Last modified 17 March 2026

Data Protection in Nigeria

Registration in Nigeria

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Nigeria

Principal regulation

Nigeria Data Protection Act 2023 (NDPA)

The NDPA has been enacted to safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria. Among other things, the objective of the NDPA include: the protection of personal information; establishment the Nigeria Data Protection Commission (NDPC) for the regulation of the processing of personal information; promotion of data processing practices that safeguard the security of personal data and privacy of data subjects; protection of data subjects’ rights, and provision of means of recourse and remedies, in the event of the breach of the data subjects’ rights; and strengthening the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data etc. The NDPA received Presidential assent on 13 June 2023.

Subsidiary legislation

There is subsidiary legislation that provides guidance, rules and procedures to implement and enforce the provisions of the NDPA. The legislation include:

General Application and Implementation Directive 2025 (GAID)

The GAID was issued on 20 March 2025 by the NDPC pursuant to its powers under the NDPA. With the issuance of the GAID, the Nigeria Data Protection Regulation 2019 and its Implementation Framework of 2020 ceased to apply. The NDPA and the GAID together now constitute the complete governing framework for data protection in Nigeria. The GAID provides comprehensive and binding directives for implementing the NDPA, addressing topics including: scope and applicability of the NDPA; lawful bases for data processing; designation and registration of data controllers and processors of major importance; the role of Data Protection Officers; compliance audit returns; cross-border data transfers; data breach notifications; data ethics; and the exercise of data subjects’ rights. The GAID also introduces several Schedules covering, inter alia, Principles of Data Protection, Data Privacy Impact Assessment templates, Cross-Border Data Transfer guidance, Data Subject Vulnerability Indexes, and registration guidance for data controllers and processors of major importance.

Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020 (Guidelines)

The Guidelines apply to all public institutions (PIs) in Nigeria, including ministries, departments, agencies, institutions, public corporations, publicly funded ventures, and incorporated entities with government shareholding, either at the Federal, State or Local levels, that process the personal data of a data subject. The Guidelines mandate all PIs to protect personal data in any incidence of processing such data. Processing in this context retains the same meaning it has under the NDPA. All forms of personal data of a Nigerian citizen, resident or non-Nigerian individual that has interactions with PIs, or such PIs have access to the personal data in furtherance of a statutory or administrative purpose, are to be protected in accordance with the NDPA or any other law or regulation in force in Nigeria.

Sectoral laws

In addition to the principal and subsidiary legislation mentioned, the Constitution of the Federal Republic of Nigeria and various sector-specific laws make different provisions for privacy and data protection matters. Key provisions in the mentioned laws are outlined hereunder:

The laws

Constitution of the Federal Republic of Nigeria 1999 (As Amended) (Constitution)

The Constitution provides Nigerian citizens with a fundamental right to privacy. Section 37 of the Constitution guarantees privacy protections to citizens in their homes, correspondence, telephone conversations and telegraphic communications. The Constitution neither defines the scope of privacy nor contains detailed privacy provisions.

Child Rights Act 2003 (Act)

The Act reiterates the constitutional right to privacy as it relates to children. Section 8 of the Act guarantees a child’s right to privacy subject to parent or guardian rights to exercise supervision and control of their child’s conduct. Some Nigerian states have also enacted Child Rights Laws. Under the Act / Laws, age of a child is any person under the age of 18.

Consumer Code of Practice Regulations 2007 (NCC Regulations)

The Nigerian Communications Commission (NCC) issued the NCC Regulations which requires all licensees to take reasonable steps to protect customer information against improper or accidental disclosure and ensure that such information is securely stored and not kept longer than necessary. The NCC Regulations further prohibit the transfer of customer information to any party except to the extent agreed with the customer, as permitted or required by the NCC or other applicable laws or regulations.

Consumer Protection Framework 2016 (Framework)

The Framework was enacted pursuant to the Central Bank of Nigeria Act 2007. The Framework includes provisions that prohibit financial institutions from disclosing customers’ personal information. The Framework further requires that financial institutions have appropriate data protection measures and staff training programs in place to prevent unauthorized access, alteration, disclosure, accidental loss or destruction of customer data. Financial services providers must obtain written consent from consumers before personal data is shared with a third party or used for promotional offers.

Credit Reporting Act 2017 (CRA)

The CRA establishes a legal and regulatory framework for credit reporting by Credit Bureaus. Section 5 of the CRA requires Credit Bureaus to maintain credit information for at least 6 years from the date that such information is obtained, after which the information must be archived for a 10-year period prior to its destruction. Section 9 of the CRA provides the rights of data subjects (i.e. persons whose credit data are held by a Credit Bureau) to privacy, confidentiality and protection of their credit information. Section 9 further prescribes conditions under which the credit information of the data subject may be disclosed.

Cybercrimes (Prohibition, Prevention Etc) (Amendment) Act, 2024 (Cybercrimes Act)

The Cybercrimes Act provides a legal and regulatory framework that prohibits, prevents, detects, prosecutes and punishes cybercrimes in Nigeria. The Cybercrimes Act requires financial institutions to retain and protect data and criminalizes the interception of electronic communications.

Freedom of Information Act, 2011 (FOI Act)

The FOI Act seeks to protect personal privacy. Section 14 of the FOI Act provides that a public institution is obliged to deny an application for information that contains personal information unless the individual involved consents to the disclosure, or where such information is publicly available. Section 16 of the FOI Act provides that a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law (such as lawyer-client privilege, health workers-client privilege, etc.).

National Identity Management Commission Act 2007 (NIMC Act)

The NIMC Act creates the National Identity Management Commission (NIMC) to establish and manage a National Identity Management System (NIMS). The NIMC is responsible for enrolling citizens and legal residents, creating and operating a National Identity Database and issuing Unique National Identification Numbers to qualified citizens and legal residents. Section 26 of the NIMC Act provides that no person or corporate body shall have access to data or information in the Database with respect to a registered individual without authorization from the NIMC. The NIMC is empowered to provide a third party with information recorded in an individual’s Database entry without the individual’s consent, provided it is in the interest of National Security.

National Health Act 2014 (NH Act)

The NH Act provides rights and obligations for health users and healthcare personnel. Under the NH Act, health establishments are required to maintain health records for every user of health services and maintain the confidentiality of such records. The NH Act further imposes restrictions on the disclosure of user information, and requires persons in charge of health establishments to set up control measures for preventing unauthorized access to information. The NH Act applies to all information relating to patient health status, treatment, and admittance into a health establishment, and further applies to DNA samples collected by a health establishment.

Nigerian Communications Commission (registration of telephone subscribers) Regulation 2011 (Regulation)

Section 9 and 10 of the Regulation provides confidentiality for telephone subscribers’ records maintained in the NCC’s central database. The Regulation further provides telephone subscribers with a right to view and update personal information held in the NCC’s central database of a telecommunication company in camera.

Related resources

Definitions

Definitions in Nigeria

Definition of personal data

Personal Data is defined as any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.

Definition of personal data breach

Personal Data Breach is defined as a breach of security of a data controller or data processor leading to or likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Definition of data subject

Data Subject means an individual to whom personal data relates.

Definition of data controller

Data Controller means an individual, private entity, public Commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data.

Definition of processing

Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction and does not include the mere transit of data originating outside Nigeria.

Definition of sensitive personal data

Sensitive Personal Data means personal data relating to an individual’s:

genetic and biometric data, for the purpose of uniquely identifying a natural person,
race or ethnic origin,
religious or similar beliefs, such as those reflecting conscience or philosophy,
health status,
sex life,
political opinions or affiliations,
trade union memberships, or
other information prescribed by the Commission as sensitive personal data.

Related resources

Authority

National data protection authority in Nigeria

Nigeria Data Protection Commission

The Nigeria Data Protection Commission (the Commission) was established under the Nigeria Data Protection Act 2023 (the Act) as the supervisory and regulatory authority for data protection in Nigeria, a function previously undertaken by the Nigeria Data Protection Bureau (NDPB). Essentially, the Commission is the successor-in-title to the duties, power and functions of the NDPB.

Related resources

Registration

Registration in Nigeria

Under the NDPA and the GAID, data controllers and data processors of major importance are required to register with the NDPC. A data controller or data processor of major importance is defined in the NDPA as a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria as the NDPC may prescribe, or such other class of data controller or data processor processing personal data of particular value or significance to the economy, society or security of Nigeria, as the NDPC may designate.

Notably, the term “operating in Nigeria” under the GAID includes a data controller or data processor who targets a data subject in Nigeria, even if not domiciled or resident in Nigeria. In exercising its designation powers, the NDPC considers factors including:

the risks of data processing to data subjects;
data sovereignty implications;
the sensitivity of personal data; data-driven financial assets;
reliance on third-party servers or cloud computing;
substantial cross-border data flows;
use of automated filing systems;
number of data subjects; and
the need for international certifications.

The GAID further designates as data controllers or processors of major importance any organization that:

processes personal data of more than 200 data subjects in six months;
carries out commercial ICT services on any digital device belonging to another individual; or
processes personal data in the aviation, communication, education, electric power, export/import, financial, health, hospitality, insurance, oil and gas, tourism, e-commerce, or public service sectors.

The GAID classifies data controllers and data processors of major importance into three levels as follows:

Ordinary High level (OHL)

Number of data subjects whose personal data was processed in six-month period: Over 200 but less than 1,000 data subjects in six months.

Also includes (regardless of data subject volume):

primary and secondary schools;
corporate training service providers;
primary health centres;
independent medical laboratories;
hotels and guest houses with less than 50 suites;and
processors of sensitive personal data of more than 200 data subjects for commercial purposes.

Fee payable: N10,000. Registration must be renewed annually. Not required to file annual CAR.

Extra-High Level (EHL)

Number of data subjects whose personal data was processed in six-month period: Over 1000 but less than 5,000 data subjects in six months.

Also includes (regardless of data subject volume):

Ministries, Departments and Agencies (MDAs) of government;
microfinance banks; higher institutions;
hospitals providing tertiary or secondary medical services; and
mortgage banks.

Fee payable: N100,000. Registers once; required to file annual CAR (through a licensed DPCO) by 31st March each year.

Ultra-High Level (UHL)

Number of data subjects whose personal data was processed in six-month period: Over 5,000 data subjects in six months.

Also includes (regardless of data subject volume):

commercial banks operating at national or regional level;
telecommunication companies;
insurance companies;
multinational companies;
electricity distribution companies; oil and gas companies;
public social media App developers and proprietors;
public e-mail App developers and proprietors;
communication device manufacturers;
payment gateway service providers; and
fintechs.

Fee payable: N250,000. Registers once; required to file annual CAR (through a licensed DPCO) by 31st March each year.

Data Controllers Not of Major Importance

The GAID also identifies the following as data controllers not of major importance, who are therefore not required to register with the Commission:

traders or artisans who do not transmit personal data as a trade or business object to other data controllers or processors;
traders with fewer than 15 employees, or artisans who do not keep any specific filing system of personal data relating to their customers except routine phone contact files, receipts data, contact addresses and electronic mail addresses; and
a community of friends, professionals or people of common interest who interact on social media platforms.

Notwithstanding their non-registration status, such entities remain subject to the fundamental obligation to respect the privacy of data subjects under the NDPA.

NDPA Compliance Audit Returns (CAR)

The GAID establishes comprehensive provisions for compliance auditing. Every data controller or data processor of major importance must conduct periodic compliance audits of their data processing activities. The following key obligations apply:

Audits must adopt a risk-based approach covering people, processes, and technologies in the data processing value chain;
CAR must be filed by the qualifying organizations through an automated platform or portal provided by the NDPC;
For qualifying organizations established before 12 June 2023, CAR must be filed not later than 31st March each year;
For qualifying organizations established after 12 June 2023, the first CAR filing is due within fifteen (15) months of establishment, and annually thereafter;
Failure to file CAR by the due date attracts an administrative penalty of 50% of the stipulated CAR filing fee in addition to the filing fee; and
the NDPC may issue a Compliance Audit Returns Certificate upon filing.

Related resources

Data protection officers

Data protection officers in Nigeria

The Nigerian Data Protection Act 2023 requires Data Controllers of Major Importance to designate a Data Protection Officer (DPO) who will be responsible for ensuring internal compliance with the Act, other applicable data protection directives, and serving as a point of contact between the Data Controller and the regulatory body (Nigeria Data Protection Commission). The Data Protection Officer may be an employee of a Data Controller or engaged by a service contract.

Related resources

Collection and processing

Collection and processing in Nigeria

Collection

Personal data must be collected and processed in accordance with a specific, legitimate, and lawful purpose. The lawful basis for processing must be identified before collection commences. Prior to collecting personal data, data controllers must provide data subjects with relevant information required by law. Notably, the GAID clarifies that the provision of information to data subjects does not constitute a request for consent. Consent must be specifically and separately requested when required by law, and only after all relevant information has been provided to enable the data subject to make an informed decision.

The information to be provided includes :

the identity and contact details of the Controller, contact details of its Data Protection Officer and the intended purpose and legal basis for Personal Data processing;
the legitimate interests pursued by the Controller or third party must be stated;
the recipients or categories of recipients of the Personal Data, if any;
where applicable, the fact that the Controller intends to transfer Personal Data to a third country or international organization, and the existence or absence of an adequacy decision by the Agency, the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
data subjects must be provided with notice of their right to:
- request access to and rectification of Personal Data maintained by the Controller;
- withdraw consent for further processing by the Controller at any time; and
- lodge a complaint with the relevant authority; and

Where the Controller intends to process Personal Data for a purpose other than for which it was collected, the Controller must provide Data Subjects with any relevant information on the additional purpose prior to further processing.

Processing

Personal Data Processing is lawful if at least one of the following applies:

The data subject has given consent to the processing of his or her Personal Data for one or more specific purposes and the data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach;
Processing is necessary for compliance with a legal obligation to which the Controller or processor is subject;
Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
Processing is necessary for the performance of a contract to which the Data Subject is party to or in order to take steps at the request of the Data Subject prior to entering into a contract;
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor; or
For the purposes of the legitimate interests pursued by the data controller or data processor, or by a third party to whom the data is disclosed. Interest in processing personal data can only be legitimate if:
- they do not override the fundamental rights, freedoms and the interests of the data subject;
- they are compatible with other lawful basis of processing above with the exception of consent;
- the data subject would have a reasonable expectation that the personal data would be processed in the manner envisaged.

Data processing by a third party is governed by a written contract between the third party and the authorised Data Controller. Accordingly, any person engaging a third party to process the data obtained from Data Subjects shall ensure compliance with the Nigerian Data Protection Act 2023.

Related resources

Transfer of personal data

Transfer of personal data in Nigeria

The Nigeria Data Protection Act has provided in respect of transfer of personal data that such transfer is permissible if the recipient of the data affords its data subject to adequate data protection. The NDPC may adjudge a country as affording adequate data protection by assessing the following conditions:

availability of enforceable data subject rights, the ability of a data subject to enforce such rights through administrative or judicial redress, and the rule of law;
existence of any appropriate instrument between the NDPC and a competent authority in the recipient jurisdiction that ensures adequate data protection; access of a public authority to personal data; existence of an effective data protection law;
existence and functioning of an independent, competent data protection, or similar supervisory authority with adequate enforcement powers; and
international commitments and conventions binding on the relevant country and its membership of any multilateral or regional organisations.

Cross-Border Data Transfer Instruments (CBDTI)

In the absence of an adequacy decision, the NDPA may approve a CBDTI for a data controller or processor. These instruments may take the form of codes of conduct, certifications, binding corporate rules, or standard contractual clauses. The objective of a CBDTI is to ensure proper monitoring of data flows and accountability between parties. The Commission shall review the CBDTI to confirm it meets the requirements of the NDPA.

In the absence of adequacy of protection as specified by the NDPA, transfer of personal data from Nigeria to another country is possible if at least one of the following conditions are met:

The data subject has provided and not withdrawn consent to such transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of adequate protections;
transfer is necessary for the performance of a contract to which a data subject is a party or in order to take steps at the request of a data subject, prior to entering into a contract;
transfer is for the sole benefit of a data subject and it is not reasonably practicable to obtain the consent of the data subject to that transfer or if it were reasonably practicable to obtain such consent, the data subject would likely give it;
transfer is necessary for important reasons of public interest;
transfer is necessary for the establishment, exercise, or defense of legal claims; or transfer is necessary to protect the vital interests of a data subject or of other persons, where a data subject is physically or legally incapable of giving consent.

Related resources

Security

Security in Nigeria

Data Controllers and Processors involved in data processing or the control of data have the responsibility to develop and implement appropriate technical and organizational measures to ensure the security, integrity and confidentiality of personal data under its control. Such measures include but are not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policies for handling Personal Data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff. In developing and implementing the measures referred to above, the amount and sensitivity of the personal data, likelihood of harm to the data subject amongst other considerations should be taken into account.

Related resources

Breach notification

Breach notification in Nigeria

Commission Notification

Within 72 (seventy-two) hours of becoming aware of a breach, if the breach is likely to result in a risk to the rights and freedoms of individuals, the data controller must notify the Commission. The data controller must immediately communicate the breach in plain and clear language, including advice about measures the data subject could take to mitigate the effect of the breach, the categories and approximate numbers of data subjects, and personal data records concerned.

Data Subject Notification

Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the data controller shall immediately communicate the personal data breach to the data subject in plain and clear language, including advice about measures the data subject could take to mitigate the possible adverse effects of the data breach. If a direct communication to the data subject would involve disproportionate effort or expense, or is otherwise not feasible, the data controller may instead make a public communication in one or more widely used media sources such that the data subject is likely to be informed.

The notifications referenced above should communicate the name and contact details of a point of contact of the data controller, describe the likely consequences of the personal breach and measures taken or proposed to be taken to address the personal breach.

Data Processor Notification

In a processing activity involving a data processor and controller or a processor and sub processor, there is an obligation on a data processor (or sub processor), on becoming aware of a breach, to notify the data controller or processor that engaged it, describing the nature of the personal data breach including where possible, the categories and approximate number of data subject and records concerned; and respond to all information requests from the data controller or processor that engaged it.

Related resources

Enforcement

Enforcement in Nigeria

The Commission is saddled with supervisory and enforcement responsibilities in respect of data protection matters in Nigeria. It collaborates with security agencies like the office of the Inspector General of Police to ensure full compliance and enforcement.

A data subject who is aggrieved by the decision, action or inaction of a data controller or data processor in respect of their obligations, may lodge a complaint with the Commission. The Commission may investigate any complaint referred to it as long as it does not appear to be frivolous or vexatious.

Where the Commission is satisfied that a data controller or data processor has violated or is likely to violate any requirement under the Act or any subsidiary legislation, the Commission may make an appropriate compliance order against that data controller or data processor.

The order made by the Commission may include:

warning that certain act or omission is likely to be a violation of one or more provisions under the Act or any subsidiary legislation or orders issued under it;
requirement that the data controller or data processor complies with such provisions, including complying with the requests of a data subject to exercise one or more rights under the Act; or
cease and desist order requiring the data controller or data processor to stop or refrain from doing an act, which is in violation of the Act, including stopping or refraining from processing personal data that is the subject of the order.

If the Commission, after completing an investigation, is satisfied that a data controller or data processor has violated any provision of the Act it:

may make any appropriate enforcement order or impose a sanction on the data controller or data processor; and
shall inform the data controller or data processor, and if applicable, any data subject who lodged a complaint leading to the investigation, in writing of its decision.

An enforcement order made or sanction imposed shall include:

requiring the data controller or data processor to remedy the violation;
ordering the data controller or data processor to pay compensation to a data subject, who has suffered injury, loss, or harm as a result of a violation;
ordering the data controller or data processor to account for the profits realised from the violation; or
ordering the data controller or data processor to pay a penalty or remedial fee.

Applicable remedial fees are as follows:

For data controllers / processors of major importance, the organization can be fined up to 2% of its annual gross revenue or 10 million Naira in the preceding financial year, whichever is greater;
In case of a data controller / processors not of major importance, the organization can be fined up to 2% of its annual gross revenue or 2 million Naira in the preceding financial year, whichever is greater.

Also, a data controller or data processor, who fails to comply with orders made by the Commission commits an offence and is liable on conviction to:

a fine of up to the;
- higher maximum amount, in the case of a data controller or data processor of major importance, or
- standard maximum amount, in the case of a data controller or data processor not of major importance; or
imprisonment for a term not more than one year or both.

Related resources

Electronic marketing

Electronic marketing in Nigeria

The NCC Regulations provide that no licensee shall engage in unsolicited telemarketing unless it discloses:

At the beginning of the communication, the identity of the licensee or other person on whose behalf it is made and the precise purpose of the communication. During the communication, the full price of any product or service that is the subject of the communication must be specified.
The person receiving the communication shall have an absolute right to cancel the agreement for purchase, lease or other supply of any product or service within seven (7) days of the communication, by calling a specific telephone number (without any charge, and that the Licensee shall specifically identify during the communication) unless the product or service has by that time been supplied to and used by the person receiving the communication.

Licensees are required to conduct telemarketing in accordance with any “call” or “do not call” preferences recorded by the consumer, at the time of entering into a contract for services or after, and in accordance with any other rules or guidelines issued by the Commission or any other competent authority.

Direct Marketing

The Data Protection Act provides that where personal data is processed for direct marketing purposes, the data subject will have the right to object at any time, to the processing of such data. When the data subject objects, the personal data must no longer be processed for such purposes.

Internet Service Providers (ISP)

The NCC Legal Guidelines for Internet Service Providers (ISP) provides that Commercial Communications ISPs must take reasonable steps to promote compliance with the following requirements for commercial email or other commercial communications transmitted using the ISP’s services:

The communication must be clearly identified as a commercial communication.
The person or entity on whose behalf the communication is being sent must be clearly identified.
The conditions to be fulfilled in order to qualify for any promotional offers, including discounts, rebates or gifts, must be clearly stated.

Promotional contests or games must be identified as such, and the rules and conditions to participate must be clearly stated. Persons transmitting unsolicited commercial communications must take account of any written requests from recipients to be removed from mailing lists, including by means of public opt-out registers, in which people who wish to avoid unsolicited commercial communications are identified.

Advertising

The Advertising Regulatory Council of Nigeria Act 2022 (ARCON Act) is the apex law regarding advertising and marketing communications in Nigeria; its scope covers both terrestrial and online advertisements. The Nigerian Code of Advertising Practice Sales Promotion and Other Rights / Restrictions on Practice (5th Edition) which continues in force under the ARCON Act, provides that all advertisements and marketing communications directed at the Nigerian market using the Internet or other electronic media must comply with the following requirements:

The commercial nature of such communications must not be concealed or misleading, it should be made clear in the subject header.
Terms of the offer should be clear and devices should not be used to conceal or obscure any material factors, such as price or other sales conditions likely to influence customer decisions.
The procedure for concluding a contract should be clear.
Due recognition must be given to the standards of acceptable commercial behavior held by public groups before posting marketing communications to such groups using electronic media.
Unsolicited messages should not be sent except where there are reasonable grounds to believe that consumers who receive such communications are interested in the subject matter or offer.
All marketing communications sent via electronic media should include a clear and transparent mechanism enabling consumers to expressly opt-out from future solicitations.
Care should be taken to ensure that neither the marketing communication, or applications used to enable consumers to open marketing or advertising messages, interfere with consumers normal use of electronic media.
Customer information must not be transferred to any party except to the extent agreed with the Customer, as permitted or required by the NCC or other applicable laws or regulations.

Emerging Technologies and Artificial Intelligence

The GAID establishes specific obligations for data controllers and processors deploying Emerging Technologies (ETs) such as Artificial Intelligence, Internet of Things (IoT), and Blockchain for the purposes of processing personal data. Requirements include:

Setting technical and organisational parameters for ET tools in accordance with the threshold of data processing permitted by law – specifically taking into account the right not to be subject to decisions based solely on automated processes, the right to be forgotten, safeguards for sensitive personal data and children, cross-border data flow regulation, and privacy by design and by default;
Carrying out a DPIA before deployment, with particular attention to assessment of disparate outcomes and Data Subjects’ Vulnerability Indexes (DSVI);
Determining the suitability of data anonymisation upon collection;
Testing ETs in sandbox (controlled) environments before wider deployment;
Iteratively retooling and re-testing until satisfactory outcomes are achieved, or wholly discarding the ET if privacy risks are unmitigable; and
Implementing continuous monitoring and evaluation mechanisms upon deployment.

The technical and organisational parameters for ET deployment must be documented and filed with the NDPC as part of the CAR.

Data controllers must refrain from using ET systems that are impossible to operate in compliance with international human rights law or that pose undue risks to the enjoyment of human rights, in line with the United Nations Resolution on Artificial Intelligence and global consensus standards.

Related resources

Online privacy

Online privacy in Nigeria

The Constitutional right to privacy applies to electronic media, including mobile devices and the Internet. Violations of these rights as safeguarded by the constitution may be subject to civil enforcement under the Fundamental Rights Enforcement Procedure Rules, 2009.

According to the Nigeria Data Protection Act, data controllers must perform a data privacy impact assessment where processing personal data could potentially pose a substantial risk to the rights and freedoms of a data subject, taking into consideration the nature, scope, context and purposes of such processing. Where the probability of high risks is established by the impact assessment, the controller is obligated to consult the Commission before processing.

The GAID requires all mediums through which Personal Data is collected or processed to display a simple and conspicuous privacy policy, easily understood by the targeted Data Subject class. The privacy policy must contain the following, in addition to any other relevant information:

What constitutes Data Subject consent;
Description of Personal Data to be collected;
Purpose of Personal Data collection;
Technical methods used to collect and store personal information (i.e. cookies, web tokens etc.);
Access (if any) of third parties to Personal Data and purpose of access;
An overview of data processing principles under the NDPR;
Available remedies for privacy policy violation;
Timeframes associated with available remedies; and
Any limitation clause, provided that no limitation clause shall avail any Data controller who acts in breach of the principles of lawful processing set out in the NDPR.

Related resources

Key contacts

Data protection lawyers in Nigeria

Sandra Oyewole

Partner

Olajide Oyewole LLP

Lagos

Email Full bio

Adewumi Salami

Legal Director

Olajide Oyewole LLP

Lagos

Email Full bio

the risks of data processing to data subjects;
data sovereignty implications;
the sensitivity of personal data; data-driven financial assets;
reliance on third-party servers or cloud computing;
substantial cross-border data flows;
use of automated filing systems;
number of data subjects; and
the need for international certifications.

The GAID further designates as data controllers or processors of major importance any organization that:

processes personal data of more than 200 data subjects in six months;
carries out commercial ICT services on any digital device belonging to another individual; or
processes personal data in the aviation, communication, education, electric power, export/import, financial, health, hospitality, insurance, oil and gas, tourism, e-commerce, or public service sectors.

The GAID classifies data controllers and data processors of major importance into three levels as follows:

Ordinary High level (OHL)

Number of data subjects whose personal data was processed in six-month period: Over 200 but less than 1,000 data subjects in six months.

Also includes (regardless of data subject volume):

primary and secondary schools;
corporate training service providers;
primary health centres;
independent medical laboratories;
hotels and guest houses with less than 50 suites;and
processors of sensitive personal data of more than 200 data subjects for commercial purposes.

Fee payable: N10,000. Registration must be renewed annually. Not required to file annual CAR.

Extra-High Level (EHL)

Number of data subjects whose personal data was processed in six-month period: Over 1000 but less than 5,000 data subjects in six months.

Also includes (regardless of data subject volume):

Ministries, Departments and Agencies (MDAs) of government;
microfinance banks; higher institutions;
hospitals providing tertiary or secondary medical services; and
mortgage banks.

Fee payable: N100,000. Registers once; required to file annual CAR (through a licensed DPCO) by 31st March each year.

Ultra-High Level (UHL)

Number of data subjects whose personal data was processed in six-month period: Over 5,000 data subjects in six months.

Also includes (regardless of data subject volume):

commercial banks operating at national or regional level;
telecommunication companies;
insurance companies;
multinational companies;
electricity distribution companies; oil and gas companies;
public social media App developers and proprietors;
public e-mail App developers and proprietors;
communication device manufacturers;
payment gateway service providers; and
fintechs.

Fee payable: N250,000. Registers once; required to file annual CAR (through a licensed DPCO) by 31st March each year.

Data Controllers Not of Major Importance

The GAID also identifies the following as data controllers not of major importance, who are therefore not required to register with the Commission:

traders or artisans who do not transmit personal data as a trade or business object to other data controllers or processors;
traders with fewer than 15 employees, or artisans who do not keep any specific filing system of personal data relating to their customers except routine phone contact files, receipts data, contact addresses and electronic mail addresses; and
a community of friends, professionals or people of common interest who interact on social media platforms.

Notwithstanding their non-registration status, such entities remain subject to the fundamental obligation to respect the privacy of data subjects under the NDPA.

NDPA Compliance Audit Returns (CAR)

Audits must adopt a risk-based approach covering people, processes, and technologies in the data processing value chain;
CAR must be filed by the qualifying organizations through an automated platform or portal provided by the NDPC;
For qualifying organizations established before 12 June 2023, CAR must be filed not later than 31st March each year;
For qualifying organizations established after 12 June 2023, the first CAR filing is due within fifteen (15) months of establishment, and annually thereafter;
Failure to file CAR by the due date attracts an administrative penalty of 50% of the stipulated CAR filing fee in addition to the filing fee; and
the NDPC may issue a Compliance Audit Returns Certificate upon filing.

Quick links

Data Protection in Nigeria

Registration in Nigeria

Ordinary High level (OHL)

Extra-High Level (EHL)

Ultra-High Level (UHL)

Data Controllers Not of Major Importance

NDPA Compliance Audit Returns (CAR)

Continue reading