G Elias
What law(s) specifically govern personal data / information?
The Constitution of the Federal Republic of Nigeria, 1999 (as amended).
The Nigeria Data Protection Act, 2023 (the “NDPA”).
The Nigerian Data Protection Regulation 2019: Implementation Framework, 2020 (the “Framework”).
The Nigeria Data Protection Act General Application and Implementation Directive, 2025 (the “GAID”).
With the issuance of the GAID in March 2025 (effective from September 19, 2025), the Nigeria Data Protection Regulation (NDPR) 2019 and its Implementation Framework are no longer in effect. The GAID now serves as the authoritative regulatory framework for implementing the NDPA, providing clarity, structure, and uniformity.
What are the key data protection principles in this jurisdiction?
Personal data should be processed in a fair, lawful and transparent manner.
The collection and processing of personal data must be done in accordance with the specific, explicit, and legitimate purpose consented to by the data subject.
The personal data must be adequate, relevant, and limited to the minimum necessary for the purposes for which the personal data was collected or further processed.
Personal data must be stored only for the period for which it is reasonably needed.
Personal data must be secured against foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.
The personal data must be accurate, complete, not misleading and where necessary kept up to date.
(NDPA, section 24; GAID, Art. 15.)
What is the supervisory authority / regulator in charge of data protection?
The Nigeria Data Protection Commission (the “NDPC”) (established by section 4 of the NDPA).
Is there a requirement to register with a supervisory authority / regulator?
Yes. A data controller and/or a data processor of major importance is obligated to register with the NDPC within six (6) months after the commencement of the NDPA or within six (6) months of becoming a data controller or data processor (NDPA, section 44).
By the NDPC Guidance Notice dated February 14, 2024 (the “Guidance Notice”), a data controller and/or a data processor is deemed to be of major importance if it keeps or has access to a filing system (whether analogue or digital) for the processing of personal data and:
- has processed the personal data of more than 200 data subjects in six months; or
- provides commercial IT services on any digital device which has storage capacity and belongs to another individual; or
- processes personal data as an organisation or service provider in certain sectors like health, education, insurance, financial, aviation, etc (Guidance Notice, para. 1).
In addition, persons who render data protection compliance services and who possess the requisite level of expertise in relation to data protection may be licensed by the NDPC to monitor, audit, and report on compliance by data controllers and data processors, for the purpose of ensuring compliance with the NDPA and other regulations, guidelines and directives made by the NDPC, including the GAID.
(NDPA, section 33.)
Is there a requirement to notify the supervisory authority / regulator?
Yes. The NDPC is to be notified within seventy-two (72) hours in the event of a personal data breach. (NDPA, section 40; GAID, Art. 7(p).)
Is it possible to register with / notify the supervisory authority / regulator online?
Yes. Registration of a data controller or processor of major importance and as a Data Protection Compliance Officer (DPCO) is carried out online. The NDPC also has a page on its website for reporting any kind of privacy breach.
What are the key data subject rights under the data protection laws of this jurisdiction?
Section 34 of the NDPA and the GAID set out the rights of data subjects as follows:
- right to information relating to data processing from data controllers in a concise, transparent, intelligible, and easily accessible form;
- information provided to a data subject and any communication and actions taken shall be provided without cost except in exceptional circumstances;
- prior to the collection of personal data from a data subject, data controllers are amongst others, mandated to inform data subjects about the purpose and legal basis for the processing for which the personal data are intended;
- right to be informed of the appropriate safeguards in a foreign country in the event of transfer of personal data to a foreign country or international organisation;
- right to request the correction or deletion of personal data without delay in applicable circumstances;
- the exercise of the rights of a data subject shall be in conformity with constitutionally guaranteed principles of law for the general protection and enforcement of fundamental rights; and
- right to restrict the processing of personal data.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes. The NDPA and the GAID require a data controller of major importance to appoint a Data Protection Officer who must be an expert in data protection law and practices, for the purpose of ensuring compliance with the NDPA and related policies of the data processor. The GAID also extends this requirement to a data processor of major importance.
(NDPA, Section 32; GAID, Article 7(i), 11.)
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Data controllers are mandated to conduct a data protection impact assessment (“DPIA”) before processing personal data if such processing could potentially pose a high risk to the rights and freedoms of data subjects. If the DPIA reveals that the security measures implemented by the data controller are insufficient and that the processing of personal data will affect the data subject's rights, the data controller must consult the NDPC.
The GAID provides that a DPIA is mandatory in the following circumstances:
- evaluation or scoring (profiling);
- automated decision-making with legal or similar significant effect;
- systematic monitoring;
- when sensitive or highly personal data is involved;
- when personal data processing relates to vulnerable or differently abled data subjects;
- when considering the deployment of innovative processes or application of new technological or organisational solutions which may pose a significant risk to the privacy of data subjects;
- development of software for the purposes of enabling communication with data subjects;
- financial services involving the processing of personal data through digital devices;
- health care services;
- e-Commerce services;
- deployment of surveillance cameras in places that may be accessed by members of the public;
- development and implementation of any legal instrument or policy which requires the processing of personal data of members of the general public;
- educational services involving processing of various records relating to students or pupils;
- hospitality services; and
- cross-border data transfer.
The GAID further provides that the introduction of new technologies, processing techniques or directives mandating the processing of personal data on a large scale will require a DPIA.
(NDPA, Section 28(1) and (2); GAID, Article 7(o), 28.)
Does this jurisdiction have any specific data breach notification requirements?
There are specific data breach notification requirements under the NDPA and the GAID.
Where personal data is breached during storage or processing, the processor must notify the controller or hiring processor.
Data controllers are also mandated to report personal data breaches to the NDPC within seventy-two (72) hours of knowledge of such breach and immediately notify the data subject of the personal data breach where such is likely to negatively impact the freedom and rights of the data subject.
A notification of data breach to NDPC must include the following:
- a description of the circumstances of the loss or unauthorised access or disclosure;
- the date or time during which the breach occurred;
- a description of the personal information involved in the data breach;
- an assessment of the risk or harm to individuals as a result of the breach;
- an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the breach;
- a description of the steps the data controller/data processor has taken to notify the data subjects of the breach and the steps it has taken to reduce the risk to individuals;
- the contact details of a representative of the data controller/data processor for the purpose of responding to NDPC’s investigation on the breach.
(NDPA, Section 40; GAID, Article 33.)
What restrictions apply to the international transfer of personal data / information?
Personal data can be transferred out of Nigeria, subject to the supervision of the NDPC, where it determines that the data recipient is subject to a binding law, rules, contractual clauses, code of conduct, etc. that affords an adequate level of protection with respect to the personal data. (NDPA, Section 41(1)(a).)
However, where this is absent, data can be transferred out of the jurisdiction where one of the conditions set out below applies:
- the consent of the data subject has not been withdrawn after having been informed of the possible risks of such transfer due to the absence of adequate protections;
- for the performance of a contract to which a data subject is a party or in order to take steps at the request of a data subject before entering the contract;
- for the sole benefit of a data subject and it is not reasonably practicable to obtain the consent of the data subject to that transfer, and if it were reasonably practicable, the data subject would likely give it;
- public interest reasons;
- for the establishment, exercise, or defence of legal claims; or
- to protect the vital interests of a data subject or of other persons, where a data subject is physically or legally incapable of giving consent.
In addition, the GAID provides for a Cross-Border Data Transfer Instrument (“CBDTI”) to be approved by the NDPC in the absence of an adequacy decision, upon which the transfer of data outside Nigeria may be effected. Further, a special circumstance that permits the transfer of personal data without an adequacy decision or an approved CBDTI is the existence of jural or fiduciary obligations, that is, a transfer made on the basis of a compelling legal right or duty of the data controller or data processor. (GAID, Schedule 5.)
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes, the data protection laws of Nigeria have an extra-territorial effect on organisations outside Nigeria.
The NDPA and the GAID apply to all transactions and business activities involving the processing of the personal data of natural persons residing in Nigeria, or residing outside Nigeria who are citizens of Nigeria.
(NDPA, Section 2(1)(c); GAID, Article 1(4) (c-d).)
What rules specifically deal with marketing?
Data processing for the purpose of marketing is contemplated and permissible under the data protection regime. The data protection laws provide that a data subject shall have the option to object to the processing of personal data relating to him which the data controller intends to process for the purpose of marketing, and that the consent of the data subject is required for any direct marketing activity, which includes profiling. The data subject also has the right to request the erasure of their personal data where it is being processed for direct marketing purposes.
(NDPA, Section 36(3) and (4); GAID, Article 18(1)(a), 38(1)(d).)
Do different rules apply to business-to-business and business-to-consumer marketing?
No. The same rules apply to both contexts of marketing, provided that the business activity involves the processing of the personal data of natural persons and/or data subjects within the meaning of the NDPA and GAID.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Electronic marketing is captured under the same general rules relating to marketing as discussed above.
(NDPA, Section 36(3) and (4); GAID, Article 18(1)(a), 38(1)(d).)
What rules specifically deal with cookies?
Cookie policies must align with the fundamental data processing principles established in the NDPA, particularly in section 24 (please refer to the principles outlined in Question 2 above). Generally, the use of cookies on any website or digital platform requires the prior consent of the user, and such consent must be freely given, informed, specific and unambiguous. However, there is a specific exception for necessary cookies, which the GAID defines as those that enable core functionality such as security, network stability management and accessibility, and which do not involve sensitive data, financial data or any privately stored data. All other types of cookies require explicit user consent through specific "yes or no" options (alternatively presented as "accept" or "reject" choices).
Furthermore, website owners have a mandatory obligation to display cookie notices on their website homepages. The cookie notice must give users a clear opportunity to either accept or decline cookies, and it must be positioned so that it significantly obstructs the middle, left or right side of the homepage. This positioning requirement ensures that users cannot easily ignore or overlook the notice; placing a cookie notice at the bottom of a webpage, where it might be ignored or go unnoticed, would therefore constitute a lack of transparency in data processing. Cookie notices also cannot be positioned in locations that require users to scroll through the website before encountering them.
The cookie notices and other cookie-related information must be presented in a clear and easily understandable manner. Website owners must notify users of the presence of cookies on their website, clearly explain the purpose for which such cookies are used, and identify the organisation responsible for deploying or managing the cookies. Users must also be informed of the process for withdrawing their consent to the use of cookies at any time.
(NDPA, Section 24; GAID, Articles 7(l), 19.)
What are the consequences of non-compliance with data protection laws (including marketing laws)?
The NDPA provides two types of orders the NDPC can make. Where the NDPC upon investigation is satisfied that a data controller or data processor has violated or is likely to violate any provision of the NDPA, the NDPC may make a compliance or enforcement order.
A compliance order may include:
- warning that a certain act or omission is likely to be a violation of one or more provisions under the NDPA or any subsidiary legislation or order issued under it;
- requirement that the data controller or processor complies with such provisions, including complying with the requests of a data subject to exercise one or more rights under the NDPA; and
- cease and desist order requiring the data controller or processor to stop or refrain from doing an act, which is in violation of the NDPA.
An enforcement order may include:
- requiring the data controller or data processor to remedy the violation;
- ordering the data controller or data processor to pay compensation to a data subject, who has suffered injury, loss, or harm as a result of a violation;
- ordering the data controller or data processor to account for the profits realised from the violation; or
- ordering the data controller or data processor to pay a penalty or remedial fee of either a higher maximum amount, in the case of a data controller or data processor of major importance or a standard maximum amount, in the case of a data controller or data processor not of major importance.
Further, data controllers or data processors of major importance that are found to have breached the provisions of the NDPA may be liable to pay a fine of the greater of N10,000,000 and 2% of their annual gross revenue from the preceding financial year.
Other data controllers or data processors may be liable to pay a fine of the greater of N2,000,000 and 2% of their annual gross revenue from the preceding financial year.
(NDPA, Sections 47 and 48.)
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
Please refer to Question 11 above.
What upcoming data protection developments should multinational organisations be aware of?
Multinational organisations should be aware that the GAID will fully come into effect on September 19, 2025. As such, the NDPC will be on the lookout for compliance. Beyond the implementation of the GAID in September 2025, we do not foresee any major changes or new initiatives emerging within the data protection regulatory framework at this time.