Privacy Policy
The NDPA Compliance Tool is a technology platform (“Platform”, “Tool”) that provides self-assessment resources and tools designed to help organisations understand their potential obligations under the Nigeria Data Protection Act (the “NDPA”) and the General Application and Implementation Directive (the “GAID”). Our business involves providing NDPA/GAID self-assessment tools, compliance checklists, expert assistance, and related guidance features (Our “Services”). We are registered with the Nigeria Data Protection Commission (the “NDPC”) and regulated by them. If you have any questions about this Privacy Policy or how and why We process Personal Data, please contact Us at: privacy@dataprotectionaudit.ng
Our Privacy Policy has been prepared to meet the requirements of the extant NDPA. We are committed to protecting the confidentiality and privacy of all personally identifiable information (“Personal Data”) entrusted to Us through this website (“Website”). Our Privacy Policy, together with Our Terms of Use, explains the type of Personal Data We collect, when, how and why We collect Personal Data, the lawful basis for processing the Personal Data, how We use the Personal Data, the conditions under which We may disclose Personal Data to others, the efforts We take to keep Personal Data secure, and Your rights as regards Personal Data collected and processed. By using the Tool, You acknowledge that You have read and agree to Our Privacy Policy and Terms of Use, which are incorporated herein by reference.
The terms ‘You’ and ‘Your’ mean You as an individual or organisation accessing this Website and using the Tool. Where We make decisions on how Personal Data is used in connection with Our Services, We are acting as a Data Controller and will be responsible for the obligations of a Data Controller under the NDPA in connection with the processing of Personal Data. For example, We use this Privacy Policy and other notices to provide You with information about Our use of Personal Data, as required by the NDPA. Where We only use Personal Data requested by other Data Controllers, We would be acting as Data Processors, and those other Data Controllers are similarly responsible for the obligations of a Data Controller under the NDPA in connection with the processing of those categories of Personal Data. If You are using Our Services through those other Data Controllers, You should contact them if You have questions or concerns about the processing of Your Personal Data or compliance with the NDPA and other applicable laws.
We may update and modify this Privacy Policy from time to time, so please do return to the Website and review this Privacy Policy regularly. Unless otherwise stated, any updates to this Privacy Policy take effect when We post them on the Website. Your continued use of the Website for Our Services following an update to the Privacy Policy means that You are aware of the updated Privacy Policy and have no objections to any such updates. Please read the following carefully to understand Our views and practices regarding the processing of Your Personal Data.
What Personal Data Do We Collect?
We may hold and use various types of Personal Data collected at the start of, and during Your relationship with Us. We will limit the collection and processing of these Personal Data to what is necessary to achieve the purposes identified in this notice. The information You provide to Us must be correct, accurate, complete, and not misleading.
The Personal Data We collect includes:
1.1. Information You provide: Individual name, Company name, email address, and phone number.
1.2. Assessment Data
When You use the Tool, You provide responses to assessment questions. This information is processed entirely within Your web browser and is not transmitted to or stored on Our servers. Your assessment data remains on Your device and is cleared when You close the browser or refresh the page.
1.3. Automatically Collected Information, which includes:
- Device type and browser information
- IP address (anonymised where possible)
- Pages visited and time spent on the site
- Referring website
- General geographic location (country/region level)
- Cookies/similar tracking technologies
This information is collected through cookies and similar technologies for analytics purposes. See Our Cookie Policy for more details. In some circumstances, We may also collect and process special categories of Personal Data. This is to help ensure that Our Services are accessible and so that we can offer appropriate levels of support where required.
How We Use Your Personal Data
We use the Personal information You provide to process Your request for Our expert assistance with audit and/or remediation services.
We use the automatically collected information to:
- Understand how users interact with the Tool
- Improve the Tool's functionality and user experience
- Monitor and analyse usage trends
- Ensure the security and proper functioning of the Website
We may also use Your Personal Data to resolve support inquiries, investigate technical issues, contact You, ensure Platform security, detect fraud, prevent abuse, and comply with legal obligations under the NDPA and other applicable laws.
How We Collect Your Personal Data
We may collect Personal Data about You in the following ways:
Directly from You: When You voluntarily provide information via forms on the Platform (e.g., name, email, or organisation details for support or insights) or communicate with Us via email or support channels for expert assistance.
Automatically during use: By observing how You access and use the Platform (e.g., pages visited, device information, IP address (anonymized), cookies for usage analytics, and error logs).
Lawful Basis for Processing Your Personal Data
We collect and use Your Personal Data where it is necessary for Us to carry out Our lawful business activities. Our grounds for processing Your Personal Data are as follows:
Consent
For analytics cookies, where You have provided consent. You may withdraw consent anytime.
Legal obligation
We may process Your Personal Data where it is a legal or statutory obligation on Us. This may include processing to:
- Comply with the NDPA and GAID requirements for transparency, security, and data protection
- Respond to regulatory requests from the NDPC or law enforcement
- Maintain records as required by applicable law
Legitimate interest
We may process Your information when We have a business or commercial reason to do so. If We do, it must not unfairly go against what is right and best for You. If We rely on Our legitimate interest, We will tell You what that is. This may include processing to:
- Understand user interactions to improve the Tool functionality, user experience, and usage trends (using anonymized data)
- Monitor Platform performance, security, and proper functioning
- Detect fraud, abuse, or technical issues
- Conduct aggregated analytics for NDPA/GAID compliance insights (anonymized only)
- Assess how You use Our Website
Who Do We Share Your Personal Data with
We do not sell Your personal information. As a free public tool, We minimize sharing and only disclose Personal Data where essential. We may share anonymized, aggregated data (which cannot identify You) with:
- Analytics providers (e.g., Google Analytics) to help Us understand Our Website usage and improve the Tool.
- Hosting providers who supply infrastructure services for the Platform operation.
- Regulators (e.g., NDPC) or law enforcement, if required by law.
- IT/security providers for debugging, maintenance, and fraud prevention.
If We or Our assets are potentially to be acquired by a third party, or if We consider restructuring, anonymized Personal Data held by Us about You will be one of the transferred assets and may be shared during the potential transaction or restructuring process or as part of a mergers & acquisitions transaction.
Any third-party service providers are bound by strict contracts, required to protect Your information in line with NDPA standards and use it only for the specific purposes We authorize (e.g., analytics, hosting, security). We may also process Your Personal Data using data analytics and artificial intelligence tools provided by external third parties to manage risks, improve Our Service, and produce statistical analysis to be shared internally and with other companies within Our corporate group.
International Transfer of Personal Data
To provide the Services, We or Our service providers may transfer Your Personal Data to countries outside Nigeria, including jurisdictions that have been recognized by the NDPA as providing adequate data protection, as well as countries whose data protection laws may offer a lower level of protection than is available in Nigeria. Any such transfers will only be done where necessary for the performance of a contract between You and Us, or based on Your consent. Additionally, in such cases, We will ensure that appropriate safeguards are in place to protect Your Personal Data in accordance with the NDPA. The specific safeguards We implement will depend on the nature of the transfer and the recipient, and may include the use of standard contractual clauses. If You would like further information about these safeguards, please contact Us via: privacy@dataprotectionaudit.ng.
Your Data Subject Rights
As a Data Subject, You have a number of rights:
- The right to access the Personal Data We hold about You;
- The right to rectify inaccurate Personal Data or complete it if it is incomplete;
- The right to have Your Personal Data deleted;
- The right to request restriction of Your Personal Data;
- The right to obtain and make use of Your Personal Data for Your own purposes across different Services (“portability”);
- The right to object to the processing of Your Personal Data in certain circumstances;
- The right to object to decisions that are based solely on automated decision-making, including profiling;
- The right to withdraw consent at any time; and
- The right to lodge complaints with the NDPC.
Please note that Your data protection rights are subject to certain restrictions and conditions, and We may be required to retain a range of Your Personal Data for legal and regulatory reasons. If You think that any of the Personal Data We hold about You is wrong or incomplete, You have the right to challenge it. If You are located in the European Economic Area, United Kingdom, or other jurisdictions with data protection laws, You may have additional rights under GDPR, UK GDPR, or similar regulations. Contact Us to exercise these rights.
Sensitive Personal Data
We will not typically ask You for any ‘special categories’ of Personal Data. This is also referred to as ‘Sensitive Personal Data’ and includes information revealing an individual's political opinions, racial or ethnic origin, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning an individual's sex life or sexual orientation. If We process such Sensitive Personal Data, We will do so: (a) with Your explicit consent, (b) to comply with Our legal obligations to support You if You are, or become, a vulnerable customer, and (c) to establish, take, or defend any legal action.
How Long We Keep Your Personal Data
We will retain Your Personal Data for as long as We are required to under relevant legislation and regulation, and where no specific rules apply, for no longer than it is necessary for the lawful purposes for which it was originally collected or for related compatible purposes. The retention period of Your Personal Data may need to be extended where We require this to bring or defend legal claims. We may also retain Personal Data for longer periods for statistical purposes, and if so We will anonymise such Personal Data.
How Do We Protect Your Personal Data
We are committed to managing Your Personal Data in line with the NDPA and best practices. We employ all reasonable efforts to keep Your Personal Data secure by taking appropriate technical and organisational measures against any unauthorised or unlawful processing of Personal Data and against its accidental loss, destruction or damage. We protect Your Personal Data using physical, technical, and organisational measures to reduce the risks of loss, misuse, unauthorised access, disclosure, and alteration. We also use industry-recommended security protocols to safeguard Your Personal Data. Other security safeguards include, but are not limited to, data encryption, firewalls, and physical access controls to Our buildings and files. Our privacy assessment indicates that Your use of Our Services is unlikely to compromise data protection.
Access to Your Personal Data via a Data Subject Access Request (DSAR)
You have the right to request access to the Personal Data We hold about You. To make a DSAR, please email: privacy@dataprotectionaudit.ng. We may need to verify Your identity before processing Your request. We will respond within one (1) month of receipt of Your request and verification of Your identity. Requests are free of charge unless they are manifestly unfounded or excessive, in which case We may charge a reasonable fee or refuse to comply. If You are not satisfied with Our response, You can contact the NDPC.
Cookies
We may use cookie technology on Our Website to collect some of the Personal Data detailed in this policy. Cookies are small text files stored on Your device or internet browser when You visit the Platform. We use cookies mainly to improve the performance of Our Website and Our Services, remember Your preferences and settings, analyze Platform usage and performance, and provide targeted content and features. The Cookie Policy made available on Our Website explains in more detail what types of cookies We use, why We use them, and how to identify and disable them.
Third-Party Links or Content
Our Website may contain links to other sites that are not operated by Us. These links are provided for Your convenience and reference only. We do not operate these sites and have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites. We strongly advise You to review the privacy policy of every site You visit. To deliver Our expert services, We may employ third parties to facilitate Our Service (e.g., secure cloud storage, encrypted communication tools). Any third-party service providers are bound by strict contracts, required to protect Your information in line with NDPA standards and use it only for the specific purposes We authorize.
Children's Privacy
We do not knowingly collect Personal Data from children under the age of 18. Our Website, the Tool and Services are not addressed to minors. If You are a parent or guardian and You learn that Your children have provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from a child under the age of 18 without verifiable parental consent, We will take steps to remove that information from Our servers.
Complaints
If You have any complaints about Our use of Your Personal Data, please send an email with the details of Your complaint to privacy@dataprotectionaudit.ng. We will investigate and respond to any complaints We receive. You also have the right to lodge a complaint with the NDPC. For further information on Your rights and how to complain to the NDPC, please refer to the NDPC Website at https://ndpc.gov.ng/.