Frequently Asked Questions

What is the full meaning of the NDP Act?

The Nigeria Data Protection Act, 2023.

What are the major objectives of the NDP Act?
  • To safeguard the fundamental rights and freedoms, and the interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria, 1999;
  • Provide for the regulation of processing of personal data;
  • Promote data processing practices that safeguard the security of personal data and privacy of data subjects;
  • Ensure that personal data is processed in a fair, lawful and accountable manner;
  • Protect data subjects’ rights, and provide means of recourse and remedies, in the event of the breach of the data subjects’ rights;
  • Ensure that companies fulfil their obligations to data subjects;
  • Establish an impartial, independent, and effective regulatory Commission to superintend over data protection and privacy issues, and supervise data controllers and data processors; and
  • Strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data (Section 1, NDP Act).
What is the scope of the NDP Act?
  • NDP Act applies where the company and/or organisation is domiciled in, resident in, or operating in Nigeria;
  • NDP Act applies where the processing of personal data occurs within Nigeria; or
  • NDP Act applies where the company and/or organisation is not domiciled in, resident in, or operating in Nigeria, but is processing personal data of a data subject in Nigeria (Section 2, NDP Act).
What is personal data processing?

It means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure, or destruction and does not include the mere transit of data originating outside Nigeria (Section 65, NDP Act).

The consent of a data subject is very important in data protection. A Data Controller must seek this consent either in writing, orally, through electronic means or by any other action through which the Data Subject knows he is giving consent.

 

There are exceptions where duly constituted authorities can process data without consent in public interest or where private organizations may have lawful and cogent (albeit rebuttable) for data processing. These exceptions are without prejudice to the principles of data protection. Hence, every data controller whether acting in public interest or in private interest

How can the Nigeria Data Protection Commission (NDPC) legally protect the Privacy Rights of a Data Subject?

The right to privacy is a fundamental right that is recognised and enforceable through executive powers vested in the executive arm and the judicial powers vested in the judicial arm of government. In the exercise of the executive powers vested in the President by virtue of Section 5, 1999 Constitution of the Federal Republic of Nigeria (CFRN) (as amended), the NDPC was established to implement the NDP Act (see About Us).

 

Through its synergy and collaboration with relevant government agencies such as the National Information Technology Development Agency (NITDA), Nigeria Police Force, Federal Competition and Consumer Protection, Independent Corrupt Practices and Related Offences Commission (ICPC), Central Bank of Nigeria, etc., NDPC takes effective measures in protecting the Privacy Rights of Data Subjects.

What is the role of NDP Act in transactions that require the transfer of Personal Data abroad?

The NDP Act recognises the need for cross-border transfer of data in an era of globalised and high-speed business transactions.

Sections 41-43 (Part VIII) of the NDP Act address the transfer of personal data to a foreign country. To comply with these provisions and other aspects of the Act, the Data Controller or Data Processor is under a legal obligation to ensure that there is an adequate level of protection of the personal data being transferred.

An adequate level of protection can be obtained by:

  1. Obtaining an adequacy decision from the Commission
  2. Submitting a Cross Border Data Transfer Instrument to the Commission for approval, and obtaining this approval before engaging in cross border data transfer.
  3. Jural or Fiduciary Obligations
  4. Other lawful bases such as:
    • Defence or establishment of a legal claim;
    • Vital interest of another data subject where it is physically or legally impossible for the data subject to give consent;
    • Public Interest
    • The data subject concerned has given and has not withdrawn consent;
    • The risks must be properly communicated and there must be a clear indication that the data subject understands the risks involved
    • There is a contract involving the data subject as a party
    • If the contract is under negotiation, an agreement in principle will suffice.
    • The purpose of the transfer is for the sole benefit of the data subject.
When is the deadline for filing Annual Compliance Audit Returns?

Data Controllers are expected to file their audit returns annually before 31st March each year. (Article 10.7 & Article 10.8 NDP Act – General Application and Implementation Directive (GAID) 2025).

Do we need to file Compliance Audit Returns if we process the Personal Data of less than 200 Data Subjects?

If you process personal data of less than 200 data subjects and you fall under a Data Controller and Processor of Major Importance – Ordinary High Level, you are not required to file Compliance Audit Returns (CAR) but will need to renew your registration with the Commission on an annual basis.

How do we file Compliance Audit Returns (CAR)?

CAR is to be filed with the Commission through a Licensed Data Protection Compliance Organisation (DPCO) (See the list of Licensed DPCOs).

Do we need to comply with the NDP Act if our Sector Regulator has issued a Data Protection Regulation for our sector?

Yes. NDP Act covers all sectors and all aspects of data privacy. Sectoral guidelines or regulations are usually directed at customers of persons to whom you (as a Data Controller or Processor) may owe a fiduciary duty. NDP Act, in line with Section 37 of the 1999 Constitution of the Federal Republic of Nigeria, imposes a duty of care in respect of customers, employees, guests, visitors, and all other categories of Data Subjects whose data may be in your custody or may come into your custody for any reason.

What are the possible consequences of non-compliance with the NDP Act?
  • Breach of data privacy by a non-compliant Data Controller or Data Processor attracts administrative and criminal sanctions.
  • Data Subjects have the right to file civil actions in Court against a Data Controller or Data Processor on the basis of the NDP Act.
  • The business implications of non-compliance include reputational damage, loss of customers, restriction from international market opportunities, and lack of support from the national supervisory authority against foreign investigation by an international authority.
  • Negative perception/reputation of the organisation

According to Section 48(2) of the NDP Act, any person who is found to be in breach of Data Privacy Rights of a Data Subject shall be liable to an order or sanction:

  1. requiring the Data Controller or Data Processor to remedy the violation;
  2. ordering the Data Controller or Data Processor to pay compensation to the data subject, who has suffered injury, loss or harm as a result of a violation;
  3. ordering the Data Controller or Data Processor to account for the profits realised from the violation; or
  4. ordering the Data Controller or Data Processor to pay a remedial fee.
    • In the case of a Data Controller or Data Processor of Major Importance (DCPMI), the penalty or remedial fee may be an amount up to the higher maximum amount which shall be the greater of N10,000,000.00 and 2% of its annual gross revenue in the preceding financial year;
    • In the case of a Data Controller or Processor not of Major Importance, the penalty or remedial fee may be an amount up to the standard maximum amount which shall be the greater of N2,000,000.00 and 2% of its annual gross revenue in the preceding financial year. (Section 48, NDP Act).
Does the NDP Act limit my right as a professional to advise clients on Data Protection?

No.

Professionals are not restricted from performing their professional duties. However, only Licensed DPCOs can provide a competent verification statement on Compliance Audit Returns.
