NDPR and the Protection of Personal Data of Legal Entities in Nigeria1
Data privacy has become one of the defining socio-cultural and economic issue of our time.2 The challenges of data security in our world today instigated the development of data protection laws and regulations. Some of these laws and regulations appear to be centered on safeguarding the interest of only natural persons in relation to the processing of their personal data and implicitly excludes information concerning legal entities from such protection. The European Union General Data Protection Regulation (GDPR) guarantees the protection of natural persons with regard to the processing of their personal data.3 Also, the privacy protection laws of some states in the United States extend protection of personal information to only individuals.4 For instance, the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth5 applies to all persons that own or license personal information about a resident of the Commonwealth. The California Consumer Privacy Act (CCPA)6 focuses on the interest of consumers and applies to any business that collects consumers' personal information.7 Similarly, the Singapore Personal Data Protection Act (PDPA)8 extends protection of personal data to only natural persons. In Ghana, the Data Protection Act9 also applies to the processing of personal data of individuals.
This position is not uncommon as data privacy rights are recognized as fundamental human rights which are usually granted to natural persons. For instance, the Constitution of the Federal Republic of Nigeria protects the privacy of citizens including their homes, correspondence, telephone conversations and telegraphic communications.10 Article 12 of the Universal Declaration of Human Rights11 guarantees the privacy of persons, their family, home or correspondence. However, the privacy and data protection laws of South Africa12 and Switzerland extend protection of personal data to legal entities in addition to natural persons. The Swiss Federal Act on Data Protection (FADP)13 protects the privacy and the fundamental rights of both natural and legal entities when their data is processed. Based on the proposed revision of the FADP, data relating to legal entities will no longer be protected by the FADP and only data concerning individuals will fall within the scope of the revised FADP.14
From the objectives and scope of the Nigerian Data Protection Regulation ("the NDPR"), it appears that the NDPR applies to transactions intended for the processing of personal data in respect of only natural persons15 as no express reference is made to the protection of personal data relating to legal entities. The NDPR defines a data subject as an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.16 The NDPR also defines personal data as information relating to an identified or identifiable natural person which may be a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, etc.17 Thus, any information that relates to an identified natural person or which may be used to identify a natural person is considered as personal data.
Considering the broad definition of personal data in the NDPR, information concerning legal entities and natural persons may overlap as an entity's personal data may also be classified as personal data relating to a natural person and vice versa. In other words, personal data concerning an entity may also belong to a natural person and may be used to identify a natural person. For example, an entity's employee database, membership database and bank transaction records constitute both information concerning the entity and natural persons such as its employees or members. The information from the databases and records may also be used to identify the employees and members. In addition, an entity may also share the same name, address and other contact information as its proprietors or shareholders, which is common with small enterprises at the initial stage of their operations.
Generally, breach of privacy of data relating to entities may have implications on its members as entities do not exist in isolation as they are made up of shareholders, partners, members or employees. It is debatable whether the NDPR extends protection to personal data regarding a legal entity where such data also belong to a natural person or may be used to identify a natural person. According to the NDPR, anyone who is entrusted with the personal data of a data subject or who is in possession of the personal data of a data subject shall also be accountable for his acts and omissions in respect of data processing.18 Based on this broad provision, it may be argued that recipients of personal data who were either entrusted with or are in possession of personal data concerning an entity may be held accountable for their acts and omissions in processing the data if the data also belongs to a natural person or can be used to identify a natural person, notwithstanding how the data is classified. Recipients of such data may be held accountable especially if it is apparent that such data also belong to an individual or may be used to identify an individual. Where it is not apparent that the information obtained from the entity also belongs to a natural person or may identify a natural person, the manner in which the information was represented by the entity may be relevant in determining whether the data controller or recipient of such data will be held accountable for his acts and omissions in respect of processing the data. However, there is no clear provision on this issue in the NDPR.
In response to whether the GDPR applies to companies, the European Commission (EC) stated that the rules only apply to personal data about individuals and do not govern data relating to legal entities. The EC also stated that information in relation to one-person companies may constitute personal data where it allows the identification of a natural person. In addition, the EC has indicated that the rules apply to all personal data relating to natural persons in the course of a professional activity, such as the employees of a company/organization, business email addresses like firstname.lastname@example.org or employees business telephone numbers.19 The PDPA20 expressly excludes business contact information21 from protection obligations under the Act. Business contact information include an individual's name, position name or title, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes.22
It may be argued that the scope of data protection laws should be extended to data concerning legal entities as a possible breach of an entity's data may influence individuals or natural persons, or result in privacy breach of their personal data, as entities do not exist in isolation but are made up of shareholders, proprietors and employees who are mostly natural persons. In Britain, the 1978 Lindop Report on Data Protection considered whether the definition of data subjects in the legislation should also include associations and bodies in addition to individuals.23 The conclusion from the report was that both categories of persons need proper protection though each should be contained in separate legislations.
The absence of an express provision regarding protection of information concerning legal entities in the NDPR may be said to undermine the importance of their data in relation to processing in Nigeria. However, corporate entities enjoy certain privileges on privacy which are guaranteed in professional relationships as certain laws impose a fiduciary duty of confidentiality on professionals.24 In addition, legal entities may also include data protection clauses in their agreements as protective measures against data privacy and protection breaches.
Given the broad definition of personal data and the absence of an express provision regarding protection of information concerning legal entities in the NDPR, it is vital that recipients of data observe the principles of data processing and take the appropriate data security measures stipulated in the NDPR in processing personal data relating to legal entities, to prevent possible breach of the Regulation.
1. Bisola Scott and Sandra Eke, Associates, IP and Technology Department, SPA Ajibade & Co., Lagos, NIGERIA.
2. Mary Meehan, Data Privacy Will Be The Most Important Issue In The Next Decade, available at
4. ICLG, US: Data Protection 2019, available at https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa, accessed on 17th May 2020.
5. Also known as 201 Code of Massachusetts Regulations (CMR) 17.00, available at https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download., accessed on 10th May 2020.
6. 2018, available at https://iapp.org/resources/article/california-consumer-privacy-act-of-2018/#S145, accessed on 31st may 2020. The CCPA defines a consumer as a natural person who is a California resident.
7. Ibid. ICLG, US: Data Protection 2019, available at https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa accessed on 17th May 2020.
9. 2012, available at https://nita.gov.gh/wp-content/uploads/2017/12/Data-Protection-Act-2012-Act-843.pdf accessed on 31st April 2020.
10. Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended).
11. United Nations, Universal Declaration of Human Rights, available at https://www.un.org/en/universal declaration-human-rights/, accessed on 30th April 2020.
12 The South Africa Protection of Personal Information Act defines personal information as "information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person..." 2013, available at https://www.justice.gov.za/inforeg/docs/InfoRegSA-POPIA-act2013-004.pdf, accessed on 31st May 2020.
13. Art. 1 and Art. 2, Federal Act on Data Protection (FADP) of 19 June 1992 (Status as of 1 March 2019), available at https://www.admin.ch/opc/en/classified-compilation/19920153/201903010000/235.1.pdf, accessed on 20th May 2020.
14. Homburger, Revision of the Swiss Federal Act on Data Protection, available at https://media.homburger.ch/karmarun/image/upload/homburger/SyYb88eQI-Revision%20of%20the%20Swiss%20Federal%20Act%20on%20Data%20Protection.pdf accessed on 31sst May 2020.
15. Article 1.0(a) and 1.2(a) NDPR 2019, available at https://nitda.gov.ng/wp-content/uploads/2019/01/Nigeria%20Data%20Protection%20Regulation.pdf, accessed on 10th may 2020
16. Ibid., Art 1.3(k).
17. Ibid., Art 1.3(p).
18. Ibid., Art. 2.1(3).
19. European Commission, Do the data protection rules apply to data about a company? available at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/do-data-protection-rules-apply-data-about-company_en, accessed in 20th April 2020.
20. Section 4(5) PDPA 2012 available at https://nita.gov.gh/wp-content/uploads/2017/12/Data-Protection-Act-2012-Act-843.pdf, accessed on 31st May 2020.
21. Section 4(5) PDPA 2012. As part of the Openness Obligation, it is mandatory for organisations to appoint a DPO, or a panel of individuals, to be responsible for ensuring that the organisation complies with the PDPA. The organisation has to make the business contact information of the DPO public. OneTrust DataGuidance, Sinagapore - Data Protection Overview, available at https://www.dataguidance.com/notes/singapore-data-protection-overview, accessed on 2nd June 2020.
23. I. N. Walden and R. N. Savage, "Data Protection and Privacy Laws: Should Organisations Be Protected?"
The International and Comparative Law Quarterly Vol. 37, No. 2 (Apr., 1988), pp. 33e, available at https://www.jstor.org/stable/760158?seq=2#metadata_info_tab_contents, accessed on 10th May 2020.
24. For instance, under Rule 19(1) of the Rules of Professional Conduct (2007), all oral or written communication made by a client to his attorney in the normal course of professional employment are privileged', therefore any tangible material created by an attorney as a result of any communication made by a client to an attorney in the normal course of his or her engagement as an attorney is privileged. In the case of Habib Nigeria Bank Limited v. Fathudeen Syed M. Koya [1990 - 1993] 5 NBLR p. 368 at 387 a case which involved an alleged disclosure by a bank of a customer's transactional information, the Court of Appeal held that it is elementary knowledge that the bank owed its customer a duty of care and secrecy and a disclosure of personal information is a breach of that duty
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.