31 October 2025

Navigating Data Compliance: A Guide For Foreign Companies On Nigeria's Data Protection Law And Cross-Border Data Transfers

Adeola Oyinlade & Co

Contributor

Adeola Oyinlade & Co. is a leading full-service law firm in Nigeria providing competent, innovative, cost-effective, and well-timed responsive services. The firm offers a variety of legal services including corporate, commercial and business advisory, dispute resolution, litigation and more to a vast range of national and foreign clients.

A Data Controller is an individual, private entity, public Commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data. They decide the objectives behind the collection and processing of personal data. A Data Processor on the other hand is an individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor. They act in accordance with the directives of the data controller and are required to process personal data in compliance with data protection laws. Cross-border data transfer refers to the transmission of data from one jurisdiction to another, either electronically or physically. This can take place via the internet, physical storage media, or other forms of communication.

In certain situations, foreign-owned companies operating in Nigeria may need to transfer the personal data of Nigerian data subjects to their parent or affiliate entities in other jurisdictions. However, such transfers must comply with the requirements of Nigeria's data protection laws. This article aims to guide organizations engaged in cross-border data transfers on how to remain compliant and avoid potential sanctions from the regulatory authorities.

Data Controllers and Data Processors of Major Importance

According to Section 65 of the Nigeria Data Protection Act 2023 and Article 8 of the NDPA General Application and Implementation Framework 2025, a data controller or data processor of major importance is a data controller or data processor that is domiciled, resident in, or operating in Nigeria and:

  1. Processes or intends to process personal data of more than Two-Hundred (200) data subjects in six (6) months;
  2. Carries out commercial Information Communication Technology (ICT) services on any digital device which has storage capacity for personal data and belongs to another individual; or
  3. Processes personal data as an organization or a service provider in any one of the following sectors: Aviation; Communication; Education; Electric Power; Export and Import; Financial; Health; Hospitality; Insurance; Oil and Gas; Tourism; E-Commerce; Public Service.

In order to ensure proportionality of obligations in relation to various levels of major data processing, the NDPA classifies data controllers and data processors into 3 (three) levels or categories of major data processing, namely:

  1. Ultra-High Level (UHL)

Data controllers and data processors of major importance in this category are Commercial banks operating at national or regional level, Telecommunication companies, Insurance companies, Multinational companies, Electricity distribution companies, Oil and Gas companies, Public social media App developers and proprietors, Public e-mail App developers and proprietors, Communication devices manufacturers, Payment gateway service providers, Fintechs and organisations that process personal data of over Five-Thousand (5,000) data subjects in six (6) months. They are required to pay a statutory registration fee of N250,000.

  2. Extra-High Level (EHL)

Data controllers and data processors of major importance in this category are Ministries, Departments and Agencies (MDAs) of government, Micro Finance Banks, Higher Institutions, Hospitals providing tertiary or secondary medical services, Mortgage Banks and organisations that process personal data of over One-Thousand (1,000) data subjects but less than Five-Thousand (5,000) within six (6) months. They are required to pay a statutory registration fee of N100,000.

  3. Ordinary-High Level (OHL)

Data controllers and data processors of major importance in this category are Primary and Secondary Schools, Corporate Training Service Providers, Primary Health Centres, Independent Medical Laboratories, Hotels and Guest Houses with less than fifty (50) suites, Processors who process sensitive personal data of more than Two-Hundred (200) data subjects for commercial purposes and organizations that process personal data of over Two-Hundred (200) data subjects but less than One-Thousand (1,000) within six (6) months. They are required to pay a statutory registration fee of N10,000.[1]

Cross-Border Data Transfer under the NDPA

Cross-border data transfer is the movement of data from one jurisdiction to another, either physically or electronically. This data transfer can occur through various means, such as the internet, physical storage devices, or other communication methods. Data Controllers who are subsidiaries of foreign companies in Nigeria can transfer data to their holdings in other jurisdictions; however, this must be done in compliance with the provisions of the NDPA, which regulates cross-border transfer of data from Nigeria.

There are various grounds for data transfer from Nigeria to another jurisdiction, namely:

  1. Adequacy Decision by the NDPC
  2. Cross Border Data Transfer Instrument (CBDTI) approved by the NDPC; and
  3. Other lawful bases.

  1. Adequacy Decision by the NDPC

This is the determination of the adequacy of the appropriate safeguards by the Nigeria Data Protection Commission (NDPC) that permits the movement of data from Nigeria to another jurisdiction. The NDPC may adjudge a country as affording adequate data protection based on the following conditions:

  1. Availability of enforceable data subject's rights, the ability of a data subject to enforce such rights through administrative or judicial redress, and the rule of law
  2. Existence of any appropriate instrument between the NDPC and a competent authority in the recipient jurisdiction that ensures adequate data protection
  3. Access of a public authority to personal data
  4. Existence of an effective data protection law
  5. Existence and functioning of an independent, competent data protection, or similar supervisory authority with adequate enforcement powers
  6. International commitments and conventions binding on the relevant country and its membership of any multilateral or regional organisations.[2]

  2. Cross Border Data Transfer Instrument (CBDTI) approved by the NDPC

The NDPC may approve a CBDTI for a data controller or data processor, or a group of data controllers and processors, in the absence of an adequacy decision. These instruments may be referred to as:

  1. codes of conduct
  2. certifications
  3. binding corporate rules, or
  4. standard contractual clauses.[3]

  3. Other lawful bases for cross-border transfer

The NDP Act recognizes special circumstances which may necessitate cross-border data transfer without an adequacy decision or an approved CBDTI.

In the absence of adequacy of protection under the NDP Act, a data controller/data processor shall only transfer personal data from Nigeria to another country if the:

  1. data subject has provided and not withdrawn consent to such transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of adequate protections;
  2. transfer is necessary for the performance of a contract to which a data subject is a party or in order to take steps at the request of a data subject, prior to entering into a contract;
  3. transfer is for the sole benefit of a data subject and:
     a. it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
     b. if it were reasonably practicable to obtain such consent, the data subject would likely give it;
  4. transfer is necessary for important reasons of public interest;
  5. transfer is necessary for the establishment, exercise, or defense of legal claims; or
  6. transfer is necessary to protect the vital interests of a data subject or of other persons, where a data subject is physically or legally incapable of giving consent.[4]

The NDPC is vested with the power to determine whether a country, region or specified sector within a country affords an adequate level of protection. Where the NDPC is satisfied that Binding Corporate Rules, Standard Contractual Clauses, Codes of Conduct, Certification Mechanism or any similar instruments of data protection proposed to it meet appropriate standards of data protection, the DPA may approve such.

Recommended Compliance Checklist by Data Controllers and Data Processors

In order to comply with the provisions of the NDP Act, data controllers or data processors are, among others, expected to:

  1. Register with the Commission as a data controller or data processor of major importance as the Commission may determine in accordance with the NDP Act.
  2. Conduct an NDPA compliance audit within Fifteen (15) months of commencement of business and thereafter on an annual basis.
  3. In the case of data controllers and data processors of major importance (Ultra High Level and Extra-High Level), file NDPA Compliance Audit Returns (CAR) with the Commission not later than the 31st of March of each year.
  4. Prepare and keep semi-annual data protection reports which shall be a detailed analysis of data processing within six (6) months.
  5. Prepare and follow schedules on organization-wide, internal sensitization and training on data privacy and protection in order to foster a culture of compliance with the NDP Act and best practices.
  6. Identify all obligations relating to data controllers or data processors under the NDP Act and prepare schedules of compliance.
  7. In the case of a data controller or data processor of major importance, designate a Data Protection Officer (DPO).
  8. Develop or review its organizational privacy policies; the privacy policy shall be in compliance with the NDP Act.
  9. Publish its organizational privacy policies on its platforms with a view to sensitizing data subjects on data processing activities as well as their rights.
  10. Provide privacy and cookie notices at the homepage of its website. The cookie notice should give a data subject the opportunity to decline or accept the notice; a cookie notice must be displayed in such a way that it significantly obstructs the middle, the left or the right side of the home page of a website. Displaying a cookie notice at the bottom of a webpage where it may be ignored or be unnoticed by a data subject is tantamount to lack of transparency in data processing.
  11. Ensure that the privacy policy and notice are transparent and appropriately provided on platforms/places where data processing is taking place.
  12. Develop and circulate an internal data protection strategy or policy and basic privacy checklist to help members of staff and other relevant persons (such as vendors, agents and contractors) understand the organization's direction in connection with the processing of personal data and outline the steps they are to take to ensure the organization's direction is maintained.
  13. Conduct a Data Privacy Impact Assessment (DPIA) when required under the NDP Act, or when directed by the Commission.
  14. Notify the Commission of personal data breaches within seventy-two (72) hours of becoming aware of the breach.
  15. Notify a data subject immediately after becoming aware of a personal data breach that may pose high risk to his or her privacy.
  16. Update agreements with third party processors to ensure compliance with the NDPA.
  17. Design systems and processes to make data requests and access seamless for data subjects.
  18. Design systems and processes to enable data subjects to easily correct or update their personal data.
  19. Design systems and processes to enable data subjects to easily transfer data to another platform or person (natural or artificial).
  20. At least within the six (6) months of commencement of business and then, at the minimum, on an annual basis, train its personnel on data protection law and practices; and
  21. Clearly explain the complaints process to data subjects including the right to lodge a complaint with the Commission.

Conclusion

Implementing a robust data protection strategy is crucial for organizations to ensure compliance with the Nigeria Data Protection Act (NDPA) and maintain the trust of their customers and stakeholders. By following the outlined policies and procedures, organizations can protect personal data, respond to data breaches, and respect data subjects' rights. Key measures include conducting Data Privacy Impact Assessments, notifying the Commission and data subjects of breaches, updating agreements with third-party processors, and designing systems that facilitate data subject rights. Regular training of personnel and clear communication of complaints processes are also essential. By prioritizing data protection, organizations can build a strong foundation for data privacy and security.

Footnotes

1 Article 8(4) of NDPA-GAID 2025

2 Section 42(2) of NDPA 2023

3 Section 42(6) of NDPA 2023

4 Section 43(1) of NDPA 2023

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
