(5) of the NDPR). However, where the requests from a data subject are manifestly unfounded or excessive, in particular, because of their repetitive character, the data controller may either:

  • charge a reasonable fee considering the administrative costs of providing the information or communication or taking the action requested; or
  • write a letter to the data subject stating its refusal to act on the request, and copy NITDA on every such occasion through a dedicated channel which shall be provided for such purpose.

9. Penalties

Under Section 48 of the NDPA, where a data controller or data processor violates the Act, the NDPC has wide powers, in addition to any criminal sanctions, including:

  • requiring the data controller or data processor to remedy the violation;
  • ordering the data controller or data processor to pay compensation to the data subject for the injury, loss, or harm suffered;
  • ordering the data controller or data processor to account for profits earned from the violation; and
  • ordering the data controller or data processor to pay a penalty or remedial fee.

The penalty or remedial fee may be an amount up to the higher maximum amount, in the case of a data controller or data processor of major importance; or the standard maximum amount in the case of a data controller or data processor not of major importance.

The higher maximum amount is the greater of NGN 10 million (approx. $13,040) and 2% of the data controller's or data processor's annual gross revenue in the preceding financial year. The standard maximum amount is the greater of NGN 2 million (approx. $2,610) and 2% of its annual gross revenue in the preceding financial year. The monetary penalty to be paid is determined based on the nature, gravity, and duration of the infringement; the purpose of the processing; the number of data subjects involved; the level of damage and the mitigation measures implemented; intent or negligence; the degree of cooperation with the NDPC; and the types of data involved.

However, under the NDPR, the monetary penalty is calculated differently. Section 2.10 of the NDPR provides that any person subject to the NDPR who is found to be in breach of the data privacy rights of any data subject shall be liable, in addition to any other criminal liability, to the following:

  • in the case of a data controller dealing with more than 10,000 data subjects, a fine of 2% of the annual gross revenue of the preceding year or payment of the sum of NGN 10 million (approx. $13,040), whichever is greater; or
  • in the case of a data controller dealing with fewer than 10,000 data subjects, a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of NGN 2 million (approx. $2,610), whichever is greater.

9.1. Enforcement decisions

  • Soko Loans: The NITDA fined Soko Lending Company Limited NGN 10 million (approx. $13,040) for violating the NDPR; and
  • Electronic Settlement: The NITDA fined Electronic Settlement Limited NGN 5 million (approx. $ 6,520) for personal data breach.