Pelican Crest LPsPelican Crest LPsPelican Crest LPs

RIGHTS OF DATA SUBJECTS

INTRODUCTION

The Nigerian Data Protection Act, 2023 was signed into law by the President of the Federal Republic of Nigeria. The Act has sought to recognise the need to safeguard the privacy and rights of individuals and thereby establishing by statute, the Nigerian Data Protection Commission, which is entrusted with the power to make and enforce regulations for the protection and security of the personal data of Data Subjects in Nigeria.

Who is a Data Subject?

A data subject is an individual/person that can be ascertained or identified whether directly or indirectly through their name, identity number, online identifier such as their email address or through other factors specific to the person’s genetic identity; physical identity, social identity etc. Fundamentally, the individual or a naturally identifiable person who has data in or of any form is a data subject.

The primary objective of the Data Protection Act, 2023 is to safeguard the rights and privacy of data subjects, which as explained above, is every individual Nigerian citizen with any form of specific or general data.

Rights of Data Subjects

Data subject rights are the legal rights created by Data Protection Act, 2023 that individuals possess over their data usage. They guarantee individuals’ control over how their data should be used by data controllers and/or data processors and majority of these rights are found but not limited to Part VI of the Nigeria Data Protection Act, 2023 (NDPA, 2023).

These rights include:

  1. Right to be Informed – Section 27 NDPA, 2023

Section 27 of the NDPA, 2023 stipulates that data controllers must inform the data subject of the following things before collecting their personal data directly. They are:

  1. The identity, residence or place of business of, and means of communication with the data controller and its representatives, where necessary ;

  2. The specific lawful basis of processing and the purposes of the processing for which the personal data are intended;

  3. The recipients or categories of recipients of the personal data, if any ;

  4. The existence of the rights of the data subject;

  5. The retention period for the personal data to be collected;

  6. The right to lodge a complaint with the Commission in accordance with the NDPA, 2023;

  7. The existence of automated decision-making, including profiling, the significance and envisaged consequences of such processing for the data subject, and the right to object to and challenge such processing.

We as data subjects have the right to be timely informed by data controllers on the form and significance of our personal data in the possession of the data controller and the reason for such operations. Data subjects possess the right to be informed especially where the personal data is provided directly to a controller or in the circumstance where the controller has acquired it from another source. This information to the data subject must be provided by the data controller in a brief, comprehensible and easily accessible form.

  • The right to obtain confirmation of the details of your data – Section 34 NDPA, 2023

This right guarantees that data subjects can easily access their personal data collected by data controllers. Furthermore, data subjects can request a statement of their personal data processed by the data controller and such information must be provided simple and readable form. In the exercise of this right, data subjects ensure that data controllers conform to data processing principles and compliance guidelines.

  • The right to rectify your data – Section 34 (1) (a) (v) NDPA, 2023

Every data subject has the right to change, edit or correct their personal data in the custody of the data processor. This right reinforces the standard, quality and accuracy of the data with the data controller. This right also fortifies the data subject’s control over their personal information which they intend to let out into the public domain. It guarantees that data subjects have control over their personal information which is processed by controllers and it also guarantees and helps data controllers ensure that data within their domain is accurate and up to date.

  • The right to erase or delete your data – Section 34 (2) NDPA, 2023

A data subject enjoys the rights to have his data erased or deleted and this is further backed by the NDPA, 2023. This right is also known as the right to be forgotten or the right to be de-indexed. A data subject can demand complete erasure or deletion of their personal information from the database of a data controller. This right is exercisable where:

  1. The personal data is no longer relevant to the purpose of collection;

  2. The consent, which is the basis of processing, has been withdrawn;

  3. The data subject objects to the continued processing of data;

  4. The data controller processes data without legal basis.

The right to deletion helps a data subject remove potentially negative or restrictive information about them from a data controller’s platform especially where such information may or is likely to interfere with the data subject’s right to privacy.

  • The right of data portability – Section 38 NDPA, 2023

Under the NDPA, 2023, a data subject has the right to receive and request a transmission of their personal data from a data controller in a structured, commonly used and machine-readable format to another data controller. The receipt and the transmission of the data must be without undue delay and without any hindrance. Such data can be transferred to another controller of the data subject’s choice provided that the data controller sending the data has the means to effect the transfer of the data. For instance, a hospital must be able to effect the transfer of a patient’s (data subject) medical records to another hospital without delay or any difficulty.

  • The right to object to the processing of your personal data – Section 36 NDPA, 2023

This right further buttresses a data subjects’ control over their personal data. According to the NDPA, 2023, a data subject shall have the right to object to the processing of personal data relating to the data subject and a data controller shall discontinue the processing of such personal data of the data subject unless the data controller demonstrates a public interest or other legitimate grounds, which overrides the fundamental rights and freedoms, and the interests of the data subject.

Furthermore, a data subject also possesses the general right to object to the processing of their data for the purpose of marketing at any time which includes profiling of the data subject; the data controller has the responsibility of providing a free and simple mode to enable the data subject object to the processing of their personal data. Thus, the objection can be expressed in any form, oral or in writing including social media, and conveyed to any organization.

  • The right not to be subjected to an automated decision making – Section 37 NDPA, 2023

A data subject enjoys the right not to be subject to a decision based solely on automated processing of personal data which largely includes profiling especially when this automated decision making creates the chances of producing legal or similar significant effects concerning the data subject. However, according to the NDPA, 2023, there are situations where the above does not apply and they include,

  1. Where the decision is necessary for entering into or the performance of a contract between the data subject and a data controller;

  2. Where the decision is authorised by a written law, which establishes suitable measures to safeguard the fundamental rights and freedoms, and the interests of the data subject;

  3. Where the decision is authorised by the consent of the data subject.

Any data subject who is subjected to an automated decision-making process and where such decision making process can affect the data subjects rights, opportunities and/or entitlements, such data subject is entitled to a full and meaningful explanation of the decision- making process and such explanation must be simple, concise and clear enough.

  • The right to withdraw your consent to processing of your personal data – Section 35 NDPA, 2023

A data subject shall be informed prior to giving his/her consent that they possess the similar right to withdraw consent and that it shall be easy to withdraw such consent. Although the Act does not specify the mode to withdraw consent, it can however be done in different ways such as a termination of a user account or unsubscribing from emails. The concept of personal data processing is part of the broader informational self- determination principle and as such everyone should have free will to decide what others can do with their personal information.

CONCLUSION

Data privacy, protection and processing have become focal points in the day to day lives of the Nigerian citizen. On a global scale, the protection of data and data subjects has witnessed a meteoric rise, with more legislations and guidelines seeking to protect the individual from the harmful and potentially destructive use of personal data. It is on this basis that the Nigerian government, through the enactment of the Nigerian Data Protection Act, 2023, has sought to protect the rights and privacy of its citizens.

References

  1. Olumide Babalola, Privacy and Data Protection Law in Nigeria

  2. The Nigerian Data Protection Act, 2023

  3. General Data Protection Regulation
To learn more on Data Protection law or speak to our Data Protection Expert , contact us at www.pelicancrestlaw.com

Leave A Comment

X