Sandra Eke[1]

  1. INTRODUCTION

A third-party data processing agreement is a crucial component of personal data protection and privacy. It is a legally binding contract that sets out the rights and obligations of each party concerning the protection of personal data.[2] In an era where information is a valuable asset, organizations often need to collaborate with external entities to process data efficiently. The agreement establishes the terms and conditions under which a third party may handle, store, or otherwise process personal data on behalf of another organization, usually the data controller.[3] As a business owner, having a data processing contract affords you some comfort and assurance that the external parties your business engages will be bound to meet the compliance requirements imposed on them under the requisite data protection instruments when they process personal data on your business's instructions. When entrusting a processor with processing activities, a data controller or processor is expected to engage only processors that provide sufficient guarantees to implement appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data, because the controller or processor will be held liable for the actions or inactions of the third-party processors that process personal data on its behalf.[4] This article sheds some light on third-party data processing contracts in Nigeria and the benefits of using them.

  2. WHO NEEDS TO ENTER INTO A DATA PROCESSING CONTRACT?

According to the provisions of the Nigeria Data Protection Act (NDPA), all data controllers who engage data processors, and all data processors who engage other data processors, to process personal data on their behalf are required to enter into a data processing agreement.[5] This obligation extends to all controllers and processors in both the public and private sectors. Thus, any external party that carries out any operation or set of operations on personal data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing by transmission, disseminating or otherwise making available, restricting, erasing or destroying personal data on a data controller's or processor's instruction, is obliged to enter into a data processing agreement with that data controller or processor.[6]

  3. THE PURPOSE AND BENEFITS OF DATA PROCESSING AGREEMENTS (DPAs)

3.1 Legal Compliance

Under the NDPA and other data protection instruments in Nigeria, data processing by a third party is governed by a written contract between the third party and the data controller or processor.[7] In addition, the NDPA and the NDPR require any person engaging a data processor to ensure that the principles and obligations set out in the data protection legislation are complied with.[8] A data processing contract thus helps ensure compliance with these requirements.

3.2 Accountability and Clear Responsibilities

The agreement clearly defines the roles, obligations and responsibilities of the data controller and the data processor.[9] This helps avoid misunderstandings and ensures that each party understands its obligations regarding data protection. It also creates an accountability framework between a controller and a data processor, or between one processor and another, by establishing clear contractual obligations. The agreement outlines the scope of the data processing activities, specifying the types of data involved and the purpose for which they will be processed. This ensures clarity and transparency, which are crucial elements of compliance with the data protection instruments in Nigeria.[10]

3.3 Protecting the rights of data subjects

One key benefit of DPAs is that they help ensure that the rights of data subjects are preserved and protected.[11] The agreement usually outlines how the data processor should assist the data controller or processor in fulfilling data subject rights requests, such as requests for access, rectification, erasure and data portability.

3.4 Data Security

The DPA typically includes provisions on the security measures the data processor must implement to protect the personal data it processes on behalf of the data controller or another processor.[12] It addresses the third party's obligations regarding data security, including provisions for safeguarding the confidentiality, integrity, and availability of the data.[13] This is fundamental to protecting sensitive information from unauthorized access, disclosure, or alteration.

3.5 Data Breach Mitigation

The DPA often sets out the specifics of data breaches and the notification process. In the event of a data breach, it obliges the data processor to inform the data controller or other processor promptly.[14] This facilitates a swift response to mitigate potential risks and ensures compliance with legal requirements.

  4. EXAMPLES OF THIRD-PARTY DATA PROCESSING IN ORGANISATIONS

Below are some instances of data processing services provided by third parties to most organizations: software-as-a-service solutions such as newsletter or accounting tools, outsourced information technology services, operators of input masks (forms) that can be integrated into your website (e.g. Mailchimp), cloud-based CRM tools, external call centres or customer service centres, external payroll services, external maintenance of servers and computers, file and data media destruction by external service providers, hosting services, etc.[15] All of these external services require a data processing agreement between the company using the service and the vendor it engages.

A notable example of an organisation that has entered into data processing agreements with its third-party processors is the New York Times (NYT). The NYT engages Google BigQuery to gather and analyze data about the kinds of articles people read, how long they stay on the site, and how often they use the company's application.[16] This kind of business relationship is usually governed by a data processing agreement.

Another company that makes DPAs available to its third-party data processors is Proton Mail. As part of its compliance efforts, the company made data processing contracts available to all its enterprise users to download, review, and sign.[17]

  5. EFFECT OF FAILURE TO PREPARE DATA PROCESSING AGREEMENTS WITH DATA PROCESSORS

Companies that fail to meet their data protection obligations, such as entering into data processing agreements with their data processors, could face liabilities such as fines and penalties, especially if their actions result in a serious data breach. Under the data protection statutes in Nigeria, violators of data protection laws and regulations can be issued enforcement and compliance orders by the data protection supervisory authority (the Nigeria Data Protection Commission (NDPC)), which are intended to serve as penalty measures and a deterrent to defaulting data controllers or processors.[18] These penalty measures include, but are not limited to, the payment of monetary damages, closure of business operations, and an order that the data controller or processor account for the profits realized from the violation.[19]

  6. CONCLUSION

A well-crafted third-party data processing agreement serves as a vital instrument in the responsible and lawful handling of data. It establishes a framework for collaboration while prioritizing data protection, security, and legal compliance. As the digital landscape evolves, such agreements become increasingly essential in fostering trust between organizations and their external partners in the intricate realm of data processing. Thus, in choosing a data processor, organisations are advised to take reasonable measures to ensure that their data processors do not have a record of violating the principles outlined in the data protection instruments in Nigeria, so as to reduce the occurrence of data breach incidents and avoid severe penalties and sanctions from the regulatory commission.[20] These measures may include conducting thorough due diligence on the data protection measures and security practices of a third party before engaging it, collaborating with third-party processors in conducting Data Protection Impact Assessments for high-risk processing activities, choosing third-party processors that adhere to recognized data compliance requirements, certifications and standards related to data protection and security, and ensuring that the employees of the third-party processor are adequately trained on data protection and privacy principles to minimize the risk of human error.[21]

Footnotes

1. Sandra Eke, Associate, Intellectual Property and Technology Department, S.P.A Ajibade & Co, Lagos, Nigeria.

2. GDPR.EU, "What is a GDPR data processing agreement?" https://gdpr.eu/what-is-data-processing-agreement/ accessed 14 December 2023.

3. See Art. 12.3(a) NDPR Implementation Framework 2020.

4. See Section 29(1)(c) of the Nigeria Data Protection Act (NDPA) 2023, Gazette No. 119, Vol. 110 (1 July 2023).

5. See Section 29(2) NDPA. See also Art. 28(3) EU General Data Protection Regulation (GDPR) (2018) 2016/679.

6. See Section 65 NDPA.

7. See Section 29(2) NDPA and Reg. 2.7 NDPR.

8. See Section 29(1)(a) NDPA and Reg. 2.7 NDPR.

9. See Art. 12.3(a) NDPR Implementation Framework.

10. See Section 24(1)(a) NDPA.

11. See Section 29(1)(b) NDPA.

12. See Section 29(1)(c) NDPA.

13. Ibid.

14. This helps the data controller, or the processor engaging another processor, fulfil its breach notification obligations under the data protection instruments in Nigeria.

15. Turing, "What Is a Data Processing Agreement & Why Do You Need One?" available at: https://www.turing.com/resources/what-is-a-data-processing-agreement accessed 19 December 2023.

16. Ironclad, "What Is a Data Processing Agreement (DPA)?" https://ironcladapp.com/journal/contracts/what-is-a-data-processing-agreement-dpa/#:~:text=A%20data%20processing%20agreement%2C%20or,a%20GDPR%20data%20processing%20agreement accessed 14 December 2023.

17. GDPR.EU, "What is a GDPR data processing agreement?" https://gdpr.eu/what-is-data-processing-agreement/ accessed 14 December 2023.

18. See Sandra Eke et al., "A Review Of The Nigeria Data Protection Act 2023" available at: https://www.mondaq.com/nigeria/privacy-protection/1389752/a-review-of-the-nigeria-data-protection-act-2023 accessed 15 December 2023.

19. Ibid. Violators of the provisions of the NDPA can be ordered to pay monetary penalties of up to the greater of N10,000,000 and 2% of their annual gross revenue if they are data controllers or data processors of major importance, while the standard maximum amount is the greater of N2,000,000 and 2% of the annual gross revenue of a data controller or data processor not of major importance.

20. See Reg. 2.4(b) NDPR.

21. UpGuard, "Ensuring Data Protection for Third Parties: Best Practices" available at: https://www.upguard.com/blog/data-protection-for-third-parties#:~:text=Implement%20Security%20Measures%3A%20Once%20policies,security%2C%20and%20data%20disposal%20processes accessed 20 December 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.