# Nigeria Data Protection Act (NDP Act) 2023 — Comprehensive Study Guide

> **Purpose:** Exam prep material for the IIM CDPO (Certified Data Protection Officer) certification
> **Last Updated:** 2 March 2026
> **Sources:** NDPA 2023 text, ICLG Nigeria Chapter 2025-2026, DLA Piper Data Protection Guide, NDPC official materials

---

## Table of Contents

1. [Executive Summary](#1-executive-summary)
2. [Key Definitions](#2-key-definitions)
3. [Principles of Data Processing](#3-principles-of-data-processing)
4. [Lawful Basis for Processing](#4-lawful-basis-for-processing)
5. [Rights of Data Subjects](#5-rights-of-data-subjects)
6. [Obligations of Data Controllers & Processors](#6-obligations-of-data-controllers--processors)
7. [Cross-Border Data Transfer Rules](#7-cross-border-data-transfer-rules)
8. [Data Protection Impact Assessment (DPIA)](#8-data-protection-impact-assessment-dpia)
9. [Data Breach Notification](#9-data-breach-notification)
10. [Enforcement, Penalties & Sanctions](#10-enforcement-penalties--sanctions)
11. [Role of NDPC](#11-role-of-ndpc)
12. [NDP Act vs GDPR — Comparison Table](#12-ndp-act-vs-gdpr--comparison-table)
13. [Study Flashcards — 50 Q&A Pairs](#13-study-flashcards--50-qa-pairs)

---

## 1. Executive Summary

### Overview

The **Nigeria Data Protection Act 2023 (NDPA)** is Nigeria's principal data protection legislation, signed into law by President Bola Ahmed Tinubu on **12 June 2023** (coinciding with Nigeria's Democracy Day). It replaced the regulatory-level Nigeria Data Protection Regulation 2019 (NDPR) with a comprehensive legislative framework, elevating data protection to the status of an Act of the National Assembly.

### Key Objectives

- **Protect fundamental rights and freedoms** of data subjects as guaranteed under the Constitution of the Federal Republic of Nigeria (Section 37 — right to privacy)
- **Establish the Nigeria Data Protection Commission (NDPC)** as an independent regulatory body (succeeding the Nigeria Data Protection Bureau)
- **Promote data processing practices** that safeguard personal data security and privacy
- **Protect data subjects' rights** and provide means of recourse and remedies for breaches
- **Strengthen the legal foundations** of Nigeria's digital economy and ensure participation in regional and global economies through trusted use of personal data

### Structure of the Act

The NDPA is organized into **eight parts** and multiple schedules:

| Part | Content |
|------|---------|
| I | Objectives, Scope and Application |
| II | Establishment of the Nigeria Data Protection Commission |
| III | Functions, Powers and Governance of the NDPC |
| IV | Funding and Financial Provisions |
| V | Obligations of Data Controllers and Processors |
| VI | Rights of Data Subjects |
| VII | Enforcement |
| VIII | Miscellaneous Provisions |

### Territorial Scope

- Applies to processing of personal data of **data subjects in Nigeria** (Section 2(1))
- **Extraterritorial reach:** Applies to businesses established in other jurisdictions where they process personal data of data subjects in Nigeria (Section 2(2))
- **Exclusion:** Does not apply to mere transit of data originating outside Nigeria

### Material Scope Exemptions (Section 3)

- Processing solely for **personal or household purposes** (provided it doesn't violate fundamental right to privacy)
- Partial exemptions (from Part V obligations only) for:
  - Criminal law enforcement by competent authorities
  - National public health emergencies
  - National security
  - Journalism, education, artistic and literary purposes
  - Legal claims (court, administrative, or out-of-court)

**Important:** These exemptions are **not absolute** — data controllers/processors must still comply with: data processing principles (S.24), lawful basis (S.25), DPO designation (S.32), breach notification (S.40), and all data subject rights (Part VI).

### Subsidiary Legislation

- **NDPR 2019** — issued by NITDA; read alongside the NDPA (the NDPA prevailing where they conflicted) until the GAID took effect on 19 September 2025
- **NDPR Implementation Framework 2020** — issued by NITDA
- **General Application and Implementation Directive (GAID)** — issued by NDPC on 20 March 2025, effective from 19 September 2025; it replaces the NDPR as the principal subsidiary instrument under the Act

### Historical Context

| Year | Development |
|------|------------|
| 1999 | Constitution guarantees right to privacy (S.37) |
| 2019 | NDPR issued by NITDA (regulatory instrument) |
| 2020 | NDPR Implementation Framework |
| 2022 | Nigeria Data Protection Bureau (NDPB) created by Executive Order |
| 2023 | **NDP Act signed into law (12 June 2023)** |
| 2024 | DCPMI registration guidance notice issued |
| 2025 | GAID issued (March); effective September 2025 |

---

## 2. Key Definitions

### Core Definitions (From the NDPA)

| Term | Definition |
|------|-----------|
| **Personal Data** | Any information relating to an individual who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual |
| **Data Subject** | An individual to whom personal data relates |
| **Data Controller** | An individual, private entity, public commission, agency, or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data |
| **Data Processor** | An individual, private entity, public authority, or any other body who processes personal data on behalf of or at the direction of a data controller or another data processor |
| **Processing** | Any operation or set of operations performed on personal data, whether or not by automated means, including: collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction. **Excludes** the mere transit of data originating outside Nigeria |
| **Sensitive Personal Data** | Personal data relating to: (a) genetic and biometric data for uniquely identifying a person; (b) race or ethnic origin; (c) religious or similar beliefs (conscience/philosophy); (d) health status; (e) sex life; (f) political opinions and affiliations; (g) trade union membership; (h) other information prescribed by the NDPC |
| **Personal Data Breach** | A breach of security of a data controller or data processor leading to or likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed |
| **Data Controller/Processor of Major Importance (DCPMI)** | A data controller or data processor domiciled, resident in, or operating in Nigeria that processes personal data of more than the prescribed number of data subjects in Nigeria, or processes data of particular value/significance to the economy, society, or security of Nigeria |
| **Pseudonymisation** | Processing of personal data so it can no longer be attributed to a specific data subject without use of additional information, provided such additional information is kept separately and subject to technical and organisational measures |
| **Consent** | Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they signify agreement to processing of their personal data |

### Additional Important Definitions

| Term | Definition |
|------|-----------|
| **Data Protection Compliance Organisation (DPCO)** | An entity licensed by the NDPC for training, auditing, consulting, and rendering services/products to ensure compliance with the NDPA |
| **Automated Decision-Making** | A decision based solely on automated processing of personal data, without any human involvement in the decision |
| **Binding Corporate Rules (BCRs)** | Personal data protection policies and procedures adhered to by members of a group of firms under common control regarding transfer of personal data among members |
| **Data Portability** | The ability of data to be transferred easily from one IT system to another through safe and secured means in a standard format |
| **Child** | Any person below the age of **18 years** (for purposes of the NDPA) |

### DCPMI Classification (Per Guidance Notice)

| Level | Threshold | Examples |
|-------|-----------|---------|
| **MDP-OHL** (Ordinary High Level) | >200 data subjects per 6 months | Primary/secondary schools, primary health centres, third-party processors |
| **MDP-EHL** (Extra High Level) | >1,000 data subjects per 6 months | Government MDAs, microfinance banks, universities, hospitals |
| **MDP-UHL** (Ultra High Level) | >5,000 data subjects per 6 months | Commercial banks, telecoms, insurance companies, multinationals, social media platforms |

---

## 3. Principles of Data Processing

The NDPA establishes **seven core principles** under **Section 24**, closely mirroring the GDPR but with Nigerian-specific nuances.

### Principle 1: Lawfulness, Fairness, and Transparency
**Section 24(1)(a)**

Personal data shall be processed in a **fair, lawful, and transparent** manner in relation to the data subject.

- The GAID clarifies that transparency entails **due disclosure of all material facts** that help data subjects and the NDPC make informed decisions
- Data controllers may use **Records of Processing Activities** and **privacy policies** to achieve transparency

### Principle 2: Purpose Limitation
**Section 24(1)(b)**

Personal data must be collected for **specified, explicit, and legitimate purposes** and not further processed in a way that is incompatible with those purposes.

- The purpose must be determined **before** collection begins
- Further processing for archiving in the public interest, scientific/historical research, or statistical purposes is generally compatible

### Principle 3: Data Minimisation
**Section 24(1)(c)**

Personal data must be **adequate, relevant, and limited to the minimum necessary** for the purposes for which it was collected or further processed.

- Controllers must ensure data collected is proportionate to the stated purpose
- No excessive data collection

### Principle 4: Storage Limitation
**Section 24(1)(d)**

Personal data must be retained for **not longer than is necessary** to achieve the lawful basis for which it was collected or further processed.

**Retention periods (NDPR Implementation Framework):**
- 3 years after last active use of a digital platform
- 6 years after last transaction in a contractual agreement
- Immediate deletion upon evidence of death (unless legal obligation to retain)
- Immediate deletion upon data subject request (if no statutory bar)

**GAID provision:** Storage duration shall lapse not later than **6 calendar months** after the original purpose is accomplished (subject to other legal obligations). Effective from 19 September 2025.

### Principle 5: Accuracy
**Section 24(1)(e)**

Personal data must be **accurate, complete, not misleading**, and where necessary, kept up to date having regard to the purposes for which it is collected or further processed.

- Reasonable steps must be taken to ensure inaccurate data is erased or rectified without delay

### Principle 6: Security (Integrity and Confidentiality)
**Section 24(1)(f)**

Personal data must be processed in a manner that ensures **appropriate security**, including protection against:
- Unauthorised or unlawful processing
- Accidental access, loss, destruction, or damage
- Any form of data breach

**Section 39(1)** reinforces this: controllers and processors must implement **appropriate technical and organisational measures** for security, integrity, and confidentiality.

### Principle 7: Accountability
**Section 24(3)**

Data controllers and processors owe a **duty of care** in respect of data processing and shall **demonstrate accountability** in respect of the principles contained in the NDPA.

- Third-party processing must be governed by a **written contract**
- Controllers must ensure third parties adhere to contractual terms and the NDPA

---

## 4. Lawful Basis for Processing

**Section 25** of the NDPA provides **six lawful bases** for processing personal data. At least one must apply for processing to be lawful.

### The Six Lawful Bases

| # | Lawful Basis | Description | Key Notes |
|---|-------------|-------------|-----------|
| 1 | **Consent** | Data subject has given and **not withdrawn** consent for the specific purpose(s) | Must be freely given, specific, informed, and unambiguous. As easy to withdraw as to give. Withdrawal doesn't affect prior lawful processing (S.35) |
| 2 | **Contractual Necessity** | Processing necessary for performance of a **contract** to which the data subject is a party, or to take pre-contractual steps at the data subject's request | Must be genuinely necessary, not merely useful |
| 3 | **Legal Obligation** | Processing necessary for compliance with a **legal obligation** to which the controller/processor is subject | Must be a specific legal requirement, not a general desire to comply |
| 4 | **Vital Interests** | Processing necessary to **protect the vital interests** of the data subject or another natural person | Typically life-or-death situations; narrow interpretation |
| 5 | **Public Interest / Official Authority** | Processing necessary for performance of a task in the **public interest** or in the exercise of **official public mandate** vested in the controller | For government bodies and entities with statutory mandates |
| 6 | **Legitimate Interests** | Processing necessary for the **legitimate interests** of the controller, processor, or a third party to whom data is disclosed | Subject to a balancing test against the data subject's fundamental rights, freedoms, and interests |

### Conditions for Valid Consent (Section 26)

- Must be **freely given** — no coercion or undue influence
- Must be **specific** — for a particular purpose or purposes
- Must be **informed** — data subject knows what they are consenting to
- Must be **unambiguous** — clear affirmative action
- Where processing of **sensitive personal data** is based on consent, the consent must be **explicit** (Section 26(3))
- Data subject must be informed of the right to withdraw consent **before** granting it (Section 26(4))
- **Burden of proof** that consent was obtained rests on the data controller

### Legitimate Interests Test (Additional Requirements)

Under the NDPA and GAID, legitimate interests can only be relied upon if:
1. The interests **do not override** the fundamental rights, freedoms, and interests of the data subject
2. They are **compatible** with other lawful bases (except consent)
3. The data subject would have a **reasonable expectation** that their data would be processed in the manner envisaged

### Processing of Sensitive Personal Data

Section 30 of the NDPA imposes **additional requirements** for processing sensitive personal data:
- Generally requires **explicit consent**
- May be processed without consent where necessary for:
  - Employment law obligations
  - Protection of vital interests where data subject is incapable of consenting
  - Processing by non-profit bodies with appropriate safeguards
  - Data manifestly made public by the data subject
  - Legal claims
  - Public health
  - Archiving, research, or statistical purposes

### Processing of Children's Data (Section 31)

- A child = any person below **18 years**
- Data controllers must apply appropriate mechanisms to **verify age and consent**
- Parental/guardian consent required for children's data
- NDPC may make special regulations for children aged **13 and above** regarding online services
- Privacy policies must be in **child-friendly form**
- Consent must not be sought in circumstances that violate or endanger a child's rights

---

## 5. Rights of Data Subjects

The NDPA provides data subjects with comprehensive rights under **Part VI (Sections 34-38)**. These rights are largely similar to GDPR rights but with some Nigerian-specific features.

### Complete List of Data Subject Rights

| Right | Section | Description |
|-------|---------|-------------|
| **Right to be Informed** | S.27 | Before collection, controllers must inform data subjects of: identity/contact of controller, DPO contact, purpose, legal basis, recipients, cross-border transfers, retention period, all rights, automated decision-making, and consequences of not providing data |
| **Right of Access** | S.34(1)(b) | Right to obtain a copy of personal data in commonly used electronic format, without constraint or unreasonable delay. Free of charge unless manifestly unfounded/excessive |
| **Right to Rectification** | S.34(1)(c) | Right to have inaccurate, out-of-date, incomplete, or misleading personal data corrected or deleted. Where error is by the controller, rectification is at no cost to the data subject |
| **Right to Erasure (Right to be Forgotten)** | S.34(1)(d), S.34(2) | Right to erasure without undue delay where: data no longer necessary for original purpose, or no other lawful basis to retain. Not absolute — controller interests may override in certain circumstances |
| **Right to Restrict Processing** | S.34(1)(v) | Right to request restriction of processing or object to processing. Applies when: accuracy contested, processing unlawful, controller no longer needs data but subject needs it for legal claims, or objection pending verification |
| **Right to Withdraw Consent** | S.35 | Right to withdraw consent at any time. Must be as easy to withdraw as to give. Withdrawal does not affect lawfulness of prior processing. Must be informed of this right before consenting |
| **Right to Object** | S.36 | Right to object to processing. Controller must discontinue unless it demonstrates public interest or other legitimate grounds overriding the data subject's rights. **For direct marketing: objection is absolute** |
| **Right Not to be Subject to Automated Decision-Making** | S.37 | Right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects |
| **Right to Data Portability** | S.38 | Right to: (a) receive personal data in structured, commonly used, machine-readable format; (b) transmit to another controller without hindrance; (c) have data transmitted directly between controllers where technically possible. Under GAID: only when legal basis is consent or contractual necessity |
| **Right to Complain** | S.34 | Right to lodge a complaint with the NDPC |
| **Right to Information on Cross-Border Transfers** | NDPR Reg 3.1(8) | Right to be informed of appropriate safeguards when data is transferred to a foreign country or international organisation |

### Exercising Rights — Key Procedural Points

- Data subject access requests should be responded to within **one month** of receipt
- Information should be provided **free of charge** (reasonable fee permitted for manifestly unfounded/excessive requests)
- Controllers must communicate rectification, erasure, or restriction to all recipients unless impossible or disproportionate effort
- Under the GAID, grievances can be filed by the data subject directly, an authorised representative, or a **civil society organisation acting in the public interest**

### Limitations on Rights

The data subject's rights may be limited where:
- Data is used to exercise **freedom of expression and information** (subject to constitutional limits)
- Processing is necessary to comply with a **legal obligation**
- Processing is for **public health** purposes in the public interest
- Processing is for **archiving, scientific research, or statistical purposes**
- Processing is necessary for **preventative or occupational medicine** (by health professionals under professional secrecy obligations)

---

## 6. Obligations of Data Controllers & Processors

### Pre-Collection Obligations (Section 27)

Before collecting personal data directly from a data subject, the controller must inform them of:

1. Identity and contact details of the controller
2. Contact details of the Data Protection Officer (DPO)
3. Purpose of processing and legal basis
4. Legitimate interests pursued (if applicable)
5. Recipients or categories of recipients
6. Intention to transfer data cross-border and safeguards
7. Retention period or criteria for determining it
8. All data subject rights
9. Right to withdraw consent (where applicable)
10. Right to lodge complaints with NDPC
11. Whether provision of data is statutory/contractual requirement
12. Existence of automated decision-making including profiling

### Data Protection Officer (DPO) Requirements (Section 32)

**Mandatory appointment for DCPMIs.**

DPO responsibilities:
- **Advise** the controller/processor and employees on NDPA obligations
- **Monitor compliance** with the NDPA and related policies
- **Act as contact point** for the NDPC on data processing issues

DPO qualifications:
- Expert knowledge of data protection law and practices
- Ability to carry out prescribed tasks
- Must be **resident in Nigeria** (for Nigeria-based organisations)
- Must have **full access to management team** in Nigeria

A single DPO may cover multiple entities if it doesn't impair their ability to perform duties.

### Data Processing Agreements (Third-Party Processing)

- Processing by a third party must be governed by a **written contract**
- The contract must ensure the processor:
  - Processes data only on documented instructions of the controller
  - Ensures confidentiality
  - Implements appropriate security measures
  - Assists with data subject rights
  - Assists with breach notification
  - Deletes or returns data after services end
  - Makes available information to demonstrate compliance

### Security Obligations (Section 39)

Data controllers and processors must implement **appropriate technical and organisational measures** to ensure:
- Security of personal data
- Integrity of personal data
- Confidentiality of personal data

Measures include but are not limited to:
- Protection against hackers
- Firewalls
- Secure storage with authorised access only
- Data encryption technologies
- Organisational policies for handling personal data
- Email system protection
- Continuous staff capacity building

Factors to consider:
- Amount and sensitivity of data
- Likelihood of harm to data subjects
- State of the art and cost of implementation

### Registration Requirements for DCPMIs

- Must register with NDPC **within 6 months** of commencement of the Act or becoming a DCPMI
- Registration is a **one-time** process
- Registration information required: name/address of controller, DPO details, data categories, purposes, recipients, international transfers, security measures

**Registration fees:**
| Level | Fee |
|-------|-----|
| MDP-OHL | ₦10,000 |
| MDP-EHL | ₦100,000 |
| MDP-UHL | ₦250,000 |

### Compliance Audit Return (CAR)

- DCPMIs must file annual compliance audit returns
- **Deadline:** 31 March each year (for entities established before 12 June 2023)
- New entities: within 15 months of establishment, then annually
- UHL and EHL categories must file through a **licensed DPCO**

### Record Keeping

- Must maintain **Records of Processing Activities**
- Privacy policies must be displayed on all data collection mediums
- Privacy policies must include: consent details, data description, purpose, technical methods, third-party access, processing principles, remedies, timeframes

### Entities Exempt from DCPMI Registration

Even if thresholds are met:
- Community-Based Associations
- Faith-Based Organisations
- Foreign Embassies and High Commissions
- Judicial establishments
- Multigovernmental/Intergovernmental Organisations

---

## 7. Cross-Border Data Transfer Rules

### General Rule (Section 41)

Transfer of personal data outside Nigeria is **permitted** if the recipient is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an **adequate level of protection**.

### Adequacy Assessment Factors

The controller/processor must assess and the NDPC may evaluate:

1. **Enforceable data subject rights** and ability to seek administrative/judicial redress, and the rule of law
2. **Appropriate instruments** between the NDPC and a competent authority in the recipient jurisdiction
3. **Access of public authorities** to personal data in the recipient country
4. **Existence of effective data protection law**
5. **Independent, competent data protection authority** with adequate enforcement powers
6. **International commitments** and membership of multilateral/regional organisations

### NDPC Powers on Cross-Border Transfers

- May **determine** if a country, region, or sector has adequate protection
- May **approve** binding corporate rules, codes of conduct, certification mechanisms
- May **designate categories** of personal data subject to additional transfer restrictions
- May require controllers/processors to **notify** it of transfer measures and their adequacy

### Derogations (Transfers Without Adequacy)

In the absence of adequate protection, transfers are permitted if:

| # | Derogation | Notes |
|---|-----------|-------|
| 1 | **Consent** | Data subject consented after being informed of risks due to absence of adequate protections |
| 2 | **Contractual necessity** | Transfer necessary for performance of a contract or pre-contractual steps |
| 3 | **Sole benefit of data subject** | Not reasonably practicable to obtain consent, or data subject would likely give it |
| 4 | **Important public interest** | Must be a recognised public interest |
| 5 | **Legal claims** | Necessary for establishment, exercise, or defence of legal claims |
| 6 | **Vital interests** | Data subject physically or legally incapable of giving consent |

### Documentation Requirement

Data controllers/processors must **record the basis for transfer and adequacy of protection** in the recipient country.

---

## 8. Data Protection Impact Assessment (DPIA)

### When Required (Section 33)

A DPIA is required where processing personal data could potentially pose a **substantial risk to the rights and freedoms** of a data subject, taking into consideration:
- Nature of the processing
- Scope of the processing
- Context of the processing
- Purposes of the processing

### High-Risk Processing Examples

Processing likely to require a DPIA includes:
- Systematic and extensive evaluation of personal aspects (profiling)
- Large-scale processing of sensitive personal data
- Systematic monitoring of publicly accessible areas
- Use of new technologies
- Processing that could affect vulnerable groups (including children)

### DPIA Content

A DPIA should include:
- Description of the processing operations and purposes
- Assessment of the necessity and proportionality of processing
- Assessment of risks to the rights and freedoms of data subjects
- Measures to address risks, including safeguards, security measures, and mechanisms to ensure protection

### Consultation with NDPC

Where the DPIA indicates **high probability of risks**, the controller must **consult the NDPC before processing**.

The NDPC may:
- Provide guidance on mitigating risks
- Require modifications to the processing
- Prohibit the processing if risks cannot be mitigated

---

## 9. Data Breach Notification

### Processor-to-Controller Notification (Section 40)

When a data processor (or sub-processor) becomes aware of a breach, it must:
1. **Notify the data controller** (or the processor that engaged it) without undue delay
2. **Describe the nature** of the breach including (where possible):
   - Categories and approximate number of data subjects concerned
   - Categories and approximate number of records concerned
3. **Respond to all information requests** from the controller/engaging processor

### Controller-to-NDPC Notification

- **Timeline:** Within **72 hours** of becoming aware of the breach
- **Threshold:** Breach is likely to result in a **risk to the rights and freedoms** of individuals
- **Content of notification:**
  - Name and contact details of a point of contact
  - Description of the nature of the breach
  - Categories and approximate numbers of data subjects and records concerned
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach

### Controller-to-Data Subject Notification

- **Threshold:** Breach is likely to result in a **high risk** to the rights and freedoms of a data subject
- **Timing:** **Immediately** upon determination of high risk
- **Method:** Communication in **plain and clear language**
- **Content:** Description of breach, likely consequences, advice about mitigation measures, contact details
- **Alternative method:** If direct communication involves disproportionate effort/expense or is not feasible, the controller may make a **public communication** in one or more widely used media sources

### Key Differences from GDPR

- Similar 72-hour notification timeline to the NDPC
- Immediate notification to data subjects for high-risk breaches (GDPR says "without undue delay")
- Emphasis on plain and clear language including **advice about mitigation measures**

---

## 10. Enforcement, Penalties & Sanctions

### Complaint Process

1. Data subject lodges a complaint with the NDPC
2. NDPC investigates (unless complaint is frivolous or vexatious)
3. NDPC determines if a violation has occurred or is likely

### Compliance Orders (Section 47)

The NDPC may issue:
- **Warning** that an act/omission is likely to violate the NDPA
- **Compliance order** requiring adherence to specific provisions
- **Cease and desist order** requiring the controller/processor to stop processing

### Enforcement Orders (Section 48)

After completing an investigation, the NDPC may:
1. **Require the controller/processor to remedy the violation**
2. **Order compensation** to the data subject for injury, loss, or harm
3. **Order accounting of profits** realised from the violation
4. **Order payment of penalty or remedial fee**
5. **Refer the matter** to appropriate regulatory agencies for sanction/prosecution

### Penalties — Administrative Fines

| Category | Maximum Fine |
|----------|-------------|
| **DCPMI** | **2% of annual gross revenue** of the preceding year **OR ₦10 million**, whichever is **greater** |
| **Non-DCPMI** | **2% of annual gross revenue** of the preceding year **OR ₦2 million**, whichever is **greater** |

### Criminal Sanctions

- A controller/processor who **fails to comply with NDPC orders** commits an offence
- Liability on conviction:
  - **Fine:** Up to the higher maximum amount (DCPMI) or standard maximum amount (non-DCPMI)
  - **Imprisonment:** Up to **1 year**
  - **Or both**

### Factors in Determining Sanctions

The NDPC must consider:
1. Nature, gravity, and duration of the infringement
2. Purpose of the processing
3. Number of data subjects affected
4. Level of damage and mitigation measures implemented
5. Intent or negligence
6. Degree of cooperation with the NDPC
7. Types of personal data involved

### Civil Remedies

- Data subjects may seek **compensation** for material and non-material damage
- Civil society organisations may act on behalf of data subjects
- The NDPC may refer matters for **prosecution**

---

## 11. Role of NDPC (Nigeria Data Protection Commission)

### Establishment

- Established under the NDPA as the **successor to the Nigeria Data Protection Bureau (NDPB)**
- Independent supervisory and regulatory authority for data protection in Nigeria
- Headquartered at No. 12 Clement Isong Street, Asokoro, Abuja

### Key Functions

1. **Regulatory:** Regulate the processing of personal information in Nigeria
2. **Supervisory:** Monitor and enforce compliance with the NDPA
3. **Advisory:** Advise the Federal Government on data protection matters
4. **Standard-setting:** Issue regulations, guidelines, and codes of conduct
5. **Registration:** Register DCPMIs and license DPCOs
6. **Investigation:** Investigate complaints and breaches
7. **Enforcement:** Issue compliance orders, enforcement orders, and impose sanctions
8. **International cooperation:** Collaborate with foreign data protection authorities
9. **Awareness:** Promote public awareness of data protection rights and obligations
10. **Research:** Conduct and commission research on data protection

### Powers

- **Investigate** any complaint (unless frivolous or vexatious)
- **Issue compliance orders** (warnings, cease and desist)
- **Issue enforcement orders** (remedies, compensation, fines)
- **Institute criminal proceedings** for NDPA breaches
- **Approve** binding corporate rules, codes of conduct, certification mechanisms for cross-border transfers
- **Determine** adequacy of data protection in foreign countries
- **Prescribe** categories of personal data subject to additional restrictions
- **Designate** additional categories of sensitive personal data
- **License** Data Protection Compliance Organisations (DPCOs)
- **Collaborate** with sector-specific regulators (CBN, NCC, FCCPC)
- **Collaborate** with security agencies (e.g., Office of the Inspector General of Police) for enforcement

### Governance

- Led by a **Commissioner/CEO** (currently Dr. Vincent Olatunji)
- Governing Council provides oversight
- Funded through appropriations, fees, and other sources

### DPCO Licensing

- DPCOs are entities licensed by the NDPC
- They provide: training, auditing, consulting, compliance services
- UHL and EHL DCPMIs must file compliance audits through licensed DPCOs

---

## 12. NDP Act vs GDPR — Comparison Table

| Feature | NDP Act 2023 (Nigeria) | GDPR (EU) |
|---------|----------------------|-----------|
| **Date of Enactment** | 12 June 2023 | 25 May 2018 |
| **Supervisory Authority** | Nigeria Data Protection Commission (NDPC) | National DPAs (e.g., CNIL, ICO) + EDPB |
| **Territorial Scope** | Processing of personal data of data subjects **in Nigeria** | Processing of personal data of data subjects **in the EU/EEA** |
| **Extraterritorial Application** | Yes — applies to foreign entities processing data of Nigerian data subjects | Yes — applies to foreign entities offering goods/services to EU data subjects or monitoring their behaviour |
| **Definition of Personal Data** | Nearly identical to GDPR | Any information relating to an identified or identifiable natural person |
| **Lawful Bases** | **6 bases** (same as GDPR: consent, contract, legal obligation, vital interests, public interest, legitimate interests) | **6 bases** (identical categories) |
| **Consent Age for Children** | **18 years** (with NDPC empowered to make rules for 13+) | **16 years** (member states may lower to 13) |
| **DPO Requirement** | Mandatory for **DCPMIs** | Mandatory for public authorities, large-scale processing, or systematic monitoring |
| **Registration Requirement** | **DCPMIs must register** with the NDPC (processing >200 data subjects in 6 months) | **No registration requirement** (GDPR eliminated this) |
| **Breach Notification Timeline** | **72 hours** to NDPC; **immediately** to data subjects for high risk | **72 hours** to DPA; **without undue delay** to data subjects for high risk |
| **Maximum Administrative Fine** | **2% of annual gross revenue OR ₦10 million** (DCPMI) / **₦2 million** (non-DCPMI) | **Up to €20 million OR 4% of global annual turnover** |
| **Criminal Penalties** | Yes — up to **1 year imprisonment** | Generally left to member states; most impose criminal penalties |
| **Cross-Border Transfer Mechanism** | Adequacy decisions, BCRs, contractual clauses, codes of conduct, certification + derogations | Adequacy decisions, SCCs, BCRs, codes of conduct, certification + derogations |
| **Right to be Forgotten** | Yes (Section 34(1)(d)) | Yes (Article 17) |
| **Right to Data Portability** | Yes (Section 38) — only for consent/contract bases (per GAID) | Yes (Article 20) — only for consent/contract bases |
| **DPIA Required** | Yes — for processing posing **substantial risk** | Yes — for processing likely to result in **high risk** |
| **Sensitive Data Categories** | 7 categories + NDPC may prescribe others | 8 categories (adds criminal conviction data explicitly) |
| **Compliance Audit Filing** | **Mandatory annual filing** for DCPMIs | No equivalent requirement |
| **DPCO System** | **Unique to Nigeria** — licensed entities that audit and train on compliance | No equivalent |
| **Joint Controllers** | Not explicitly detailed (covered indirectly) | Explicitly addressed (Article 26) |
| **Data Protection by Design/Default** | Addressed through security obligations (S.39) | Explicitly mandated (Article 25) |
| **Lead Supervisory Authority** | Single authority (NDPC) | One-stop-shop mechanism across EU |
| **Exclusion of Data Transit** | Explicitly excludes **mere transit** of data originating outside Nigeria | No explicit equivalent exclusion |

### Key Differences to Remember for Exam

1. **Registration system** — Nigeria requires DCPMI registration; GDPR eliminated registration
2. **DPCO system** — unique to Nigeria
3. **Fine levels** — significantly lower in Nigeria (2%/₦10M vs 4%/€20M)
4. **Child consent age** — 18 in Nigeria vs 16 (or lower) in EU
5. **Criminal penalties** — explicitly included in NDPA (up to 1 year imprisonment)
6. **Compliance audit filing** — mandatory in Nigeria; no GDPR equivalent
7. **Breach notification to data subjects** — "immediately" in Nigeria vs "without undue delay" in GDPR

---

## 13. Study Flashcards — 50 Q&A Pairs

### Basics & Scope

**Q1:** When was the Nigeria Data Protection Act signed into law?
**A1:** 12 June 2023, by President Bola Ahmed Tinubu.

**Q2:** What is the principal data protection legislation in Nigeria?
**A2:** The Nigeria Data Protection Act 2023 (NDPA).

**Q3:** What legislation did the NDPA effectively replace?
**A3:** It elevated the NDPR 2019 (a regulation) to legislative status. The NDPR remains in force and is read alongside the NDPA until the GAID takes effect, but the NDPA prevails where there is conflict.

**Q4:** What is the territorial scope of the NDPA?
**A4:** It applies to processing of personal data of data subjects in Nigeria (Section 2(1)) and has extraterritorial reach to foreign entities processing data of data subjects in Nigeria (Section 2(2)).

**Q5:** What processing activities are excluded from the NDPA's scope?
**A5:** Processing solely for personal or household purposes (provided it doesn't violate the right to privacy), and the mere transit of data originating outside Nigeria.

**Q6:** Name five types of processing partially exempt from Part V obligations under Section 3.
**A6:** (1) Criminal law enforcement by competent authorities; (2) National public health emergencies; (3) National security; (4) Journalism/education/artistic/literary purposes; (5) Legal claims (court, administrative, or out-of-court).

**Q7:** Are the exemptions under Section 3 absolute?
**A7:** No. Even exempt processing must comply with: data processing principles (S.24), lawful basis (S.25), DPO designation (S.32), breach notification (S.40), and all data subject rights (Part VI).

### Definitions

**Q8:** Define "Personal Data" under the NDPA.
**A8:** Any information relating to an individual who can be identified or is identifiable, directly or indirectly, by reference to identifiers such as name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, psychological, cultural, social, or economic identity.

**Q9:** What constitutes "Sensitive Personal Data" under the NDPA?
**A9:** Data relating to: genetic/biometric data for identification, race/ethnic origin, religious/philosophical beliefs, health status, sex life, political opinions/affiliations, trade union membership, and any other category prescribed by the NDPC.

**Q10:** Define "Data Controller" under the NDPA.
**A10:** An individual, private entity, public commission, agency, or any other body who, alone or jointly with others, determines the purposes and means of processing personal data.

**Q11:** Define "Data Processor" under the NDPA.
**A11:** An individual, private entity, public authority, or any other body who processes personal data on behalf of or at the direction of a data controller or another data processor.

**Q12:** What is a DCPMI?
**A12:** A Data Controller or Processor of Major Importance — one that is domiciled/resident/operating in Nigeria and processes personal data of more than the prescribed number of data subjects in Nigeria, or processes data of particular value/significance to the economy, society, or security of Nigeria.

**Q13:** What is the threshold for DCPMI classification?
**A13:** Processing personal data of at least 200 data subjects within a 6-month period (per the Guidance Notice). Three levels: OHL (>200), EHL (>1,000), UHL (>5,000).

**Q14:** What is a DPCO?
**A14:** A Data Protection Compliance Organisation — an entity licensed by the NDPC for training, auditing, consulting, and ensuring compliance with the NDPA.

**Q15:** What does "Processing" exclude under the NDPA?
**A15:** The mere transit of data originating outside Nigeria.

### Principles

**Q16:** List the seven principles of data processing under Section 24 of the NDPA.
**A16:** (1) Lawfulness, fairness, and transparency; (2) Purpose limitation; (3) Data minimisation; (4) Storage limitation; (5) Accuracy; (6) Security (integrity and confidentiality); (7) Accountability.

**Q17:** What does the accountability principle require?
**A17:** Data controllers and processors owe a duty of care and must demonstrate accountability in respect of the principles. Third-party processing must be governed by a written contract.

**Q18:** What is the storage limitation under the GAID (effective September 2025)?
**A18:** Personal data storage shall lapse not later than 6 calendar months after the original purpose of processing is accomplished, subject to other legal obligations.

### Lawful Basis

**Q19:** List all six lawful bases for processing under Section 25.
**A19:** (1) Consent; (2) Contractual necessity; (3) Legal obligation; (4) Vital interests; (5) Public interest/official authority; (6) Legitimate interests.

**Q20:** What are the requirements for valid consent under the NDPA?
**A20:** Must be freely given, specific, informed, and unambiguous. For sensitive data, consent must be explicit. The data subject must be informed of the right to withdraw before consenting. It must be as easy to withdraw as to give.

**Q21:** What three conditions must be met for the legitimate interests basis?
**A21:** (1) Interests must not override the data subject's fundamental rights, freedoms, and interests; (2) Must be compatible with other lawful bases (except consent); (3) Data subject would have a reasonable expectation of such processing.

**Q22:** What is the age of a child under the NDPA for consent purposes?
**A22:** 18 years. The NDPC may make regulations for children aged 13 and above regarding online services.

### Data Subject Rights

**Q23:** List all data subject rights under the NDPA.
**A23:** Right to be informed, access, rectification, erasure (right to be forgotten), restrict processing, withdraw consent, object to processing, not be subject to automated decision-making, data portability, and lodge a complaint with the NDPC.

**Q24:** Under what conditions can a data subject exercise the right to data portability?
**A24:** Only when the legal basis for processing is consent or contractual necessity (per the GAID). Not applicable against controllers performing public duties.

**Q25:** Is the right to object to direct marketing absolute under the NDPA?
**A25:** Yes. Once a data subject objects to processing for direct marketing purposes, it is absolute and the controller must terminate processing immediately for that purpose.

**Q26:** What is the timeline for responding to a data subject access request?
**A26:** Within one month of receipt, provided free of charge (unless manifestly unfounded or excessive).

**Q27:** Can civil society organisations file complaints on behalf of data subjects?
**A27:** Yes. Under the GAID, a Standard Notice to Address Grievance can be served by the data subject, an authorised representative, or a civil society organisation acting in the public interest.

### Obligations

**Q28:** When is appointment of a DPO mandatory?
**A28:** For Data Controllers and Processors of Major Importance (DCPMIs). Also mandatory for: government organs, organisations processing >10,000 data subjects per annum, organisations processing sensitive data regularly, and holders of critical national information infrastructure.

**Q29:** What are the three functions of a DPO under Section 32(3)?
**A29:** (1) Advise the controller/processor and employees on NDPA obligations; (2) Monitor compliance with the NDPA and related policies; (3) Act as contact point for the NDPC.

**Q30:** What are the DCPMI registration fees?
**A30:** MDP-OHL: ₦10,000; MDP-EHL: ₦100,000; MDP-UHL: ₦250,000.

**Q31:** What is the deadline for filing the Compliance Audit Return (CAR)?
**A31:** 31 March each year for DCPMIs established before 12 June 2023. New entities: within 15 months of establishment, then annually.

**Q32:** Which DCPMI categories must file their CAR through a licensed DPCO?
**A32:** UHL and EHL categories.

### Cross-Border Transfers

**Q33:** What is the general rule for cross-border data transfers under the NDPA?
**A33:** Transfers are permitted if the recipient is subject to a law, BCRs, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection.

**Q34:** Name four factors the NDPC considers in assessing adequacy.
**A34:** (1) Enforceable data subject rights and judicial redress; (2) Existence of an effective data protection law; (3) Independent, competent data protection authority with enforcement powers; (4) International commitments and membership of multilateral organisations.

**Q35:** List three derogations allowing transfer without adequacy.
**A35:** (1) Informed consent of the data subject; (2) Transfer necessary for contractual performance; (3) Transfer necessary for important reasons of public interest.

### DPIA

**Q36:** When is a DPIA required under the NDPA?
**A36:** When processing personal data could potentially pose a substantial risk to the rights and freedoms of a data subject, considering the nature, scope, context, and purposes of processing.

**Q37:** What must a controller do if a DPIA indicates high probability of risks?
**A37:** Consult the NDPC before processing. The NDPC may provide guidance, require modifications, or prohibit the processing.

### Breach Notification

**Q38:** What is the breach notification timeline to the NDPC?
**A38:** Within 72 hours of becoming aware of the breach, if it is likely to result in a risk to the rights and freedoms of individuals.

**Q39:** When must data subjects be notified of a breach?
**A39:** Immediately, when the breach is likely to result in a high risk to their rights and freedoms.

**Q40:** What must a breach notification to data subjects include?
**A40:** Description of the breach in plain and clear language, likely consequences, advice about mitigation measures the data subject could take, and contact details of a point of contact.

**Q41:** What alternative is available if direct notification to data subjects is not feasible?
**A41:** The controller may make a public communication in one or more widely used media sources such that the data subjects are likely to be informed.

### Enforcement & Penalties

**Q42:** What is the maximum administrative fine for a DCPMI?
**A42:** 2% of annual gross revenue of the preceding year OR ₦10 million, whichever is greater.

**Q43:** What is the maximum fine for a non-DCPMI?
**A43:** 2% of annual gross revenue of the preceding year OR ₦2 million, whichever is greater.

**Q44:** Can individuals face imprisonment under the NDPA?
**A44:** Yes. Failure to comply with NDPC orders is a criminal offence liable to a fine, imprisonment for up to 1 year, or both.

**Q45:** What factors does the NDPC consider when determining sanctions?
**A45:** Nature/gravity/duration of infringement, purpose of processing, number of data subjects, level of damage and mitigation, intent or negligence, degree of cooperation, types of personal data involved.

### NDPC

**Q46:** What body did the NDPC succeed?
**A46:** The Nigeria Data Protection Bureau (NDPB), which was created by Executive Order in 2022.

**Q47:** Can the NDPC institute criminal proceedings?
**A47:** Yes, where it determines an organisation has breached the NDPA.

**Q48:** Which entities are exempt from DCPMI registration even if they meet thresholds?
**A48:** Community-Based Associations, Faith-Based Organisations, Foreign Embassies/High Commissions, Judicial establishments, and Multigovernmental Organisations.

### Comparison & Application

**Q49:** Name three key differences between the NDP Act and the GDPR.
**A49:** (1) NDPA requires DCPMI registration; GDPR eliminated registration; (2) NDPA fines cap at 2%/₦10M vs GDPR's 4%/€20M; (3) Child consent age is 18 in Nigeria vs 16 (or 13) in the EU.

**Q50:** What is the GAID, and when does it take effect?
**A50:** The General Application and Implementation Directive, issued by the NDPC on 20 March 2025. It takes effect on 19 September 2025 and will replace the NDPR 2019 and NDPR Implementation Framework as the primary subsidiary legislation under the NDPA.

---

## Quick Reference Card

| Item | Detail |
|------|--------|
| **Act Name** | Nigeria Data Protection Act 2023 |
| **Date Signed** | 12 June 2023 |
| **President** | Bola Ahmed Tinubu |
| **Regulator** | Nigeria Data Protection Commission (NDPC) |
| **NDPC Head** | Commissioner/CEO |
| **Predecessor Regulation** | NDPR 2019 |
| **Predecessor Body** | Nigeria Data Protection Bureau (NDPB) |
| **Upcoming Change** | GAID effective 19 September 2025 (replaces NDPR) |
| **Lawful Bases** | 6 (consent, contract, legal obligation, vital interests, public interest, legitimate interests) |
| **Data Subject Rights** | 10 rights |
| **Breach Notification** | 72 hours to NDPC; immediately to data subjects (high risk) |
| **Max Fine (DCPMI)** | 2% of annual gross revenue OR ₦10 million (greater) |
| **Max Fine (Non-DCPMI)** | 2% of annual gross revenue OR ₦2 million (greater) |
| **Max Imprisonment** | 1 year |
| **Child Age** | Under 18 |
| **DCPMI Threshold** | >200 data subjects per 6 months |
| **DPO Mandatory** | For DCPMIs |
| **Audit Filing Deadline** | 31 March annually |

---

*End of Study Guide. Good luck with the CDPO exam, Sir Sid! 🎯*
