Nigeria data protection regulation (2)
Due diligence and prohibition of improper motives
(a) No consent shall be sought, given or accepted in any circumstance that may engender direct or indirect propagation of atrocities, hate, child rights violation, criminal acts and anti-social conducts;
(b) A party to any data processing contract, other than an individual data subject, shall take reasonable measures to ensure the other party does not have a record of violating the principles set out in Section 5 and he is accountable to NITDA or a reputable regulatory authority for data protection within or outside Nigeria; accordingly, every Data Processor or Controller shall be liable for the actions or inactions of third parties which handles the personal data of Data Subjects under this Regulation;
(c) In this section, “a party” shall include directors, shareholders, servants and privies of the contracting party; and record shall include report public record and reports in credible news media. Accordingly, the distinction between legal and natural persons for the purpose of limiting due diligence is irrelevant.
Privacy policy
Notwithstanding anything contrary in this Regulation or any instrument for the time being in force, any medium through which personal data is being collected or processed shall display a simple and conspicuous privacy policy that the class of Data Subjects being targeted can understand. The privacy policy shall in addition to any other relevant information contain the following:
a) what constitutes the Data Subject’s consent; b) description of collectable personal information; c) purpose of collection of personal data; d) technical methods used to collect and store personal information, cookies, JWT, web tokens etc.; e) access (if any) of third parties to personal data and purpose of access; f) a highlight of the principles stated in section 5; g) available remedies in the event of violation of the privacy policy; h) the time frame for remedy and i) any limitation clause, provided that no limitation clause shall avail any Data Controller who acts in breach of the principles set out in Section 6.
Data security
Anyone involved in data processing or the control of data shall develop security measures to protect data; such measures include but not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorised individuals, employing data encryption technologies, developing organizational policy for handling personal data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff.
Third party data processing contracts
Data processing by a third party shall be governed by a written contract between the third party and the Data Controller. Accordingly, any person engaging a third party to process the data obtained from Data Subjects shall ensure adherence to this Regulation.
Objections by the data subject
The right of a Data Subject to object to the processing of his data shall be safeguarded at all times. Accordingly, a Data Subject shall have the option to:
a) Object to the processing of personal data relating to him whom the Data Controller intends to process for the purposes of marketing;
b) Be expressly and manifestly offered the mechanism for objection to any form of data processing free of charge.
Advancement of right to privacy
Notwithstanding anything to the contrary in this Regulation, the privacy right of a Data Subject shall be interpreted for the purpose of advancing and never for the purpose of restricting the safeguards the Data Subject is entitled to under any data protection instrument made in furtherance of fundamental rights and the Nigerian laws.
Penalty for default
Any person subject to this Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable in addition to any other criminal liability, the following:
a) In the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2 percent of Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira whichever is greater;
b) In the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1 percent of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million naira whichever is greater.
Transfer to a foreign country
Any transfer of personal data which is undergoing processing or is intended for processing after transfer to a foreign country or to an international organisation shall take place subject to the other provisions of this Regulation and the supervision of the Honourable Attorney General of the Federation (HAGF).
Accordingly: a) a transfer of personal data to a foreign country or an international organisation may take place where the Agency has decided that the foreign country, territory or one or more specified sectors within that foreign country, or the international organisation in question ensures an adequate level of protection;
b) the HAGF shall take into consideration the legal system of the foreign country particularly in the areas of rule of law, respect for human rights and fundamental freedom, relevant legislation, both general and sectoral, including public security, defence, national security and criminal law and the access of public authorities to personal data;
c) implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another foreign country or international organisation which are complied with in that country or international organisation, caselaw, as well as effective and enforceable Data Subject rights and effective administrative and judicial redress for the Data Subjects whose personal data are being transferred;
d) the existence and effective functioning of one or more independent supervisory authorities in the foreign country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the Data Subjects in exercising their rights and for cooperation with the relevant authorities Nigeria; and
e) the international commitments of the foreign country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.