Data Protection in Nigeria

Transfer in Nigeria

The Nigeria Data Protection Act has provided in respect of transfer of personal data that such transfer is permissible if the recipient of the data is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection with respect to the personal data.

To ensure the level of adequacy required by the recipient country of personal data, the following will occur:

  • a data controller or processor shall record the basis for transfer and adequacy of protection in that country;
  • the Commission may make regulations requiring data controllers and processors to notify it of the measures in place to explain their adequacy in accordance with the Act;
  • the Commission may by regulation designate categories of personal data that are subject to additional specified restrictions on transfer to another country based on the nature of such personal data and risks to data subjects.

Other forms of assessment to be taken into account to ensure adequacy of protection include:

  • availability of enforceable data subject rights, the ability of a data subject to enforce such rights through administrative or judicial redress, and the rule of law;
  • existence of any appropriate instrument between the Commission and a competent authority in the recipient jurisdiction that ensures adequate data protection;
  • access of a public authority to personal data;
  • existence of an effective data protection law;
  • existence and functioning of an independent, competent data protection, or similar supervisory authority with adequate enforcement powers; and
  • international commitments and conventions binding on the relevant country and its membership of any multilateral or regional organisations.

The Commission shall issue guidelines for these assessments in line with the factors that have been outlined above. The Commission may determine if a country, region or specified sector within a country has the adequate level of protection. The Commission may approve binding corporate rules, codes of conduct, certification mechanisms or similar instruments for data transfer proposed to it if it meets the standards specified in this Act.

In the absence of adequacy of protection as specified by the Act, transfer of personal data from Nigeria to another country is possible if at least one of the following conditions are met:

  • The data subject has provided and not withdrawn consent to such transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of adequate protections;
  • transfer is necessary for the performance of a contract to which a data subject is a party or in order to take steps at the request of a data subject, prior to entering into a contract;
  • transfer is for the sole benefit of a data subject and it is not reasonably practicable to obtain the consent of the data subject to that transfer or if it were reasonably practicable to obtain such consent, the data subject would likely give it;
  • transfer is necessary for important reasons of public interest;
  • transfer is necessary for the establishment, exercise, or defense of legal claims; or
  • transfer is necessary to protect the vital interests of a data subject or of other persons, where a data subject is physically or legally incapable of giving consent.

Continue reading

  • no results

Previous topic
Back to top