Data Protection 2022
Ninth Edition
Contributing Editors:

Table of Contents

Q&A Chapters

Australia
35 MinterEllison: Anthony Borgese, Helen Cheung, Zoe Zhang & Tony Issa

Belgium
49 Sirius Legal: Bart Van den Brande

Brazil
61 ASBZ Advogados: Luiza Sato, Guilherme Braguim, Igor Baden Powell & Geórgia Costa

Canada
71 McMillan LLP: Lyndsay A. Wasser & Kristen Pennington

China
84 King & Wood Mallesons: Susan Ning & Han Wu

Denmark
97 Lund Elmer Sandager: Torsten Hylleberg, Emilie Ipsen & Anders Linde Reislev

France
108 White & Case LLP: Clara Hainsdorf & Bertrand Liard

Germany
118 Noerr Partnerschaftsgesellschaft mbB: Daniel Ruecker, Julian Monschke, Pascal Schumacher & Korbinian Hartl

Greece
127 Nikolinakos & Partners Law Firm: Dr. Nikos Th. Nikolinakos, Dina Th. Kouvelou & Alexis N. Spyropoulos

India
139 Khaitan & Co LLP: Harsh Walia & Supratim Chakraborty

Indonesia
150 H & A Partners in association with Anderson Mōri & Tomotsune: Steffen Hadi, Sianti Candra & Dimas Andri Himawan

Isle of Man
162 DQ Advocates Limited: Kathryn Sharman & Sinead O’Connor

Israel
172 Naschitz, Brandes, Amir & Co., Advocates: Dalit Ben-Israel & Maya Peleg

Italy
187 FTCC Studio Legale Associato: Pierluigi Cottafavi & Santina Parrello

Japan
198 Mori Hamada & Matsumoto: Hiromi Hayashi & Masaki Yukawa

Korea
210 D’LIGHT Law Group: Iris Hyejin Hwang & Hye In Lee

Mexico
220 OLIVARES: Abraham Diaz Arceo, Gustavo Alcocer & Carla Huitron

Nigeria
229 Udo Udoma and Belo-Osagie: Jumoke Lambo & Chisom Okolie

Norway
241 Wikborg Rein Advokatfirma AS: Gry Hvidsten & Emily M. Weitzenboeck

Pakistan
254 S. U. Khan Associates Corporate & Legal Consultants: Saifullah Khan & Saeed Hasan Khan

Peru
263 Iriarte & Asociados: Erick Iriarte Ahón & Fátima Toche Vega

Poland
272 Leśniewski Borkiewicz & Partners S.K.A.: Grzegorz Leśniewski, Mateusz Borkiewicz & Jacek Cieśliński

Nigeria
Jumoke Lambo
1 Relevant Legislation and Competent Authorities

1.1 What is the principal data protection legislation?

Nigeria does not have a principal legislation on data protection. The principal data protection regulation in Nigeria is the Nigeria Data Protection Regulation 2019 (“NDPR”) which is a subsidiary legislation issued pursuant to the National Information Technology Development Agency Act 2007.

1.2 Is there any other general legislation that impacts data protection?

The following laws and regulations impact data protection in Nigeria:
a. The Constitution of the Federal Republic of Nigeria 1999 (as amended).
b. The NDPR Implementation Framework 2020, issued by the National Information Technology Development Agency (“NITDA”) (“Implementation Framework”).
c. The Child Rights Act, 2003.
d. The Cybercrimes (Prohibition, Prevention, Etc.) Act, 2015.
e. The Freedom of Information Act, 2011.
f. The National Health Act, 2014.
g. The HIV and AIDS (Anti-Discrimination) Act, 2014.

1.3 Is there any sector-specific legislation that impacts data protection?

The following sector-specific law, regulations and guidelines have an impact on data protection in Nigeria:
a. The Consumer Code of Practice Regulations 2007 (“NCC Regulations, 2007”) published by the Nigerian Communications Commission (“NCC”).
b. The Registration of Telephone Subscribers Regulations 2011, published by the NCC.
c. The Consumer Protection Regulations 2020, issued by the Central Bank of Nigeria (“CBN”), Nigeria’s apex bank.
d. The Nigerian Communications Commission Lawful Interception of Communications Regulations, 2019.
e. The Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020, issued by the NITDA.
f. The Official Secrets Act 1962.

1.4 What authority(ies) are responsible for data protection?

The NITDA and the Nigeria Data Protection Bureau are the principal regulatory authorities responsible for enforcing the NDPR in Nigeria. On 4th February 2022, the President of the Federal Republic of Nigeria, President Muhammadu Buhari announced the establishment of a dedicated data protection agency for Nigeria, the Nigeria Data Protection Bureau (“NDPB”). This means that, going forward, the NDPB and not the NITDA will be responsible for the enforcement of data protection regulations and for the administration of all related data protection matters in Nigeria. The NDPB will, until the substantive data protection regulation is passed, continue to operate within the existing regulatory framework i.e. the NDPR and the NDPR Implementation Framework. Enacting a substantive Data Protection Bill which will create a regulatory framework for the establishment and administration of the NDPB and related data protection matters is one of the top priorities of the NDPB. Pending the establishment of the framework and the stabilisation of operations, the NITDA continues to regulate data protection in Nigeria on a transitional basis.

Other sector-specific regulatory authorities like the CBN and the NCC may also enforce the various regulations that touch on data protection within their sectors.

2 Definitions

2.1 Please provide the key definitions used in the relevant legislation:

■ “Personal Data”
The NDPR defines “Personal Data” as any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as, but not limited to: media access control address; internet protocol address; international mobile equipment identity number; international mobile subscriber identifier number; SIM; personal identifiable information; and others.

■ “Processing”
The NDPR defines “Processing” as any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

■ “Controller”
According to the NDPR, a “Data Controller” is any person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed.

■ “Processor”
Although the NDPR does not expressly define the term “Data Processor”, the term is used interchangeably with “Data Administrator”. The NDPR defines a data administrator simply as a person or an organisation that processes data.

■ “Data Subject”
The NDPR defines a “Data Subject” as any person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

■ “Sensitive Personal Data”
Under the NDPR, “Sensitive Personal Data” means any data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records or any other sensitive personal information.

■ “Data Breach”
According to the NDPR, a “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

■ Other key definitions
The NDPR and Implementation Framework do not define the term “Pseudonymous Data”, but the Implementation Framework references the term in one of the questions provided in the Audit Template for NDPR Compliance as one of the questions to ask a Data Controller or Processor when carrying out their Data Protection Compliance Audit, in Annexure A of the NDPR.
The NDPR does not recognise the concept of “Direct Personal Data” or “Indirect Personal Data”. The NDPR also provides for the following key definitions:

■ “Data Portability”
The NDPR defines Data Portability as the ability of data to be transferred easily from one computer to another through a safe and secured means in a standard format.

■ “Data Protection Compliance Organisation”
This refers to an entity or organisation that is duly licenced by the NITDA for the purpose of training, auditing, consulting and rendering services and products to ensure compliance with the NDPR or any foreign data protection law that has effect in Nigeria.

■ “Data Subject Access Request”
Under the NDPR, this means the mechanism for an individual to request a copy of their personal data under a formal process which may include the payment of a fee.

3 Territorial Scope

3.1 Do the data protection laws apply to businesses established in other jurisdictions? If so, in what circumstances would a business established in another jurisdiction be subject to those laws?

According to Regulation 1.2 of the NDPR, the NDPR will apply to businesses established in other jurisdictions where the businesses are involved in the processing of the Personal Data of natural persons who are Nigerian citizens irrespective of where they reside or Nigerian residents.

4 Key Principles

4.1 What are the key principles that apply to the processing of personal data?

■ Transparency
Regulation 2.1(1) of the NDPR provides that Personal Data shall be collected and processed in accordance with specific, legitimate and lawful purpose consented to by the Data Subject. This means that the processing of Personal Data should be lawful and fair. The processing activity should be transparent to the Data Subject and easily comprehensible.

■ Lawful basis for processing
Regulation 2.2 of the NDPR provides five lawful bases for processing Personal Data:
a. where the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
b. where processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
c. where processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
d. where processing is necessary in order to protect the vital interests of the Data Subject or of another natural person; or
e. where processing is necessary for the performance of a task carried out in the interest of the general public or in the exercise of an official public mandate vested in the Data Controller.

■ Purpose limitation
The principle of purpose limitation in relation to data protection is encapsulated in Regulation 2.1(1)(a) of the NDPR which provides that the Personal Data obtained from the Data Subject shall only be processed in accordance with the specific, legitimate and lawful purpose consented to by the Data Subject. The Regulation enables further processing to be done only for archiving, scientific research, historical research or statistical purposes for public interest.

■ Data minimisation
Regulation 2.1(1)(b) of the NDPR requires the Personal Data being processed to be adequate, accurate and without prejudice to the dignity of the human person. Therefore, when processing Personal Data, the Data Controller or Processor must ensure that the Personal Data to be processed is adequate, relevant and ought to be on a “need-to-know” basis in relation to the purposes for which it is being processed.
a. The accuracy of the Personal Data is contested by the Data Subject for a period enabling the Data Controller to verify the accuracy of the Personal Data.
b. The processing is unlawful, and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead.
c. The Data Controller no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims.
d. The Data Subject has objected to processing, pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.
Regulation 3.1(12) also provides that where processing has been restricted, such Personal Data shall, except for storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in Nigeria. The Data Controller shall also communicate any restriction to each recipient to whom the Personal Data has been disclosed, unless this proves impossible or requires a disproportionate effort. The Data Controller is also obligated to inform the Data Subject about those recipients if the Data Subject requests it.

■ Right to data portability
Under Regulation 3.1(14), the Data Subject has the right to receive the Personal Data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format, and have the right to transmit the data to another Data Controller without hindrance from the initial Data Controller to which the Personal Data had been provided, where:
a. the processing is based on consent; or
b. on a contract; and
c. the processing is carried out by automated means.
In exercising this right, the Data Subject is entitled to have the Personal Data transmitted directly from one Data Controller to another, where this is technically feasible. Provided that this right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the Data Controller.

■ Right to withdraw consent
A Data Subject is entitled to withdraw his/her consent to the processing of his/her personal data at any point in time. Regulation 2.3(2)(c) provides that prior to giving consent, a Data Subject is to be informed of his/her right and the method to withdraw his/her consent at any given time, without affecting the lawfulness of the processing based on consent that had been carried out by the Data Controller before the request for the withdrawal by the Data Subject.

■ Right to object to marketing
Regulation 2.8 of the NDPR provides that a Data Subject is entitled to object to the processing of his/her data which the Data Controller intends to process for the purpose of marketing. His/her right to object can be expressed in relation to any form of data processing free of charge.

■ Right against automated decision-making and profiling
Section 5.3.1 of the Implementation Framework provides that the Data Controller must obtain the consent of the Data Subject before the Data Controller makes a decision based solely on automated processing which produces legal effects concerning or significantly affecting the Data Subject. Regulation 3.1(7)(l) provides that prior to the processing of the Personal Data, the Data Subject ought to be informed of the existence of automated decision-making, including profiling and, at least, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

■ Right to complain to the relevant data protection authority(ies)
Data Subjects are entitled under section 9 of the Implementation Framework to report any breach of the NDPR to NITDA through any of NITDA’s advertised channels.

■ In addition to the above, the Data Subject also has the following rights. The right to:
a. know the details of the Data Controller;
b. be informed about the transfer of his/her Personal Data to another country; and
c. be notified where his/her Personal Data is to be processed for further purposes that are different from the ones for which he/she had given his/her consent.

5.2 Please confirm whether data subjects have the right to mandate not-for-profit organisations to seek remedies on their behalf or seek collective redress.

According to Regulation 4.1(8) of the NDPR, the mass media and civil societies may uphold accountability and foster the objectives of the NDPR. Section 9.1 of the Implementation Framework further provides that, in addition to Data Subjects, civil societies or professional organisations may report a breach of the NDPR to the NITDA.

6 Children’s Personal Data

6.1 What additional obligations apply to the processing of children’s personal data?

Under the NDPR, for the purpose of processing Personal Data, a child is any person below the age of 13. Where the Personal Data of children is to be processed, section 5.5 of the Implementation Framework imposes an obligation on the Data Controller or Processor to ensure that its privacy policy is made in a child-friendly form with the aim of making the children and their parents/guardians have a clear and easy understanding of the data processing activity before granting their consent to the processing of their child/ward’s Personal Data. Furthermore, Regulation 2.4(a) prohibits seeking or accepting consent in respect of processing Personal Data in any circumstance that may endanger a child’s rights.

7 Registration Formalities and Prior Approval

7.1 Is there a legal obligation on businesses to register with or notify the data protection authority (or any other governmental body) in respect of its processing activities?

Generally, under the NDPR, there is no legal obligation on a business (Data Controller/Processor) to register with the NITDA in respect of its processing activities. Businesses are, however, required to notify and seek the approval (i.e. obtain an adequacy decision) of the Honourable Attorney General of the Federation (“HAGF”) through the NITDA where the processing of Personal Data involves the transfer of Personal
Data to a foreign country or to an international organisation. Section 2.12 of the NDPR provides that in the absence of any decision by the NITDA or HAGF as to the adequacy of the safeguards in a foreign country, a transfer or a set of transfers of Personal Data to a foreign country or an international organisation shall take place only on one of the following conditions:
a. the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the Data Subject due to the absence of an adequacy decision and appropriate safeguards and that there are no alternatives;
b. the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of pre-contractual measures taken at the Data Subject’s request;
c. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the data controller and another natural or legal person;
d. the transfer is necessary for important reasons of public interest;
e. the transfer is necessary for the establishment, exercise or defence of legal claims; or
f. the transfer is necessary in order to protect the vital interests of the Data Subject or of other persons, where the data subject is physically or legally incapable of giving consent.
The NDPR also requires Data Controllers or Processors to conduct a detailed audit of their privacy and data protection practices and, on an annual basis, submit a summary of their data protection audit to NITDA no later than 15 March of the following year where the Data Controller or Processor has processed the Personal Data of more than 2,000 Data Subjects in a period of 12 months. A soft copy of the summary of the audit must also be submitted to the NITDA where a Data Controller or Processor has processed the Personal Data of more than 1,000 Data Subjects within a period of six months. Data Controllers and Processors are required to comply with the provisions of the NDPR.

7.2 If such registration/notification is needed, must it be specific (e.g., listing all processing activities, categories of data, etc.) or can it be general (e.g., providing a broad description of the relevant processing activities)?

Where an adequacy decision is sought from the HAGF and NITDA, Section 7.1 of the Implementation Framework requires the Data Controller to provide the following information:
a. the list of countries where the Personal Data of Nigerian citizens and residents is being transferred in the regular course of business;
b. the data protection laws of the relevant data protection office/administration of such countries listed in (i) above;
c. the privacy policy of the Data Controller, which is NDPR compliant;
d. an overview of the encryption method and data security standards; and
e. any other detail that assures the privacy of Personal Data is adequately protected in the target country.
With respect to the filing of the Data Controller or Processor’s data protection compliance audit report with the NITDA, Regulation 4.1(5) of the NDPR requires the report to contain the following information:
a. personally identifiable information the organisation collects on employees of the organisation and members of the public;
b. any purpose for which the personally identifiable information is collected;
c. any notice given to individuals regarding the collection and use of personal information relating to that individual;
d. any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual;
e. whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and any method used to obtain consent;
f. the policies and practices of the organisation for the security of personally identifiable information;
g. the policies and practices of the organisation for the proper use of personally identifiable information;
h. the organisation’s policies and procedures for privacy and data protection;
i. the policies and procedures of the organisation for monitoring and reporting violations of privacy and data protection policies; and
j. the policies and procedures of the organisation for assessing the impact of technologies on the stated privacy and security policies.

7.3 On what basis are registrations/notifications made (e.g., per legal entity, per processing purpose, per data category, per system or database)?

Please see our answer to question 7.1 above.

7.4 Who must register with/notify the data protection authority (e.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation)?

Pursuant to sections 3.7 and 6.5 of the Implementation Framework, the Data Controller or Processor may notify the NITDA in respect of an international transfer of Personal Data and the filing of its data protection compliance audit report through its Data Protection Officer (“DPO”) and Data Protection Compliance Organisation (“DPCO”).

7.5 What information must be included in the registration/notification (e.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes)?

Please see our answer to question 7.3 above.

7.6 What are the sanctions for failure to register/notify where required?

Regulation 2.10 of the NDPR provides that the NITDA may impose fines in respect of a breach of the provisions of the NDPR. The range of fines imposed under the NDPR are as follows:
a. in the case of a Data Controller dealing with more than 10,000 Data Subjects, the payment of a fine of 2% of the organisation’s annual gross revenue of the preceding year or the payment of the sum of N10,000,000.00, whichever is greater; and
7.9 Is any prior approval required from the data protection regulator?

No. Prior approval is not required from the NITDA to conduct and file a data protection compliance audit.

7.10 Can the registration/notification be completed online?

7.12 How long does a typical registration/notification process take?

The filing of a data protection compliance audit report with the NITDA on the online platform can be completed in one day of the receipt of the audit report and the payment of the applicable filing fees.

The DPO is usually an employee or an external organisation contracted to act in this capacity. As a result, the DPO would be bound by the terms of its employment contract or any contract for service that relates to disciplinary measures or other employment consequences.

8.4 Can a business appoint a single Data Protection Officer to cover multiple entities?

Section 3.7 of the Implementation Framework provides that a DPO should be chosen with due regard to the nature of the business’ processing activities and data protection issues. It further lists the qualities of the DPO to include:
a. having professional expertise in Nigerian data protection laws and practices;
10.7 What are the maximum penalties for sending marketing communications in breach of applicable restrictions?

It is a Data Subject’s right to be informed and his/her consent sought where the Data Controller intends to transfer personal data of such Data Subject to a third party or intends to process his/her Personal Data for marketing purposes. Regulation 2.10 of the NDPR, in addition to criminal prosecution, prescribes the following penalties for anyone who is found to be in breach of the data privacy rights of any Data Subject:
a. in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of a fine of 2% of its annual gross revenue of the preceding year or payment of the sum of N10,000,000, whichever is greater; and
b. in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of a fine of 1% of its annual gross revenue of the preceding year or payment of the sum of N2,000,000, whichever is greater.

11 Cookies

11.1 Please describe any legislative restrictions on the use of cookies (or similar technologies).

According to section 5.6 of the Implementation Framework, the use of cookies on a website requires consent. A website owner is required to:
a. make the cookie information clear and easy to understand;
b. notify users of the presence and purpose of the cookies;
c. identify the entity responsible for the use of the cookies; and
d. provide information on how to withdraw consent from the use of the cookie.

11.2 Do the applicable restrictions (if any) distinguish between different types of cookies? If so, what are the relevant factors?

The NDPR does not distinguish between the different types of cookies.

12.2 Please describe the mechanisms businesses typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions (e.g., consent of the data subject, performance of a contract with the data subject, approved contractual clauses, compliance with legal obligations, etc.).

In Nigeria, the NITDA implements an international data transfer under the supervision of the HAGF. However, in the absence of the decision of the agency or the HAGF on the data protection safeguards in a foreign country, data can be transferred under any of the following conditions:
a. that the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers;
b. the transfer is necessary for the performance of a contract between the Data Subject and the Data Controller or the implementation of pre-contractual measures taken at the Data Subject’s request;
c. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the Data Controller and another natural or legal person;
d. the transfer is necessary for important reasons of public interest;
e. the transfer is necessary for the establishment, exercise or defence of legal claims; and
f. the transfer is necessary in order to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent;
Provided, in all circumstances, that the Data Subject has been manifestly made to understand through clear warnings the specific principle(s) of data protection that are likely to be violated in the event of transfer to a third country.
Section 7.3 of the NDPR also provides for circumstances where an organisation seeks to transfer Personal Data to another entity within its group of companies or an affiliate company. In such an instance, it is sufficient for the organisation to transfer the Personal Data on the basis of a binding corporate rule (“BCR”) or to sign a Standard Contracting Clause/s (“SCC”) which is to be adopted by industry and the NITDA. The BCR or SCC may be included in the data protection audit report or submitted separately to NITDA for approval.
c. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person;
d. the transfer is necessary for important reasons of public interest;
e. the transfer is necessary for the establishment, exercise or defence of legal claims; and
f. the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
The HAGF may prohibit the international transfer of data where it believes the data protection regime of the country is inadequate. The NITDA has published a White List of countries which have been certified by the NITDA as having adequate data protection laws. A Data Controller who intends to transfer the personal data to a foreign jurisdiction has to provide the following information:
a. the list of countries where the Personal Data of Nigerian citizens and residents is being transferred in the regular course of business;
b. the data protection laws of the relevant data protection office/administration of such countries listed above;
c. the privacy policy of the Data Controller, which must be NDPR compliant;
d. an overview of the encryption method and data security standards; and
e. any other detail that assures the privacy of Personal Data is adequately protected in the target country.
We are not able to say how long the notification period takes; it varies as it depends on the peculiarity of each situation, the kind of data that is to be transferred and how long the NITDA due diligence investigations on the foreign country take.

13.2 Is anonymous reporting prohibited, strongly discouraged, or generally permitted? If it is prohibited or discouraged, how do businesses typically address this issue?

Anonymous reporting is generally permitted.

14 CCTV

14.1 Does the use of CCTV require separate registration/notification or prior approval from the relevant data protection authority(ies), and/or any specific form of public notice (e.g., a high-visibility sign)?

The NDPR applies to the processing of Personal Data notwithstanding the means by which the data processing is being conducted or intended to be conducted in respect of natural persons in Nigeria or of the Personal Data of Nigerian citizens who are resident outside Nigeria. The use of CCTV does not require a separate registration or prior approval from the NITDA but should ideally be brought to the attention of the Data Subject. The improper use of CCTV can result in a breach of privacy rights. It is recommended that a notice stating that CCTVs are being used should be placed in a conspicuous part of the facility, such as the entrance, so everyone is aware that CCTVs are being used.

14.2 Are there limits on the purposes for which CCTV data may be used?

Yes, the Data obtained can only be used for the purpose stated in the CCTV privacy policy.

15 Employee Monitoring
language. Prior to granting his consent, the Data Subject is also required to be notified of his right and method to withdraw his consent at any given time. Consent cannot be implied, i.e., inactivity or silence does not constitute consent. Section 5.4 of the Implementation Framework further specifies the types of consent that are acceptable under the NDPR. It provides that consent can be explicit consent or opt-in consent. Explicit consent is given where the Data Subject provides a clear and documentable agreement, e.g. ticking a box, signing a form, sending an email or signing a paper or document. Opt-in consent, on the other hand, refers to a situation where consent can only be said to have been given when the Data Subject chooses to opt in to the processing of his/her Personal Data.
The employees should, therefore, be informed of the kind of monitoring schemes that are in place and the purpose of such monitoring activity, and the employers must ensure that the consent of the employees to monitoring is express and freely given in accordance with the provisions of the NDPR and the Implementation Framework.

15.3 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?

The employer has no obligation under the data protection laws to inform the trade union of the steps it takes to monitor its employees unless it is a provision of a collective bargaining or other agreement with the trade union.

15.4 Are employers entitled to process information on an employee’s COVID-19 vaccination status?

Employers can process information on an employee’s COVID-19 vaccination status when the employee consents to such processing. Information on health falls within the definition of Sensitive Personal Data under the NDPR. The Implementation Framework provides that Sensitive Personal Data should be processed based on the explicit consent of a Data Subject. Since a record of employees’ COVID-19 vaccinations is part of the health information of employees, such sensitive personal data can only be processed where the explicit consent of the employees has been obtained by the employer.

16 Data Security and Data Breach

16.1 Is there a general obligation to ensure the security of personal data? If so, which entities are responsible for ensuring that data are kept secure (e.g., controllers, processors, etc.)?

Yes, there is. According to Regulation 2.6 of the NDPR, anyone involved in data processing or the control of data is required to develop security measures to protect data. Hence, both the Data Controller and the Data Processor have the obligation to secure personal data. Where data is being transferred to a third party, such transfer will be governed by a contract between the Data Controller and the third party. The contract will spell out the roles of both the Data Controller and the third party in relation to the protection of the data of the Data Subject. It is important to note that under the NDPR, the Data Controller who engages the services of third-party processors remains primarily liable to the Data Subjects for the protection of the Personal Data it collects.

16.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expect(s) voluntary breach reporting.

Yes. There is a legal requirement to report breaches to the data protection authority. Sections 3.2 (ix) and 9.2 of the Implementation Framework provide that a Data Controller or Processor is expected to report any incident of breach to NITDA within 72 hours of becoming aware of the breach. This timeline is required to be documented in the organisation’s data protection policy and privacy policy. The details to be reported include:
a. A description of the circumstances of the loss or unauthorised access or disclosure.
b. The date or time period during which the loss or unauthorised access or disclosure occurred.
c. A description of the personal information involved in the loss or unauthorised access or disclosure.
d. An assessment of the risk of harm to individuals because of the loss or unauthorised access or disclosure.
e. An estimate of the number of individuals to whom there is a real risk of significant harm because of the loss or unauthorised access or disclosure.
f. A description of steps the organisation has taken to reduce the risk of harm to individuals.
g. A description of any steps the organisation has taken to notify individuals of the loss or unauthorised access or disclosure.
h. The name and contact information for a person who can answer, on behalf of the organisation, the Agency’s questions about the loss or unauthorised access or disclosure.

16.3 Is there a legal requirement to report data breaches to affected data subjects? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expect(s) voluntary breach reporting.

Under section 9.4 of the Implementation Framework, the Data Controller is required to immediately notify the Data Subject of a Personal Data breach where the breach will likely result in high risks to the freedoms and rights of the data subject.

16.4 What are the maximum penalties for data security breaches?

The penalties stated in question 7.6 above are applicable.

17 Enforcement and Sanctions

17.1 Describe the enforcement powers of the data protection authority(ies).

(a) Investigative Powers: Without prejudice to the right of a data subject to approach a court of competent jurisdiction for the breach of his privacy rights, the NITDA can initiate the investigation of allegations of any breach of the provisions of this Regulation. It can invite any party to respond to allegations made against it within seven days.
(b) Corrective Powers: Where NITDA has ascertained that a party is in breach of the NDPR, NITDA may issue an order for compliance with relevant provisions to curtail further breaches.
(c) Authorisation and Advisory Powers: The NITDA can issue administrative orders to protect the subject-matter of an allegation pending the outcome of investigation.
(d) Imposition of administrative fines for infringements of specified GDPR provisions: NITDA has the power to issue a monetary fine following an administrative process that complies with principles of fair hearing and judicial safeguards. A decision on the money value shall be based on the following considerations:
a. nature, gravity and severity of the breach;
b. the number of data subjects affected;
c. damage suffered by data subjects;
d. opportunity for curtailment left unexplored; and
e. whether the breach is the first by the offending entity.
(e) Non-compliance with a data protection authority: Any person who is found to be in breach of the data privacy rights of any Data Subject will be liable, in addition to any other criminal liability, to:
In the case of a Data Controller dealing with more than 10,000 Data Subjects – a monetary fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of NGN10 million, whichever is greater.
Where a Data Controller deals with less than 10,000 Data Subjects – a fine of 1% of the Annual Gross Revenue of the preceding year or the sum of N2 million, whichever is greater.
In addition, any breach of the NDPR will be construed as a breach of the provisions of the NITDA Act and the consequences of the Act would also apply in such circumstances.
(f) Prosecutorial Powers – The NITDA is empowered to seek a fiat of the HAGF or may file a petition with any authority in Nigeria. This may include: the Economic and Financial Crimes Commission; the Department of State Security; the Nigerian Police Force; the Independent Corrupt Practices (and other related offences) Commission; or the Office of National Security Adviser.

17.2 Does the data protection authority have the power to issue a ban on a particular processing activity? If so, does such a ban require a court order?

Nigerian citizens or residents in contravention of the provisions of the NDPR. Please see https://www.vanguardngr.com/2019/09/were-investigating-truecaller-over-breach-of-privacy-rights-nitda/. We are, however, not aware of the outcome of these investigations.

18 E-discovery / Disclosure to Foreign Law Enforcement Agencies

18.1 How do businesses typically respond to foreign e-discovery requests, or requests for disclosure from foreign law enforcement agencies?

Businesses respond positively to such requests, subject to the provisions of the NDPR.

18.2 What guidance has/have the data protection authority(ies) issued?

Some of the guidance issued includes:
a. A disclosure of such transfer is to be made to the data subject, by providing a publication to the data subject giving details of the third-party data recipient.
b. Obtaining the consent of the Data Subject.
c. Such transfer should be under the supervision of the HAGF.
d. The country in which such foreign law enforcement agencies are located should be one that has a good structure in place for the protection of data obtained and processed.

19 Trends and Developments

19.1 What enforcement trends have emerged during the previous 12 months? Describe any relevant case law or recent enforcement actions.

None that we are aware of.

19.2 What “hot topics” are currently a focus for the data protection regulator?
Jumoke Lambo is a Partner in the law firm of Udo Udoma and Belo-Osagie. She heads the firm’s Telecommunications, Media and Technology practice group, which includes the data protection practice. She co-heads the firm’s Aviation, Corporate Advisory and Employment teams. Jumoke has over three decades’ experience in telecommunications law, data protection, cybersecurity, employment law, immigration law and general corporate practice with an emphasis on corporate advisory, legislative drafting, mergers and acquisitions and foreign investment. Jumoke was part of the committee that conducted a holistic review of the telecommunications framework in Nigeria and drafted the Nigerian Communications Bill. Her work has also been noted in the International Financial Law Review’s Expert Guides. She has been recognised by Business Day as one of Nigeria’s 20 top female lawyers in business law and by Who’s Who Legal for her Employment Law expertise. Jumoke is a member of the Nigerian Bar Association and the International Bar Association, as well as a fellow of the Centre for International Legal Studies.
Chisom Okolie is an Associate in the firm’s Telecommunications, Media and Technology, Corporate Finance and Energy teams. As a professional who understands the law and how it applies to clients’ businesses, she has advised on various areas of the law including: data protection; debt financing; private equity; corporate re-structuring and mergers and acquisitions; energy; telecommunications, media and technology; and entertainment practice.

Chisom has co-authored articles in the International Comparative Legal Guide series and the Thomson Reuters Practical Law Journal, and has been recognised for her contributions to the World Bank Group’s Doing Business Guide as well as its Women, Business and the Law Report.