Practical Steps: How to Give Consent and Control Your Personal Data under Nigeria Data Protection Act 2023

The Nigeria Data Protection Act of 2023 has recently been signed into law, providing a legal framework for the protection of personal information and establishing the Nigeria Data Protection Commission to regulate the processing of personal data. The Act aims to safeguard the fundamental rights and freedoms of data subjects, ensuring that their personal data is processed in a fair, lawful, and transparent manner. This article provides practical guidance for data subjects on how to give consent and exercise control over their personal data in accordance with the provisions of the Act.

Application of the Act

The Act applies to the processing of personal data, whether by automated means or not. It is applicable when the data controller or data processor is domiciled in, resident in, or operating in Nigeria. Furthermore, the Act applies if the processing of personal data occurs within Nigeria, and even if the data controller or data processor is not based in Nigeria but processes personal data of data subjects located within Nigeria.

Giving Consent

Consent plays a crucial role in the processing of personal data under the Act. Data subjects have the right to control their personal data and must give their consent freely and intentionally. It is important to note that silence or inactivity cannot be considered as consent. To give valid consent, data subjects should follow these practical steps:

1. Understand the Purpose: Data subjects should ensure they have a clear understanding of the purpose for which their personal data is being collected and processed. The data controller must provide information about the purposes of processing, categories of personal data, recipients of the data, retention periods, rights of the data subject, complaint lodgment procedures, and the existence of automated decision-making.
   
2. Read Privacy Notices: Data subjects should carefully read privacy notices provided by data controllers. These notices contain important information about the processing of personal data and the rights of data subjects. They should pay attention to the lawful basis for processing and any specific consent requirements.
   
3. Freely Given Consent: Data subjects should ensure that their consent is given freely without any undue pressure or coercion. Consent should not be a condition for accessing a service unless it is necessary for the performance of a contract.
   
4. Explicit Consent for Sensitive Data: In the case of sensitive personal data, explicit and unwithdrawn consent is required. Sensitive data includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.
   
5. Withdrawal of Consent: Data subjects have the right to withdraw their consent at any time. Data controllers must make it as easy to withdraw consent as it is to give it. If data subjects wish to withdraw their consent, they should follow the withdrawal procedures specified by the data controller.
   

Exercising Control Over Personal Data

In addition to giving consent, data subjects have various rights under the Act to exercise control over their personal data. These rights empower individuals to manage their personal information and ensure that it is processed in accordance with the law. The key rights of data subjects include:

1. Right to Confirmation and Information: Data subjects have the right to obtain confirmation from a data controller regarding the storage and processing of their personal data. They are entitled to information about the purposes of processing, categories of personal data, recipients of the data, storage period, and the right to request rectification, erasure, or restriction of processing.
   
2. Right to Access and Data Portability: Data subjects have the right to obtain a copy of their personal data in a commonly used electronic format. They can also request the transfer of their personal data to another data controller, where technically feasible.
   
3. Right to Rectification and Erasure: Data subjects have the right to request the rectification of inaccurate or incomplete personal data held by data controllers. If the data has been disclosed to third parties, the data controller should inform them about the rectification unless it is impossible or requires disproportionate effort. Data subjects also have the right to request the erasure of their personal data in certain circumstances, such as when the data is no longer necessary for the purposes it was collected or processed, when consent is withdrawn, or when the data processing is unlawful.
   
4. Right to Restriction of Processing: Data subjects have the right to request the restriction of processing their personal data under certain conditions. This means that the data can still be stored but not actively processed. This right may be exercised, for example, when the accuracy of the data is contested, or when the data processing is unlawful, but the data subject does not want it to be erased.
   
5. Right to Object to Processing: Data subjects have the right to object to the processing of their personal data, including profiling, based on legitimate interests pursued by the data controller or a third party. The data controller must stop processing the data unless they can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
   
6. Right to Automated Decision-Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which significantly affects them. However, this right does not apply if the decision is necessary for entering into or performing a contract, authorized by law, or based on the data subject’s explicit consent.
   
7. Right to Lodge a Complaint: If data subjects believe that their rights under the Data Protection Act have been violated, they have the right to lodge a complaint with the Nigeria Data Protection Commission or any other relevant supervisory authority.
   

Conclusion

By following these practical steps, data subjects can give valid consent and exercise control over their personal data in accordance with the Nigeria Data Protection Act 2023. It is important for individuals to be aware of their rights and to take an active role in managing their personal information. Data controllers have a responsibility to provide clear and transparent information to data subjects and to respect their rights and choices regarding the processing of personal data.

Consent Control Data Nigeria Consent Control Data Nigeria Consent Control Data Nigeria