Section 37 of the 1999 Constitution of the Federal Republic of Nigeria provides for the right to privacy. Twenty years later, in 2019, the National Information Technology Development Agency (NITDA) released the Nigeria Data Protection Regulation (NDPR), both to safeguard the rights of Nigerian citizens and to keep Nigerian businesses competitive globally. As of April 25, 2019, all public and private organisations that process personal data must publicise their NDPR-compliant data protection policies. As of July 25, 2019, organisations must conduct an initial audit of their privacy and data protection practices.
In terms of the NDPR, data subjects have the right to:
- object to the processing of their personal data for marketing purposes;
- access their personal data (and have personal data transferred to another data controller);
- obtain information about the processing of their personal data;
- have their personal data deleted (where certain criteria are met);
- have their personal data corrected;
- restrict the processing of their personal data (where certain criteria are met);
- withdraw consent to the processing of their personal data; and
- lodge a complaint with the NITDA or another relevant regulator.