Data Subject Rights in Nigeria: Legal Requirements and Limits


Data Subject Rights in Nigeria: What They Mean and What Businesses Must Do

Most Nigerian businesses treat data subject rights in Nigeria as a consumer protection issue, something that sits on the legal team’s radar and rarely comes up in practice. That framing creates real risk.

Data subject rights are enforceable legal rights under the Nigeria Data Protection Act 2023 (NDPA), administered by the Nigeria Data Protection Commission (NDPC). They are also an operational compliance obligation. Every business that collects personal data from customers, employees, or website visitors will eventually receive a request to access, correct, delete, or restrict that data. The penalties for getting it wrong, or for not responding at all, are real.

This article covers all eight rights under the NDPA, explains where each right has limits, and walks through what businesses must do operationally to stay compliant. We also address the tension between data subject rights and other Nigerian regulatory requirements that businesses in financial services and healthcare regularly face.

This article is part of PlanetWeb’s NDPA compliance series. See our NDPA Compliance Guide for Nigerian Businesses and our breakdown of the Key Features of the NDPA 2023 for broader context.

What Data Subject Rights Are and Who Holds Them

Under the NDPA 2023, a data subject is any living individual whose personal data is being processed. Your customers are data subjects. So are job applicants, newsletter subscribers, and anyone whose contact details sit in your CRM.

The point that most Nigerian business owners are surprised to learn: your employees are data subjects, too. Every staff member has the same rights under the NDPA over their HR records, payroll data, performance reviews, attendance logs, and workplace monitoring data as any external customer does. Organisations that have built a clear customer-facing data request process but ignored their internal HR obligations are only half-compliant.

These rights apply regardless of how or when the data was collected. A customer who consented to marketing five years ago can exercise their rights over that data today. A former employee may still have valid rights over records the organisation continues to hold.

The Nigeria Data Protection Commission is the enforcement authority for these rights.

The Eight Rights Under the NDPA: What They Mean and Where They Have Limits

Right of Access

Any individual can request a copy of the personal data a business holds about them, along with information about how it is being used. This is called a Data Subject Access Request, or DSAR.

Say Tolu applies for a loan at a Nigerian fintech, gets declined, and suspects the decision was based on incorrect information. He submits an access request. The fintech must respond within 30 days with a copy of his data, the purposes for which it is being processed, and who it has been shared with.

A valid access request does not need to cite the NDPA. If someone emails asking what personal data you hold about them, the 30-day clock starts that day.

One limit: requests that are manifestly unfounded or excessive can be refused or charged a reasonable fee. The burden of proving that a request is excessive rests with the business.

Right to Rectification

If a business holds inaccurate or incomplete data about an individual, that person can request a correction. This comes up frequently in credit records, employee files, and customer account profiles.

Say Musa discovers his employer’s HR system has his date of birth recorded incorrectly, affecting his pension contributions. He has the right to request a correction. There are no significant limits on this right, but the business must be satisfied that the correction is accurate before making it.

Right to Erasure

Individuals can ask a business to delete their personal data when it is no longer needed for its original purpose, when consent has been withdrawn, or when it was processed unlawfully.

Ada, a former customer of a logistics company who has not used the service in three years, wants her account and data deleted. The company has no continuing legal basis to hold it. Her request is valid.

The critical limit: erasure can be refused when retaining the data is necessary to comply with a legal obligation. CBN guidelines require financial institutions to retain certain records for defined periods. Tax regulations from the NRS (formerly the FIRS) impose their own record retention requirements. A business that deletes records in response to an erasure request and thereby breaches CBN or NRS requirements has traded one compliance problem for another.

Erasure can also be refused to establish or defend a legal claim, such as an ongoing employment dispute.

Right to Restrict Processing

Restriction is not deletion. The individual is asking that their data not be actively used while a dispute or investigation is pending, typically one about the accuracy of the data itself.

If Emeka is contesting the accuracy of his credit record with a financial institution, he can ask that processing of that data be restricted while the dispute is investigated. The data stays in the system but cannot be used to inform decisions during that period.

Operationally, this means businesses need a mechanism to flag records as restricted, not just a note in someone’s inbox.

Right to Data Portability

This right allows individuals to receive their personal data in a structured, machine-readable format and transfer it to another service provider.

It has specific conditions. It applies only to data processed by automated means and only where the legal basis is consent or contract, not legitimate interests or a legal obligation. For Nigerian fintechs and SaaS platforms, this right has direct technical implications: if your system cannot export user data in a portable format, that is a gap to address.

Right to Object

This right has two distinct contexts, and the distinction matters.

Objecting to processing based on legitimate interests can be overridden if the business can demonstrate compelling grounds that outweigh the individual’s interests. But objecting to direct marketing is absolute. If someone tells you they do not want their data used for marketing, you stop. You cannot argue legitimate interests. You cannot ask them to justify the request.

Businesses that apply the “we can override it” logic to direct marketing opt-outs are making a compliance error.

Right to Be Informed

Individuals have the right to know, at the point their data is collected, who is collecting it, why, on what legal basis, how long it will be retained, and with whom it may be shared. This is what your privacy notice, consent language, and cookie banner are supposed to communicate.

If your purposes for processing change at any point, individuals must be informed of that change. The right to be informed is an ongoing obligation, not a one-time policy exercise.

Right in Relation to Automated Decision-Making and Profiling

This is the most underexplained right in most Nigerian compliance discussions, and its relevance is growing as local fintechs and HR platforms increasingly use algorithmic tools.

The right applies when a decision with significant effects on an individual is made solely by automated means, without meaningful human involvement. The key phrase is “solely automated.” If a meaningful human review occurs before the decision is finalised, the right may not apply. Credit scoring systems, AI-based hiring filters, fraud detection algorithms, and behavioural profiling tools all fall within the scope where no such review takes place.

An individual subject to an automated decision has the right to request human review and an explanation of how the decision was reached. If your business uses automated scoring or profiling that significantly affects customers or employees, you need a defined process for handling these requests.

For a comparison of how the NDPA approaches automated decision-making relative to the GDPR, see our NDPA vs GDPR analysis.

Rights That Are Absolute vs. Rights That Require Assessment

Not all data subject rights carry the same weight. Treating every request as automatically valid is as risky as treating every request as optional. The right to object to direct marketing is absolute and cannot be refused. Others depend on whether specific conditions are met. Erasure, restriction, and portability all require the business to assess the conditions before deciding how to respond.

This distinction matters in both directions. Businesses sometimes refuse valid requests by treating all rights as conditional when some are not. And individuals sometimes expect compliance with requests that the law does not require, for example, an erasure request during active litigation. Getting this wrong on either side creates problems.

The Tension Between Data Subject Rights and Regulatory Retention Requirements

For businesses in financial services, healthcare, and other regulated sectors, data subject rights do not operate in isolation. Other Nigerian laws impose mandatory retention obligations that can directly conflict with an erasure or restriction request.

CBN guidelines require financial institutions to retain KYC documents and transaction records for defined periods. NRS (formerly FIRS) regulations govern tax record retention. NDPC sector guidelines for healthcare set their own retention schedules. These requirements exist for audit trail, anti-money-laundering, and dispute-resolution purposes.

When a customer submits an erasure request, and you are legally required to retain the relevant data, the right approach is to refuse the erasure on the basis of legal obligation, communicate this in writing to the requester, specify what data is being retained and why, and confirm when it will be deleted once the retention period expires.

Invoking a legal obligation as a basis for refusing erasure is legitimate. But the business must actually be under that obligation and must not retain more than what is legally required.

How Businesses Must Handle Requests Operationally

The 30-day window. The clock starts on receipt of the request, not when it is read or assigned internally. A request that arrives in a general inbox on Monday starts the clock on Monday. In complex cases, the window can be extended by up to two additional months, but the requester must be notified of the extension within the original 30-day period.

Identity verification. Businesses may verify that a request comes from the person whose data it concerns, but the check must be proportionate to the request. Asking a customer to confirm their account email or answer a security question is proportionate. Requiring notarised identity documents for a simple rectification request is not, and verification steps must not be used to run down the 30-day clock. The ICO’s guidance on handling DSARs provides a useful reference for what proportionate verification looks like, even though it is based on UK law.

Refusing a request properly. A justified refusal that is handled poorly is still a compliance failure. Any refusal must be in writing, cite the specific legal basis, inform the individual of their right to escalate to the NDPC, and be issued within the 30-day window. Not responding at all is not a refusal: it is a breach.

Record-keeping. The NDPC can request evidence during an audit that requests were handled properly. Maintain a log of all incoming requests: date received, request type, action taken, response issued, and response date.

Routing requests correctly. If a request sits unactioned in a general support inbox for two weeks before anyone realises what it is, those two weeks still count against the 30-day window. Your internal process needs to ensure requests are identified and routed to someone with authority to act on them from the moment they arrive.
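The handling rules in this section (the clock starts on receipt, an extension must be notified within the original window, a refusal must be written, cite a basis and state the NDPC escalation route, and every request needs a log entry) and the record-level restriction flag called for under Right to Restrict Processing can be enforced in code rather than left to inbox discipline. The following is an added example written for this article, not PlanetWeb’s own tooling: a minimal Python request tracker. The 60-day cap used to model “up to two additional months”, the `RequestType` enum, and the names and dates in the sample run are assumptions for illustration.

```python
"""Minimal data-subject-request tracker (illustrative example, not PlanetWeb code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

RESPONSE_DAYS = 30        # response window described in the article
MAX_EXTENSION_DAYS = 60   # assumption: "up to two additional months" modelled as 60 days


class RequestType(Enum):
    ACCESS = "access"
    RECTIFICATION = "rectification"
    ERASURE = "erasure"
    RESTRICTION = "restriction"
    PORTABILITY = "portability"
    OBJECTION = "objection"
    AUTOMATED_DECISION = "automated_decision"


class DeadlineError(ValueError):
    """An action would breach the response-window rules."""


class RefusalError(ValueError):
    """A refusal is missing a required element."""


class RestrictedRecordError(RuntimeError):
    """A restricted record was about to be used to inform a decision."""


@dataclass
class Request:
    ref: str
    subject_id: str
    kind: RequestType
    received: date                    # clock starts on receipt, not on triage
    due: date = field(init=False)
    extended_to: date | None = None
    outcome: str | None = None        # "fulfilled" or "refused"
    legal_basis: str | None = None    # mandatory when refused
    responded_on: date | None = None
    log: list[str] = field(default_factory=list)  # the audit trail the NDPC may ask for

    def __post_init__(self) -> None:
        self.due = self.received + timedelta(days=RESPONSE_DAYS)
        self.log.append(f"{self.received} received {self.kind.value} request")

    @property
    def deadline(self) -> date:
        return self.extended_to or self.due


def extend(req: Request, notified_on: date, extra_days: int, reason: str) -> date:
    """Extend the window; the requester must be told within the ORIGINAL window."""
    if notified_on > req.due:
        raise DeadlineError("extension notice sent after the original window closed")
    if not 0 < extra_days <= MAX_EXTENSION_DAYS:
        raise DeadlineError("extension exceeds the permitted maximum")
    req.extended_to = req.due + timedelta(days=extra_days)
    req.log.append(f"{notified_on} extended to {req.extended_to}: {reason}")
    return req.extended_to


def refuse(req: Request, on: date, legal_basis: str, escalation_notice: bool) -> None:
    """A refusal must be written, cite a basis, and state the right to complain to the NDPC."""
    if not legal_basis.strip():
        raise RefusalError("refusal must cite the specific legal basis")
    if not escalation_notice:
        raise RefusalError("refusal must inform the subject of the right to complain to the NDPC")
    req.outcome, req.legal_basis, req.responded_on = "refused", legal_basis, on
    req.log.append(f"{on} refused: {legal_basis}; NDPC escalation route stated")


def fulfil(req: Request, on: date) -> None:
    req.outcome, req.responded_on = "fulfilled", on
    req.log.append(f"{on} fulfilled")


def is_overdue(req: Request, today: date) -> bool:
    """An open request past its deadline is a breach, whatever the inbox says."""
    return req.outcome is None and today > req.deadline


def responded_late(req: Request) -> bool:
    return req.responded_on is not None and req.responded_on > req.deadline


# Restriction lives on the record itself, not in a note in someone's inbox.
def restrict(records: dict[str, dict], subject_id: str, reason: str) -> None:
    records[subject_id]["restricted"] = True
    records[subject_id]["restriction_reason"] = reason


def use_for_decision(records: dict[str, dict], subject_id: str) -> dict:
    """Decision pipelines fetch data through here; restricted records are refused, not scored."""
    rec = records[subject_id]
    if rec.get("restricted"):
        raise RestrictedRecordError(f"{subject_id}: restricted ({rec['restriction_reason']})")
    return rec


if __name__ == "__main__":
    # Constructed sample: a restriction request during an accuracy dispute.
    records = {"emeka": {"credit_score": 612}}
    req = Request("DSR-001", "emeka", RequestType.RESTRICTION, date(2026, 3, 2))
    restrict(records, "emeka", "accuracy dispute pending")
    fulfil(req, date(2026, 3, 10))
    for line in req.log:
        print(line)
```

The design choice worth noting is that the restriction check sits on the data access path (`use_for_decision`), so a scoring job that ignores the flag fails loudly instead of quietly producing a decision on disputed data. The tracker likewise refuses to record an extension that was notified after the original window, which is the error most likely to slip past a manual process.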

The NDPC Complaint Process: What to Expect

If an individual believes their rights have been violated, they can file a complaint with the Nigeria Data Protection Commission. Complaints can also arise from proactive NDPC audits or media reports of data handling failures.

Beyond financial penalties, the NDPC can impose mandatory deletion orders, require policy changes, issue public statements of non-compliance, and, for entities in regulated sectors, notify the relevant sector regulator. The Commission’s posture has shifted from awareness-building to structured enforcement.

When a business receives notice of an NDPC complaint, ignoring it or responding minimally is the worst possible approach. A prompt, documented, good-faith response that shows the original request was taken seriously, even if it was refused on legitimate grounds, is far more likely to produce a manageable outcome than silence.

What Employees Need to Know (And What Employers Must Prepare For)

The NDPA applies to employee data with the same force as it applies to customer data. An employee can submit a data subject access request for their own HR file, and the employer must respond within 30 days. Inaccurate entries in a performance review can be challenged and corrected. A former employee retains the right to ask the organisation what data it continues to hold about them.

Employers must not delete employment records needed for tax and payroll compliance or to defend against a potential employment claim. But they cannot retain records indefinitely simply because it is convenient.

The practical gap for most Nigerian employers is that they have built a process for handling customer data requests, but have no equivalent for employee data. A separate but consistent internal process, with clear ownership and a documented workflow, is not optional under the NDPA.

Conclusion and Next Steps

Data subject rights under the NDPA are not complicated once you understand the structure of each right, where the limits sit, and what the operational requirements look like. The businesses that struggle are usually not those that deliberately ignored these obligations. They are businesses that had no process in place when requests started arriving.

Building that process requires clear internal ownership, a basic request log, staff who can identify and route requests correctly, and a documented response framework that covers both customer and employee data.

For a full picture of your NDPA obligations beyond data subject rights, read our NDPA Compliance Guide for Nigerian Businesses and our Data Protection Compliance Strategies guide.

If your business needs help building a data subject request handling process or conducting a data protection readiness review, get in touch with PlanetWeb.

Frequently Asked Questions

What are data subject rights under the NDPA 2023?
Data subject rights are legal rights granted to individuals under the Nigeria Data Protection Act 2023, giving them control over how their personal data is collected, processed, and retained by organisations.
Who qualifies as a data subject in Nigeria?
Any living individual whose personal data is being processed qualifies, including customers, employees, job applicants, website visitors, and newsletter subscribers.
How long does a business have to respond to a data request?
Businesses must respond within 30 days of receiving the request. In complex cases this can be extended by up to two additional months, but the requester must be notified of the extension within the original 30-day window.
Can a business refuse a data subject request?
Yes, in specific circumstances, such as when the request is manifestly unfounded, excessive, or conflicts with a legal retention obligation. Any refusal must be in writing, cite the legal basis, and inform the individual of their right to complain to the NDPC.
What is the right to erasure and when can it be denied?
The right to erasure allows individuals to request deletion of their personal data. It can be denied when the data must be retained to comply with a legal obligation such as CBN or NRS (formerly FIRS) requirements, to establish or defend a legal claim, or where processing serves the public interest.
Do employees have data subject rights over their HR records?
Yes. Employees have the same rights under the NDPA as any external data subject, including the right to access their HR file, request corrections to inaccurate records, and ask what data is being held and why.
What happens if a business ignores a data subject request?
Ignoring a request is itself a compliance failure. The individual can file a complaint with the NDPC, which can impose fines, mandatory deletion orders, required policy changes, and other enforcement measures.
What is the difference between the right to object and the right to restrict processing?
The right to object challenges whether the business should be processing the data at all. The right to restrict accepts that the data may need to remain but asks that it not be actively used, typically while a dispute or investigation is pending.