The Nigeria Data Protection Commission (NDPC) has barred Data Controllers and Data Processors of Major Importance (DCPMIs) from engaging the services of data processors not registered with the Commission.
Similarly, Dr. Vincent Olatunji, the National Commissioner/CEO of NDPC has approved the extension of deadline for the registration of DCPMIs.
The new deadline for registration without penalty is the 31st of October, 2024.
A statement signed by Babatunde Bamigboye, head, Legal, Enforcement & Regulations at NDPC, reads:
“In order to ensure accountability and in line with sections 24(3), 29(1)(a) and 44 of the Nigeria Data Protection Act, 2024 (NDP Act), DCPMIs shall only engage agents and contractors who are duly registered with the Commission (as at 15th October, 2024) for the processing of personal data.
‘For ease of reference, section 29(1)(a) of the NDP Act provides:
“Where a data controller engages the services of a data processor, or a data processor engages the services of another data processor, the data controller or data processor engaging another shall ensure that the engaged data processor —
“(a) complies with the principles and obligations set out in this Act as applicable to the data controller;
“Furthermore, Section 65 of the NDP Act defines a data processor ‘as an individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor.'”
The Commission enjoins data controllers and data processors of major importance to immediately ensure that those who process personal data on their behalf fulfill the obligation to register as required by law.
“Engaging an agent or contractor who does not comply with the principles and obligations (set out in the NDP Act) that are applicable to the data controller is a contravention of the NDP Act”, the statement concludes.