Data Protection in Nigeria

Collection and processing in Nigeria

Collection

Personal Data must be collected and processed in accordance with a specific, legitimate and lawful purpose consented to by the Data Subject:

  • Prior to Personal Data collection, Controllers must provide Data Subjects with relevant information, including the identity and contact details of the Controller, contact details of its Data Protection Officer and the intended purpose and legal basis for Personal Data processing;
  • The legitimate interests pursued by the Controller or third party must be stated;
  • The recipients or categories of recipients of the Personal Data, if any;
  • Where applicable, the fact that the Controller intends to transfer Personal Data to a third country or international organization, and the existence or absence of an adequacy decision by the Agency, the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
  • Data subjects must be provided with notice of their right to:
    1. request access to and rectification of Personal Data maintained by the Controller;
    2. withdraw consent for further processing by the Controller at any time; and
    3. lodge a complaint with the relevant authority; and
  • Where the Controller intends to process Personal Data for a purpose other than for which it was collected, the
    Controller must provide Data Subjects with any relevant information on the additional purpose prior to further processing.

Processing

Personal Data Processing is lawful if at least one of the following applies:

  • The data subject has given consent to the processing of his or her Personal Data for one or more specific purposes and the data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach;
  • Processing is necessary for compliance with a legal obligation to which the Controller is subject under;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a contract to which the Data Subject is party to or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor; or

  • For the purposes of the legitimate interests pursued by the data controller or data processor, or by a third party to whom the data is disclosed. Interest in processing personal data can only be legitimate if:

    1. they do not override the fundamental rights, freedoms and the interests of the data subject;

    2. they are compatible with other lawful basis of processing above with the exception of consent;

    3. the data subject would have a reasonable expectation that the personal data would be processed in the manner envisaged. 

Data processing by a third party is governed by a written contract between the third party and the authorised Data Controller. Accordingly, any person engaging a third party to process the data obtained from Data Subjects shall ensure compliance with the Nigerian Data Protection Act 2023.

Continue reading

  • no results

Previous topic
Back to top