Introduction
The Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025 together provide a comprehensive legal structure governing the collection, processing, and storage of personal data in Nigeria. A significant part of this framework addresses the obligations of data processors, particularly third-party service providers that handle personal data on behalf of data controllers. This article discusses the legal responsibilities of these service providers under the NDPA and the GAID and highlights strategies for ensuring compliance and mitigating legal risk.
Overview of the NDPA and GAID
The NDPA[1] is Nigeria's primary data protection law, enacted to ensure that personal data is processed in accordance with the fundamental right to privacy. The Act applies to entities that collect, process, store, or transfer personal data in Nigeria, and to processing carried out outside Nigeria where the data subjects are in Nigeria. The GAID, which takes effect on 19 September 2025, provides detailed guidance on implementing the NDPA's provisions. Significantly, it repeals the Nigeria Data Protection Regulation (NDPR) 2019, thereby establishing a single set of data protection requirements across Nigeria. The GAID clarifies the NDPA's objectives, scope, and application, including the data protection rights of the various categories of data subjects.
Under the NDPA and the GAID, the key stakeholders are:
- Data Controllers: individuals, private entities, public commissions, agencies, or any other organisations that, alone or jointly with others, determine the purposes and means of processing personal data[2].
- Data Processors: entities that process personal data on behalf of data controllers. These often include third-party service providers such as IT firms, cloud storage providers, and outsourced HR or marketing services.
Key Legal Obligations for Data Processors
- Compliance With the Principles and Obligations of the Act
Data processors are required to process personal data lawfully, fairly, and transparently. This includes ensuring security and confidentiality and adhering to the fundamental principles: processing data only for specific and legitimate purposes, collecting only data that is relevant and necessary, and keeping data accurate[3]. They are also obliged to implement appropriate technical and organisational measures to guard against unauthorised access, loss, or breach[4].
The GAID 2025 introduces more stringent compliance requirements. These include mandatory registration for data processors of major importance and annual Compliance Audit Returns (CARs) for Ultra-High Level (UHL) and Extra-High Level (EHL) processors[5]. UHL processors are those that handle very large volumes of personal data or perform critical data processing functions, while EHL processors handle data whose processing carries significant consequences for the public interest or for the rights and freedoms of individuals.
These obligations reinforce accountability, protect the rights of data subjects, and help processors avoid regulatory penalties.
- Implementation of Security Measures
Both the NDPA and the GAID[6] require data processors to establish and maintain suitable technical and organisational measures to protect personal data from unauthorised access, loss, destruction, alteration, or disclosure[7]. These measures should be proportionate to the sensitivity of the data being processed and include safeguards such as encryption, pseudonymisation, access controls, and regular security assessments[8]. Processors are also expected to review and update their security controls continuously to address emerging risks, so that they remain compliant with regulatory standards and continue to protect the rights of data subjects[9].
- Data Privacy Impact Assessment
Data controllers bear the responsibility of conducting a Data Privacy Impact Assessment (DPIA) before undertaking any processing of personal data that is likely to pose a high risk to the rights and freedoms of data subjects[10]. Where the assessment identifies significant risks, the data controller must consult the regulatory authority before proceeding[11]. This requirement ensures that adequate safeguards are in place to mitigate the identified risks and uphold data protection standards.
- Data Breach Notification
In the event of a personal data breach, data processors are required to notify the data controller promptly upon becoming aware of the incident[12]. Where the breach is likely to pose a risk to the rights and freedoms of individuals, the data controller must report it to the regulatory authority within 72 hours[13]. This notification should describe the breach in detail, including, where feasible, the categories and approximate number of affected data subjects and records[14]. In practice this means a processor's incident response procedure must include a contractual and technical channel for reaching the controller quickly, because the controller's 72-hour clock depends on the processor's timeliness. These requirements are crucial for ensuring regulatory compliance, mitigating potential harm, and maintaining data protection standards.
- Data Transfers
A data controller or processor may transfer personal data from Nigeria to another country only where the recipient is subject to a legal, corporate, or contractual framework that ensures an adequate level of data protection[15]. In the absence of such safeguards, a transfer is permissible only under specific conditions, such as the informed and unrevoked consent of the data subject, the necessity of the transfer for the performance of a contract, or where the transfer is solely in the interest of the data subject[16]. Pending the issuance of further regulations, the GAID 2025[17] provides interim criteria for assessing the adequacy of foreign data protection regimes, with particular attention to their enforcement of fundamental rights and relevant court decisions. Furthermore, data controllers and processors must keep records documenting the legal basis for every cross-border transfer[18].
- Data Protection Officers (DPOs)[19]
A data controller of major importance is required to designate a Data Protection Officer (DPO) with expertise in data protection law and practice. The DPO is responsible for advising the data controller or processor, and their employees, on compliance with data protection obligations[20]. The DPO must also monitor compliance with applicable laws and internal policies and act as the primary point of contact with the regulatory authority on matters relating to data processing[21].
- Registration
Data controllers and data processors of major importance are required to register with the Nigeria Data Protection Commission (NDPC) within six months after the commencement of the NDPA, or upon becoming a controller or processor of major importance[22]. Registration enables regulatory oversight of compliance with data protection obligations. The GAID 2025[23] reinforces this requirement, treating timely registration as a prerequisite for lawful processing and effective supervision.
Legal Consequences and Non-Compliance
Non-compliance with data protection obligations may result in significant legal consequences for data controllers and data processors:
- Failure to Comply with Regulatory Orders: A data controller or processor that fails to comply with directives issued by the Commission commits an offence and is liable to the prescribed penalties. These sanctions may include substantial fines, imprisonment, or both, with stricter penalties for controllers and processors of major importance[24].
- Monetary Penalties: Financial penalties for non-compliance vary based on the status of the data controller or processor:
- For data controllers or processors of major importance: the maximum fine is the higher of ₦10,000,000 or 2% of the entity's annual gross revenue in the preceding financial year[25].
- For other data controllers or processors: the maximum fine is the higher of ₦2,000,000 or 2% of the entity's annual gross revenue in the preceding financial year[26].
- Late Filing of Compliance Audit Returns (CARs): This may also attract administrative penalties, including a 50% surcharge on the applicable filing fee[27]. The GAID[28] specifies CAR filing fees ranging from ₦100,000 to ₦1,000,000, depending on the number of data subjects whose data is processed.
- Determining Sanctions: In assessing penalties, the Commission considers factors including the nature, gravity, and duration of the violation; the purpose of the processing; the number of data subjects affected; and the extent of the harm caused. It also considers whether the infringement was negligent or intentional, the measures taken to mitigate the damage, the degree of cooperation with the Commission, and the sensitivity of the data involved[29].
- Liability of Corporate Entities: Where a corporate body or firm commits an offence, both the organisation and its principal officers may be held liable. A principal officer can avoid liability by establishing that the offence was committed without his or her consent or connivance and that he or she exercised due diligence to prevent it[30].
Footnotes
1 Ibid.
2 Section 65 Nigeria Data Protection Act, 2023
3 Section 29 Nigeria Data Protection Act, 2023
4 Section 29(1)(c) Nigeria Data Protection Act, 2023
5 Articles 9 and 10 of the General Application and Implementation Directive (GAID) 2025
6 Nigeria Data Protection Act, 2023 & Article 29 of GAID 2025
7 Section 39(1) Nigeria Data Protection Act, 2023
8 Section 39(2) Nigeria Data Protection Act, 2023
9 Section 39(2) (g-h) Nigeria Data Protection Act, 2023
10 Section 28(1) Nigeria Data Protection Act, 2023 & Article 28 of GAID 2025
11 Section 28(2) Nigeria Data Protection Act, 2023
12 Article 33 GAID 2025
13 Section 40(2) Nigeria Data Protection Act, 2023
14 Ibid.
15 Section 41(1) Nigeria Data Protection Act, 2023
16 Section 43(1) Nigeria Data Protection Act, 2023
17 Schedule 5 GAID, 2025
18 Section 41(2) Nigeria Data Protection Act, 2023
19 Article 7 GAID 2025
20 Section 32(1) Nigeria Data Protection Act, 2023
21 Section 32(3) Nigeria Data Protection Act, 2023
22 Section 44(1)-(2) Nigeria Data Protection Act, 2023
23 Article 9 GAID 2025
24 Section 49 Nigeria Data Protection Act, 2023
25 Section 48(4) Nigeria Data Protection Act, 2023
26 Section 48(5) Nigeria Data Protection Act, 2023
27 Article 10(9) GAID 2025
28 Schedule 10 GAID 2025
29 Section 48(6) Nigeria Data Protection Act, 2023
30 Section 53(1)-(2) Nigeria Data Protection Act, 2023
Originally published on 28 May, 2025
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.