The National Information Technology Development Agency (NITDA), statutorily mandated by the NITDA Act of 2007, issued the Nigeria Data Protection Regulation to safeguard, regulate and protect the critical information infrastructure and data of individuals and corporate bodies from breaches. This is an excerpt from the regulation detailing the rights of a data subject.
PART THREE:
3.1 RIGHTS OF DATA SUBJECT
(1) The Controller shall take appropriate measures to provide any information relating to processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and for any information relating to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the Data Subject, the information may be provided orally, provided that the identity of the Data Subject is proven by other means.
(2) If the Controller does not act on the request of the Data Subject, the Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority.
(3) Except as otherwise provided by any public policy or Regulation, information provided to the Data Subject and any communication and any actions taken shall be provided free of charge. Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
- a) Charge a reasonable fee considering the administrative costs of providing the information or communication or taking the action requested; or,
- b) Write a letter to the Data Subject stating refusal to act on the request and copy The Agency on every such occasion through a dedicated channel which shall be provided for such purpose.
(4) The Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
(5) Where the Controller has reasonable doubts concerning the identity of the natural person making the request for information, the Controller may request the provision of additional information necessary to confirm the identity of the Data Subject.
(6) The information to be provided to Data Subject may be provided in combination with standardized icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable.
(7) Prior to collecting Personal Data from a Data Subject, the Controller shall provide the Data Subject with all the following information:
- a) the identity and the contact details of the Controller;
- b) the contact details of the Data Protection Officer;
- c) the purpose(s) of the processing for which the Personal Data are intended as well as the legal basis for the processing;
- d) the legitimate interests pursued by the Controller or by a third party;
- e) the recipients or categories of recipients of the Personal Data, if any;
- f) where applicable, the fact that the Controller intends to transfer Personal Data to a third country or international organization and the existence or absence of an adequacy decision by The Agency;
- g) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
- h) the existence of the right to request from the Controller access to and rectification or erasure of Personal Data or restriction of processing concerning the Data Subject or to object to processing as well as the right to Data Portability;
- i) the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- j) the right to lodge a complaint with a relevant authority;
- k) whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data;
- l) the existence of automated decision-making, including profiling and, at least, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject;
- m) Where the Controller intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected, the controller shall provide the Data Subject prior to that further processing with information on that other purpose, and with any relevant further information; and
- n) Where applicable, that the Controller intends to transfer Personal Data to a recipient in a foreign country or international organization and the existence or absence of an adequacy decision by The Agency.
(8) Where Personal Data are transferred to a foreign country or to an international organization, the Data Subject shall have the right to be informed of the appropriate safeguards for data protection in the foreign country. The Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her. Considering the purposes of the processing, the Data Subject shall have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
(9) The Data Subject shall have the right to request the Controller to delete Personal Data without delay, and the Controller shall delete Personal Data where one of the following grounds applies:
- a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or processed;
- b) the Data Subject withdraws consent on which the processing is based;
- c) the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
- d) the Personal Data have been unlawfully processed; and
- e) the Personal Data must be erased for compliance with a legal obligation in Nigeria.
(10) The Controller who has made the Personal Data public and is obliged to delete the Personal Data shall take all reasonable steps to inform Controllers processing the Personal Data of the Data Subject’s request.
(11) The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
- a) The accuracy of the Personal Data is contested by the Data Subject for a period enabling the Controller to verify the accuracy of the Personal Data;
- b) The processing is unlawful, and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead;
- c) The Controller no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims; and
- d) The Data Subject has objected to processing, pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
(12) Where processing has been restricted such Personal Data shall, except for storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in Nigeria.
(13) The Controller shall communicate any rectification or erasure of Personal Data or restriction to each recipient to whom the Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the Data Subject about those recipients if the Data Subject requests it.
(14) The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the Personal Data have been provided, where:
- a) The processing is based on consent, or
- b) On a contract, and
- c) The processing is carried out by automated means.
(15) In exercising his right to Data Portability, the Data Subject shall have the right to have the Personal Data transmitted directly from one controller to another, where technically feasible. Provided that this right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
(16) The exercise of the foregoing rights shall be in conformity with constitutionally guaranteed principles of law for the general protection and enforcement of fundamental rights.