Data Processing Agreement (Nigeria)

A Data Processing Agreement in Nigeria sets out the rights, duties and consideration binding the parties to it.

Section 37 of the NDPA 2023 requires that where a data controller engages a data processor, the processing must be governed by a binding contract or other legal act that stipulates: the subject matter, duration, nature, and purpose of the processing; the type of personal data and categories of data subjects involved; the obligations and rights of the data controller; and specific mandatory processor obligations set out in Section 37(3) of the NDPA.

The mandatory processor obligations under NDPA 2023 Section 37(3) include: processing personal data only on documented instructions from the data controller; binding all persons authorised to process the data to confidentiality; implementing appropriate technical and organisational security measures under Section 24 of the NDPA; not engaging sub-processors without prior specific or general written authorisation from the data controller; assisting the controller in fulfilling data subject rights requests; assisting in meeting security and incident notification obligations; deleting or returning all personal data at the end of the processing relationship; and providing all information necessary to demonstrate compliance with the NDPA.

The NDPA 2023 reflects the international standard established by the EU General Data Protection Regulation (GDPR) Article 28, which also requires a binding contract between controllers and processors. Nigerian organisations working with international clients or partners will find the NDPA DPA requirements substantially compatible with GDPR Article 28 requirements, enabling a single contract to satisfy both frameworks.

The Nigeria Data Protection Commission (NDPC), established under the NDPA, can investigate the terms and implementation of data processing agreements and impose administrative fines on both data controllers and data processors that fail to comply with NDPA Section 37. Both parties to a DPA share compliance obligations — a data processor that acts outside the controller's instructions or in violation of NDPA obligations becomes an independent data controller for the non-compliant processing and bears direct liability.

The legal framework governing the Data Processing Agreement (Nigeria) in Nigeria draws on several key statutes and regulatory bodies. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Parties executing a Data Processing Agreement (Nigeria) in Nigeria should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies and Allied Matters Act (CAMA) 2020 sets the foundational requirements.

A Nigeria Data Processing Agreement is required under NDPA 2023 Section 37 whenever a data controller engages any third party to process personal data on its behalf. The obligation applies regardless of the size of the processing activity or the value of the underlying commercial relationship.

Cloud service providers: any Nigerian company that stores customer or employee personal data in a cloud platform (AWS, Microsoft Azure, Google Cloud, or Nigerian cloud providers) must have a DPA with the cloud provider, as the cloud provider is processing personal data on the company's behalf. Most major cloud providers offer their own standard DPA terms; Nigerian data controllers should review these against NDPA 2023 requirements.

Payroll and HR service providers: companies that outsource payroll processing, recruitment, or HR management to third-party service providers must have a DPA, as these activities involve processing employees' personal data (salary, bank details, tax identification numbers, health insurance data) by the service provider.

Marketing and analytics platforms: companies that share customer data with email marketing platforms, CRM systems, data analytics providers, or advertising platforms must have a DPA, as these platforms process personal data on behalf of the company for marketing, analytics, or advertising purposes.

Financial service providers using third-party technology: banks, FinTech companies, and insurance companies that use third-party technology platforms — core banking software providers, payment processing platforms, credit bureau data processors — must have DPAs with each processor. The CBN outsourcing guidelines additionally require formal contracts with IT service providers handling customer data.

NGOs and development organisations that share beneficiary data with third-party programme management platforms or with sub-grantee organisations processing data on the NGO's behalf require DPAs to comply with NDPA 2023 and with donor data protection requirements.

Parties in Nigeria should prepare a Data Processing Agreement (Nigeria) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.

A Nigeria Data Processing Agreement must contain the following mandatory elements specified in NDPA 2023 Section 37 and best practice provisions.

Parties and recitals: identification of the data controller (the party determining the purposes and means of processing) and the data processor (the party processing on behalf of the controller), with their CAMA 2020 RC numbers, TIN numbers, registered addresses, and a brief description of the commercial relationship giving rise to the DPA.

Subject matter, duration, nature, and purpose of processing: a clear description of what personal data will be processed (data categories), who the data subjects are (employees, customers, beneficiaries), the specific processing operations to be carried out, and the business purpose for which processing is being carried out. The duration of the DPA must align with the duration of the underlying commercial agreement.

Processing only on controller instructions: an express provision requiring the processor to process personal data only on documented instructions from the controller, and to notify the controller immediately if it believes an instruction violates the NDPA 2023 or other applicable law. This is a mandatory NDPA Section 37(3)(a) requirement.

Confidentiality obligations: a requirement that all persons who process the personal data under the agreement are bound by confidentiality obligations under NDPA Section 37(3)(b) — either by statute (for public officers) or by contract.

Technical and organisational security measures: specification of the security measures the processor must implement under NDPA Section 24, which may include encryption at rest and in transit, access controls, penetration testing requirements, ISO 27001 certification, and incident detection and response capabilities.

Sub-processor provisions: terms governing the processor's use of sub-processors — whether general or specific authorisation is required; the requirement that sub-processors be bound by the same data protection obligations as the processor; and the processor's liability for sub-processor non-compliance under NDPA Section 37(3)(d).

Data subject rights assistance: the processor's obligation to assist the controller in responding to data subject rights requests (access, correction, deletion, portability, objection) within the timelines required by the NDPA.

Data breach notification: the processor's obligation to notify the controller without undue delay (and at most within 24 hours of becoming aware) of any personal data breach, to enable the controller to meet its 72-hour NDPC notification obligation under NDPA Section 40.

Data return and deletion: procedures and timelines for returning or securely deleting all personal data at the end of the processing relationship, with written confirmation of deletion, in compliance with NDPA data retention obligations.

Audit rights: the controller's right to audit the processor's compliance with the DPA, either directly or through an appointed third-party auditor.

Additional compliance elements for a Data Processing Agreement (Nigeria) used in Nigeria include: Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation.