Privacy Notes

Have you have heard of the Nigeria Data Protection Regulations (NDPR), 2019? I would be a bit surprised if you haven’t, but I also understand that the availability of information sometimes does not necessarily translate to access to such information for all. I would share a few details on the NDPR, especially as it relates to some of its provisions. For instance, do you know that the NDPR provides that you have a Right to be Informed by the Data Controller the purpose for which your Personal Data is being collected?

The Right to be Informed

What then is Personal Data? According to the NDPR, “Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’). An identifiable natural person in this context is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.

The Data Controller or Data Administrator must prior to collecting Personal Data, provide certain information to the Data Subject. This information should be contained in a Privacy Policy that must be conspicuously included in the medium by which the Personal Data is being collected.

This is a very important responsibility of the Data Controller or Data Administrator who must ensure that the Privacy Policy and its information must be expressed in clear and easily understandable language.

The Privacy Notice must, among other information, state:

• all the rights of the Data Subject, that is, the rights to consent, access, object, be forgotten, rectification, restrict processing and Personal Data portability.
• the purpose and or lawful basis of the processing activity; that is whether as a result of: consent, contractual obligation, legal obligation, legitimate interest, public interest or vital interest;
• the technical methods used to collect and store Personal Data, for example, cookies, JWT, web tokens et.al.;
• the identity and contact details of the Data Controller and its representative(s);
• where there is one, the Data Protection Officer (DPO)’s contact details;
• any further recipients of the Personal Data, that is, if it is to be shared or passed on to anyone else, for example, a Data Administrator;
• how long the Personal Data will be stored for;
• the details of the supervisory authority, for example NITDA, to lodge complaints with if the Data Subject’s rights are infringed;
• the available remedies in the event of violation of the Privacy Policy and the time frame for the remedies;
• where decision-making is automated, for example, by way of profiling, the processing activity must be explained and the likely impact it will have on the Data Subject; and
• where applicable, that the Data Controller intends to transfer the Personal Data to a foreign country or international organization and the existence or otherwise of an Adequacy Decision by NITDA in respect of that foreign country or international organization;

As a Data Subject, you now know what you should expect from your various Data Controllers. As a Data Controller, you now also know you are to prepare a Privacy Notice and appropriately inform your Data Subjects on the purpose for collecting Personal Data and the terms involved. Particularly, among the terms of collecting Personal Data is your Retention Policy. I will shed more light on this and more related issues in the next update. I would also be happy to read your comments, questions and general feedback.

Thank you for your time! See you next week!
Opeyemi Adeleke Esq.