PREAMBLE:

Nigeria Data Protection Bureau [hereafter referred to as “Data Controller” or NDPB] is an establishment of the Federal Government of Nigeria. The central mandate of NDPB is to implement the Nigeria Data Protection Regulation (NDPR).


Our contact information is provided under SECTION12 of this Data Privacy Policy.


This privacy policy is in furtherance of the Nigeria Data Protection Regulation (NDPR), Section 37 of the Constitution of the Federal Republic of Nigeria (CFRN) 1999 (as amended) and all other legal instruments designed to protect the privacy rights of natural persons.


As the “Data Controller”, we are cognizant of the privacy rights of all natural persons who are part of NDPB or interact with us on all our data processing mediums or platforms. These classes of people are our “Data Subjects”. As a responsible establishment, we are committed to safeguarding the privacy rights of our data subjects through this strict privacy policy. It shall complement extant legal regulatory framework as an internal standard of care we owe our “Data Subjects”.


SECTION 1:- OUR GUIDING PRINCIPLES ON DATA PROCESSING

In processing your personal data, we adhere strictly to the principles of data processing as set out in Article 2.1 of the NDPR. Thus we shall ensure that Personal Data shall only be:


  • a) Collected and processed in accordance with specific, legitimate and lawful purpose consented to by the Data Subject;
  • b) Adequate, accurate and without prejudice to the dignity of human person;
  • c) Stored only for the period within which it is reasonably needed; and
  • d) Secured against all foreseeable hazards and breaches such as theft, cyber attack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.

SECTION 2:- CONSENT OF DATA SUBJECT

Except as otherwise required by operation of law or principles of law, your consent as the Data Subject is the entry point for data processing. You have the right to give, withhold or otherwise withdraw your consent to data processing. For further understanding of the operation of the principle of consent under data processing see Articles 2.1(a), 2.2, 2.3 and 2.4 of the NDPR. Those who seek information on our website or other platforms shall be deemed to have given constructive consent to receiving information of specific or of general nature through us from time to time.


SECTION 3:- OUR SCOPE OF DATA PROCESSING

In varying degrees vis-à-vis the service we provide for you or your level of engagement with us, we do process your personal data. Below is a table containing the major types of personal data, the purpose and the lawful basis for processing them :


S/N PURPOSE OF COLLECTION TYPE OF DATA LAWFUL BASIS
1 REGISTRATION Name, Phone, Email Address, Contact Address, Sex, Date of Birth, passport and educational record. To provide public service to data subjects
2 NOTIFICATIONS Name, Phone, Email Address, Contact Address, Sex and Date of Birth. To provide public service to data subjects
3 DATA ANALYTICS Name, Phone, Email Address, Contact Address, Sex and Date of Birth. To ensure that our services suit the purpose of data subjects and to measure our performance
4 SECURITY Name, Phone, Email Address, Contact Address, Sex, Date of Birth and passport. For safety and security of lives and property.
5 EMPLOYMENT Name, Phone, Email Address, Contact Address, Sex, Date of Birth, passport, medical record, educational record. For due diligence
6 CONTRACT Name, Phone, Email Address, Contact Address, Sex, For due diligence

Please note that the categories of data and the lawful basis provided are not exhaustive. We are governed by the NDPR as to the requirement for consent in all circumstances. See section 4 below.

SECTION 4:- RIGHTS OF DATA SUBJECTS

We hold your privacy rights very dear to our operations. Apart from the right to give, withhold or withdraw consent, you have rights to all relevant information that may guide you in making informed decisions about your personal data. For example, you have the right to be notified of anyone or any place to which we may transfer your personal data. Your rights under the NDPR include but are not limited to the following:


  • a) right to data portability,
  • b) right to erasure,
  • c) right to limit processing and
  • d) right to obtain your data.

See Part 3 of the NDPR for details of the rights of data subjects.

SECTION 5:- WITHOLDING RELEVANT DATA

There are types of personal data that are mandatory for us to process in order carry out your instruction or perform our legal mandate for your benefit. If you withhold such information, it may be impracticable to carry out our mandate in relation to you. If you seek more clarification on our data processing contact our designated Data Protection Officer as provided under SECTION 12 below.


SECTION 6:- TRANSFER OF DATA TO A THIRD-PARTY

As a public establishment, third parties may wish to provide opportunities on our platform for mutual benefits or in public interest. The type of data usually processed for this may be your digital contact such as E-Mail. You have the right to decline such third party offers and further restrict the processing of your personal data. You can simply unsubscribe to the notices sent for the purpose of the offers.


SECTION 7:- TECHNICAL INFORMATION

Customarily, websites are designed to collect certain information from the visitor. Our website is also designed to collect your IP address and other information that your web browser typically shares with the websites that you visit. The purpose of this is to know you better and to automatically and dynamically engage with you through your actions on our website.


SECTION 8:- PERSONAL DATA SECURITY AND INTEGRITY

We use cutting-edge technologies and foolproof protocols to provide you with comprehensive layers of security in the area of personal data. Thus, we are constantly vigilant in preventing cyber-attacks, fraudulent intrusion, unauthorized access, loss or corruption of personal data. We are equally cognizant of the obligations imposed on us by law in terms of data protection. Accordingly, we conduct reviews of process and privacy impact assessment, carry out trainings and obtain strict warranties where applicable.


SECTION 9:- PURPOSE AND STORAGE LIMITATION

The purpose of data processing usually determines the length of time within which your personal data is stored with us and the residue of data actually stored for this purpose. We collect and store personal data that is reasonably required by law or best practice to serve you or respond to legitimate enquiry about our transaction with you. We take this responsibility very seriously in the knowledge of the need for you to enjoy your privacy as guaranteed under the 1999 Constitution of the Federal Republic of Nigeria and international human rights law.


SECTION 10:- CAVEAT ON WEBSITE LINKS:

Our website may contain links to other websites. Save and except as otherwise expressly stated by us, any link to another website is not covered by our privacy policy. We strongly advise that you should satisfy yourself with the details of any privacy policy provided on other websites or links.


SECTION 11:- TRANSFER TO THIRD PARTIES AND COUNTRIES

In carrying out our mandate effectively, we may require the services of third parties who may be within or outside the NDPR jurisdiction (Nigeria). Examples of such services include but are not limited to the following:


  • a) Internet connectivity,
  • b) cloud storage,
  • c) data analytics,
  • d) data security,
  • e) software development, and
  • f) Legitimate Public interest.

In transferring your data to third parties, we shall be guided by extant public policy and the NDPR as regards the adequacy level of the foreign jurisdictions. See PART 2 Article 2.11 and PART 3 under the NDPR for details of your right under this section.

SECTION 12:- USE OF SPECIAL DATA PROCESSING CODES (COOKIES)

“Cookies”, in computer parlance, are text files that are downloaded to your browsing devices such as phones or computers when you browse pages of websites. They contain small amounts of data and their essential function is to intelligently memorize your preferences and therefore present them to you as choices when you are browsing – even at different times. Note that various websites use cookies for different purposes some of which may undermine your privacy rights. We have taken measures to ensure that all methods adopted by us to engage automatically with you do not violate your privacy rights under the NDPR. In the case of cookies, we ensure that they have security protocols and are not vulnerable to abuses by anyone.


SECTION 13:- DATA PRIVACY SERVICE UNIT (DPSU).

We have provided a platform to respond promptly and satisfactorily to all your requests, suggestions and complaints. This is called the DPSU. We have a Data Protection Officer responsible for prompt action on your data privacy. Contact the DPSU via this link: dpo@ndpb.gov.ng


Our DPSU serves as the internal mechanism to carry out the following services amongst others:

  • a) Data protection regulations compliance and breach services
  • b) Data protection and privacy advisory services
  • c) Data protection capacity building
  • d) Data Regulations Contracts drafting and advisory
  • e) Data protection and privacy breach remediation planning and support services
  • f) Information privacy audit
  • g) Data privacy breach impact assessment
  • h) Data Protection and Privacy Due Diligence Investigation
  • i) Data Protection Officer

SECTION 14:- REMEDIATION

Our data subjects are encouraged to report any complaint or concern about their data privacy through the DPSU. Our team at the DPSU shall take action to redress any grievance within 7 working days.


SECTION 15:- ALTERATION OF PRIVACY POLICY

The Data Controller reserves the right to alter the foregoing policy for the purpose of advancing data privacy rights, public interest or complying with lawful directives of the Federal Government.