The Nigeria Data Protection Act (NDPA) was passed into law on 12 June 2023, in a bid to codify and introduce structure to the Nigerian Data Protection Regime. Among other concepts, it introduces the concept of data controllers and data processors1 of ‘major importance’ who are mandated to register with the Nigeria Data Protection Commission (NDPC or “the Commission”). The NDPA further defines data controllers and processors of major importance as one domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the NDPC may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate.
The Act highlights that further regulations will be released, to provide more detailed requirements. You can read our newsletter on the NDPA by clicking this link.
Definition of a Data Controller/Processor of Major Importance
On the 14th of February 2024, the NDPC issued a Guidance Notice (“the Notice”) on the registration of data controllers and data processors of major importance pursuant to Sections 5d, 6(c), 44, 45 and 65 of the NPDA. The Guidance Notice highlights that, while the personal data of data subjects is being processed by various organizations or persons within and outside Nigeria, it is pivotal for the privacy and security of data subjects to ensure that their personal data be processed only by genuine processors for valid reasons recognized by law.
To this effect, it has highlighted that a data controller or data processor shall be deemed to be of major importance if it keeps or has access to a filing system for the processing of personal data where it:
- Processes the personal data of more than 200 data subjects in six months;
- Carries out commercial technology services on any digital device that has storage capacity and belongs to another individual.
- Processes personal data as an organization or a service provider in the listed major sectors of the economy.
- Is in a fiduciary relationship with a data subject by reason of which it is expected to keep confidential information on its behalf, taking into consideration the significant harm that may be done to a data subject if such data controller or processor is not under the obligations imposed on data controllers or processors of major importance.
The NDPC has now defined the metrics for who can be classified as a data processor/controller of major importance and are mandated to be registered with the NDPC on or before 30th June 2024.
Please click here to download the publication.
1 A data controller is an individual, private entity, public Commission, agency, or any other body who, alone or jointly with others, determines the purposes and means of processing personal data while a data processor is an individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor.