Privacy Policy (Nigeria)
PRIVACY POLICY
Nigeria Data Protection Act 2023 (NDPA 2023) | Nigeria Data Protection Regulation 2019 (NDPR) | Nigeria Data Protection Commission (NDPC)
Effective Date: [Effective Date]
Last Updated: [Last Updated Date]
Data Controller: [Organisation Name], [Organisation Address] (CAC No. [CAC Number])
Data Protection Officer: [DPO Name] | Email: [DPO Email]
Website: [Website URL]
1. INTRODUCTION
[Organisation Name] ("we", "us", or "our") is committed to protecting the privacy and personal data of individuals who interact with our products, services, and website. This Privacy Policy explains how we collect, use, store, share, and protect your personal data in accordance with the Nigeria Data Protection Act 2023 (NDPA 2023), the Nigeria Data Protection Regulation 2019 (NDPR), and the guidelines of the Nigeria Data Protection Commission (NDPC).
This Privacy Policy applies to all personal data we process about our customers, users, employees, suppliers, and other individuals whose data we handle.
2. PERSONAL DATA WE COLLECT
We collect and process the following categories of personal data: [Data Categories]
We collect data directly from you (when you register, make a transaction, or contact us), automatically (through cookies and device data when you use our website or app), and from third parties (such as credit reference agencies, government databases, or your employer).
3. HOW AND WHY WE USE YOUR DATA
We process your personal data for the following purposes and on the following legal bases under Section 25 of the NDPA 2023:
[Processing Purposes]
4. HOW LONG WE KEEP YOUR DATA
We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with the storage limitation principle under Section 24(1)(e) of the NDPA 2023.
Retention periods: [Retention Period]
After the applicable retention period, personal data is securely deleted or anonymised.
5. WHO WE SHARE YOUR DATA WITH
We share your personal data with: [Third Party Sharing]
All third-party processors are bound by Data Processing Agreements under Section 29 of the NDPA 2023 and may only process your data on our documented instructions.
6. INTERNATIONAL DATA TRANSFERS
[Cross Border Transfers]
Where data is transferred outside Nigeria, we apply safeguards required by Sections 43–45 of the NDPA 2023, including standard contractual clauses or explicit consent.
7. COOKIES AND TRACKING TECHNOLOGIES
[Cookies Use]
You can manage your cookie preferences at any time through your browser settings or our cookie consent tool on [Website URL].
8. YOUR DATA SUBJECT RIGHTS
Under Sections 34–42 of the NDPA 2023, you have the following rights regarding your personal data:
Right of access: request a copy of your personal data.
Right to rectification: correct inaccurate data.
Right to erasure: request deletion of your data in certain circumstances.
Right to restrict processing: limit how we use your data.
Right to data portability: receive your data in a structured, machine-readable format.
Right to object: object to processing based on legitimate interests or for direct marketing.
Right to withdraw consent: withdraw consent at any time without affecting prior processing.
To exercise any of these rights: [Rights Exercise Contact]
You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at www.ndpc.gov.ng or by calling +234 (0) 906 000 1837.
9. DATA SECURITY
We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, alteration, or disclosure, in accordance with Section 39 of the NDPA 2023. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the NDPC within 72 hours and affected data subjects without undue delay, as required by Section 40 of the NDPA 2023.
10. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. Material changes will be communicated to you by email, in-app notification, or a prominent notice on [Website URL] before the changes take effect. The date of the latest revision is shown at the top of this policy.
If you have questions about this Privacy Policy, contact our Data Protection Officer at [DPO Email].
What Is a Privacy Policy (Nigeria)?
A Privacy Policy in Nigeria sets out the rules and standards the organisation expects those it covers to follow.
The Nigeria Data Protection Act 2023 (NDPA 2023) is the principal legislation governing privacy and personal data protection in Nigeria. The NDPA 2023, signed into law on 12 June 2023, established the Nigeria Data Protection Commission (NDPC) as an independent regulatory body responsible for enforcing data protection standards, issuing guidance, and investigating complaints. The NDPA 2023 superseded and upgraded the Nigeria Data Protection Regulation 2019 (NDPR), which was issued by the National Information Technology Development Agency (NITDA) under the NITDA Act 2007. The NDPR remains partially operative for transitional purposes until fully superseded.
Under Section 24 of the NDPA 2023, every data controller must process personal data lawfully, fairly, and in a transparent manner. Section 34 mandates that data controllers provide data subjects with a privacy notice — the Privacy Policy — at the time personal data is collected. The NDPA 2023 requires the Privacy Policy to state: the identity and contact details of the data controller; the purposes and legal basis for processing; the categories of personal data collected; whether data will be transferred to third parties or outside Nigeria; the data retention period; and the data subject's rights under Sections 34–42 of the NDPA 2023.
Organisations that process the personal data of 1,000 or more data subjects in a 12-month period, or that process sensitive personal data (health data, biometric data, financial data, children's data), must register with the NDPC as data controllers of major importance under Section 30 of the NDPA 2023. Such organisations must also appoint a Data Protection Officer (DPO) under Section 32 of the NDPA 2023 and conduct a Data Protection Impact Assessment (DPIA) for high-risk processing activities.
A Privacy Policy must be distinguished from a Cookie Policy, which specifically addresses the use of browser cookies and similar tracking technologies on websites, and from a Data Processing Agreement (DPA), which governs the relationship between a data controller and a data processor (a third party processing data on the controller's behalf). Websites operating in Nigeria that use cookies and similar technologies must comply with both the NDPA 2023 and the NCC Consumer Code of Practice Regulations for electronic communications services.
The legal framework governing a Privacy Policy in Nigeria draws on several key statutes and regulatory bodies. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Parties executing a Privacy Policy in Nigeria should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies and Allied Matters Act (CAMA) 2020 sets the foundational requirements.
When Do You Need a Privacy Policy (Nigeria)?
A Privacy Policy is required in Nigeria whenever an organisation, business, or individual collects or processes personal data of Nigerian residents in the course of a commercial, non-commercial, or professional activity.
A Privacy Policy is needed for every Nigerian business website, mobile application, or digital platform that collects users' names, email addresses, phone numbers, location data, payment information, or any other information that identifies or can identify a person. Under Section 34 of the NDPA 2023, the data controller must provide a privacy notice at or before the point of data collection.
A Privacy Policy is required for Nigerian companies that process employee personal data — including HR records, payroll information, biometric attendance data, and health records — under the Employees' Compensation Act 2010 and the NDPA 2023. The NDPC has issued guidance specifically addressing workplace data processing, and employers must publish an internal privacy notice for employees.
A Privacy Policy is needed for Nigerian fintech companies, banks, and financial institutions that process customers' Bank Verification Numbers (BVN), National Identification Numbers (NIN), transaction records, and financial data regulated by the Central Bank of Nigeria (CBN) Consumer Protection Regulations 2019 and the CBN Operational Guidelines for BVN.
A Privacy Policy is required for Nigerian healthcare providers, hospitals, and telemedicine platforms that process patients' medical records, diagnostic data, prescription information, and health histories — classified as sensitive personal data under Section 30 of the NDPA 2023 requiring heightened protection.
A Privacy Policy is needed for Nigerian e-commerce platforms, online retailers, and delivery services that collect customers' names, addresses, payment card details, and purchase histories to fulfil orders and for marketing purposes under the Federal Competition and Consumer Protection Commission Act 2018 (FCCPC Act).
A Privacy Policy is required for schools, universities, and educational institutions in Nigeria that collect and process students' personal data — including academic records, health information, and disciplinary records — governed by the NDPA 2023 and the Child Rights Act 2003 for students under 18 years of age.
Parties in Nigeria should prepare a Privacy Policy (Nigeria) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Privacy Policy (Nigeria)
An NDPA 2023-compliant Privacy Policy for Nigeria must contain the following mandatory elements.
Data Controller Identity: The full legal name, registered address, CAC registration number, and contact details of the data controller, together with the name and contact details of the Data Protection Officer (DPO) where one has been appointed under Section 32 of the NDPA 2023. For data controllers of major importance registered with the NDPC, the NDPC registration number should be stated.
Categories of Personal Data Collected: A specific list of the types of personal data collected — such as names, email addresses, phone numbers, BVN, NIN, payment data, location data, IP addresses, device identifiers, health data, and biometric data. Sensitive personal data under Section 30 of the NDPA 2023 (racial/ethnic origin, health data, biometric data, children's data, financial data) must be identified separately with their enhanced legal basis for processing.
Purposes and Legal Basis for Processing: Each processing purpose must be identified, together with its lawful basis under Section 25 of the NDPA 2023 — which includes consent (Section 25(1)(a)), performance of a contract (Section 25(1)(b)), legal obligation (Section 25(1)(c)), vital interests (Section 25(1)(d)), public task (Section 25(1)(e)), and legitimate interests (Section 25(1)(f)). A vague statement of purposes (such as 'improving services') without a specified legal basis is non-compliant.
Data Retention Period: The period for which personal data will be retained, or the criteria used to determine the retention period, in compliance with the data minimisation and storage limitation principles under Section 24(1)(d)–(e) of the NDPA 2023.
Data Sharing and Third Parties: Identification of categories of third parties with whom data is shared — processors, affiliates, payment gateways, analytics providers, government agencies — and the legal basis for each sharing arrangement. Data Processing Agreements must be in place with all processors under Section 29 of the NDPA 2023.
Cross-Border Data Transfers: Disclosure of any transfer of personal data outside Nigeria, and the safeguards in place — including NDPC-approved adequacy decisions, standard contractual clauses, binding corporate rules, or the data subject's explicit consent — required under Sections 43–45 of the NDPA 2023.
Data Subject Rights: A clear statement of data subjects' rights under Sections 34–42 of the NDPA 2023, including: right of access; right to rectification; right to erasure; right to restriction of processing; right to data portability; right to object; and right to withdraw consent. Contact information for exercising these rights must be provided.
Complaint Mechanism: The right to lodge a complaint with the NDPC at ndpc.gov.ng under Section 48 of the NDPA 2023, and the data controller's internal complaints handling procedure.
Cookies and Tracking Technologies: For websites and apps, a disclosure of the types of cookies and tracking technologies used (essential, analytics, marketing) and the mechanism for consenting to or opting out of non-essential cookies, in line with the Nigerian Communications Commission (NCC) Consumer Protection Regulations.
Policy Update Mechanism: The date of the last update and the procedure by which changes will be communicated to data subjects, including notification of material changes.
Additional compliance elements for a Privacy Policy (Nigeria) used in Nigeria include: Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Privacy Policy (Nigeria) (Nigeria) [Legal document template]. Forms Legal. https://forms-legal.com/nigeria/business/policies/privacy-policy-nigeria
"Privacy Policy (Nigeria) (Nigeria)." Forms Legal, 2026, https://forms-legal.com/nigeria/business/policies/privacy-policy-nigeria.
Frequently Asked Questions
A Privacy Policy is legally required for any Nigerian business, organisation, or individual that collects or processes personal data in the course of a business or professional activity. Section 34 of the Nigeria Data Protection Act 2023 (NDPA 2023) mandates that every data controller provide a privacy notice to data subjects at or before the point of data collection. The Nigeria Data Protection Commission (NDPC) has the power under the NDPA 2023 to investigate non-compliant organisations and impose administrative fines of up to 2% of annual gross revenue or NGN 10,000,000 (whichever is higher) for first violations, and up to 4% of annual gross revenue for repeat violations. The NDPA 2023 applies to any organisation established in Nigeria and to foreign organisations that process the personal data of persons in Nigeria, meaning that multinational companies with Nigerian customers must also maintain NDPA 2023-compliant Privacy Policies.
A Nigerian Privacy Policy under the NDPA 2023 must cover all categories of personal data the organisation processes, including: basic identification data (names, addresses, phone numbers, email addresses); government identification numbers (NIN, BVN, TIN); financial data (bank account details, payment card information, transaction records); digital identifiers (IP addresses, device IDs, cookies, location data); employment data (HR records, salary, performance records); health and biometric data (classified as sensitive personal data under Section 30 of the NDPA 2023 requiring explicit consent or another enhanced legal basis); and children's data (persons under 18, subject to heightened protection under Section 30 of the NDPA 2023 and the Child Rights Act 2003). The NDPC's guidelines on sensitive personal data, published in 2023, provide detailed requirements for processing these special categories.
An organisation that fails to maintain an NDPA 2023-compliant Privacy Policy in Nigeria faces administrative sanctions from the Nigeria Data Protection Commission (NDPC). Under Section 48 of the NDPA 2023, the NDPC may investigate complaints filed by data subjects and, upon finding a violation, issue compliance orders, fines, and public reprimands. Administrative fines for violation of data subjects' rights (including the failure to provide a privacy notice under Section 34) are up to 2% of annual gross revenue or NGN 10,000,000 for the first offence, whichever is higher — and up to 4% for repeat violations. Data controllers of major importance (those processing data of 1,000 or more persons annually) that fail to register with the NDPC and appoint a DPO face separate fines. Affected data subjects may also bring civil claims before the Federal High Court for breach of data protection rights under Section 37 of the Constitution of the Federal Republic of Nigeria 1999.
A Nigerian business may transfer personal data outside Nigeria only under specific conditions set out in Sections 43–45 of the Nigeria Data Protection Act 2023 (NDPA 2023). Cross-border transfer is permitted where: the NDPC has issued an adequacy decision in respect of the receiving country (confirming it provides an adequate level of data protection); the transfer is subject to appropriate safeguards such as NDPC-approved standard contractual clauses (SCCs) or binding corporate rules (BCRs); the data subject has given explicit informed consent to the transfer; or the transfer is necessary for the performance of a contract with the data subject or for important public interest reasons. The NDPC has not yet published a list of countries with adequate data protection as of 2024, so most cross-border transfers must rely on SCCs or explicit consent. The Privacy Policy must disclose all cross-border transfers and the safeguards in place.
A Nigerian Privacy Policy should be reviewed and updated whenever there is a material change in the organisation's data processing activities — such as the introduction of a new product or service that collects new categories of data, a change in data sharing arrangements with third parties, the adoption of new technologies (AI profiling, biometric data collection), a change in the legal basis for processing, or an amendment to the NDPA 2023 or NDPC guidelines. As a matter of good practice, the NDPC recommends annual reviews of Privacy Policies to ensure they reflect current processing activities. When a Privacy Policy is materially updated, the data controller must notify affected data subjects of the changes — for example, by email notification, in-app alert, or website banner — and, where the changes affect previously collected data, obtain fresh consent if consent was the original legal basis for processing under Section 25(1)(a) of the NDPA 2023.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.