Personal Data Consent Form (Nigeria)
PERSONAL DATA CONSENT FORM
Nigeria Data Protection Act 2023 (NDPA 2023) | Nigeria Data Protection Commission (NDPC) | Nigeria Data Protection Regulation 2019 (NDPR 2019)
Date of Consent: [Consent Date]
DATA CONTROLLER
[Controller Name] (RC: [Controller CAC])
Address: [Controller Address]
Privacy Contact: [Controller Email]
Data Protection Officer: [DPO Contact]
DATA SUBJECT
Name: [Subject Name]
Email: [Subject Email] | Phone: [Subject Phone]
CONSENT DECLARATION
I, [Subject Name], hereby give my freely given, specific, informed, and unambiguous consent to [Controller Name] to collect, store, use, and otherwise process my personal data as set out below, in accordance with Section 25 of the Nigeria Data Protection Act 2023 (NDPA 2023).
1. CATEGORIES OF PERSONAL DATA
[Data Categories]
2. PURPOSES OF PROCESSING
[Processing Purposes]
3. DATA SHARING WITH THIRD PARTIES
[Data Sharing]
4. RETENTION PERIOD
[Retention Period]
5. YOUR RIGHTS UNDER THE NDPA 2023
Under the Nigeria Data Protection Act 2023, you have the following rights in relation to your personal data:
Right of access: You may request a copy of the personal data we hold about you.
Right to rectification: You may request correction of inaccurate or incomplete data.
Right to erasure: You may request deletion of your data where it is no longer necessary for the purposes for which it was collected ('right to be forgotten').
Right to data portability: You may request your data in a structured, machine-readable format.
Right to object: You may object to processing for direct marketing or profiling purposes.
Right to withdraw consent: You may withdraw this consent at any time by contacting us at [Controller Email]. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
To exercise your rights, contact our Data Protection Officer at [DPO Contact] or write to us at [Controller Address]. You may also file a complaint with the Nigeria Data Protection Commission (NDPC) at www.ndpc.gov.ng.
6. DECLARATION
I confirm that I have read and understood this consent form. I give my consent freely and have not been coerced or misled. I understand that I may withdraw this consent at any time without affecting my rights.
For minors below 13 years of age, this consent must be signed by a parent or legal guardian.
Data Subject (or Parent / Guardian for minors)
________________
Signature
Authorised Representative of Data Controller
________________
Signature
What Is a Personal Data Consent Form (Nigeria)?
A Personal Data Consent Form in Nigeria grants documented consent to the action it describes, on the conditions it states.
The primary legal framework for personal data protection in Nigeria is the Nigeria Data Protection Act 2023 (NDPA 2023), which replaced the Nigeria Data Protection Regulation 2019 (NDPR 2019) as the principal legislation. The NDPA 2023, signed by President Bola Tinubu, establishes the Nigeria Data Protection Commission (NDPC) — formerly the Nigeria Data Protection Bureau (NDPB) — as the independent regulatory authority for data protection in Nigeria. The NDPC is responsible for issuing regulations, guidelines, and codes of practice; conducting audits; and enforcing data protection obligations on data controllers and processors.
Section 25 of the NDPA 2023 requires that where consent is the lawful basis for data processing, the consent must be freely given, specific, informed, and unambiguous. Consent obtained through vague or bundled terms, pre-ticked boxes, or coercion does not constitute valid consent under the NDPA 2023. Data controllers must be able to demonstrate that consent was validly obtained — a signed consent form provides this documentary proof.
The NDPA 2023 also requires data controllers processing the personal data of Nigerian citizens or residents to comply with data subject rights including: the right to access their data, the right to rectify inaccurate data, the right to erasure ('right to be forgotten'), the right to data portability, and the right to withdraw consent at any time. A compliant Personal Data Consent Form must inform data subjects of these rights at the time of consent collection.
The NDPR 2019 — which applied from 25 January 2019 until the NDPA 2023 came into force — introduced the requirement for organisations processing the personal data of more than 1,000 data subjects per year to file annual data protection audit reports with the NDPB (now NDPC), conducted by an NDPC-licensed Data Protection Compliance Organisation (DPCO).
The legal framework governing a Personal Data Consent Form in Nigeria draws on several key statutes and regulatory bodies. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Parties executing a Personal Data Consent Form in Nigeria should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies and Allied Matters Act (CAMA) 2020 sets the foundational requirements.
When Do You Need a Personal Data Consent Form (Nigeria)?
A Personal Data Consent Form in Nigeria is needed whenever an organisation collects personal data from individuals and relies on consent as the lawful basis for that data processing under the NDPA 2023.
A Personal Data Consent Form is required when a fintech company, bank, or CBN-licensed payment service provider collects customers' personal financial data — including BVN numbers, account details, and transaction histories — for credit assessment, KYC compliance, or marketing purposes, and wishes to rely on the data subject's consent as the processing basis.
A Personal Data Consent Form is needed when a hospital, clinic, or healthcare provider in Nigeria collects patients' health data (which constitutes sensitive personal data under Section 30 of the NDPA 2023) for treatment, research, or insurance purposes. Processing of health data requires explicit consent as a heightened standard.
A Personal Data Consent Form is required when an employer collects employees' personal data — including biometric data (fingerprints or facial recognition for attendance management), health information, or next-of-kin details — beyond the information strictly necessary for the employment relationship, and relies on consent as the processing basis.
A Personal Data Consent Form is needed when an e-commerce platform, social media company, or app developer collects Nigerian users' personal data for personalised advertising, third-party data sharing, or profiling purposes, where consent is the appropriate lawful basis under the NDPA 2023.
Parties in Nigeria should prepare a Personal Data Consent Form (Nigeria) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Personal Data Consent Form (Nigeria)
A valid Personal Data Consent Form in Nigeria must contain the following elements to constitute lawful, informed consent under the NDPA 2023 and NDPC guidelines.
Data Controller Identity: The full legal name, address, and contact details of the organisation collecting the data (the data controller). For companies, include the CAC RC number under CAMA 2020. A Data Protection Officer (DPO) contact should be provided where the data controller has appointed one under Section 33 of the NDPA 2023.
Data Subject Identity: The full name and contact details of the person giving consent. For minors (below 13 years under the NDPA 2023 or below 18 years for sensitive data), parental or guardian consent must be obtained.
Categories of Personal Data: A clear description of the types of personal data being collected — for example, name, address, date of birth, BVN, health data, or biometric data. Sensitive personal data (health, biometrics, political opinions, religious beliefs) must be specifically identified.
Processing Purposes: A specific statement of each purpose for which the data will be processed. Under the NDPA 2023 and the data minimisation principle, data may only be processed for the purposes stated at the time of collection.
Data Sharing: Whether the data will be shared with third parties — including the identity or categories of those third parties — and the purpose of sharing. Cross-border data transfers must comply with Section 43 of the NDPA 2023, which requires that the recipient country provides adequate data protection.
Retention Period: How long the data will be retained, and the criteria for determining retention periods in the absence of a fixed period.
Data Subject Rights: A statement of the data subject's rights under the NDPA 2023 — access, rectification, erasure, restriction, data portability, and objection to processing — and how to exercise them.
Right to Withdraw Consent: A clear statement that consent can be withdrawn at any time, the method for withdrawal, and confirmation that withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Signature and Date: The data subject's signature and the date of consent (DD/MM/YYYY).
Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Personal Data Consent Form (Nigeria) (Nigeria) [Legal document template]. Forms Legal. https://forms-legal.com/nigeria/business/policies/personal-data-consent-form-nigeria
"Personal Data Consent Form (Nigeria) (Nigeria)." Forms Legal, 2026, https://forms-legal.com/nigeria/business/policies/personal-data-consent-form-nigeria.
@misc{formslegal-personal-data-consent-form-nigeria,
author = {{Forms Legal}},
title = {Personal Data Consent Form (Nigeria) (Nigeria)},
year = {2026},
howpublished = {\url{https://forms-legal.com/nigeria/business/policies/personal-data-consent-form-nigeria}},
note = {Free legal document template. Based on Companies and Allied Matters Act (CAMA) 2020}
}
Frequently Asked Questions
The Nigeria Data Protection Act 2023 (NDPA 2023) is the primary legislation governing personal data protection in Nigeria, signed into law on 12 June 2023. The NDPA 2023 replaced the Nigeria Data Protection Regulation 2019 (NDPR 2019) and established the Nigeria Data Protection Commission (NDPC) as the independent regulatory authority. Under Section 25 of the NDPA 2023, consent is one of six lawful bases for processing personal data. For consent to be valid, it must be freely given (not coerced or a condition of a service), specific (for a defined purpose), informed (the data subject knows who is collecting the data and why), and unambiguous (a clear affirmative act, not silence or pre-ticked boxes). Data controllers who rely on consent must be able to demonstrate that valid consent was obtained — a signed consent form is the primary evidence of this. Consent is not required where another lawful basis applies, such as contractual necessity, legal obligation, or legitimate interests.
Under the Nigeria Data Protection Act 2023 (NDPA 2023), the Nigeria Data Protection Commission (NDPC) has broad enforcement powers and can impose significant penalties for data protection violations. For companies, the maximum administrative fine is 2% of annual gross revenue in the preceding financial year or NGN 10 million, whichever is higher — for more serious violations (such as unlawful processing of sensitive personal data or systematic data breaches), the fine increases to 4% of annual gross revenue or NGN 20 million, whichever is higher. Individual officers who authorised or enabled serious violations may be personally liable. The NDPC can also order compensation to data subjects for harm suffered. Under the Nigeria Data Protection Regulation 2019 (NDPR 2019) — which applied before the NDPA 2023 — the maximum fine was NGN 10 million or 2% of annual gross revenue. The NDPC maintains a public register of enforcement actions.
Under Section 33 of the Nigeria Data Protection Act 2023 (NDPA 2023), data controllers and data processors are required to designate a Data Protection Officer (DPO) where: (a) the core activities involve large-scale regular and systematic monitoring of data subjects; or (b) the core activities involve large-scale processing of sensitive personal data categories such as health, biometric, or financial data. The DPO must have expert knowledge of data protection law and practices. Under the earlier Nigeria Data Protection Regulation 2019 (NDPR 2019), organisations processing the personal data of more than 1,000 data subjects per year were required to appoint an NDPB-licensed Data Protection Compliance Organisation (DPCO) to conduct an annual audit and file the audit report with the NDPB. The NDPA 2023 continues to recognise DPCOs and requires large data controllers to engage them for compliance audits.
Under Section 43 of the Nigeria Data Protection Act 2023 (NDPA 2023), a data controller may only transfer personal data of Nigerian data subjects to a third country or international organisation if: (a) the Nigeria Data Protection Commission (NDPC) has issued an adequacy decision for that country; (b) the data controller has implemented appropriate safeguards such as standard contractual clauses approved by the NDPC, binding corporate rules, or other NDPC-approved mechanisms; or (c) one of the specified derogations applies — for example, explicit data subject consent to the transfer, contractual necessity, or vital interests. Nigeria has not yet published a detailed list of countries with adequacy decisions. Data controllers transferring data to EU-based processors must also consider compliance with the GDPR's requirements for data transfers from the EU. The Data Processing Agreement (DPA) executed with processors outside Nigeria should include the NDPC's standard data transfer clauses.
The Nigeria Data Protection Act 2023 (NDPA 2023) requires data controllers to retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with the storage limitation principle under Section 24(1)(e). There is no single prescribed retention period applicable to all categories of data — retention periods depend on the purpose of processing, contractual obligations, and applicable sector-specific regulations. For example: financial records including KYC data and transaction records must be retained for 5 to 7 years under CBN AML/CFT guidelines; employment records must be retained for the duration of employment plus 6 years under the Limitation Act (Cap L16, LFN 2004); health records must be retained as required by the applicable medical regulations. Data controllers should document their retention periods in a data retention schedule and delete or anonymise data that has exceeded the applicable retention period. The NDPC's audit process reviews retention practices for compliance.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Data Processing Agreement (Nigeria)
A Data Processing Agreement (DPA) for Nigeria compliant with the Nigeria Data Protection Act (NDPA) 2023 and NDPC requirements. Governs the relationship between data controllers and data processors, covering processing instructions, security obligations, sub-processor controls, data breach notification, and data subject rights support.
Data Consent Form (Nigeria)
A Nigeria-compliant data consent form for collecting freely given, specific, informed, and unambiguous consent for processing personal data under the Nigeria Data Protection Act (NDPA) 2023. Covers purpose specification, data subject rights, withdrawal of consent, and sensitive personal data categories.
Data Privacy Impact Assessment (Nigeria)
A Data Privacy Impact Assessment (DPIA) template for Nigerian organisations compliant with the Nigeria Data Protection Act (NDPA) 2023 and NDPC guidance. Covers risk identification, mitigation measures, consultation obligations, and documentation requirements for high-risk data processing activities.