Data Consent Form (Nigeria)
DATA CONSENT FORM
Nigeria Data Protection Act 2023 (NDPA) — Section 30 (Consent Requirements)
Data Controller: [Controller Name] (RC: [Controller RC])
Address: [Controller Address]
Data Protection Officer: [DPO Contact]
Date: [Consent Date]
DATA PROTECTION NOTICE
1. PERSONAL DATA WE COLLECT
[Controller Name] will collect the following categories of personal data from you: [Data Categories].
Sensitive personal data processing: [Sensitive Data]. Where sensitive personal data (as defined under NDPA 2023 Section 30(3)) is processed, your explicit consent is required and is captured by your signature below.
2. PURPOSE OF PROCESSING
Your personal data will be processed for the following specific purposes: [Processing Purpose].
3. DATA RETENTION
Your personal data will be retained for the following periods: [Retention Period]. After expiry of the retention period, your data will be securely deleted or anonymised.
4. DATA SHARING
Your personal data may be shared with the following third parties: [Data Sharing].
5. YOUR RIGHTS UNDER THE NDPA 2023
You have the following rights regarding your personal data under the Nigeria Data Protection Act 2023:
• Right of access (Section 34): you may request a copy of your personal data held by us.
• Right to correction (Section 35): you may request correction of inaccurate or incomplete data.
• Right to deletion (Section 36): you may request deletion of your data in certain circumstances.
• Right to object (Section 37): you may object to processing in certain circumstances.
• Right to data portability (Section 38): you may request a copy of your data in a portable format.
• Right to withdraw consent (Section 34): you may withdraw consent at any time.
To exercise your rights, contact: [Rights Contact].
6. WITHDRAWAL OF CONSENT
You may withdraw your consent at any time by: [Withdrawal Mechanism]. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
If you believe your data protection rights have been violated, you may lodge a complaint with the Nigeria Data Protection Commission (NDPC) at www.ndpc.gov.ng.
DATA SUBJECT DETAILS
Name: [Subject Name]
Identification: [Subject ID]
Contact: [Subject Contact]
CONSENT DECLARATION
I, [Subject Name], confirm that I have read and understood the Data Protection Notice above. I freely, specifically, informedly, and unambiguously consent to the collection and processing of my personal data (including sensitive personal data, where applicable) by [Controller Name] for the purposes stated above.
I understand that I may withdraw this consent at any time using the mechanism described above, without affecting the lawfulness of processing before withdrawal.
Signed: _________________________ Date: _________________________
Note: By signing this form, you give your affirmative consent as required by NDPA 2023 Section 30. Pre-ticked boxes or silence do not constitute valid consent.
Data Subject
________________
Signature
Data Controller Representative (Witness)
________________
Signature
What Is a Data Consent Form (Nigeria)?
A Data Consent Form in Nigeria records a party's informed permission for a specified act, authorising it to proceed.
The NDPA 2023 was enacted on 14 June 2023 and establishes a thorough data protection framework for Nigeria. Section 25 of the NDPA lists the lawful bases for processing personal data, of which consent is one — alongside performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests of the data controller. Where consent is the chosen lawful basis, the NDPA imposes specific requirements for how consent must be obtained, recorded, and managed.
Under Section 30 of the NDPA 2023, consent for data processing must be: freely given (not coerced or conditional on services where processing is unnecessary for the service); specific (identifying the precise purpose for which consent is given); informed (disclosing who the data controller is, what data will be processed, for what purpose, for how long, and who it will be shared with); and unambiguous (expressed through a clear affirmative action — pre-ticked boxes do not constitute valid consent under the NDPA). For sensitive personal data — including health data, biometric data, racial or ethnic origin, religious beliefs, political opinions, and financial data — the NDPA requires explicit consent, a higher standard than ordinary consent.
The Nigeria Data Protection Commission (NDPC), established under the NDPA, supervises compliance with data protection obligations including consent requirements. The NDPC has powers to investigate complaints from data subjects, conduct audits, and impose administrative fines on data controllers that obtain or process personal data without a valid lawful basis. Data subjects whose consent rights are violated may also bring civil claims for compensation under Section 49 of the NDPA.
Consent under the NDPA is not permanent: data subjects have the right to withdraw consent at any time under Section 34 of the NDPA, and withdrawal must be as easy as giving consent. Organisations that rely on consent as a lawful basis must have mechanisms to record consent, manage withdrawal, and cease processing when consent is withdrawn.
The legal framework governing the Data Consent Form (Nigeria) in Nigeria draws on several key statutes and regulatory bodies. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Parties executing a Data Consent Form (Nigeria) in Nigeria should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies and Allied Matters Act (CAMA) 2020 sets the foundational requirements.
When Do You Need a Data Consent Form (Nigeria)?
A Nigeria Data Consent Form is needed whenever an organisation processes personal data on the basis of the data subject's consent under the NDPA 2023, rather than another lawful basis.
Marketing and communications: organisations that send marketing emails, SMS messages, or other direct communications to individuals in Nigeria must obtain prior consent for such communications under the NDPA 2023 and the NCC Regulations on unsolicited bulk electronic messages. A consent form captures the specific consent for marketing communications, including the channels, frequency, and types of marketing covered.
Health and medical providers — hospitals, clinics, laboratories, pharmacies, and health insurers — must obtain explicit consent before processing health data under NDPA 2023 Section 30(3), as health data is a category of sensitive personal data requiring higher-standard explicit consent. Patient consent forms must specify the health data to be processed, the purpose (treatment, research, insurance), and sharing with third parties (specialists, insurance companies, health authorities).
Employers who process employee biometric data — fingerprint attendance systems, facial recognition access controls, health monitoring — must obtain explicit consent from employees before implementing such systems, as biometric data is a sensitive personal data category under the NDPA 2023.
Financial service providers and FinTech companies that process personal financial data beyond what is strictly necessary for providing the contracted service — such as analysing transaction patterns for marketing profiling, sharing data with credit bureaux, or using data for product development — need a consent form for these non-essential processing activities.
Researchers, universities, and market research organisations that collect and process personal data for surveys, research, or data products require consent forms capturing informed consent for research participation, data use, and potential publication of research findings.
Parties in Nigeria should prepare a Data Consent Form (Nigeria) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Data Consent Form (Nigeria)
A Nigeria Data Consent Form must contain the following elements to constitute valid consent under the NDPA 2023 and NDPC guidance.
Data controller identification: full legal name of the organisation collecting the data, registered address, RC number under CAMA 2020, and contact details for the Data Protection Officer (DPO) appointed under NDPA 2023 Section 32 (required for data controllers processing personal data of more than 2,000 data subjects in a 6-month period, or processing sensitive personal data).
Description of data to be collected: a specific, plain-language description of each category of personal data that will be collected — names, contact details, identification numbers, financial data, health data, biometric data — so the data subject knows exactly what they are consenting to.
Purpose of processing: a clear, specific statement of the purpose for which the data will be processed. Vague or catch-all purposes (e.g., 'for business purposes') do not meet the specificity requirement of NDPA 2023 Section 30. Multiple distinct purposes should be listed separately, allowing granular consent.
Data sharing and third parties: identification of any third parties with whom the data will be shared — named organisations, categories of recipients — and the purpose of sharing. For cross-border data sharing, the countries of transfer and safeguards should be disclosed per NDPA 2023 Section 43.
Retention period: the period for which the data will be retained, or the criteria used to determine the retention period, as required by the NDPA 2023 data minimisation and storage limitation principles.
Data subject rights: a clear statement of the data subject's rights under NDPA 2023 — right of access (Section 34), right to correction (Section 35), right to deletion (Section 36), right to object (Section 37), right to portability (Section 38), and right to withdraw consent — with contact details for exercising each right.
Consent withdrawal mechanism: a description of how the data subject can withdraw consent, which must be as simple as giving consent — typically an opt-out link, email address, or portal.
Affirmative consent action: a clear tick-box, signature line, or other affirmative mechanism by which the data subject gives consent. Pre-ticked boxes are invalid under the NDPA. The form must be designed so that consent is given by a positive, deliberate action.
Additional compliance elements for a Data Consent Form (Nigeria) used in Nigeria include: Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Consent Form (Nigeria) (Nigeria) [Legal document template]. Forms Legal. https://forms-legal.com/nigeria/business/policies/data-consent-form-nigeria
"Data Consent Form (Nigeria) (Nigeria)." Forms Legal, 2026, https://forms-legal.com/nigeria/business/policies/data-consent-form-nigeria.
@misc{formslegal-data-consent-form-nigeria,
author = {{Forms Legal}},
title = {Data Consent Form (Nigeria) (Nigeria)},
year = {2026},
howpublished = {\url{https://forms-legal.com/nigeria/business/policies/data-consent-form-nigeria}},
note = {Free legal document template. Based on Companies and Allied Matters Act (CAMA) 2020}
}
Frequently Asked Questions
Valid consent under the Nigeria Data Protection Act 2023 (NDPA) must be freely given, specific, informed, and unambiguous, as required by Section 30 of the NDPA. Freely given means that consent is not coerced, bundled with unrelated terms, or made a condition of a service where the processing is unnecessary for that service — organisations cannot make consent a prerequisite for accessing goods or services where the processing is not actually needed to provide those goods or services. Specific means that the consent covers one or more identified purposes, not vague or generic activities — a single blanket consent for 'all data processing' is not valid under the NDPA. Informed means that the data subject has been given sufficient information about who is processing the data, what data, for what purpose, for how long, and who it will be shared with. Unambiguous means that consent must be expressed through a clear affirmative action — clicking a clearly labelled tick-box, signing a consent form, or pressing an 'I agree' button with clear information about what is being agreed. Pre-ticked boxes, silence, or inactivity do not constitute valid consent. For sensitive personal data categories (health, biometric, racial origin, religious beliefs, financial data), the NDPA requires explicit consent — a higher standard requiring a specific, express, and unambiguous statement of consent for each sensitive data category.
Yes, data subjects have an unconditional right to withdraw consent at any time under Section 34 of the Nigeria Data Protection Act 2023 (NDPA). Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal, but the data controller must cease processing based on that consent from the point of withdrawal. The NDPA requires that withdrawing consent be as easy as giving consent — organisations cannot make the withdrawal process more difficult, time-consuming, or bureaucratic than the process of giving consent. If consent was given by clicking a tick-box on a website, withdrawal must be achievable by a similarly simple mechanism (such as an unsubscribe link or account settings opt-out). After withdrawal, if the data controller continues to process the personal data, it must identify an alternative lawful basis for processing under NDPA Section 25 (such as legitimate interests or legal obligation) or must cease processing and, where appropriate, delete or anonymise the data. The Nigeria Data Protection Commission (NDPC) can receive complaints from data subjects whose right to withdraw consent has not been respected and has powers to direct remediation and impose fines on non-compliant data controllers under NDPA Section 48.
Under the Nigeria Data Protection Act 2023 (NDPA), a Data Protection Officer (DPO) is required for: (1) data controllers or processors that process personal data of more than 2,000 data subjects within a 6-month period; (2) organisations that engage in large-scale systematic monitoring of data subjects; or (3) organisations that process special categories of sensitive personal data (health data, biometric data, financial data, etc.) as a core activity. The DPO must have expert knowledge of data protection law and practice and must be given the organisational independence, resources, and authority to perform their functions under NDPA Section 32. The DPO's contact details must be published and communicated to data subjects — consent forms should include the DPO's contact details for data subjects wishing to exercise their rights. The DPO's key functions include advising the organisation on data protection compliance, monitoring compliance with the NDPA, training staff, and acting as the contact point for the Nigeria Data Protection Commission (NDPC). Organisations that do not meet the DPO threshold are still required to designate a responsible person for data protection compliance, even if not formally a DPO. The NDPC has indicated that it will prioritise enforcement against organisations that process personal data without adequate governance, including DPO appointment where required.
Processing personal data without a valid lawful basis — including processing without valid consent where consent is required — exposes organisations to significant regulatory and civil liability under the Nigeria Data Protection Act 2023 (NDPA). The NDPC has administrative sanctioning powers under NDPA Section 48: for general violations, fines of up to 2% of annual global turnover for the preceding financial year or NGN 10 million (whichever is higher); for serious violations — including processing sensitive personal data without a valid lawful basis, cross-border transfers in violation of NDPA Section 43, and systematic non-compliance — fines of up to 4% of annual global turnover or NGN 20 million (whichever is higher). Individual data subjects whose personal data is processed unlawfully may bring civil compensation claims under NDPA Section 49, and courts may award damages for distress, financial loss, and reputational harm. Organisations that breach data protection obligations may also face reputational consequences and loss of business trust. Sector-specific sanctions apply in addition: the CBN may impose separate regulatory fines on financial institutions that process financial customer data unlawfully; the National Health Act 2014 imposes penalties for unauthorised use of health records; and the NDLEA Act covers misuse of certain sensitive health-related data.
A Data Consent Form (Nigeria) does not legally require a lawyer in Nigeria, though legal advice is recommended. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) governs corporate documents through the Corporate Affairs Commission (CAC). The National Industrial Court of Nigeria (NICN) adjudicates employment disputes. The Nigeria Data Protection Regulation (NDPR) and NDPC impose data protection obligations. The Federal Inland Revenue Service (FIRS) requires tax compliance. Forms-legal.com provides this template as a starting point — always review with a qualified Nigerian lawyer for significant transactions. Under Nigeria law, Companies and Allied Matters Act (CAMA) 2020, parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Data Processing Agreement (Nigeria)
A Data Processing Agreement (DPA) for Nigeria compliant with the Nigeria Data Protection Act (NDPA) 2023 and NDPC requirements. Governs the relationship between data controllers and data processors, covering processing instructions, security obligations, sub-processor controls, data breach notification, and data subject rights support.
Data Privacy Impact Assessment (Nigeria)
A Data Privacy Impact Assessment (DPIA) template for Nigerian organisations compliant with the Nigeria Data Protection Act (NDPA) 2023 and NDPC guidance. Covers risk identification, mitigation measures, consultation obligations, and documentation requirements for high-risk data processing activities.
Cybersecurity Policy (Nigeria)
A corporate cybersecurity policy for Nigerian organisations compliant with the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015, CBN Cybersecurity Framework 2021, NDPC Nigeria Data Protection Act 2023, and the NCC Cybersecurity Regulations. Covers access controls, incident response, data protection, and staff obligations.