1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
Nigeria's main and overarching legislative framework for data privacy is the Nigeria Data Protection Act (NDPA), which was enacted into law in June 2023. The Act has a broad scope of application and applies to:
- both the private and public sectors;
- data controllers and data processors established or operating in Nigeria;
- data controllers and data processors that are not established or operating in Nigeria but process the personal data of Nigerians; and
- all forms of data processing activities, except those expressly exempted under the Act in each of these cases.
The NDPA establishes the Nigeria Data Protection Commission (NDPC) to oversee its administration and enforcement. In March 2025, the NDPC issued the General Application and Implementation Directive of the Nigeria Data Protection Act (GAID), which, through its 52 articles and 10 schedules:
- provides interpretative and application guidance on specific provisions of the NDPA; and
- introduces supplemental provisions addressing some areas on which the NDPA requires the NDPC to issue regulations.
The GAID took effect in September 2025 and replaces the Nigeria Data Protection Regulation 2019, which was Nigeria's first omnibus data protection law covering all sectors and data processing activities.
Beyond the NDPA and its GAID, other laws include provisions on data privacy for specific sectors or types of data processing. These sector-specific or subject matter-specific laws are issued as:
- Acts of the National Assembly;
- Laws of states; or
- subsidiary regulations/laws by sectoral regulators.
Some of these are outlined in question 1.2.
The NDPA explicitly provides that where its provisions conflict with those of any other law relating directly or indirectly to the processing of personal data, the NDPA will take precedence. This establishes a clear legislative hierarchy in which the NDPA supersedes other laws with data privacy provisions.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
Yes. In addition to the NDPA, Nigeria has several sector-specific and subject matter-specific regimes that complement general data protection requirements. These regimes target particular sectors, types of personal data or specific data processing activities, thereby ensuring tailored regulation where standard provisions may not fully address sectoral risks or operational realities.
Examples include the following:
- Banking sector: The Central Bank of Nigeria (CBN) has issued regulations with data privacy provisions, including:
  - the Operational Guidelines for Open Banking in Nigeria, 2023;
  - the Regulatory Framework for Open Banking in Nigeria, 2021;
  - the Consumer Protection Regulations, 2019; and
  - the Consumer Protection Framework, 2016.
- Telecommunications sector: The Nigerian Communications Commission (NCC) has regulations addressing data privacy, such as:
  - the Consumer Code of Practice Regulations, 2024; and
  - the Registration of Telephone Subscribers Regulations, 2011.
- Healthcare sector: The National Health Act, 2014 provides a legal framework for health services, including provisions on the protection of personal health information.
- National identity management: The National Identity Management Commission Act, 2007 empowers the National Identity Management Commission to establish and maintain a National Identity Database, with rules on the security and access to personal information.
- Public access to information: The Freedom of Information Act, 2011 grants citizens the right to request government-held records, promoting transparency while safeguarding personal privacy.
- Cybersecurity and electronic communications: The Cybercrimes (Prohibition, Prevention, Etc) Act, 2015 provides a legal framework to prevent and punish cybercrimes, including requirements for the protection of personal data and electronic communications.
- Public sector data management: The Guidelines for the Management of Personal Data by Public Institutions in Nigeria, 2020, which are now deemed to have been issued under the NDPA, provide mandatory guidance to public institutions on data protection.
These regimes ensure that sector-specific risks and operational particularities are addressed alongside the general obligations under the NDPA.
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
Currently, no bilateral or multilateral instrument specifically addressing data protection/privacy (as opposed to privacy in general) is directly enforceable in Nigerian courts.
Nigeria has signed the African Union Convention on Cyber Security and Personal Data Protection (commonly referred to as the 'Malabo Convention'), which was adopted in 2014. This convention aims to harmonise data protection laws across Africa and entered into force on 8 June 2023. However, Nigeria has neither ratified nor domesticated the convention. Under Nigeria's dualist approach to international law, treaties must be enacted as national legislation before they have domestic legal effect. As a result, the Malabo Convention is not directly enforceable in the Nigerian courts.
Similarly, Nigeria is also a party to the Economic Community of West African States (ECOWAS) Supplementary Act A/SA1/01/10 on Personal Data Protection, adopted in 2010. This legally binding instrument requires member states to establish national data protection frameworks, including the creation of national data protection authorities. While binding at the ECOWAS level, enforcement in domestic courts depends on national implementation. The ECOWAS Court of Justice can hear cases interpreting and applying this act, so it is enforceable against Nigeria at the ECOWAS level; but it is not enforceable directly in Nigerian courts.
Despite the lack of domestication of the Malabo Convention and the ECOWAS Supplementary Act, the NDPA aligns closely with the principles, rights and obligations set out in these instruments. In particular, it establishes the NDPC as an independent regulatory body, which is a key feature encouraged by both instruments.
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The body primarily responsible for enforcing data protection legislation in Nigeria is the NDPC, which is established under the NDPA. The NDPC is empowered to:
- oversee the implementation of the NDPA;
- set fees for data controllers and processors based on their activities;
- issue regulations, rules, directives and guidance;
- define how and when compliance reports must be submitted;
- request information or inspect documents related to data processing;
- investigate violations of the NDPA or subsidiary legislation; and
- impose penalties for breaches.
Alongside the NDPC, various sectoral regulators enforce data protection within the industries or subject matters under their oversight. For example:
- in the financial sector, the CBN ensures that banks and other financial institutions comply with data privacy requirements;
- the NCC performs a similar role for telecoms operators; and
- in the electricity sector, the Nigeria Electricity Regulatory Commission and relevant state electricity regulatory bodies oversee data privacy compliance for licensed power sector operators.
Other bodies, such as the Federal Competition and Consumer Protection Commission (FCCPC) and the National Information Technology Development Agency (NITDA), also play complementary roles. The FCCPC addresses consumer protection issues related to personal data misuse or unfair practices, while NITDA enforces data privacy in the context of information technology services. These agencies can investigate, issue compliance directives and collaborate with the NDPC to ensure adherence to data protection requirements across different sectors.
1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?
Industry standards and best practices are central to data protection compliance and enforcement in Nigeria. For example, the NDPC has issued the Guidance Notice on Registration of Data Controllers and Data Processors of Major Importance and All Matters Connected Therewith (NDPC/HQ/GN/VOL.03/B/24), which classifies organisations into three levels based on the sensitivity and volume of the data they handle:
- ultra-high level (UHL);
- extra-high level (EHL); and
- ordinary-high level (OHL).
The Guidance Notice stipulates that UHL organisations are expected to comply with the highest global standards. On the other hand, EHL and OHL organisations are only expected to follow global best practices that are proportionate to the risks associated with the data they handle.
The GAID also highlights the following areas where industry standards and best practices play a role.
Setting the standard of care and accountability: Industry standards serve as a benchmark against which the duty of care of data controllers and processors can be evaluated. Organisations are expected to adopt current, tested and trusted processes and technologies while demonstrating a strong culture of compliance. This includes:
- ensuring that processes and technologies are credible, supported by expert reviews or verifiable use cases;
- conducting regular training and sensitisation programmes on data privacy; and
- adhering to global data ethics standards, ensuring respect for data ownership, transparency, accountability and fairness in processing.
Guiding auditing and security measures: Best practices shape the design and evaluation of privacy controls and technical safeguards. Organisations are expected to align their measures with recognised international frameworks, including:
- ISO/IEC 27000 series – information security management systems standards;
- NIST SP 800 – cybersecurity and information security guidelines;
- Center for Internet Security Critical Security Controls – best practices for cyber defence;
- COBIT – framework for IT governance and management; and
- HITRUST CSF – cybersecurity framework for managing healthcare data security.
Supporting regulatory benchmarking and mechanisms: Industry standards guide compliance and facilitate alignment with international norms, including:
- the adoption of interoperable data privacy measures (IDPMs) for:
  - data protection impact assessments;
  - legitimate interest assessments; and
  - records of processing activities;
- the integration of IDPMs and best practices by data protection officers (DPOs) in day-to-day data management;
- compliance with cross-border data transfer instruments, demonstrating adherence to reputable global standards; and
- evaluation of DPO professionalism and ethics through recognised certifications, codes of conduct and professional guidance.
The above signals a clear hierarchy of standards, in that:
- global frameworks inform national expectations; and
- compliance obligations scale with the sensitivity and scale of data processed.
It also ensures that organisations can demonstrate accountability and alignment with international best practices in both domestic and cross-border operations.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
The Nigeria Data Protection Act 2023 (NDPA) applies to two main categories of entities:
- Domestic entities: Data controllers or data processors that are domiciled, resident or operating in Nigeria. These include all organisations physically present, established or registered within the country.
- Foreign entities: Data controllers or data processors that are not domiciled, resident or operating in Nigeria but that process the personal data of individuals located in Nigeria. This ensures that organisations outside Nigeria handling the personal data of Nigerian residents are also subject to the NDPA.
This broad scope ensures comprehensive coverage of data protection obligations for both local and international entities that process the data of Nigerian data subjects.
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
The NDPA does not apply in the following circumstances:
- The processing is for personal or household purposes. This includes activities carried out solely for personal use, provided that they do not violate the fundamental privacy rights of any individual. Examples include:
  - maintaining a personal contact list; and
  - storing family photos.
- The processing is carried out by a competent authority for specific official purposes. These include:
  - the prevention, investigation or prosecution of criminal offences and the execution of criminal penalties;
  - the management of public health emergencies;
  - national security activities;
  - publication in the public interest, including journalism, education, artistic or literary works, where compliance with the NDPA would conflict with these purposes; and
  - the establishment, exercise or defence of legal claims, whether in court proceedings, administrative proceedings or out-of-court processes.
- If the NDPC has prescribed exemptions. The NDPC can, through regulation, identify types of personal data or processing activities that are exempt from the act.
2.3 Does the data privacy regime have extra-territorial application?
Yes. The NDPA has extraterritorial application and thus applies not only to entities domiciled, resident or operating in Nigeria, but also to foreign data controllers and processors that handle the personal data of individuals in Nigeria. Additionally, the NDPA applies where the processing of personal data occurs within Nigeria, even if the organisation managing the data is located outside the country. This ensures that Nigerian data subjects are protected regardless of where their personal data is processed.
3 Definitions
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
(a) Data processing
Any operation or set of operations which is performed on personal data, whether or not by automated means, such as:
- collection;
- recording;
- organisation;
- structuring;
- storage;
- adaptation;
- alteration;
- retrieval;
- consultation;
- use;
- disclosure by transmission, dissemination or otherwise making available;
- alignment;
- combination;
- restriction;
- erasure; or
- destruction.
The term does not refer to the mere transit of data originating outside Nigeria.
(b) Data processor
An individual, private entity, public authority or any other body that processes personal data on behalf of or at the direction of a data controller or another data processor.
(c) Data controller
An individual, private entity, public commission, agency or any other body that, alone or jointly with others, determines the purposes and means of processing of personal data.
(d) Data subject
An individual to whom personal data relates.
(e) Personal data
Any information relating to an individual who can be identified or who is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual.
(f) Sensitive personal data
This encompasses:
- personal data relating to an individual's genetic and biometric data for the purpose of uniquely identifying a natural person;
- details of an individual's:
  - race or ethnic origin;
  - religious or similar beliefs, such as those reflecting conscience or philosophy;
  - health status;
  - sex life;
  - political opinions or affiliations; or
  - trade union memberships; and
- other information prescribed by the Nigeria Data Protection Commission (NDPC) as sensitive personal data.
(g) Consent
A freely given, specific, informed and unambiguous indication – whether by a written or oral statement or an affirmative action – of an individual's agreement to the processing of personal data relating to them or to another individual on whose behalf they have permission to provide such consent.
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
- 'Binding corporate rules': Personal data protection policies and procedures adhered to by the members of a group of firms under common control with respect to the transfer of personal data among such members and containing provisions for the protection of such personal data.
- 'Data controller/data processor of major importance':
  - a data controller or data processor that is domiciled, resident in or operating in Nigeria and that processes or intends to process personal data of more than such number of data subjects who are within Nigeria as the NDPC may prescribe; or
  - such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the NDPC may designate.
- 'Pseudonymisation': The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
4 Registration
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
Yes, registration is mandatory, but not for all entities. It is specifically mandated for entities that qualify as data controllers or data processors of major importance. According to the NDPA, these are entities that:
- are domiciled, resident in or operating in Nigeria; and
- process or intend to process:
  - the personal data of a number of data subjects prescribed by the NDPC; or
  - personal data of particular value or significance to the economy, society or security of Nigeria.
Based on the wording of the NDPA, it will ordinarily be expected that a controller or processor must have some form of physical presence or establishment in Nigeria in order to qualify as one of major importance. However, the GAID expands this interpretation. It defines 'operating in Nigeria' to include data controllers or processors that target data subjects in Nigeria, even if they are not domiciled or resident in the country. This interpretation suggests that these foreign entities may be required to register if they meet the other thresholds of major importance.
The GAID justifies this interpretation on the basis that the NDPA applies to foreign entities that are not established in Nigeria but that process the personal data of data subjects within the country. It further explains that this inclusion is necessary to ensure accountability for data controllers and processors whose activities significantly affect Nigeria's economy, society or security.
The NDPC has issued the Guidance Notice on the Registration of Data Controllers and Data Processors of Major Importance (NDPC/HQ/GN/VOL.03/B/24), which provides further clarification on:
- the controllers and processors that are of major importance; and
- the registration requirements for these entities.
According to the Guidance Notice, a data controller or processor is designated as being of 'major importance' where it:
- keeps or has access to a filing system, digital or analogue; and
- meets any of the following criteria:
  - processes the personal data of more than 200 data subjects within six months;
  - carries out commercial information and communications technology services on a digital device that stores personal data belonging to another individual; or
  - operates in certain key sectors (eg, aviation, communication, education, electric power, import and export, financial services, health, hospitality, insurance, oil and gas, tourism, e-commerce or public service).
The Notice further introduces a three-tier sub-classification for data controllers and processors of major importance based on the scale and sensitivity of their processing activities. This includes:
- Ultra-high level (UHL): Entities under this category are expected to meet the highest global standards of data protection. They typically:
  - process the data of over 5,000 data subjects;
  - handle sensitive or financial data; and
  - rely heavily on third-party or cloud infrastructure.
  Examples include:
  - commercial banks;
  - telecommunications companies;
  - insurance companies;
  - multinational corporations;
  - electricity distribution companies;
  - oil and gas companies;
  - social media and email application developers;
  - communication device manufacturers;
  - payment gateway providers; and
  - fintech companies.
- Extra-high level (EHL): This category applies to organisations that typically process the data of between 1,000 and 5,000 data subjects. It includes entities such as:
  - ministries, departments and agencies;
  - microfinance banks;
  - higher institutions;
  - tertiary hospitals; and
  - mortgage banks.
  These organisations are expected to maintain strong global best practices in data protection.
- Ordinary-high level (OHL): This applies to smaller entities that:
  - process personal data in a systematic or automated manner; and
  - handle the data of between 200 and 1,000 data subjects.
  Examples include:
  - primary and secondary schools;
  - corporate training providers;
  - primary health centres;
  - medical laboratories;
  - hotels and guest houses with fewer than 50 suites; and
  - processors that handle sensitive personal data for commercial purposes.
The Guidance Notice also specifies entities that are not of major importance. These entities are not required to register with the NDPC or comply with the obligations applicable to data controllers or processors of major importance. They include:
- traders or artisans who do not transmit personal data as part of their business operations;
- traders with fewer than 15 employees; and
- informal communities that interact on social media or professional platforms.
The Guidance Notice also goes further to specify certain data controllers of major importance that are not required to register with the NDPC. These include:
- community-based associations;
- faith-based organisations;
- foreign embassies and high commissions;
- judicial establishments or bodies carrying out adjudicatory functions; and
- multigovernmental organisations.
Although the NDPA does not stipulate a specific penalty for non-registration, failure to register where required constitutes a breach of the NDPA and may attract regulatory enforcement actions by the NDPC.
4.2 What is the process for registration?
Entities must first determine whether they qualify as data controllers or processors of major importance. If they do, they must identify the sub-category they fall under, such as UHL, EHL or OHL.
Data controllers and data processors of major importance must register with the NDPC within six months of:
- the commencement of the NDPA; or
- becoming a data controller or processor of major importance.
Once eligibility is confirmed, an entity submits the application for registration through the NDPC's registration portal. Based on the NDPA, the application requires details such as:
- the name and address of the data controller or processor;
- the name and contact information of the designated data protection officer;
- a description of the personal data being processed;
- the categories and number of data subjects;
- the purposes of the processing; and
- the categories of recipients to whom data may be disclosed.
Submission of the registration application also involves payment of the applicable registration fees to the NDPC. Registration fees are determined by the entity's sub-classification. In this regard:
- UHL entities pay NGN 250,000;
- EHL entities pay NGN 100,000; and
- OHL entities pay NGN 10,000.
The NDPC reviews the submitted registration application and may request further information or clarification before approval. Following successful verification and payment of fees, the NDPC issues a registration certificate confirming the entity as a data controller or processor of major importance. This certificate serves as proof of compliance with the registration requirement.
The GAID provides that a data controller or data processor classified under the UHL or EHL category is only required to register with the NDPC once and, in addition, must file a Compliance Audit Report (CAR) by 31 March each year. In contrast, a data controller or data processor classified under the OHL category must renew its registration with the NDPC annually, but is not required to file an annual CAR when it completes its yearly renewal.
The GAID also requires a data controller or data processor of major importance to notify the NDPC of any significant change to the information provided in its most recent registration. This notification must be made within 60 days of the change and submitted through the NDPC's electronic system, or by email where such a system is not available.
The GAID further provides for deregistration. Where an organisation ceases to operate as a data controller or data processor of major importance, it may request the NDPC to remove its name from the register of such controllers and processors.
4.3 Is registered information publicly accessible?
The NDPC maintains a list of registered data controllers and processors of major importance on its website (https://services.ndpc.gov.ng/repo/?flp=dcmi). The publicly available information includes:
- the name of the data controller or processor;
- the category it falls under (ie, UHL, EHL or OHL); and
- the year of registration.
No other operational or sensitive details about the entity or its data processing activities are published.
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
Yes, the lawful bases vary depending on the data being processed. The NDPA sets out different lawful bases for processing personal data, sensitive personal data and personal data relating to children and persons legally incapacitated.
For personal data, processing is lawful if one of the following conditions is met:
- The data subject has given their consent, which must not have been withdrawn, for the specific purpose of the processing.
- The processing is necessary for:
  - the performance of a contract involving the data subject; or
  - steps taken at the data subject's request before entering into a contract.
- The processing is necessary to:
  - comply with a legal obligation;
  - protect the vital interests of the data subject or another person;
  - perform a task in the public interest or under official authority; or
  - pursue legitimate interests of the data controller, processor or a third party, provided that such interests do not override the rights of the data subject.
The processing of sensitive personal data is subject to stricter rules. Sensitive data may be processed only if it is proportionate and safeguards the rights of the data subject, and if one of the following conditions is met:
- The data subject has provided their explicit consent to the processing.
- The processing is necessary under specific circumstances, which include:
  - fulfilling employment or social security obligations;
  - protecting the vital interests of a person who cannot consent; or
  - conducting activities by non-profit organisations for members or regular contacts, provided that the data is not disclosed externally without consent.
- The processing is necessary for the purposes of:
  - legal claims or proceedings;
  - a substantial public interest;
  - medical or community welfare purposes by professionals bound by confidentiality;
  - public health; or
  - archiving, historical, statistical or scientific research.
The NDPA provides that the NDPC may further define:
- additional categories of sensitive data;
- lawful grounds for processing such data; and
- appropriate safeguards.
For children and persons lacking legal capacity, consent must generally be obtained from a parent or legal guardian. Controllers must verify age and consent using appropriate mechanisms, such as government-issued identification. Exceptions exist where processing is necessary:
- to protect the vital interests of the individual;
- for education, medical or social care by professionals; or
- for court proceedings.
The NDPA adopts the definition of a child from the Child's Rights Act, which defines a child as a person under the age of 18 years. However, it also provides that the NDPC will issue regulations applicable where the processing of personal data concerns a child aged 13 years and above in connection with the provision of information or services by electronic means at the specific request of the child.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
Consistent with most global data protection frameworks, the NDPA sets out seven key principles of data protection. These principles form the foundation of responsible and proper processing and are further elaborated in the GAID. The GAID requires both data controllers and data processors to demonstrate compliance with these principles through appropriate technical and organisational measures, adopting a 'privacy by design and by default' approach.
The principles are as follows:
- Principle of lawfulness, fairness and transparency:
  - Lawfulness requires that processing:
    - be based on a legitimate legal ground; and
    - not violate any applicable law.
  - Fairness requires that the data be handled without prejudice or exploitation, ensuring outcomes consistent with civil liberties.
  - Transparency demands openness about how data is used, including disclosure of material facts that help data subjects and regulators to make informed decisions.
- Principle of purpose limitation: This principle provides that:
  - personal data must be collected for specified, explicit and legitimate purposes;
  - such data must not be further processed in ways that are incompatible with those purposes;
  - the purposes must be clearly defined, unambiguous and genuinely necessary; and
  - any further processing must remain compatible with the original purpose and not infringe the rights of the data subject.
- Principle of data minimisation: This principle requires that only data which is adequate, relevant and limited to what is necessary be collected and processed. This ensures that organisations do not collect or store excessive data beyond what is essential for their legitimate business or operational needs.
- Principle of storage limitation: This requires that personal data not be retained for longer than necessary. Once the purpose of processing has been achieved, data should either be deleted or irreversibly anonymised. Every organisation is expected to maintain a clear data retention policy and communicate it to data subjects.
- Principle of accuracy: This mandates that personal data be accurate, complete, not misleading and kept up to date. Organisations must take active steps to:
-
- correct or delete inaccurate data; and
- ensure that mechanisms for rectification are accessible to data subjects.
- Principle of integrity and confidentiality: This principle requires that personal data be processed securely to prevent unauthorised access, loss or damage. Data controllers and processors must implement technical and organisational measures that ensure the confidentiality, integrity and availability of data. These include:
  - maintaining access controls;
  - conducting regular risk assessments; and
  - performing data privacy impact assessments (DPIAs) where processing poses a high risk to individuals.
- Principle of accountability: This principle imposes a continuing duty of care on data controllers and processors to demonstrate compliance with all data protection obligations. It requires:
  - transparency;
  - meticulous record keeping;
  - responsiveness to data subject requests and regulatory directives; and
  - a commitment to maintaining high standards of data protection consistent with best practice.
These principles apply consistently across all data processing, but the measures required to ensure or demonstrate compliance may vary depending on:
- the type of data;
- the vulnerability of the data subjects; and
- the level of risk posed by the processing.
For example, the lawful basis for processing ordinary personal data differs from that required for sensitive personal data or data relating to children or other legally incapacitated persons, reflecting the need for additional safeguards and more stringent accountability measures in higher-risk contexts.
5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
In Nigeria, organisations processing personal data must go beyond the basic lawful bases and principles set out in the NDPA. In addition, they must:
- provide clear privacy notices;
- conduct DPIAs for high-risk processing; and
- maintain a record of processing activities.
Strong security measures such as encryption, access controls, staff training and regular audits are essential, alongside a breach management framework that includes:
- notifying the NDPC within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of data subjects; and
- informing affected individuals where necessary.
Extra safeguards apply to:
- children's data (requiring verifiable parental consent); and
- cross-border transfers, which must be:
  - limited to jurisdictions with adequate protection; or
  - backed by NDPC-approved safeguards.
Best practices include:
- adopting privacy by design and by default;
- appointing a data protection officer where applicable;
- providing regular staff training; and
- conducting periodic compliance audits through licensed data protection compliance organisations.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
Within the context of the NDPA, the transfer of data can be interpreted broadly to include any disclosure, communication or making available of personal data to another entity, whether within or outside Nigeria. This includes situations where the transferee is:
- another controller;
- a processor; or
- even a sub-processor.
The following requirements and restrictions are relevant to any such transfer:
- In line with the principle of transparency, the data subject must be informed by the transferor of any known or potential third parties with which their personal data may be shared. This information should be included in the transferor's Privacy Policy, together with details about the purpose of the sharing and whether the data may be transferred outside Nigeria.
- Consistent with the principle of purpose limitation, any transfer of data to a third party must be for the same or a compatible purpose as that for which the data was originally collected. The third party must not use the data for a new or unrelated purpose unless:
  - a new lawful basis exists; or
  - the data subject gives consent.
- Where the transfer involves a high risk to the rights and freedoms of data subjects, such as the transfer of sensitive personal data, the transferor must conduct a DPIA as a precondition to the transfer. The assessment identifies the potential risks and the safeguards needed to mitigate them.
- Where the data is shared with a third party in its capacity as a processor or sub-processor, the party sharing such data must ensure that the transfer is governed by a written data processing agreement. This agreement ensures that the processor:
  - acts only on the documented instructions of the transferor;
  - applies appropriate safeguards; and
  - supports the controller in meeting its obligations under the NDPA.
- The entity with which the data is shared must put in place the necessary security, technical and organisational measures to ensure that the personal data is protected against unauthorised access, loss or misuse. The party that has shared the data also retains a supervisory role to ensure that the recipient continues to handle the personal data:
  - in compliance with the applicable data protection requirements; and
  - only for the authorised purposes.
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
The transfer of personal data outside Nigeria, which is also referred to as 'cross-border data transfer', is governed by the NDPA and further explained in the GAID. The requirements and restrictions for such transfers vary depending on the destination and the safeguards available in that jurisdiction.
A data controller or data processor may only transfer personal data abroad if the transfer meets one of two primary conditions:
- The destination affords an adequate level of protection; or
- There is a specific legal justification in the absence of adequacy.
Adequacy is determined by the NDPC, which will consider factors such as the existence of:
- enforceable data subject rights and accessible remedies;
- an independent and competent supervisory authority;
- effective data protection laws aligned with human rights;
- scrutiny of public authority access to data;
- instruments for international cooperation with Nigerian authorities; and
- relevant international commitments or membership in multilateral or regional organisations.
Transfers to jurisdictions deemed adequate may proceed without additional safeguards. If the destination lacks an adequacy decision, transfers are permitted only if:
- specific cross-border data transfer instruments (CBDTIs) have been approved by the NDPC; or
- the transfer is justified by certain statutory or fiduciary grounds.
Approved CBDTIs:
- must ensure accountability, monitoring and remedies for data subjects; and
- may include:
  - codes of conduct;
  - certifications;
  - binding corporate rules; or
  - standard contractual clauses.
In the absence of approved instruments, transfers may still occur under special circumstances. These include situations where:
- the data subject has provided informed consent and has not withdrawn it;
- the transfer is necessary to perform a contract or take pre-contractual steps at the request of the data subject;
- the transfer is for the sole benefit of the data subject and consent is impracticable; or
- the transfer is necessary:
  - for public interest purposes;
  - for establishing, exercising or defending legal claims; or
  - for protecting the vital interests of a data subject or other persons who cannot provide consent.
Transfers motivated by business interests or profit do not qualify as lawful justifications.
Regardless of the destination, cross-border transfers require mandatory documentation and assessment. A data privacy impact assessment must be carried out, detailing:
- the countries involved;
- the legal basis for the transfer;
- technical and organisational safeguards; and
- any data sovereignty considerations.
All transfers must be recorded in internal compliance documents, such as:
- the semi-annual data protection report; and
- the annual compliance audit returns.
6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
Every transfer must rest on a lawful basis. Data subjects must also be informed in advance that their data may be transferred to third parties or outside Nigeria. Where a third party is involved, a binding contract must govern the transfer, setting out:
- responsibilities;
- confidentiality obligations; and
- security measures.
Transfers must also be secured with technical and organisational safeguards such as:
- encryption;
- access controls; and
- pseudonymisation.
For transfers involving sensitive personal data, explicit consent or a strict statutory ground, along with stronger safeguards, is required.
For transfers abroad, additional requirements apply:
- Transfers may proceed without additional safeguards only to jurisdictions that the NDPC has deemed adequate.
- If no adequacy decision exists, the organisation must rely on appropriate safeguards such as standard contractual clauses or binding corporate rules.
- All transfers, domestic or international, must be recorded in the organisation's record of processing activities to support compliance audits.
Best practices include the following:
- Conduct transfer impact assessments: Assess risks when transferring data to another entity or country, especially regarding local laws and enforcement gaps.
- Adopt privacy by design: Build secure transfer mechanisms from the onset.
- Vendor due diligence: Choose partners and service providers with robust data protection practices and recognised certifications.
- Data minimisation: Share only the data strictly necessary for the intended purpose.
- Regular reviews: Periodically audit third parties and cross-border transfers to ensure ongoing compliance.
- Training and awareness: Train staff handling data transfers on legal obligations and security practices.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
The rights granted to data subjects regarding the processing of their personal data include the following:
- Right of access: Data subjects can request confirmation from a data controller or processor on whether their personal data is being processed. If it is, they are entitled to know:
  - the purpose of the processing;
  - the categories of data involved;
  - the recipients (including international recipients);
  - the storage period; and
  - the existence of rights such as rectification, erasure and restriction of processing.
  They are also entitled to information on automated decision-making, including profiling, and its potential impact.
- Right to a copy of data: Individuals can request a copy of their personal data in a commonly used electronic format. The data controller may charge a reasonable fee if providing the copy imposes excessive costs.
- Right to rectification and erasure: Data subjects can require the correction or deletion of inaccurate, incomplete or misleading personal data. Controllers must erase data without undue delay when:
  - it is no longer necessary for its original purpose; or
  - there is no lawful basis to retain it.
- Right to restrict processing: Individuals can request that processing be limited:
  - while a request is resolved;
  - while they exercise their right to object; or
  - during legal proceedings.
- Right to withdraw consent: Consent can be withdrawn at any time and the process for withdrawal must be as easy as the process for giving consent.
- Right to object: Data subjects can object to processing for any reason. Where the objection relates to direct marketing, processing must cease immediately. Controllers may continue processing only:
  - if they can demonstrate an overriding public interest; or
  - on other legitimate grounds.
- Rights regarding automated decision making: Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, if these produce significant legal or similar effects. Exceptions exist when automated decisions are:
  - necessary for contract performance;
  - authorised by law with appropriate safeguards; or
  - based on consent.
  Controllers must implement safeguards such as human intervention, allowing the data subject to express their point of view and to contest the decision.
- Right to data portability: Data subjects may receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller without obstruction. Where technically possible, data may be transferred directly between controllers. The NDPC can prescribe conditions, costs and timing for exercising this right.
Under the NDPA, exemptions from data subject rights exist in two main forms. First, some rights include built-in limitations. For example:
- the right to erasure or correction may not apply if the data is needed for legal obligations, public interest or the defence of legal claims;
- the right to object can be overridden where processing serves a legitimate or public interest;
- automated decision-making protections do not apply when decisions are necessary for contracts, authorised by law or made with consent; and
- even access and portability rights may be limited where providing data would impose unreasonable costs or technical difficulties.
These limitations balance individual rights against contractual, legal and public requirements. Secondly, general exemptions allow the Act, or certain of its provisions, to be disapplied in specific circumstances.
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
A data subject can make a written or electronic request to the organisation handling their data, specifying the right being exercised. The organisation must verify the requester's identity to prevent unauthorised access or misuse.
The controller must respond without undue delay. The period of reply may be longer for complex or multiple requests, but the individual must be informed of the delay.
The organisation must either comply with the request or refuse it on lawful grounds. If refused, the data subject must be told of the reasons and informed of their right to complain to the NDPC.
If the data subject is dissatisfied with the organisation's response (or lack thereof), they can file a complaint with the NDPC. The NDPC can:
- investigate;
- order compliance; and
- impose sanctions.
Beyond the NDPC, data subjects can approach the courts to enforce their rights and seek damages for harm suffered from unlawful data processing.
7.3 What remedies are available to data subjects in case of breach of their rights?
Administrative remedies through the regulator (NDPC): Affected individuals can lodge a complaint with the NDPC. The NDPC has powers to:
- investigate complaints;
- order the data controller or processor to take corrective action;
- impose administrative fines or sanctions on the offending organisation; and
- require the organisation to compensate the data subject, depending on the harm suffered.
Judicial remedies (court action): Data subjects may also bring an action before the courts for remedies in case of a breach. The court may award damages or grant certain injunctive or declaratory reliefs.
Organisations may also provide internal grievance mechanisms (via their data protection officer or complaints desk).
8 Compliance
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
The appointment of a data protection officer (DPO) is a mandatory requirement under the NDPA, but not for all entities. According to the NDPA, this obligation specifically applies to organisations classified as data controllers of major importance, although the GAID appears to have also extended this to data processors of major importance.
These entities must appoint a qualified DPO to:
- advise them on data privacy issues;
- monitor the organisation's compliance with the NDPA and internal data protection policies; and
- serve as the primary contact point with the Nigeria Data Protection Commission (NDPC) on all matters relating to data processing.
However, in practice, many organisations that do not fall within this classification still appoint DPOs as a matter of good governance and accountability. This reflects an emerging best practice aimed at:
- embedding data protection into organisational culture; and
- ensuring continuous oversight.
The GAID further recognises that organisations may designate associate DPOs or privacy champions to support the DPO, particularly where:
- data processing occurs across multiple platforms or locations; and/or
- the organisation interacts with a large number of data subjects.
The GAID lists various ways through which organisations can support their DPO in discharging their duties, including:
- providing the necessary resources to enable the DPO to carry out all data protection tasks effectively;
- ensuring that the DPO has unhindered access to personal data processing activities and operations across the organisation;
- making adequate provision for continuous training and professional development to maintain the DPO's competence and awareness of evolving regulatory requirements;
- protecting the DPO from duress, coercion or any undue influence, whether overt or covert, that could compromise their independence;
- guaranteeing that the DPO is not dismissed, penalised or otherwise disadvantaged for performing their duties in accordance with the NDPA; and
- requiring the DPO to report directly to the management level of the controller or processor, ensuring independence and sufficient authority to influence organisational compliance.
Although the NDPA does not prescribe a specific penalty for failing to appoint a DPO, such failure constitutes non-compliance with the NDPA for entities that are legally required to do so. The NDPC may treat it as a breach of statutory obligations and initiate enforcement actions.
Beyond legal consequences, the absence of a DPO can hinder an organisation's ability to manage essential compliance tasks such as:
- handling data subject requests;
- conducting data privacy impact assessments (DPIAs); and
- managing data breaches.
This increases the risk of violating the NDPA and attracting regulatory sanctions.
8.2 What qualifications or other criteria must the data protection officer meet?
The qualifications required for DPOs to be appointed and continue serving, based on the NDPA and GAID, are as follows:
- Possess expert knowledge of data privacy law.
- Demonstrate the capability to carry out the tasks required under data privacy laws.
- Possess certification relevant to data privacy, which can be verified by the NDPC.
- Maintain professionalism and competence, verified through an annual credential assessment by the NDPC. To pass this assessment, the DPO must have:
  - a certification from an educational body approved or accredited by a competent regulator of educational services;
  - completed training of up to 40 hours leading to the award of the certificate;
  - successfully passed an examination as a condition for certification;
  - enrolled on the NDPC database of certified DPOs; and
  - participated actively in at least four recognised and verifiable continuous professional development programmes each year.
Importantly, the GAID provides that verification of a DPO's certification serves as a means for the NDPC to determine whether the individual is fit and proper to carry out the duties of a DPO as required under the NDPA.
8.3 What are the key responsibilities of the data protection officer?
The DPO's responsibilities include the following:
- Advisory role: Advise the data controller or processor and its staff on all matters relating to data protection and compliance with the NDPA.
- Monitoring and compliance:
  - Monitor the organisation's compliance with the NDPA and its internal data protection policies.
  - Ensure that personal data processing activities align with the principles and obligations of the NDPA.
  - Conduct or oversee DPIAs and legitimate interest assessments (LIAs) where applicable.
  - Assess:
    - privacy notices;
    - the types of data processed;
    - the lawful bases for processing; and
    - overall adherence to data protection principles.
  - Facilitate and ensure the filing of compliance audit returns with the NDPC and other regulatory filings required under the NDPA.
- Reporting:
  - Compile and submit a semi-annual data protection report to management, covering:
    - compliance status;
    - data subjects' complaints and remediation;
    - guidance sought from the NDPC;
    - assessment of data security;
    - breach notifications; and
    - cross-border data transfers.
  - Ensure that the report is acknowledged and integrated into the organisation's record of processing activities (RoPA).
- Point of contact:
  - Serve as the primary contact point with the NDPC.
  - Respond to queries and concerns from data subjects regarding their rights and the processing of their personal data.
- Organisational engagement:
  - Be actively engaged in all issues relating to the processing of personal data.
  - Report directly to management.
  - Maintain confidentiality and secrecy in performing DPO duties.
- Supporting organisational functions:
  - Oversee or advise on the implementation of technical and organisational measures for data protection.
  - Support the organisation in fulfilling its obligations regarding:
    - complaints;
    - cross-border data transfers;
    - breach notifications; and
    - other compliance requirements.
- Additional duties: Perform any other tasks assigned by the data controller or processor, provided that these do not create a conflict of interest.
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Yes, the DPO role can be outsourced. When considering outsourcing, certain requirements and restrictions must be observed. It appears that the role can only be outsourced to a named individual and not a firm, because the qualifications and competency standards prescribed by the NDPA and GAID apply specifically to the person acting as DPO, not to an organisation. Thus, where the role is contracted out to a firm, there must be a named individual within the firm who is formally assigned the role. Further, the outsourced DPO must meet the same standards required for an internal DPO, including possessing:
- expert knowledge of data privacy law;
- the ability to carry out relevant data protection tasks; and
- certification recognised and verifiable by the NDPC.
Another important requirement is that the appointment be documented in writing through a service contract. In other words, an oral appointment may fall short of the NDPA and GAID expectations. While the NDPA and GAID do not specify the content of such a contract, it is ideal for it to include terms covering:
- responsibilities and scope of work;
- reporting lines and independence;
- access to personal data processing activities;
- confidentiality and data security obligations;
- mechanisms to avoid conflicts of interest;
- key performance indicators to measure effectiveness;
- fees and payment terms;
- provisions for continuous professional development;
- duration and termination clauses; and
- procedures for dispute resolution or remediation.
As with the case of an internal DPO, the outsourcing arrangement must ensure that the DPO can:
- act independently, free from coercion or undue influence; and
- report directly to management.
The external DPO must also have access to all relevant personal data processing operations to effectively monitor compliance and conduct assessments such as DPIAs and LIAs. Importantly, the organisation remains ultimately responsible for compliance with the NDPA; outsourcing does not shift accountability for breaches or regulatory obligations to the external individual. Nonetheless, an outsourced DPO who fails to adequately perform or oversee the function could be deemed by the NDPC unfit for the role.
In terms of best practices, organisations should establish a formal service agreement for the outsourced DPO, clearly defining:
- responsibilities;
- reporting lines;
- confidentiality obligations; and
- mechanisms to avoid conflicts of interest.
The outsourced DPO should participate in regular compliance reviews, audits and management reporting, just as an in-house DPO would. Organisations must provide sufficient resources, access and support to enable the outsourced DPO to discharge their duties effectively. It is also essential to regularly verify the outsourced DPO's credentials, continuing professional development and standing with the NDPC to maintain compliance with certification requirements. Finally, the outsourced DPO should be integrated into the organisation's governance framework, including involvement in:
- policy development;
- risk assessments; and
- data protection decision-making processes.
Outsourcing the DPO function may be suitable for smaller organisations or those lacking internal capacity, but careful structuring of the arrangement is essential to ensure compliance with the legal and operational obligations under the NDPA.
8.5 What record-keeping and documentation requirements apply in the data privacy context?
- RoPA: Controllers and processors must maintain an updated record of the categories of:
  - personal data collected;
  - purposes of the processing;
  - data subjects; and
  - data recipients.
- DPIAs: These are required where processing is likely to pose a high risk to individuals. Documentation must show risks identified and safeguards adopted.
- Data breach records: Controllers and processors must document all breaches. Records must include:
  - the nature of the breach;
  - its impact;
  - the remedial action taken; and
  - whether data subjects/regulators were notified.
- Consent records: Where processing is based on consent, organisations must:
  - keep records proving that valid, informed consent was obtained; and
  - provide withdrawal mechanisms.
- Third-party and processor contracts: Written contracts with processors or service providers handling personal data must be maintained. These must specify:
  - the processing scope;
  - confidentiality;
  - security measures; and
  - the return/deletion of data.
- Policies and governance documents: Organisations are expected to maintain up-to-date policies such as:
  - a privacy policy;
  - a data retention and deletion policy;
  - an information security policy; and
  - a breach response/incident management policy.
- Registration records: Controllers and processors of major importance must keep evidence of NDPC registration and renewal.
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
- Data controllers and processors of major importance must register with the NDPC, unless exempted.
- Data controllers and processors of major importance must carry out audits (typically through licensed data protection compliance organisations) and have their compliance audit return filed with the NDPC.
- Data breaches that are likely to result in a risk to the rights and freedoms of data subjects must be reported to the NDPC within 72 hours of the data controller becoming aware of the breach. Where the breach is likely to result in a high risk, affected individuals must also be informed without undue delay.
- Privacy safeguards must be integrated into systems, services and projects from the outset.
- DPIAs must be conducted before high-risk processing activities to identify and mitigate risks.
- Privacy policies, retention policies and security procedures must be updated to reflect new risks, technologies or legal changes.
It is important to treat data protection as a continuous compliance journey.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
Data controllers and processors must implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data. This includes protecting data against accidental or unlawful destruction, loss, misuse, alteration, unauthorised disclosure or access.
When determining appropriate measures, controllers and processors must consider:
- the amount and sensitivity of the personal data;
- the likelihood and severity of harm to data subjects;
- the scope of processing;
- the period of data retention; and
- the cost and availability of protective technologies.
Specific measures may include:
- pseudonymisation or de-identification;
- encryption;
- processes to ensure system resilience and recovery;
- risk assessments;
- regular testing and evaluation of security measures; and
- updating of measures to address evolving threats.
Organisations are also expected to maintain monitoring, evaluation and maintenance schedules for data security systems, covering people, processes and technologies. Internal sensitisation and training on privacy, regular assessments of compliance and quality assurance procedures are key organisational measures.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Yes, data controllers must notify the NDPC within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals.
The notification must include:
- the nature of the personal data breach;
- the categories and approximate numbers of affected data subjects;
- the categories and approximate numbers of personal data records affected;
- the name and contact details of a point of contact at the data controller;
- the likely consequences of the breach; and
- the measures taken or proposed to address the breach, including steps to mitigate adverse effects.
Data processors must immediately notify the data controller that engaged them and provide details of the breach to allow the controller to comply with regulatory obligations. Notifications may be provided in phases if all information is not immediately available.
Voluntary notification may be considered even if the breach does not meet the threshold for mandatory reporting, particularly where the organisation wishes to maintain transparency or mitigate reputational risk.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Yes, if a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller must communicate the breach directly to the data subject without undue delay. The communication must be in clear and plain language and include:
- the nature of the breach;
- advice on measures that the data subject can take to mitigate possible adverse effects;
- contact details for further information; and
- a description of measures taken or proposed to address the breach.
If direct communication is not feasible due to disproportionate effort or expense, the controller may use public communication through widely used media to ensure that data subjects are informed. Voluntary notification is recommended even for lower-risk breaches to maintain transparency and trust, though it is not strictly mandated.
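As an added illustration (not code from this page, the NDPA or the NDPC), the following Python tracker models the two notification duties described in 9.2 and 9.3: the 72-hour clock to the NDPC that starts when the controller becomes aware of a breach, the fields the NDPC notification must carry, phased notification when scope is not yet known, and the separate data-subject notice that is triggered only where the risk is high. The field names, the three risk tiers and the scenario in `demo()` are assumptions for illustration, and the scenario data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

NDPC_WINDOW = timedelta(hours=72)  # runs from the moment of awareness

# Contents of the NDPC notification as listed in 9.2 (field names assumed).
NDPC_REQUIRED_FIELDS = (
    "nature",                   # nature of the personal data breach
    "data_subject_categories",  # categories of affected data subjects
    "data_subject_count",       # approximate number of affected data subjects
    "record_categories",        # categories of records affected
    "record_count",             # approximate number of records affected
    "contact",                  # point of contact at the controller
    "consequences",             # likely consequences of the breach
    "measures",                 # measures taken or proposed
)
# Contents of the data-subject communication as listed in 9.3.
SUBJECT_REQUIRED_FIELDS = ("nature", "mitigation_advice", "contact", "measures")


class Risk(Enum):
    NONE = 0  # below the reporting threshold: record internally only
    RISK = 1  # likely to result in a risk: notify the NDPC
    HIGH = 2  # likely to result in a high risk: also notify data subjects


@dataclass
class Breach:
    aware_at: datetime                     # when the controller became aware (UTC)
    risk: Risk
    details: dict = field(default_factory=dict)
    ndpc_phases: list = field(default_factory=list)   # timestamps of each phase sent
    subjects_notified_at: Optional[datetime] = None

    def ndpc_deadline(self) -> datetime:
        return self.aware_at + NDPC_WINDOW

    def must_notify_ndpc(self) -> bool:
        return self.risk is not Risk.NONE

    def must_notify_subjects(self) -> bool:
        return self.risk is Risk.HIGH

    def missing_ndpc_fields(self) -> list:
        return [f for f in NDPC_REQUIRED_FIELDS if not self.details.get(f)]

    def missing_subject_fields(self) -> list:
        return [f for f in SUBJECT_REQUIRED_FIELDS if not self.details.get(f)]

    def notify_ndpc(self, sent_at: datetime, **phase: object) -> None:
        """Record one notification phase; later phases fill in fields that were
        unknown when the first phase went out (9.2 allows phased notification)."""
        if sent_at < self.aware_at:
            raise ValueError("notification cannot precede awareness")
        self.details.update({k: v for k, v in phase.items() if v not in (None, "")})
        self.ndpc_phases.append(sent_at)

    def notify_subjects(self, sent_at: datetime) -> None:
        """Refuse to record a data-subject notice that lacks a required element."""
        missing = self.missing_subject_fields()
        if missing:
            raise ValueError(f"data subject notice incomplete: {missing}")
        self.subjects_notified_at = sent_at

    def status(self, now: datetime) -> dict:
        first = self.ndpc_phases[0] if self.ndpc_phases else None
        required = self.must_notify_ndpc()
        return {
            "ndpc_required": required,
            "ndpc_first_phase_on_time": first is not None and first <= self.ndpc_deadline(),
            "ndpc_overdue": required and first is None and now > self.ndpc_deadline(),
            "ndpc_missing_fields": self.missing_ndpc_fields() if required else [],
            "subjects_required": self.must_notify_subjects(),
            "subjects_pending": self.must_notify_subjects() and self.subjects_notified_at is None,
        }


def demo() -> dict:
    """Constructed scenario: a high-risk breach reported to the NDPC in two phases."""
    aware = datetime(2025, 10, 6, 9, 0, tzinfo=timezone.utc)
    b = Breach(aware_at=aware, risk=Risk.HIGH)
    # Phase 1 goes out inside the 72-hour window, before the scope is known.
    b.notify_ndpc(aware + timedelta(hours=20),
                  nature="customer credential store exposed through a misconfigured storage bucket",
                  contact="dpo@example.invalid",
                  consequences="credential stuffing against affected accounts",
                  measures="bucket access restricted; forced password reset")
    after_phase1 = b.status(aware + timedelta(hours=30))
    # Phase 2 completes the record once the affected population is established.
    b.notify_ndpc(aware + timedelta(hours=60),
                  data_subject_categories="customers",
                  data_subject_count=12000,
                  record_categories="email addresses, password hashes",
                  record_count=12000)
    b.details["mitigation_advice"] = "reset reused passwords; enable two-factor authentication"
    b.notify_subjects(aware + timedelta(hours=62))
    return {"after_phase1": after_phase1, "final": b.status(aware + timedelta(hours=80))}
```

The point of the split between `ndpc_first_phase_on_time` and `ndpc_missing_fields` is that the deadline is satisfied by a timely first phase, while the record is only complete once every listed element has been supplied; the two are tracked separately so that a phased report does not silently leave gaps.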
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
Other best practices include:
- keeping a comprehensive record of all data breaches, including facts, effects and remedial actions, to demonstrate compliance to the NDPC;
- conducting prompt assessments of risks and the effectiveness of technical and administrative measures, including encryption and de-identification;
- implementing schedules for monitoring, evaluation and maintenance of data security systems, including training, vulnerability testing and quality assurance;
- establishing internal procedures and policies for routine compliance checks and internal audits, which may include unannounced inspections; and
- assigning responsible officers to manage breach response and ensuring clear communication lines between staff, management and regulatory authorities.
These measures ensure that data breaches are managed effectively, mitigating harm to data subjects and demonstrating accountability under the Nigeria Data Protection Act 2023.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
In Nigeria, the processing of employees' personal data is governed by the NDPA, which applies generally to all personal data, with additional considerations for employment contexts.
Data controllers (employers) must ensure that employee data is processed lawfully, fairly and transparently. The data collected should be limited to what is necessary for employment purposes, such as:
- payroll;
- social security;
- health and safety;
- performance management; and
- compliance with legal obligations.
Sensitive personal data – such as data relating to health information, biometrics or religious beliefs – can be processed only if:
- explicit consent is obtained; or
- processing is necessary:
  - to comply with employment or social security laws;
  - to protect vital interests; or
  - for legitimate public interest reasons.
Employers must also implement adequate security measures to protect employee data against unauthorised access, loss or misuse. Employees have rights to access their personal data, correct inaccuracies, object to processing and request erasure, subject to exemptions where retention is necessary for legal, contractual or public interest reasons.
Special attention is required when transferring employee data abroad; such transfers must:
- meet the cross-border adequacy standards under the NDPA; or
- rely on other lawful grounds, such as explicit employee consent.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
In Nigeria, employee surveillance is not prohibited outright, but it is strictly regulated under the NDPA. Any monitoring or surveillance of employees constitutes the processing of personal data and must therefore comply with the general principles of lawful, fair and transparent data processing.
Surveillance must be necessary and proportionate to the purpose, such as:
- ensuring workplace safety;
- protecting company assets; or
- monitoring performance where justified.
Employers must provide clear notice to employees about the nature, scope and purpose of surveillance. Covert surveillance:
- is generally permissible only in exceptional circumstances – for example, where prior notice would undermine the purpose of monitoring; and
- must comply with legal safeguards.
Employers must also implement safeguards to protect the confidentiality, integrity and security of the collected data. Surveillance should be limited to what is strictly necessary and sensitive personal data requires additional justification, such as consent or compliance with legal obligations.
Employees retain their rights to access personal data collected about them and to be informed about automated decision-making, if any, resulting from surveillance. Surveillance practices must also be reviewed regularly to:
- ensure compliance with data protection principles; and
- avoid disproportionate or intrusive monitoring.
In practice, employers should:
- adopt clear policies;
- provide employee awareness; and
- document the legal basis for any surveillance activity.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?
From an employment perspective, the processing of employee personal data must comply with the NDPA and associated guidance. Key requirements, restrictions and best practices include the following:
- Lawful basis: Employers must have a clear lawful basis for processing employee data, such as:
  - consent;
  - contractual necessity;
  - compliance with a legal obligation; or
  - legitimate interest.
  They must further ensure that the purpose is specific and documented.
- Transparency and notice: Employees should be informed about:
  - what data is collected;
  - how it will be used;
  - who it may be shared with; and
  - the retention period.
  Privacy notices or internal policies should be clear and accessible.
- Data minimisation and purpose limitation: Only data necessary for employment purposes should be collected. Personal data should not be used for unrelated purposes unless additional lawful justification exists.
- Security measures: Employers must implement technical and organisational measures to protect employee data from unauthorised access, loss or misuse. This includes:
  - encryption;
  - access controls;
  - secure storage; and
  - regular audits.
- Retention and deletion: Employee data should be retained only as long as necessary for employment-related purposes or legal obligations. Clear deletion or anonymisation procedures should be in place when data is no longer required.
- Rights of employees: Employees have the right to:
  - access, correct or request erasure of their personal data; and
  - object to certain processing activities, including automated decisions or profiling.
  Employers must have processes to facilitate these rights efficiently.
- Sensitive data: Processing sensitive personal data (eg, health records, biometric data) requires:
  - heightened safeguards;
  - clear legal justification; and
  - in most cases, explicit consent or legal necessity.
- Monitoring and surveillance policies: Any surveillance of employees must be:
  - proportionate;
  - documented; and
  - limited to legitimate purposes.
  Covert monitoring should be exceptional and legally justified.
- Training and awareness: Employers should train HR, IT and management staff on:
  - data protection obligations;
  - security practices; and
  - employee privacy rights.
- Documentation and accountability: Maintain records of processing activities, consent, data breaches and compliance measures. Demonstrating accountability is a key principle under the NDPA.
- Cross-border transfers: If employee data is transferred outside Nigeria, employers must ensure adequate protection in line with legal requirements for cross-border data transfer.
- Integration with employment policies: Privacy practices should be embedded into employment contracts, staff handbooks and company policies, ensuring consistency with broader organisational governance.
These measures collectively ensure that employee privacy is respected while allowing employers to manage operational, legal and compliance needs.
11 Online issues
11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?
The use of cookies and other tracking tools is regulated under the NDPA and the corresponding GAID. The key requirements are as follows:
- Consent: All cookies that process personal data require the freely given, informed and specific consent of the user. Necessary cookies – which enable core functionality such as security, network stability and accessibility – do not require explicit consent. All other cookies must provide users with a clear 'accept' or 'reject' option.
- Notice and transparency: Website operators must display a conspicuous cookie banner or notice that is immediately visible when a user accesses the site. Users must be informed of:
  - the presence of cookies;
  - their purpose; and
  - the organisation responsible for their use.
- Withdrawal of consent: Users must be able to withdraw their consent at any time. Information on how to do so should be clearly provided in the cookie notice or banner.
- Clarity and accessibility: All cookie-related information must be presented in clear, easily understandable language. Users should not be required to scroll or navigate the site to access cookie information.
- Application to other tracking tools: Any tracking tool performing functions similar to cookies is treated in the same way, subject to the same consent, notice and transparency requirements.
These rules ensure that the deployment of cookies aligns with the principles of data protection – particularly:
- transparency;
- user control; and
- lawful processing.
11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Cloud computing services that process personal data must comply with the NDPA and its GAID. The key requirements are as follows:
- Data controller responsibilities: The data controller remains fully responsible for personal data stored or processed in the cloud, even if a third-party cloud service provider manages the infrastructure. Controllers must ensure that the cloud provider:
  - implements adequate security measures; and
  - processes data lawfully.
- Security and integrity: Controllers and processors must implement appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of personal data. This includes encryption, pseudonymisation, regular risk assessments and monitoring of cloud systems to prevent unauthorised access, loss or breach.
- Cross-border data transfer: Where cloud services involve storage or processing outside Nigeria, transfers must comply with the NDPA's cross-border data transfer provisions. Data may be transferred only if:
  - the destination provides an adequate level of protection; or
  - one of the lawful transfer conditions applies, such as explicit consent of the data subject or contractual necessity.
- Accountability and documentation: Data controllers must document:
  - cloud contracts;
  - data processing agreements; and
  - security measures.
  Cloud providers should be able to:
  - demonstrate compliance with the NDPA; and
  - assist controllers in fulfilling their regulatory obligations, including breach notifications and data subject requests.
- Best practices: Controllers should conduct due diligence before selecting a cloud provider, including evaluating:
  - security certifications;
  - data storage locations; and
  - compliance with Nigerian data protection standards.
  Regular audits and contractual safeguards should be established to protect personal data.
These measures ensure that the use of cloud computing does not compromise the privacy, security or rights of data subjects while maintaining compliance with Nigerian data protection law.
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
From a marketing perspective in Nigeria, any online or networked marketing activities must comply with the NDPA and related guidance, ensuring that personal data is processed lawfully, transparently and for specific purposes.
Consent is central. Marketers must obtain freely given, informed and specific consent from data subjects before collecting or processing their personal data for marketing purposes. This includes:
- email marketing;
- social media campaigns;
- SMS campaigns; and
- targeted advertising.
Consent should be recorded and easily withdrawable by the data subject.
Direct marketing also triggers the right of objection. Data subjects can object at any time to the processing of their personal data for marketing purposes, including profiling related to marketing. Upon objection, marketers must immediately stop processing the data for such purposes.
The use of cookies, tracking tools and analytics for marketing purposes must comply with consent requirements. Necessary cookies that support core website functionality do not require explicit consent, but any other cookies used for tracking, profiling or targeting must be accompanied by clear notice and opt-in mechanisms. Users must be informed of:
- the purpose;
- the responsible organisation; and
- how to withdraw consent.
Marketers should also:
- ensure data minimisation, collecting only data that is relevant and necessary for the marketing purpose; and
- limit retention to the period needed to achieve the intended purpose.
Personal data must be adequately protected, with security measures proportionate to the sensitivity of the data.
Best practices include:
- implementing clear privacy notices;
- providing simple mechanisms for opting out;
- anonymising or pseudonymising data where possible;
- regularly auditing marketing practices for compliance; and
- documenting consent and processing activities.
These measures:
- reduce legal risk;
- build trust with consumers; and
- align with regulatory expectations.
12 Disputes
12.1 In which forums are data privacy disputes typically heard in your jurisdiction?
Data privacy disputes in Nigeria can be addressed both:
- administratively before the NDPC; and
- judicially in the courts.
The NDPA provides that any data subject who is aggrieved by the action, inaction or decision of a data controller or processor in violation of the NDPA may lodge a complaint directly with the NDPC.
The NDPC:
- has the authority to investigate complaints that it considers non-frivolous or vexatious; and
- may also initiate investigations on its own if it has reason to believe that a violation has occurred or is likely to occur.
During investigations, the NDPC may compel individuals or entities to:
- attend hearings;
- produce documents; or
- provide written statements.
The NDPC is also empowered to inspect material in any format, including electronic records, to verify compliance.
Following an investigation, the NDPC can issue compliance or enforcement orders. Compliance orders may require the data controller or processor to:
- adhere to statutory obligations;
- rectify breaches; or
- cease specific actions.
Enforcement orders can include remedies such as:
- compensation to affected data subjects;
- accounting for profits gained from a violation; or
- imposition of penalties.
Penalties vary depending on the scale of the data controller or processor, ranging from a standard maximum amount of NGN 2 million or 2% of annual gross revenue for smaller entities to a higher maximum of NGN 10 million or 2% of annual gross revenue for major data controllers or processors. When determining sanctions, the NDPC considers factors such as:
- the nature, gravity and duration of the infringement;
- intent or negligence;
- the number of affected data subjects; and
- the level of cooperation.
In addition to administrative recourse, data privacy disputes can be brought before the courts. The high court, the Federal High Court and the National Industrial Court all have jurisdiction depending on the context. Claims involving federal government agencies or institutions are typically filed in the Federal High Court, while disputes arising in the employment context, such as misuse of employee data, may be heard by the National Industrial Court. Other civil claims can be brought before the high court of a state or the Federal Capital Territory.
Nigerian courts, beginning with the case of Incorporated Trustees of Digital Rights Lawyers Initiative & Ors v NIMC, have recognised data protection as an extension of the constitutional right to privacy. Consequently, proceedings relating to the violation of data privacy rights, including those provided for under the NDPA, may be initiated under the Fundamental Rights (Enforcement Procedure) Rules 2009 (FREP Rules). This provides a route for expedited hearings and remedies, including injunctive relief and damages, particularly where urgent intervention is needed to prevent ongoing or imminent violations of privacy rights. Most data protection cases in Nigeria to date have been brought under these Rules.
The GAID notably introduces the use of the standard notice to address grievance (SNAG), which is a mechanism that allows data subjects to formally notify a data controller or processor of a suspected rights violation and request corrective action. Importantly, the GAID clarifies that submitting a SNAG is not a prerequisite for filing a direct complaint with the NDPC or initiating court proceedings. Instead, it serves as a standardised template for requesting internal remediation within an organisation that may be in breach of a data subject's privacy rights.
12.2 What issues do such disputes typically involve? How are they typically resolved?
Based on some decided cases, typical disputes involve the following issues:
- unsolicited marketing or direct communications after a data subject's objection (Chukwunweike Akosa Araka v ECART Internet Services Nigeria Limited; Tokunbo Olatokun v Polaris Bank Limited);
- failure to respect data subject rights, including objection to processing, restriction of processing and transparency obligations (Tokunbo Olatokun v Polaris Bank Limited; Emmanuel T Okpara ESQ v Green Africa Airways Limited);
- non-compliance with statutory obligations such as:
  - publishing privacy policies;
  - appointing data protection officers; or
  - filing compliance audits (Emmanuel T Okpara ESQ v Green Africa Airways Limited); and
- alleged personal data breaches or security lapses, including system errors or unauthorised access (Olumide Babalola LP v True Software Scandinavia AB; Olumide Babalola Esq v Sunday Egede).
Further, drawing from the NDPC's 2024 Annual Report, other issues have arisen around:
- unauthorised account opening by financial institutions;
- behavioural profiling and targeted advertising through big data;
- unauthorised employee access to personal data;
- unauthorised cross-border transfers of personal data;
- non-transparent use of cookies and online tracking;
- intrusive deployment of closed-circuit television and surveillance systems;
- identity theft and improper collection or storage of personal data;
- failure to conduct data privacy impact assessments;
- automated decision-making without human review; and
- intrusive or excessive processing practices affecting non-customers or non-subscribers (eg, Multichoice Nigeria).
This list illustrates the breadth of disputes and regulatory concerns, ranging from direct violations of individual rights to systemic compliance gaps across various industries.
Regarding the resolution of these disputes and issues, at the NDPC, most disputes typically begin with either:
- a complaint submitted by an aggrieved data subject; or
- the NDPC initiating an investigation.
The NDPC then examines the complaint, which may involve:
- requesting documents;
- conducting audits; and/or
- inspecting processing activities.
Following the investigation, the NDPC may:
- issue compliance directives and enforcement orders; or
- require remedial measures.
Where compensation is sought or constitutional privacy rights are implicated, cases may be escalated to the courts. The courts can award damages, enforce data subject rights and issue injunctions to restrain unlawful practices, ensuring that both statutory and constitutional obligations are upheld.
12.3 Have there been any recent cases of note?
Yes. Recent cases in Nigeria have arisen from both NDPC enforcement actions and judicial decisions interpreting and applying the NDPA. These cases illustrate the evolving regulatory and legal landscape for data protection.
Notable NDPC enforcement cases include the following:
- Meta Platforms Inc: It was reported in October 2025 that the NDPC and Meta are negotiating an out-of-court settlement involving a $32.8 million fine. Meta was alleged to have done the following:
  - processing the data of non-users;
  - failing to file its 2022 compliance audit;
  - transferring Nigerian users' data abroad without authorisation; and
  - processing sensitive information, including that of minors, for targeted advertising.
- Fidelity Bank: In August 2024, Fidelity Bank was fined NGN 555.8 million for violations relating to the opening of a customer account. The NDPC alleged that the bank had:
  - processed personal data without informed consent; and
  - unlawfully used tools such as cookies and banking apps.
  Reports suggest that Fidelity Bank has contested the decision and is seeking an amicable resolution with the NDPC.
- Multichoice Nigeria: In July 2025, Multichoice Nigeria was fined NGN 766.2 million for allegedly:
  - failing to obtain user consent; and
  - illegally transferring personal data outside Nigeria.
These enforcement actions highlight the NDPC's:
- active monitoring of compliance;
- investigation of complaints; and
- imposition of sanctions for non-compliance.
Judicial decisions have also played a key role. For example, in the recent case of Chukwunweike Akosa Araka v Ecart Internet Services Nigeria Limited, the applicant registered on Jumia Food, operated by the first respondent (Ecart), and ordered food from the second respondent (Eat 'N' Go) without providing his data directly to them. About seven months later, he began receiving unsolicited marketing emails from Eat 'N' Go, which continued despite complaints to Ecart and a cease-and-desist request to Eat 'N' Go. Ecart argued that the applicant had consented to data sharing for order fulfilment and claimed that it had instructed Eat 'N' Go to stop sending emails. Eat 'N' Go admitted initial compliance but alleged that messages resumed after the applicant ordered through another platform, Glovo. The court held that Ecart was a data controller, while Eat 'N' Go was a processor. Section 29 of the NDPA imposes a duty on controllers to ensure that processors comply with the law.
The court found that Ecart had discharged this duty by promptly directing Eat 'N' Go to stop marketing and ensuring a written agreement governed the processing relationship. Eat 'N' Go, however, acted outside the lawful basis of processing; the applicant's consent only covered order fulfilment, not direct marketing or retention after objection. The court awarded damages against Eat 'N' Go for breach of fundamental rights.
13 Trends and predictions
13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The data protection regulatory environment in Nigeria is evolving rapidly. This trend is largely being driven by the NDPC's issuance of subsidiary legislation and guidelines – such as the General Application and Implementation Directive 2025 – which provide greater clarity on compliance obligations for organisations across various sectors.
Alongside these regulatory clarifications, the NDPC has intensified its enforcement activities. Notable recent actions include:
- the publication in August 2025 of a list of over 1,000 organisations suspected of non-compliance; and
- high-profile enforcement cases such as fines imposed on Multichoice, Meta and Fidelity Bank.
Court actions related to data protection are also on the rise. Cases now include:
- challenges to NDPC-issued directives; and
- disputes between data subjects and controllers or processors.
Some of the claims by data subjects have been dismissed, while others have resulted in awards of damages. For example, in the case of Chukwunweike Akosa Araka v Ecart Internet Services Nigeria Limited, the court held a processor liable for processing data beyond the lawful purpose and for continuing to send marketing messages to the data subject even after they had objected to such marketing. Likewise, in the case of Tokunbo Olatokun v Polaris Bank Limited, the bank was found liable for continuing to send unsolicited communications despite a customer's objection.
These trends coincide with the rapid digitisation of activities across Nigeria. Services ranging from finance to retail are increasingly moving online and many disputes involve the automated processing of personal data. This highlights both the compliance challenges and the need for robust frameworks to safeguard personal data in technology-driven operations. In addition, there is growing advocacy and professionalisation in the field. Training programmes, certifications and learning initiatives are becoming more widely available, signalling that data protection is emerging as a recognised area of professional expertise.
Collectively, these developments indicate a landscape in which organisations must proactively embed compliance into their operations. Looking ahead, several developments are anticipated within the next 12 months. The NDPC is expected to intensify enforcement further, ensuring that organisations meet their obligations. Legislative refinements to the NDPA may be proposed to address emerging gaps or ambiguities. In this respect, the Nigerian Data Protection Act (Amendment) Bill, 2025 (SB 650) has passed a second reading in the Senate. It seeks to amend the NDPA by requiring data controllers, data processors, social media platforms and bloggers to establish and maintain physical offices in Nigeria.
Further, data privacy litigation is likely to increase as awareness of rights grows and courts continue to uphold privacy protections. Capacity-building initiatives, including training programmes for data protection officers and public awareness campaigns, are also expected to expand. In all, Nigeria's data privacy environment is characterised by:
- active regulatory oversight;
- rising enforcement;
- increasing litigation; and
- proactive efforts to build capacity and awareness.
Organisations must prioritise compliance, maintain strong data protection practices and closely monitor regulatory developments to avoid penalties and protect data subjects' rights.
It is also observed that the NDPC sometimes adopts a highly expansive and purposive approach when framing subsidiary instruments, such that certain provisions extend beyond what can reasonably be inferred from a textual reading of the NDPA itself. This trend, which is particularly evident in the GAID, is likely to shape Nigeria's data protection landscape, with more cases expected to challenge the legality of such instruments in court. Already, in the recent case of Frank Ijege v Nigeria Data Protection Commission, certain provisions of the Guidance Notice on Registration of Data Controllers and Data Processors of Major Importance (NDPC/HQ/GN/VOL.02/24) issued by the NDPC were challenged and declared void. The court found that the Guidance Notice did not comply with the requirements of the NDPA. Following the judgment, the NDPC issued a new Guidance Notice on Registration of Data Controllers and Data Processors of Major Importance and All Matters Connected Therewith (NDPC/HQ/GN/VOL.03/B/24) to align with the court's decision.
14 Tips and traps
14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
Top tips: A key point to appreciate is that data privacy compliance requirements remain an emerging area and organisations are now required to comply alongside their sector-specific obligations. It is also a complex field, requiring coordinated efforts across multiple dimensions. To ensure effective management, we propose the 'Triple P + C' framework – an acronym for:
- people;
- paper;
- process; and
- compliance.
Each component is discussed below.
People: This pillar focuses on the human element of data protection. Organisations should establish clear lines of accountability by defining roles and responsibilities for privacy management. Senior management must champion data protection as a strategic priority, embedding it into the corporate culture. Staff training is also essential under this pillar to ensure that all employees understand their obligations under the Nigeria Data Protection Act 2023 (NDPA) and its complementary subsidiary instruments. Data protection officers should be appointed, certified and empowered to oversee compliance. Additionally, privacy champions across departments can:
- support awareness;
- reinforce good practices; and
- ensure that data protection is integrated into everyday operations.
Paper: This pillar relates to documentation and records management. Organisations must maintain comprehensive documentation covering policies, procedures and contractual arrangements. Internal policies should address:
- data handling;
- retention;
- sharing; and
- breach response.
Records of processing activities, data privacy impact assessments and legitimate interest assessments should also be prepared and regularly updated to demonstrate accountability. Contracts with third-party processors must be formalised through data processing agreements, specifying:
- obligations;
- scope;
- purpose;
- security measures; and
- procedures for returning or deleting data.
Other contractual instruments may include confidentiality agreements, sub-processor agreements and relevant clauses in vendor or service contracts to ensure consistent data protection standards across all engagements.
Process: This pillar addresses the technical and operational measures needed to safeguard personal data throughout its lifecycle. Organisations should implement structured procedures for data collection, storage, access, transfer and deletion. Privacy by design principles should be applied when developing or updating systems. Regular risk assessments and robust incident detection and response mechanisms are also essential. Continuous monitoring of third-party processors is critical to ensure ongoing compliance and mitigate risks arising from outsourcing or subcontracting data processing activities.
Compliance: This pillar focuses on meeting regulatory requirements under the NDPA and other sector-specific laws. The other three pillars (people, paper and process) create the foundation for compliance. Organisations must also clearly understand specific compliance obligations, which cover:
- registration;
- regulatory filings;
- documentation;
- reporting; and
- adherence to sector-specific rules.
This pillar ensures that the organisation not only implements good practices but also demonstrates accountability and readiness for regulatory scrutiny.
Sticking points: Potential sticking points for data protection in Nigeria largely arise from practical challenges in implementation and compliance. One key issue is controller and processor ambiguity. Organisations may be unclear about who qualifies as a data controller or processor, which can create liability gaps or disputes if responsibilities are not properly defined and documented.
Consent management is another area of difficulty. Capturing, recording and managing consent across multiple platforms – especially in digital or automated environments – can be complex and failures in this area can expose organisations to regulatory action.
Cross-border data transfers also present risks. Transfers conducted without proper safeguards or in breach of NDPA requirements can trigger Nigeria Data Protection Commission (NDPC) enforcement, particularly where personal data is sent to jurisdictions with weaker protection standards.
Automated decision-making adds another layer of complexity. The use of AI or other automated processes to handle personal data without a clear lawful basis or sufficient transparency can result in disputes or challenges from data subjects.
Compliance can be further complicated by sector-specific conflicts. Organisations operating across multiple regulated sectors, such as banking, telecommunications and healthcare, must navigate overlapping regulatory frameworks, each with its own data protection obligations.
Finally, enforcement and litigation exposure is increasing. The NDPC continues to intensify enforcement actions and courts are awarding damages for breaches of both statutory and constitutional privacy rights. This underscores the need for organisations to proactively manage compliance and address potential gaps before they escalate into formal disputes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.