Annotation of the Nigeria Data Protection Regulation 2019

This section outlines the objectives of the Regulation, focusing on four main goals. Firstly, it aims to protect the data privacy rights of individuals. Secondly, it aims to promote secure transactions involving the exchange of Personal Data. Thirdly, it seeks to prevent any unauthorized manipulation of Personal Data. Lastly, it strives to ensure that Nigerian businesses can compete globally by establishing a fair and effective legal regulatory framework for data protection that aligns with international best practices. Overall, these objectives aim to create a robust and balanced approach to data protection that benefits individuals, businesses, and the overall competitiveness of Nigeria in the global market.

Scope of the Regulation (Regulation 1.2)

This section clarifies the scope of the Regulation with regard to the processing of Personal Data. Firstly, it states that the Regulation applies to all transactions involving the processing of Personal Data, regardless of the means or methods used, for natural persons in Nigeria. Secondly, it specifies that the Regulation applies to both natural persons residing in Nigeria and those residing outside Nigeria who are citizens of Nigeria. Finally, it emphasizes that the Regulation does not override any existing privacy rights granted to Nigerians or any natural person under current laws, regulations, policies, or contracts in force in Nigeria or any foreign jurisdiction. In summary, this section ensures that the Regulation’s coverage is comprehensive, inclusive, and respects existing privacy rights within and outside of Nigeria.

Definitions (Regulation 1.3)

The following definitions or terms will be applicable unless the specific context of the Regulation demands a different interpretation.

  • “Act” refers to the National Information Technology Development Agency (NITDA) Act of 2007.
  • “Computer” refers to Information Technology systems and devices, networked or not.
  • “Consent” is an indication of the Data Subject’s wishes that is freely given, specific, informed, and unambiguous. It can be expressed through a statement or a clear affirmative action, demonstrating the Data Subject’s agreement to the processing of Personal Data related to them.
  • “Data” refers to characters, symbols, and binary code on which operations are performed by a computer. These data can be stored in any format or on any device, or transmitted as electronic signals.
  • “Database” is a collection of data that is organized in a way that enables various operations such as access, retrieval, deletion, and processing of the data. Database also includes structured databases, unstructured databases, cached databases, and file system type databases.
  • “Data Administrator” means an individual or an organization responsible for processing data.
  • “Data Controller” means an individual, a group of individuals, or a statutory body that has the authority to determine the purposes and manner in which Personal Data is processed or will be processed.
  • “Database Management System” means software that enables a computer to perform various tasks related to a database. These tasks include creating a database, adding, changing, or deleting data within the database, and allowing for the processing, sorting, and retrieval of data stored in the database.
  • “Data Portability” refers to the ability of data to be transferred easily from one IT system or computer to another. This transfer is facilitated through a safe and secure means in a standard format.
  • “Data Protection Compliance Organization (DPCO)” refers to an entity that has obtained the necessary license from NITDA (National Information Technology Development Agency) for training, auditing, consulting, and providing services and products related to compliance with this Regulation or any foreign Data Protection Law or Regulation applicable in Nigeria.
  • “Data Subject” refers to any person who can be identified, either directly or indirectly, by reference to an identification number or one or more specific factors related to their physical, physiological, mental, economic, cultural, or social identity. In other words, a Data Subject is an individual whose personal information can be used to identify them based on various aspects of their identity.
  • “Data Subject Access Request” is a mechanism that allows an individual to formally request a copy of their data. This process may involve following a specific procedure and potentially paying a fee for the requested service.
  • “Filing system” refers to a structured collection of Personal Data that can be accessed based on specific criteria. These criteria can include factors such as functionality or geography. The Filing system can be centralized, decentralized, or dispersed across various locations.
  • “Foreign Country” means any sovereign state or autonomous/semi-autonomous territories within the international community. In other words, it encompasses nations and regions outside the jurisdiction or governance of the specific country or context being referred to.
  • “Regulation” refers to the Nigeria Data Protection Regulation 2019, along with any subsequent amendments to it. In certain circumstances, Regulation may include other Regulations related to the processing of information concerning identifiable individuals. These regulations encompass various aspects such as obtaining, holding, using, or disclosing such information with the aim of safeguarding it against unauthorized access, use, or disclosure.
  • “Personal Data” refers to any information that pertains to an identified or identifiable natural person, also known as a Data Subject. An identifiable natural person is someone who can be directly or indirectly identified, especially through an identifier such as a name, identification number, location data, online identifier, or other factors related to their physical, physiological, genetic, mental, economic, cultural, or social identity. Personal Data can include various types of information, ranging from basic details like name and address to more specific data such as photos, email addresses, bank details, social media posts, medical information, and unique identifiers like MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII), and others.
  • “Personal Identifiable Information (PII)” refers to information that has the potential to be used, either on its own or in combination with other data, to identify, contact, or locate a specific individual.
  • “Processing” means any operation or series of operations carried out on Personal Data or sets of Personal Data, regardless of whether it is done manually or through automated means. These operations include activities such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or other means of making the data available, alignment or combination, restriction, erasure, or destruction.
  • “Personal Data Breach” refers to a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • “Recipient” can be a natural or legal person, including a public authority, who accepts data from another party.
  • “Relevant Authorities” refers to entities with the government’s mandate to handle matters related to Personal Data. This includes the National Information Technology Development Agency (NITDA) or any other statutory body or establishment dedicated, either fully or partially, to dealing with issues concerning Personal Data.
  • “The Agency” refers to the National Information Technology Development Agency (NITDA).
  • “Third Party” means any individual or entity, including natural or legal persons, public authorities, establishments, or any other bodies, that is distinct from the Data Subject, the Data Controller, the Data Administrator, and any persons specifically engaged by the Data Controller or the Data Administrator to process Personal Data.
