NDPC Data Subject Rights Request (Nigeria)
DATA SUBJECT RIGHTS REQUEST
Nigeria Data Protection Act 2023 (NDPA 2023), Sections 34–39
Nigeria Data Protection Commission (NDPC)
Date: [Request Date]
TO:
[Controller Name]
[Controller Address]
Attention: [DPO Name]
Email: [DPO Email]
1. DATA SUBJECT IDENTITY
Full Name: [Subject Name]
Email: [Subject Email]
Phone: [Subject Phone]
Address: [Subject Address]
Identity Verification: [Identity Document] — [Identity Number]
2. RIGHTS REQUEST
I, [Subject Name], hereby formally exercise the following right(s) granted to me under the Nigeria Data Protection Act 2023 (NDPA 2023):
Right(s) Exercised: [Right Exercised]
2.1 Personal Data Concerned
[Personal Data Description]
2.2 Grounds for Request
[Grounds For Request]
2.3 Desired Outcome
[Desired Outcome]
3. RESPONSE OBLIGATION
Under Section 40 of the NDPA 2023 and NDPC implementing guidelines, [Controller Name] is required to respond to this request within one calendar month of receipt. If the request is complex or numerous, the response period may be extended by a further two months, but [Controller Name] must notify me of the extension and the reasons within the first month.
If [Controller Name] decides not to comply with this request, it must inform me within one month of the decision and the reasons, and must advise me of my right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) and to seek judicial remedy in the Federal High Court.
I note that under the NDPC guidelines, [Controller Name] may not charge a fee for responding to this request unless it is manifestly unfounded, excessive, or repetitive.
4. NDPC COMPLAINT NOTICE
If [Controller Name] fails to respond to this request within one month, or if the response is inadequate, I reserve the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at its headquarters in Abuja or through the NDPC complaint portal, pursuant to Section 48 of the NDPA 2023. Non-compliance may result in administrative sanctions of up to 2% of annual gross revenue or NGN 10 million (whichever is higher).
Data Subject
________________
Signature
What Is a NDPC Data Subject Rights Request (Nigeria)?
A NDPC Data Subject Rights Request in Nigeria puts a formal request before the recipient and sets out the grounds supporting it.
The Nigeria Data Protection Act 2023 was signed into law on 14 June 2023 and replaced the Nigeria Data Protection Regulation 2019 (NDPR 2019) as Nigeria's primary data protection legislation. The NDPA 2023 grants Nigerian residents (and other data subjects whose personal data is processed in Nigeria) a thorough set of rights analogous to those under the EU General Data Protection Regulation (GDPR), reflecting Nigeria's aspiration to achieve EU adequacy status for cross-border data transfers.
Under Section 34 of the NDPA 2023, data subjects have the right to request access to their personal data — including a copy of the data held, the purposes of processing, the recipients to whom data has been disclosed, and the retention period. Data controllers must respond to access requests within one month of receipt, extendable by a further two months for complex requests with written notice to the data subject.
Section 35 of the NDPA 2023 grants data subjects the right to rectification of inaccurate personal data. Section 36 grants the right to erasure ('right to be forgotten') in specified circumstances, including where data is no longer necessary for the original purpose, where consent has been withdrawn, or where processing was unlawful. Section 37 grants the right to restriction of processing. Section 38 grants data portability — the right to receive personal data in a structured, commonly used, machine-readable format. Section 39 grants the right to object to processing based on legitimate interests or for direct marketing.
The NDPC handles complaints from data subjects whose requests are not responded to within the prescribed period or are refused without adequate justification, and may investigate and sanction non-compliant data controllers under Section 48 of the NDPA 2023.
The legal framework governing the NDPC Data Subject Rights Request (Nigeria) in Nigeria draws on several key statutes and regulatory bodies. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Parties executing a NDPC Data Subject Rights Request (Nigeria) in Nigeria should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Contract Law (received English common law) sets the foundational requirements.
When Do You Need a NDPC Data Subject Rights Request (Nigeria)?
An NDPC Data Subject Rights Request in Nigeria is used whenever an individual wishes to formally exercise one or more of the data subject rights granted under the NDPA 2023.
A Data Subject Rights Request is needed when an individual wishes to access a copy of their personal data held by a bank, fintech, telecoms company, employer, hospital, or government agency — for example, to verify what personal information MTN Nigeria, Access Bank, or Konga holds about them.
A Data Subject Rights Request is required when an individual discovers that their personal data held by a data controller is inaccurate (e.g., incorrect date of birth in a bank's KYC records, wrong address on file) and wishes to exercise their right to rectification under Section 35 of the NDPA 2023.
A Data Subject Rights Request is needed when an individual wishes to have their personal data deleted by a data controller — for example, requesting erasure of their account data upon cancelling a subscription service, or requesting deletion of outdated credit information from a credit bureau's records.
A Data Subject Rights Request is required when an individual objects to their personal data being used for direct marketing by a company — for example, requesting to be permanently removed from an email marketing list or SMS campaign.
A Data Subject Rights Request is needed when an individual is changing their service provider and wishes to receive their data in a portable format to transfer to the new provider, exercising the right to data portability under Section 38 of the NDPA 2023.
A Data Subject Rights Request is required when an employment dispute arises and an employee wants access to all personal data their employer holds about them — including performance reviews, disciplinary records, and communications containing personal data.
Parties in Nigeria should prepare a NDPC Data Subject Rights Request (Nigeria) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your NDPC Data Subject Rights Request (Nigeria)
A valid NDPC Data Subject Rights Request must contain the following essential elements under the NDPA 2023 and NDPC guidelines.
Data Subject Identity: Full name, contact email address, phone number, and address of the data subject making the request. For identity verification purposes, the data controller may request reasonable evidence of identity — such as a government-issued ID (NIN, passport, or driver's licence) — before processing the request.
Data Controller Identity: Full name of the data controller (organisation) to whom the request is addressed, and the contact details of the Data Protection Officer (DPO) if known. Data controllers registered with the NDPC must have appointed a DPO.
Right Being Exercised: A clear statement of the specific right(s) the data subject is invoking: right of access (Section 34), rectification (Section 35), erasure (Section 36), restriction (Section 37), portability (Section 38), or objection (Section 39). Multiple rights may be exercised in a single request.
Description of Personal Data Concerned: A description of the specific personal data to which the request relates — for example, 'all personal data held about me in connection with my account number 1234567890', or 'the personal data collected during my medical consultation on 15/03/2024'.
Basis for Request: Where exercising the right to erasure or objection, the data subject should state the grounds for the request — for example, withdrawal of consent, data no longer necessary for the original purpose, or unlawful processing.
Desired Outcome and Format: A statement of what the data subject wants the data controller to do — provide a copy, correct the data, delete the data, restrict processing, or provide the data in a specific electronic format for portability.
Deadline Reference: A reference to the data controller's obligation to respond within one month of receipt under the NDPA 2023, and the data subject's right to lodge a complaint with the NDPC if the request is not addressed within the prescribed period.
Additional compliance elements for a NDPC Data Subject Rights Request (Nigeria) used in Nigeria include: Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). NDPC Data Subject Rights Request (Nigeria) (Nigeria) [Legal document template]. Forms Legal. https://forms-legal.com/nigeria/personal/legal-declarations/ndpc-data-subject-request-nigeria
"NDPC Data Subject Rights Request (Nigeria) (Nigeria)." Forms Legal, 2026, https://forms-legal.com/nigeria/personal/legal-declarations/ndpc-data-subject-request-nigeria.
@misc{formslegal-ndpc-data-subject-request-nigeria,
author = {{Forms Legal}},
title = {NDPC Data Subject Rights Request (Nigeria) (Nigeria)},
year = {2026},
howpublished = {\url{https://forms-legal.com/nigeria/personal/legal-declarations/ndpc-data-subject-request-nigeria}},
note = {Free legal document template. Based on Contract Law (received English common law)}
}Frequently Asked Questions
The Nigeria Data Protection Act 2023 (NDPA 2023) grants data subjects the following rights under Sections 34–39: Right of Access (Section 34) — the right to obtain confirmation of whether a data controller processes the data subject's personal data and to receive a copy of that data, along with information about the processing purposes, recipients, and retention period. Right to Rectification (Section 35) — the right to have inaccurate personal data corrected and incomplete data completed. Right to Erasure (Section 36) — the 'right to be forgotten', allowing data subjects to request deletion where data is no longer necessary, consent has been withdrawn, or processing was unlawful. Right to Restriction (Section 37) — the right to restrict processing where accuracy is contested, processing is unlawful, or an objection is pending. Right to Data Portability (Section 38) — the right to receive personal data in a machine-readable format and to have it transferred to another controller. Right to Object (Section 39) — the right to object to processing based on legitimate interests or for direct marketing. Data controllers must respond to rights requests within one month and may not charge a fee for responding to reasonable requests under the NDPC guidelines.
Under the Nigeria Data Protection Act 2023 (NDPA 2023) and NDPC implementing guidelines, a data controller must respond to a data subject rights request within one calendar month of receipt of the request. This one-month period starts from the day the data controller receives the request, regardless of whether the data subject provided identity verification documents at the time of request — though the data controller may pause the clock while waiting for identity verification. For complex or numerous requests, the data controller may extend the response period by a further two months, provided the data subject is notified of the extension and the reasons for it within the first month. Where the data controller decides not to comply with the request — for example, because the erasure request falls within a legal exception — the data controller must inform the data subject within one month of the refusal and the reasons, and must advise the data subject of their right to lodge a complaint with the NDPC or to seek judicial remedy in the Federal High Court.
Under the NDPC guidelines issued under the Nigeria Data Protection Act 2023 (NDPA 2023), data controllers must respond to data subject rights requests free of charge in most circumstances. A data controller may charge a reasonable administrative fee only where requests are manifestly unfounded, excessive, or repetitive — for example, where the same data subject submits the same access request multiple times within a short period without a legitimate reason. In such cases, the data controller must inform the data subject of the fee before processing the request. For the first access request in any 12-month period, no fee may be charged. Where a data subject requests additional copies of already-provided data, the data controller may charge for the cost of administration. The NDPC's guidance cautions against using excessive fee requirements as a mechanism to deter legitimate data subject requests, which would constitute a violation of data subject rights under Section 34 of the NDPA 2023 and could attract administrative sanctions.
If a data controller ignores or fails to respond to a data subject rights request within one month as required by the Nigeria Data Protection Act 2023, the data subject has the following remedies. The data subject may lodge a complaint with the Nigeria Data Protection Commission (NDPC) through the NDPC's complaint portal or by writing to the NDPC at its Abuja headquarters. The NDPC will investigate the complaint and may issue a compliance notice requiring the data controller to respond to the request. Failure to comply with an NDPC compliance notice may result in administrative sanctions of up to 2% of annual gross revenue (or NGN 10 million, whichever is higher) under Section 48 of the NDPA 2023. The data subject may also seek judicial remedy by filing a claim in the Federal High Court, which has jurisdiction over NDPA 2023 enforcement under Section 251 of the 1999 Constitution. The data subject may also seek damages for non-material harm (distress, inconvenience) under Section 43 of the NDPA 2023 if the failure to respond caused identifiable harm. Data controllers who repeatedly fail to respond to data subject requests face escalating NDPC sanctions and potential inclusion on the NDPC's public register of non-compliant organisations.
The right to erasure under Section 36 of the Nigeria Data Protection Act 2023 (NDPA 2023) is not absolute — it applies only in specific circumstances and is subject to exceptions. A data subject may request erasure where: the personal data is no longer necessary for the purposes for which it was collected; the data subject withdraws consent and there is no other legal basis for processing; the data subject objects to processing and there are no overriding legitimate grounds; the processing was unlawful; or erasure is required to comply with a legal obligation. However, data controllers may refuse an erasure request where continued processing is necessary for: compliance with a legal obligation requiring processing under Nigerian law (e.g., AML/CFT record-keeping under the Money Laundering (Prevention and Prohibition) Act 2022, which requires financial institutions to retain customer records for 5 years); the exercise or defence of legal claims; reasons of public interest; or scientific, historical, or statistical research purposes under Section 25 of the NDPA 2023. Financial institutions, telecoms companies, and employers may frequently invoke legal retention obligations to decline erasure requests from former customers or employees.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
NDPC Data Breach Notification (Nigeria)
An NDPC Data Breach Notification for Nigeria, required under Section 40 of the Nigeria Data Protection Act 2023 (NDPA 2023) within 72 hours of discovering a personal data breach. Complies with NDPC notification requirements and covers breach details, affected data subjects, and remediation steps.
Data Processing Agreement (Nigeria)
A Data Processing Agreement (DPA) for Nigeria compliant with the Nigeria Data Protection Act (NDPA) 2023 and NDPC requirements. Governs the relationship between data controllers and data processors, covering processing instructions, security obligations, sub-processor controls, data breach notification, and data subject rights support.
Data Consent Form (Nigeria)
A Nigeria-compliant data consent form for collecting freely given, specific, informed, and unambiguous consent for processing personal data under the Nigeria Data Protection Act (NDPA) 2023. Covers purpose specification, data subject rights, withdrawal of consent, and sensitive personal data categories.