🗓️ Last updated: June 4, 2025
Introduction: Why Your Data Rights Matter
You download a loan app. Suddenly, it’s asking for your contacts, camera, and even your call history. Next thing? Random SMS offers from brands you’ve never heard of. It’s not paranoia; it’s your personal data, passed around without your say.
The good news? Under Nigeria’s Data Protection Act (NDPA) 2023, you’ve got power. Legal rights. Control. This isn’t something only lawyers or tech bros should care about. Whether you’re selling thrift on WhatsApp or running a SaaS startup, your digital footprint matters, and you have every right to protect it.
📘 Learn more: Want the full breakdown of Nigeria’s data protection law? Explore the Nigeria Data Protection Act 2023
I. Quick Snapshot of Your Data Subject Rights in Nigeria
The NDPA gives you eight rights. Think of them as your digital control panel. Here’s what each one means in plain Nigerian English:
| Your Right | What It Really Means |
|---|---|
| Access | Ask any company, “What data do you have on me?” |
| Rectification | Fix the wrong details they have on file. |
| Erasure | Tell them to delete your data permanently. |
| Object | Say no to marketing or profiling. |
| Restrict Processing | Pause how they use your data – like putting it on hold. |
| Data Portability | Move your data from one company to another. |
| Be Informed | Know what they’re collecting and why – upfront. |
| Withdraw Consent | Change your mind anytime. Even after you said yes. |
Every one of these rights is enforceable. Whether you’re dealing with your telco, bank, online store, or a slick new fintech app, they can’t act like your data is theirs to trade.
🔍 See what the UN says about digital privacy. UN Digital Privacy Guidelines
II. Each Right Explained (With Real-Life Examples)
🔍 Access
What it means: You have the right to ask any company, “What do you know about me?”
Why it matters: It’s your data. You deserve to see it.
Scenario: Tolu uses a buy-now, pay-later (BNPL) app. She wants to know if they’re tracking her spending habits. She emails their Data Protection Officer (DPO), including her registered phone number and email, and asks for a copy of everything they’ve.
✏️ Rectification
What it means: You can correct wrong info they’ve got on you.
Why it matters: Wrong data can mess up your credit, applications, or even legal standing.
Scenario: Musa applies for a job. HR pulls data from a background checker, and his name is misspelled. He sends a correction email with the proper ID.
🗑️ Erasure
What it means: Also called the “right to be forgotten.” You can request that a company delete your data.
Why it matters: Sometimes you want to close the chapter, and your data shouldn’t live on after you do.
Scenario: Ada deletes her online shopping account. She also asks the site to wipe all records of her purchases and card info.
🚫 Object
What it means: You can tell a company to stop using your data for certain things.
Why it matters: Like when a telco keeps texting you “Dear customer…” after you said no.
Scenario: Kunle gets nonstop marketing SMS from a telecom provider. He writes in to say, “Stop using my number for ads.” That’s a legal request now.
⏸️ Restrict Processing
What it means: Pause how your data is being used while you sort things out.
Why it matters: Sometimes you need time, like when disputing a transaction.
Scenario: Zainab sees an unusual login to her bank app. She tells them to freeze any non-essential data use while she investigates.
🔄 Data Portability
What it means: Get your data in a format that lets you move to a different provider.
Why it matters: Makes switching easy, just like porting your phone number.
Scenario: Efe’s moving from one insurance app to another. He requests that his data be exported and transferred in a machine-readable format, such as CSV, as required under the NDPA.
📢 Be Informed
What it means: Companies must inform you of what they’re collecting and why before collecting it.
Why it matters: No more shady sign-up forms that skip the details.
Scenario: Amaka downloads a budgeting app. She checks their privacy notice and sees they’re tracking SMS alerts. Red flag? Maybe. Always check the privacy policy before signing up.
📖 Learn how to spot a good privacy policy. Mozilla’s Privacy Tips
❌ Withdraw Consent
What it means: Gave permission before? You can take it back anytime.
Why it matters: Consent isn’t forever. You’re in control.
Scenario: Chidi agreed to data sharing for “product improvements.” Months later, he changes his mind. Sends a revocation email. That’s valid.
III. What Happens After You Make a Request
So, you’ve filed a request to view your data, make a change, or request its deletion. What now?
Here’s how it typically plays out:
⏳ Step-by-step timeline
- Send your request — be clear, state your right, and attach a valid ID.
- The company acknowledges — they must confirm they got your request.
- They act — they’ve got 30 days to respond. By law.
No stalling. No ghosting. No, “We’ll get back to you.” That 30-day clock starts the day they get your request.
🚫 If they delay or refuse:
Some reasons might be legit — like if your request is excessive, repetitive, or vague. But they must still respond, explain why, and prove it’s justified.
And if they charge a fee? It must be reasonable and not used to block your rights. (You’re not paying them to obey the law.)
Bottom line? If they remain silent after 30 days or their excuse sounds suspicious, escalate the matter. Next stop: the NDPC.
IV. What If They Don’t Respond? Escalate to the NDPC
If a company ignores your request or gives you a half-baked response, you don’t have to take it lying down. That’s where the Nigeria Data Protection Commission (NDPC) steps in.
📝 What to Gather First
Before you file a complaint, gather your evidence:
- A copy of your original request
- Proof that you sent it (screenshot, delivery receipt, email trail)
- Any response you got (or didn’t get)
This helps you build your case. The NDPC will not operate based on feelings or assumptions; they need documentation.
🧭 How to Escalate
- Visit the NDPC complaints portal (or their current complaint page)
- Fill out the complaint form or email them directly
- Attach your evidence and explain what happened
That’s it. You don’t need a lawyer. You don’t need fancy legal English. Just state the facts clearly.
⌛ What Happens Next?
The NDPC will review your complaint. They might:
- Contact the company for clarification
- Investigate the matter
- Demand compliance or issue penalties
It might take some time, but this is your legal right, and companies that violate data rights are finally being held accountable in Nigeria.
So don’t shrug it off. If they ignore you or play games with your request, report them to the relevant authorities. That’s how change starts.
📨 Need help filing a complaint? Here’s how to escalate a data violation in Nigeria
V. Common Mistakes That Can Derail Your Request
Although your rights are legally protected, how you exercise them is crucial. A sloppy or unclear request can slow things down or even get ignored. Here’s how to stay sharp:
🚫 Mistake 1: No Valid ID Attached
It may sound simple, but many people overlook this crucial aspect. Without verifying your identity, companies won’t act. Always attach a clear photo of a government-issued ID, such as your NIN slip, voter card, or passport.
🧭 Mistake 2: Sending to the Wrong Email
Your request won’t go far if it’s sent to support@ or hello@. Look for the company’s Data Protection Officer (DPO) email, which is often listed in the privacy policy. If they don’t have one, send it to their legal or compliance team.
💬 Mistake 3: Vague or Confusing Requests
Be direct. Say exactly what you want and which right you’re invoking. Example:
“I am exercising my right to erasure under the NDPA. Please delete all personal data associated with my account.”
Not:
“I’m not happy with how you’re using my information. Please fix it.”
📌 Mistake 4: No Mention of the Service or Account
If you’ve used multiple services from a provider (say, loan + wallet + savings app), be specific about which one your request relates to. Include your registered email address or phone number to make it easier to trace.
🗂️ Mistake 5: No Proof of Submission
If you send a request, keep a copy for your records. Save the email, take a screenshot of the delivery, and log the date. If you ever need to escalate, this will serve as your evidence.
Making a solid request puts you in a strong position. Sloppy requests get delayed or, worse, silence. Don’t give them a reason to ignore you.
VI. Heads Up, Business Owners: Data Rights Go Both Ways
Think data rights only concern consumers? Think again. If your business collects any kind of personal data – names, emails, phone numbers, photos, purchase history, you’re responsible for protecting those rights.
📢 Running a business? Read our guide on Data Protection Compliance in Nigeria
Here’s what Nigerian businesses and startups need to know:
📌 You Must Respond to Data Requests
When a user asks to see, fix, delete, or move their data, you’re on the clock. Respond within 30 days with no excuses. Ignoring or delaying can lead to complaints and fines.
💼 See global best practices for handling data requests. ICO UK’s DSAR Handling Guide
🧰 You Need a Process
Don’t wait until a request hits your inbox. Have a clear plan for:
- Verifying identities
- Routing requests to the right person (usually your DPO)
- Logging and tracking requests
💼 You Should Appoint a DPO
Under the NDPA, every data controller (i.e., most companies) is required to designate a Data Protection Officer (DPO). This person is responsible for all matters related to data compliance and user rights. If you don’t have one, that’s a red flag already.
💸 Non-Compliance Isn’t Cheap
The NDPC can fine violators up to ₦10 million or 2% of annual gross revenue, whichever is higher. That’s enough to hurt.
In short: get your house in order. Treat data rights with the same seriousness you’d treat a tax audit or legal dispute. It’s no longer optional.
VII. Data Rights in Action: Real Stories, Real Impact
What does exercising your data rights actually look like in the wild? Here are anonymized Nigerian scenarios based on real NDPC cases and industry reports:
📲 Fintech Mishandles User Data
A user discovered that a digital loan app accessed their entire contact list and began sending messages to friends and family. The user requested an erasure and objected to further processing. The company refused. Complaint filed. The NDPC ordered an apology and deletion, and the company now faces regulatory scrutiny.
📡 Telco Ignores Opt-Out
A telecom subscriber continued to receive unsolicited promotional messages despite opting out multiple times. After filing a formal objection and receiving no reply, the user escalated the matter to the NDPC. The commission ruled in their favor and issued a warning to the provider.
🛒 E-commerce Privacy Violation
A customer noticed that their purchase history and phone number were visible on a merchant dashboard shared with third-party sellers. The user exercised their right to access and restrict. After an internal review, the company restricted access, issued an apology, and updated its policy.
What This Shows
These aren’t hypotheticals; this is the law in motion. Nigerians are beginning to take back control. And regulators are paying attention.
🔎 Want more examples? See our Nigeria Data Breach Case Studies
VIII. Visual Summary: Know Your Flow, Own Your Rights
Here’s how your data rights journey plays out and how to act if things go wrong.
🔄 Step-by-Step: Exercising Your Rights
- Decide your rights: Access, delete, object, etc.
- Draft your request: Be clear, mention your rights, and include your ID.
- Send it to the DPO: Look for the privacy contact.
- Wait 30 days: That’s the legal response time.
- No response? Escalate: Gather evidence and submit it to the NDPC.
🛡️ Escalation Path
- Keep records: Request + response + follow-up
- File a complaint to NDPC via email or portal
- Expect investigation and feedback
Use this like a checklist. Bookmark it. Share it. Forward it to the friend ranting about that one fintech that never replies.
IX. Final Takeaway: This Is Your Data. Own It.
You don’t need to be a lawyer. You don’t need special tools. If a company holds your data, you have rights, and now you know how to use them.
Whether you’re opting out of spammy SMS messages or demanding full access to your data footprint, the NDPA gives you legal firepower.
Don’t sit quietly. Don’t shrug off shady data practices. Ask questions. File requests. Demand transparency. And when they stall? Escalate.
Take control of your digital footprint today.
👉 Read more in our NDPA Series
👉 Need help with a data rights request? Contact PlanetWeb
Your privacy is worth protecting, and now you know how to do so.
