It is right to say that a lot of things that people need to do from opening a bank account to subscribing to cable TV would require sharing some form of personal information. The requested personal information usually ranges from name, address, a photo, an email address to bank details, social networking websites, medical information. The shared personal information is processed and stored in one way or the other. Some pertinent questions that would likely come to mind in this regard include whether one has rights in relation to his or her personal information shared for various purposes and whether such personal information is adequately protected under the law
The Nigerian Data Protection Regulations (NDPR) was signed in January 2019 and it applies to all transactions intended for the processing of personal data regardless of the means by which the data processing is being conducted or intended to be conducted in respect of natural persons in Nigeria. The Regulation applies to persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria. The National Information Technology Development Agency (NITDA, hereinafter referred to as The Agency) is the Regulatory body charged with the protection of Personal Data and other related matters.
The NDPR makes provisions for the following rights
Right to information:
Every person who is required to share his personal data has a right to information. This right starts prior to collection of the personal data and continues after the personal data has been collected.
The type of information to be provided to persons prior to the collection of their personal data are listed in section 3(7) (a-n) of the NDPR and they include;
a) the identity and the contact details of the Controller; b) the contact details of the Data Protection Officer; c) the purpose(s) of the processing for which the Personal Data are intended as well as the legal basis for the processing; d) the legitimate interests pursued by the Controller or by a third party; e) the recipients or categories of recipients of the Personal Data, if any; f) where applicable, the fact that the Controller intends to transfer Personal Data to a third country or international organisation and the existence or absence of an adequacy decision by The Agency; g) the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period; h) the existence of the right to request from the Controller access to and rectification or erasure of Personal Data or restriction of processing concerning the Data Subject or to object to processing as well as the right to Data Portability; i) the existence of the right to withdraw consent at any time.
Every person who has shared his personal data also has a right to be informed about how such personal data is to be processed. The information should be in a concise, transparent, intelligible and easily accessible form. It should also be provided free of charge, in writing, or by other means, including, where appropriate, by electronic means. The information may be provided orally, if the person requests that it should be done in that manner.
It also important to mention that where one’s personal data are transferred to a foreign country or to an international organisation, the person has a right to be informed of the appropriate safeguards for data protection in the foreign country. The person has the right to obtain without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the person also has a right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to deletion of data
Persons have the right to request the deletion of their personal data without delay. The personal data should be promptly deleted if one of the following grounds is applicable:
a) The Personal Data are no longer necessary in relation to the purposes for which they were collected or processed; b) The Data Subject withdraws consent on which the processing is based; c) the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing; d) The Personal Data have been unlawfully processed; and e) the Personal Data must be erased for compliance with a legal obligation in Nigeria.
Right to restriction of processing of data
One also has the right to obtain the restriction of processing of his or her personal data under any of the following circumstances: a) The accuracy of the personal data is contested by the person for a period enabling the verification of its accuracy; b) The processing is unlawful, and the person opposes the erasure of the personal data and requests the restriction of their use instead; c) the personal data is no longer required for the purposes of the processing, but they are required by the person for the establishment, exercise or defence of legal claims; and d) the person has objected to processing of his or her data, pending the verification whether the legitimate grounds of the processing of the data override his or her own rights.
Where the processing of a person’s data has been restricted such personal data shall, except for storage, only be processed with his or her consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in Nigeria.
Right to portability
Persons have the right to transmit their personal data from one controller to another controller without hindrance. This right to portability can be exercised where: (a) The processing is based on consent, or (b) On a contract, and (c) The processing is carried out by automated means.
Persons, in exercising their right to portability are entitled to their personal data being transmitted directly from one controller to another, where technically feasible. Provided that this right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
It is worthy to mention that the NDPR states that the exercise of the foregoing rights shall be in conformity with constitutionally guaranteed principles of law for the general protection and enforcement of fundamental rights.
Right to object to processing
Persons also have the right to object to the processing of their personal data intended to be processed for marketing purposes.
The next time you are required to provide some personal data for one purpose or another, remember that you have rights in this regard and can make relevant demands to ensure that your personal data is adequately safeguarded.
