š³š¬ Nigeria
Informations
Extracts :
Extract :
No mention of the subject rignt related to Citizens outside their jurisdiction
2021
Reference :
Nigeria Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
No mention of the subject rignt related to Persons within their jurisdiction
2021
Reference :
Nigeria Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
No mention of the subject rignt related to Legal entities
2021
Reference :
Nigeria Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
No mention of the data controller's obligation/responsibility to Organizations located outside the jurisdiction processing regulated subjects data.
2021
Reference :
Nigeria Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Extracts :
Extract :
"Data controller: means an individual, private entity, public commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing personal data.
Data controller or data processor of major importance: means a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the NDPC may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, so- ciety or security of Nigeria as the NDPC may designate.
Data processor: means an individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor. Data subject: means an individual to whom personal data relates."
Reference :
Switzerland Data protection overview | DataGuidance
Information on Switzerland data protection
Extracts :
Extract :
"The NDPA applies where:
ā¢ data controller or data processor is domiciled in, resident in, or operating in Nigeria;
ā¢ processing of personal data occurs within Nigeria; or
ā¢ the data controller or the data processor is not domiciled in, resident in, or operating in Nigeria, but is processes personal data of a data subject in Nigeria.
The NDPR applies to Nigerian citizens regardless of where they reside. The NDPR will apply to a data controller so long as the data of a Nigerian citizen is collected. The NDPR will have extra-territorial scope in its application. (Section1.2(b) of the NDPR)."
Reference :
Switzerland Data protection overview | DataGuidance
Information on Switzerland data protection
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
"Authorisation and Advisory Powers: The NITDA can issue administrative orders to protect the subject-matter of an allegation pending the outcome of investigation.
Imposition of administrative fines for infringements of specified GDPR provisions: NITDA has the power to issue a monetary fine following an administrative process that complies with principles of fair hearing and judicial safeguards. A decision on the money value shall be based on the following considerations:
1. a. nature, gravity and severity of the breach;
2. b. the number of data subjects affected;
3. c. damage suffered by data subjects;
4. d. opportunity for curtailment left unexplored; and
5. e. whether the breach is the first by the offending entity."
Reference :
ICLG Website
Link to reference Extracts :
Extract :
"The NDPR outlines that depending on the violation, a penalty may be up to either: 2% of annual gross revenue of the preceding year or payment of the sum of NGN 10 million (approx. ā¬20,000), whichever is greater where the data controller is dealing with more than 10,000 data subjects; or payment of a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of NGN 2 million (approx. ā¬4,000) whichever is greater where the data controller is dealing with fewer than 10,000 data subjects."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
"The NDPR outlines that depending on the violation, a penalty may be up to either: 2% of annual gross revenue of the preceding year or payment of the sum of NGN 10 million (approx. ā¬20,000), whichever is greater where the data controller is dealing with more than 10,000 data subjects; or payment of a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of NGN 2 million (approx. ā¬4,000) whichever is greater where the data controller is dealing with fewer than 10,000 data subjects."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
"Under the NDPR, the data subject has the right to lodge a complaint with NITDA."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
"The Bill provides for various offences and sanctions under Part XI, including fines of potentially NGN 10 million (approx. ā¬22,900) or imprisonment for up to two years."
2022
Reference :
Nigeria Data protection overview | DataGuidance
Updated DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The GDPR specifically provides for DPIAs in certain circumstances. Although the text of the NDPR itself does not reference DPIAs, the NDPR Implementation Framework provides that DPIAs are required in certain circumstances, similar to those listed by the GDPR."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
"The NDPR does not define pseudonymised data."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
"Although the text of the NDPR itself
does not specify a requirement for data controllers to report data breaches, the NDPR Implementation Framework provides that data controllers should immediately notify the data subject of the personal data breach where the personal data breach will likely result in high risks to the freedoms and rights of the data subject."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
"Although the text of the NDPR itself does not specify a requirement for data controllers to report data breaches, the NDPR Implementation Framework clarifies that have a duty to report of personal data breaches to NITDA within 72 hours of knowledge of such breach."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
"Under the NDPR, there is no obligation for data processors to notify the data controller of the breach."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
"Data Security: Section 24(1)(f) provides that a Data Controller or Data Processor shall ensure that Personal Data is processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach. Section 39(1) also requires a Data Controller and Data Processor to implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of Personal Data in its possession."
2022
Reference :
Data Protection Laws and Regulations Nigeria 2023-2024
Information on NGA | ICLG
Extracts :
Extract :
"Under the NDPR, data subjects have the right to withdraw their consent to the processing of their personal data at any time. In addition, a data subject may choose to object to the processing of personal
data relating to him which the data controller intends to process for the purpose of marketing (Section
2.8 of the NDPR)."
2021
Reference :
Nigeria Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
There is the right for portability
Reference :
The Nigeria Data Protection Act, 2023
Information on NGA | KPMG
Link to reference Extracts :
Extract :
"8.7. Right not to be subject to automated decision-making
Prior to collecting personal data from a data subject, the data controller has to provide the data subject
with information regarding the existence of automated decision-making (Section 3.17(l) of the NDPR)."
2021
Reference :
Nigeria Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.1. Right to be informed
A data controller is required to take appropriate measures to provide any information relating to processing
to the data subject in a concise, transparent, intelligible and easily accessible form, using clear
and plain language, and for any information relating to a child. The information shall be provided in
writing, or by other means, including, where appropriate, by electronic means (Section 3.1(1) of the
NDPR)."
2021
Reference :
Nigeria Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.1. Right to be informed
A data controller is required to take appropriate measures to provide any information relating to processing
to the data subject in a concise, transparent, intelligible and easily accessible form, using clear
and plain language, and for any information relating to a child. The information shall be provided in
writing, or by other means, including, where appropriate, by electronic means (Section 3.1(1) of the
NDPR)."
2021
Reference :
Nigeria Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.2. Right to access
A data subject has the right to receive the personal data concerning him or her, which he or she has
provided to a controller, in a structured, commonly used and machine-readable format, and has the
right to transmit those data to another controller without hindrance from the controller to which the
personal data have been provided (Section 3.1(14) of the NDPR)."
2021
Reference :
Nigeria Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.3. Right to rectification
A data subject has the right to be notified by the data controller of the rectification of data (Section
3.1(13) of the NDPR)."
2021
Reference :
Nigeria Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.4. Right to erasure
A data subject has the right to the erasure of personal data (Section 3.1(You have -19073 days left in your 13) of the NDPR)."
2021
Reference :
Nigeria Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
"Section 7.3 of the NDPR also provides for circumstances where an organisation seeks to transfer Personal Data to another entity within its group of companies or an affiliate company. In such instance, it is sufficient for the organisation to transfer the Personal Data on the basis of a binding corporate rule ("BCR") or to sign a Standard Contracting Clause/s ("SCC") which is to be adopted by industry and the NITDA. The BC or SCC may be included in the data protection audit report or submitted separately to NITDA for approval."
Reference :
ICLG Website
Link to reference Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Extracts :
Extract :
Data entered based on reference.
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
Extracts :
Extract :
"The NDPR does not require the data controller to consult the supervisory authority prior to any processing that would result in a high risk."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
"The NDPR and the GDPR both provide for an obligation to appoint a DPO. "
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
"The NDPR Implementation Framework provides that a DPO should have professional expertise in Nigerian data protection laws and practices and an in-depth understanding of applicable data protection laws."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
"The NDPR Implementation Framework stipulates that DPOs must have the requisite knowledge to perform the following tasks: inform and advise the organisation, management, employees and third parties processors of their obligations under the NDPR; monitor compliance with the NDPR and with the organisation's own data protection objectives; assign responsibilities, raise awareness and train members of staff involved in processing operations; advise on DPIAs and monitor its performance; and liaise with NITDA and/or the DPCO on data protection matters."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
Yes. A business may appoint a single DPO to cover multiple entities.
Reference :
ICLG Website
Link to reference Extracts :
Extract :
Extracts :
Extract :
"Yes. Regulation 3.1(7) of the NDPR lists the identity and contact details of the DO as part of the information a Data Controller is required to provide to the Data Subject before collecting his/her Personal Data. Therefore, the DO should be identified in the Data Controller's privacy policy, notice or any equivalent document."
Reference :
ICLG Website
Link to reference Extracts :
Extract :
"The NDPR does not provide for exemptions to the requirement to report breaches."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
Extract :
Extracts :
Extract :
Extract :
Extracts :
Extract :
Extract :
Extracts :
Extract :
Extract :
Extracts :
Extract :
Extract :
Extracts :
Extract :
"Prior to the NDPA, the Nigerian Data Protection Regulation, 2019 ('NDPR') which was issued at the time by the National Information Technology Development Agency ('NITDA') was the go-to regulation on data protection. Although enforceable, it remains a subsidiary legislation, and there was no specific commission to oversee data protection. The NDPR was a placeholder until the enactment of the NDPA, and NITDA had to stretch itself to oversee data protection."
Reference :
Switzerland Data protection overview | DataGuidance
Information on Switzerland data protection
Extracts :
Extract :
Data entered based on reference.
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The NDPR does not impose the obligation to maintain a record of processing activities on either the controller or the processor."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - NGA
Extracts :
Extract :
| Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|
| National Data Protection Bureau (NDPB) | NDPB | Regulator | Under the government authority | 2022 |
| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|