Nigeria’s data protection regime is governed by the Nigeria Data Protection Act 2023 (“NDPA”) and the General Application and
Implementation Directive 2025 (“GAID”).
At the centre of this framework are the rights of data subjects. The NDPA draws constitutional authority from Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended), which guarantees every citizen the right to privacy.
Every data subject is entitled to know, before or at the point of colection, that their personal data is being processed. A data controler must furnish a Privacy Notice disclosing its identity and that of its Data Protection Officer, the specific purposes and lawful basis of processing, applicable retention periods, the identities of third party recipients, the use of automated decision-making, and the remedies available where rights are violated. A notice that is incomplete, ambiguous, or rendered inaccessible through technical legal language does not satisfy this obligation. The right to be informed is foundational: no other right is meaningfuly exercisable without it.
