Data Subject Rights in Nigeria: Know Your NDPA 2023 Digital Rights

Data Subject Rights in Nigeria

🗓️ Last updated: June 4, 2025

Introduction: Why Your Data Rights Matter

You download a loan app. Suddenly, it’s asking for your contacts, camera, and even your call history. Next thing? Random SMS offers from brands you’ve never heard of. It’s not paranoia; it’s your personal data, passed around without your say.

The good news? Under Nigeria’s Data Protection Act (NDPA) 2023, you’ve got power. Legal rights. Control. This isn’t something only lawyers or tech bros should care about. Whether you’re selling thrift on WhatsApp or running a SaaS startup, your digital footprint matters, and you have every right to protect it.

📘 Learn more: Want the full breakdown of Nigeria’s data protection law? Explore the Nigeria Data Protection Act 2023

I. Quick Snapshot of Your Data Subject Rights in Nigeria

The NDPA gives you eight rights. Think of them as your digital control panel. Here’s what each one means in plain Nigerian English:

Your RightWhat It Really Means
AccessAsk any company, “What data do you have on me?”
RectificationFix the wrong details they have on file.
ErasureTell them to delete your data permanently.
ObjectSay no to marketing or profiling.
Restrict ProcessingPause how they use your data – like putting it on hold.
Data PortabilityMove your data from one company to another.
Be InformedKnow what they’re collecting and why – upfront.
Withdraw ConsentChange your mind anytime. Even after you said yes.

Every one of these rights is enforceable. Whether you’re dealing with your telco, bank, online store, or a slick new fintech app, they can’t act like your data is theirs to trade.

The Six Fundamental Data Subject Rights: An In-Depth Exploration
Explore essential data subject rights in this infographic, highlighting access, correction, deletion, portability, and processing restrictions.

🔍 See what the UN says about digital privacy. UN Digital Privacy Guidelines

II. Each Right Explained (With Real-Life Examples)

🔍 Access

What it means: You have the right to ask any company, “What do you know about me?”

Why it matters: It’s your data. You deserve to see it.

Scenario: Tolu uses a buy-now, pay-later (BNPL) app. She wants to know if they’re tracking her spending habits. She emails their Data Protection Officer (DPO), including her registered phone number and email, and asks for a copy of everything they’ve.

✏️ Rectification

What it means: You can correct wrong info they’ve got on you.

Why it matters: Wrong data can mess up your credit, applications, or even legal standing.

Scenario: Musa applies for a job. HR pulls data from a background checker, and his name is misspelled. He sends a correction email with the proper ID.

🗑️ Erasure

What it means: Also called the “right to be forgotten.” You can request that a company delete your data.

Why it matters: Sometimes you want to close the chapter, and your data shouldn’t live on after you do.

Scenario: Ada deletes her online shopping account. She also asks the site to wipe all records of her purchases and card info.

🚫 Object

What it means: You can tell a company to stop using your data for certain things.

Why it matters: Like when a telco keeps texting you “Dear customer…” after you said no.

Scenario: Kunle gets nonstop marketing SMS from a telecom provider. He writes in to say, “Stop using my number for ads.” That’s a legal request now.

⏸️ Restrict Processing

What it means: Pause how your data is being used while you sort things out.

Why it matters: Sometimes you need time, like when disputing a transaction.

Scenario: Zainab sees an unusual login to her bank app. She tells them to freeze any non-essential data use while she investigates.

🔄 Data Portability

What it means: Get your data in a format that lets you move to a different provider.

Why it matters: Makes switching easy, just like porting your phone number.

Scenario: Efe’s moving from one insurance app to another. He requests that his data be exported and transferred in a machine-readable format, such as CSV, as required under the NDPA.

📢 Be Informed

What it means: Companies must inform you of what they’re collecting and why before collecting it.

Why it matters: No more shady sign-up forms that skip the details.

Scenario: Amaka downloads a budgeting app. She checks their privacy notice and sees they’re tracking SMS alerts. Red flag? Maybe. Always check the privacy policy before signing up.

📖 Learn how to spot a good privacy policy. Mozilla’s Privacy Tips

❌ Withdraw Consent

What it means: Gave permission before? You can take it back anytime.

Why it matters: Consent isn’t forever. You’re in control.

Scenario: Chidi agreed to data sharing for “product improvements.” Months later, he changes his mind. Sends a revocation email. That’s valid.

III. What Happens After You Make a Request

So, you’ve filed a request to view your data, make a change, or request its deletion. What now?

Here’s how it typically plays out:

⏳ Step-by-step timeline

  1. Send your request — be clear, state your right, and attach a valid ID.
  2. The company acknowledges — they must confirm they got your request.
  3. They act — they’ve got 30 days to respond. By law.

No stalling. No ghosting. No, “We’ll get back to you.” That 30-day clock starts the day they get your request.

🚫 If they delay or refuse:

Some reasons might be legit — like if your request is excessive, repetitive, or vague. But they must still respond, explain why, and prove it’s justified.

And if they charge a fee? It must be reasonable and not used to block your rights. (You’re not paying them to obey the law.)

Bottom line? If they remain silent after 30 days or their excuse sounds suspicious, escalate the matter. Next stop: the NDPC.

IV. What If They Don’t Respond? Escalate to the NDPC

If a company ignores your request or gives you a half-baked response, you don’t have to take it lying down. That’s where the Nigeria Data Protection Commission (NDPC) steps in.

📝 What to Gather First

Before you file a complaint, gather your evidence:

  • A copy of your original request
  • Proof that you sent it (screenshot, delivery receipt, email trail)
  • Any response you got (or didn’t get)

This helps you build your case. The NDPC will not operate based on feelings or assumptions; they need documentation.

🧭 How to Escalate

  1. Visit the NDPC complaints portal (or their current complaint page)
  2. Fill out the complaint form or email them directly
  3. Attach your evidence and explain what happened

That’s it. You don’t need a lawyer. You don’t need fancy legal English. Just state the facts clearly.

⌛ What Happens Next?

The NDPC will review your complaint. They might:

  • Contact the company for clarification
  • Investigate the matter
  • Demand compliance or issue penalties

It might take some time, but this is your legal right, and companies that violate data rights are finally being held accountable in Nigeria.

So don’t shrug it off. If they ignore you or play games with your request, report them to the relevant authorities. That’s how change starts.

📨 Need help filing a complaint? Here’s how to escalate a data violation in Nigeria

V. Common Mistakes That Can Derail Your Request

Although your rights are legally protected, how you exercise them is crucial. A sloppy or unclear request can slow things down or even get ignored. Here’s how to stay sharp:

🚫 Mistake 1: No Valid ID Attached

It may sound simple, but many people overlook this crucial aspect. Without verifying your identity, companies won’t act. Always attach a clear photo of a government-issued ID, such as your NIN slip, voter card, or passport.

🧭 Mistake 2: Sending to the Wrong Email

Your request won’t go far if it’s sent to support@ or hello@. Look for the company’s Data Protection Officer (DPO) email, which is often listed in the privacy policy. If they don’t have one, send it to their legal or compliance team.

💬 Mistake 3: Vague or Confusing Requests

Be direct. Say exactly what you want and which right you’re invoking. Example:

“I am exercising my right to erasure under the NDPA. Please delete all personal data associated with my account.”

Not:

“I’m not happy with how you’re using my information. Please fix it.”

📌 Mistake 4: No Mention of the Service or Account

If you’ve used multiple services from a provider (say, loan + wallet + savings app), be specific about which one your request relates to. Include your registered email address or phone number to make it easier to trace.

🗂️ Mistake 5: No Proof of Submission

If you send a request, keep a copy for your records. Save the email, take a screenshot of the delivery, and log the date. If you ever need to escalate, this will serve as your evidence.

Making a solid request puts you in a strong position. Sloppy requests get delayed or, worse, silence. Don’t give them a reason to ignore you.

VI. Heads Up, Business Owners: Data Rights Go Both Ways

Think data rights only concern consumers? Think again. If your business collects any kind of personal data – names, emails, phone numbers, photos, purchase history, you’re responsible for protecting those rights.

📢 Running a business? Read our guide on Data Protection Compliance in Nigeria

Here’s what Nigerian businesses and startups need to know:

📌 You Must Respond to Data Requests

When a user asks to see, fix, delete, or move their data, you’re on the clock. Respond within 30 days with no excuses. Ignoring or delaying can lead to complaints and fines.

💼 See global best practices for handling data requests. ICO UK’s DSAR Handling Guide

🧰 You Need a Process

Don’t wait until a request hits your inbox. Have a clear plan for:

  • Verifying identities
  • Routing requests to the right person (usually your DPO)
  • Logging and tracking requests

💼 You Should Appoint a DPO

Under the NDPA, every data controller (i.e., most companies) is required to designate a Data Protection Officer (DPO). This person is responsible for all matters related to data compliance and user rights. If you don’t have one, that’s a red flag already.

💸 Non-Compliance Isn’t Cheap

The NDPC can fine violators up to ₦10 million or 2% of annual gross revenue, whichever is higher. That’s enough to hurt.

In short: get your house in order. Treat data rights with the same seriousness you’d treat a tax audit or legal dispute. It’s no longer optional.

VII. Data Rights in Action: Real Stories, Real Impact

What does exercising your data rights actually look like in the wild? Here are anonymized Nigerian scenarios based on real NDPC cases and industry reports:

📲 Fintech Mishandles User Data

A user discovered that a digital loan app accessed their entire contact list and began sending messages to friends and family. The user requested an erasure and objected to further processing. The company refused. Complaint filed. The NDPC ordered an apology and deletion, and the company now faces regulatory scrutiny.

📡 Telco Ignores Opt-Out

A telecom subscriber continued to receive unsolicited promotional messages despite opting out multiple times. After filing a formal objection and receiving no reply, the user escalated the matter to the NDPC. The commission ruled in their favor and issued a warning to the provider.

🛒 E-commerce Privacy Violation

A customer noticed that their purchase history and phone number were visible on a merchant dashboard shared with third-party sellers. The user exercised their right to access and restrict. After an internal review, the company restricted access, issued an apology, and updated its policy.

What This Shows

These aren’t hypotheticals; this is the law in motion. Nigerians are beginning to take back control. And regulators are paying attention.

🔎 Want more examples? See our Nigeria Data Breach Case Studies

VIII. Visual Summary: Know Your Flow, Own Your Rights

Here’s how your data rights journey plays out and how to act if things go wrong.

Practical Steps to Exercise Your Rights
A concise infographic outlining the essential steps for exercising data subject rights and managing personal data effectively.

🔄 Step-by-Step: Exercising Your Rights

  1. Decide your rights: Access, delete, object, etc.
  2. Draft your request: Be clear, mention your rights, and include your ID.
  3. Send it to the DPO: Look for the privacy contact.
  4. Wait 30 days: That’s the legal response time.
  5. No response? Escalate: Gather evidence and submit it to the NDPC.

🛡️ Escalation Path

  • Keep records: Request + response + follow-up
  • File a complaint to NDPC via email or portal
  • Expect investigation and feedback

Use this like a checklist. Bookmark it. Share it. Forward it to the friend ranting about that one fintech that never replies.

IX. Final Takeaway: This Is Your Data. Own It.

You don’t need to be a lawyer. You don’t need special tools. If a company holds your data, you have rights, and now you know how to use them.

Whether you’re opting out of spammy SMS messages or demanding full access to your data footprint, the NDPA gives you legal firepower.

Don’t sit quietly. Don’t shrug off shady data practices. Ask questions. File requests. Demand transparency. And when they stall? Escalate.

Take control of your digital footprint today.

👉 Read more in our NDPA Series

👉 Need help with a data rights request? Contact PlanetWeb

Your privacy is worth protecting, and now you know how to do so.

X. Frequently Asked Questions

1. What are data subject rights in Nigeria under the NDPA 2023?
Data subject rights are legal powers granted to individuals under Nigeria’s Data Protection Act (NDPA) 2023. These include rights like access, correction, deletion, objection, and more — all aimed at helping you control how your personal data is used.
2. How do I send a valid data rights request?
Be clear, specific, and formal. Mention which right you’re invoking (e.g. “Right to Access”), include your full name and registered contact details, and attach a government-issued ID like your NIN slip or voter card.
3. What kind of ID should I include in my request?
You should attach a valid, clear form of identification to verify yourself. This can be your National Identification Number (NIN), voter card, driver’s license, or international passport.
4. Can a company refuse my request under the NDPA?
Yes, but only in specific cases. They may deny or delay requests that are excessive, repetitive, vague, or if they can’t confirm your identity. However, they must explain their reasons clearly — and you can still escalate to the NDPC.
5. How do I escalate to the NDPC if I’m ignored?
Visit the NDPC complaints portal, fill out the complaint form or email them with your original request, proof of submission, and any response received. The NDPC will investigate and take appropriate action.
6. Is NIN enough to verify identity in a data request?
In most cases, yes. A clear scan of your NIN slip or the number itself is usually sufficient, but companies may request additional verification depending on their policy. Always check their privacy notice for instructions.
7. Do small businesses also have to comply with the NDPA?
Yes. The NDPA applies to any organization — big or small — that processes personal data. This includes startups, online vendors, NGOs, and even individual service providers like tutors or freelancers if they collect user data.
8. What if I need help writing my data request?
You’re not alone. If you’re unsure what to say or how to format your request, reach out to PlanetWeb. We help Nigerians exercise their rights clearly and confidently.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top