In compliance with the Nigeria Data Protection Act (“NDPA”), the Nigeria Data Protection Commission (“NDPC/Commission”) on 15th of November 2023 published its Guidance Notice (Notice) on the Filing of Data Protection Compliance Audit Returns (CAR) which is set to take effect from 1st January 2024. This notice sets out procedure to be adhered to by Data Processors and controllers when filing their mandatory annual Compliance Audit Report with the Commission emphasizing the Commission’s commitment to tighten the oversight role in the protection and enforcement of Data Subject rights on the one hand and to engender data usage trust within Nigeria’s burgeoning digital ecosystem.

The Guidance Notice highlights the requirements for inclusion in the Commission’s National Data Protection Adequacy Programme (NaDPAP) Whitelist to be published by the Commission on Data Controllers and Data Processors who demonstrate commitment to safeguarding Data Subjects Rights and prioritize compliance with NDPR.

  1. NDPR Remains the Primary Regulation Governing Annual CAR Filings in Nigeria

The Guidance Notice lays to rest any doubt about the continued applicability of the NDPR following the enactment of the Nigeria Data Protection Act by recognizing it as the primary regulation governing the filing of the mandatory Compliance Audit Report. Data Controllers and Data Processors who have processed personal data of more than 2000 data subjects within the preceding 12 months are by law, mandated to file their Data Protection Compliance Audit Report with the Commission, in accordance with Articles 4.1 (5 & 7) of the NDPR.

It is noteworthy to mention that this is consistent with Section 64(2)(f) of the NDPA, which states that the provisions of NDPR remains in full force and effect except to the extent that any of its provisions is overridden by or conflicts with any provision of the Act.

  1. Vital Role of Data Protection Compliance Organizations

The Notice emphasizes the crucial role of Data Protection Compliance Organizations (DPCOs) in the implementation of Nigeria’s Data Protection framework by supporting Data Controllers and Data Processors to developing self-guided compliance strategies that demonstrate transparent and accountable reporting in line with the NDPR. Specifically, the Guidance Notice identifies the underlisted as the key responsibilities of DPCOs:

i.   Facilitating the filing of CAR with the Commission:

DPCOs support Data Controllers and Processors with the conduct of Audits and submission of Reports with the Commission in line with the NDPR. The Notice emphasizes the need to ensure that DPCO’s services are priced in a manner that guarantees minimal financial burden on Data Controllers and Processors.

ii. Engaging in Non-Fee-Paying CAR Work:

DPCOs are encouraged to occasionally provide audit support service to start-ups, not for profit organizations and businesses who are unable to pay for the mandatory audit service as part of their Corporate Social Responsibility (CSR) to foster inclusive compliance.

iii. Knowledge Transfer for DPOs during Audit Exercise:

DPCOs are required to use the Audit exercise as an opportunity to provide practical training for DPOs and other personnel in the Client Organizations they serve. Evidence of such practical training embedded in the audit exercise will entitle the participating DPOs to Continuous Professional Development (CPD) Credit, which will be an essential audit parameter under the soon to be published NDPA General Application and Implementation Directive (GAID).

  1. Getting Listed on the NaDPAP Whitelist

The Notice outlines the compliance metrics for inclusion in the National Data Protection Adequacy Programme (“NaDPAP”) which include verifiable compliance with Data Protection Principles and Lawful Basis such as Privacy Policies and Notices, Consent forms; regular filing of CAR, sensitization of data subjects on data subjects’ rights, appointment of DPO, engagement of a DPCO, training and capacity building for Staff amongst others.

Successful filing of the CAR entitles Data Controllers/Processors to be listed in the National Data Protection Adequacy Programme (NaDPAP) Whitelist.  It is worthy to note that failure of a data controller or processor to file CAR as legally required is a ground for disqualification from being listed on the NADPAP Whitelist irrespective of whether such Data Controller or Processor has proven data privacy compliance policies and framework that comply with the prescribed requirement of the NDPA and NDPR.

Whilst being listed in the NaDPAP Whitelist establishes a presumption of compliance and a demonstration of the data controller/processors commitment to safeguarding data-subjects rights; it does not confer immunity or protection against Data Subject claims or liabilities.

  1. Mandatory Induction Training for DPOs

All designated DPOs are required to participate in the free induction training that will be organized by the Commission in January 2024. The training is expected to re-enforce the rights of data subjects and compliance obligations outlined in the NDPA and the GAID.

  1. Minimum Information Requirement for inclusion in a Compliance Audit Report

The notice highlights the key focus areas for any CAR to be filed with the Commission. Each Report accompanying the NDPC audit questionnaire shall at the minimum cover the underlisted:

i.  Evidence of the Data Controller/Processor’s awareness of the provisions of the NDPR, as contained in the  internal data privacy framework of the organization.

ii. Evidence of Capacity Building and Continuous Training of Staff, Contractors, Licensees on their obligations as data administrators under the NDPA.

iii. Implementation of Privacy Policy and Notices within the organization, that align with NDPR requirements.

iv. Clear and detailed compliance directives communicated to all individuals involved in data processing, emphasizing adherence to the NDPR.

v.  Appointment and availability of Data Protection Officers overseeing and ensuring compliance with the NDPR.

vi. An inventory of the categories of personal data being processed and maintained by the Data Controller or Data Processor, specifying the principles and lawful basis for processing each category.

vii. Technical Measures implemented to ensure Confidentiality, Integrity, and Availability of Personal Data guided by the principles of Privacy by Design and by Default.

vii. The institutionalization of a robust mechanism for addressing grievances related to data protection.

viii. A comprehensive list of all agents or contractors engaged in data processing, along with details of their training programs and overall compliance with the NDPA.

  1. Default and Non-Compliance with filing CAR

Non – Compliance with CAR filing on or before the deadline which is set for March 2024 attracts a default fee of an additional 50% of the filing fee. Additionally, non-compliance with the Notice may amount to a violation of the NDPA, which attracts penalty as prescribed under the NDPA.


It is imperative for Data Controllers and Data Processors to prioritize timely and efficient filing of the yearly mandatory Data Privacy Compliance Audit Report in accordance with the NDPA and this not only signifies adherence to regulatory standards but also underscores a collective responsibility to fortify data privacy measures, ensuring a safe and secure digital ecosystem for all stakeholders.


This Article is written by DealHQ’s Technovation and Data Governance Practice Team.

DealHQ is a licensed Data Protection Compliance Organization (DPCO). We understand the importance of safeguarding sensitive data and complying with local and foreign data protection laws applicable to your business to protect your organization’s reputation and mitigate potential cybersecurity or data violation risks which can have significant financial, legal, and systemic implications for your Business. Our service niche includes (1) Data Protection/Governance Advisory (2) Data Protection Compliance Support (3) Data Protection Audit Services and (4) Outsourcing of Data Protection Officers.

*The content of this Article is not intended to replace professional legal advice. It merely provides general information to the public on the subject matter.*

To know more about our Data Privacy Services? Please contact our team:


Telephone: +234 1 4536427 or +234 9087107575

Episode 3 Season 2- Nigeria’s Energy Transition Plan – One Year On: Cost vs Gains Analysis

The best Swiss Replica Watches: Rolex, Audemars Piguet, Hublot, Panerai, Breitling, Patek Philippe 100% waterproof, Swiss ETA & Clone Movements.

Simply is Check out the best replica watches USA and buy them at affordable prices. These luxury USA replica Rolex watches are highly accurate. a sponsored podcast of DealHQ Partners, where we engage thought leaders on trending issues around law and business in the most simplistic manner.

On this Episode 3; our Ayobami Elias leads Mr. Akin Akinfemiwa, the CEO of Geregu Power, in conversation around Nigeria’s Energy Transition Plan specifically assessing its capacity to meet Nigeria’s immediate and future energy demands, whether the plan is aligned to economic priorities of providers of capital, developers and users of energy and most importantly what just energy transition means to Africa vis-à-vis finding the capital required to implement our Net Zero ambition.On top replica luxury watches on the online website. High quality Rolex, Omega, Breitling, Cartier and so on for sale.

Listen here:

best rolex replica watches and cheapest fake rolex watches in the world, swiss luxury replica watches in the best fake watches site for sale.

Season 2 Episode 1- The Appropriation Act 2023: Key Implication for Nigerian Businesses

Simply is a sponsored podcast of DealHQ Partners, where we engage thought leaders on trending issues around law and business in the most simplistic manner.
Altis Fitness Club – Gyms Fitness Italy buying legal oxandrolone online in 2 jk fitness diamond smith machine professional
On the first episode of Season 2, Our Tosin Ajose leads Mr. Opeyemi Agbaje, the Founder and CEO of RTC Advisory Services Ltd – a leading strategy and business advisory firm, in a conversation on the recently enacted 2023 Appropriation Act. The conversation bothers on the key elements of the expenditure and revenue summary, Nigeria’s ballooning public debt profile, and the potential impact of the 2022 finance bill on Nigerian businesses.

Listen here:


Season 1 Episode 11 – Financial Technology – Bridging Africa’s Financial Exclusion Gender Gap through Social Innovation

Simply is a sponsored podcast of DealHQ Partners, where we engage thought leaders on trending issues around law and business in the most simplistic manner.Best replica watches in the world, buy clone watches at the best price immediately.Best place to buy cheap rolex replica. And the best AAA+ swiss made grade 1 Rolex replica on our website with fast shipping.

On Episode 11, our final episode in Season 1, our Orinari Horsfall is joined by Solape Akinpelu, a Certified Financial Education Instructor and Co-founder of HerVest, Nigerian based fintech company pioneering inclusive finance for African women, in a conversation on gender based financial exclusion in Africa. Specifically, the conversation discusses the effect of highlights the impact of gender based exclusion on Africa’s development and economic prosperity and the role that HerVest and other social innovators in Africa are playing in tackling issues around access to finance for African Women.


Listen here:



The Covid-19 pandemic and the resultant lockdown triggered significant changes in the payment industry. Specifically, it amplified the need for contactless payment and ushered in a wave of unprecedented innovation and product development in the payment industry globally.Embark on a journey of precision timekeeping with our UK sale of hublot replica watches, equipped with the utmost accuracy from elite Swiss movements.Top Swiss Breitling fake Watches UK Online Store For

Given the record traction in the Nigerian payment market; the Central Bank of Nigeria (CBN), recognizing the need for a tailored regulatory framework to support the burgeoning sector growth, in January 2021, issued the Framework for Quick Response (QR) Code Payment; and more recently, in October 2022, released the Exposure Draft of the CBN Guidelines for Contactless Payment in Nigeria.

The Guideline defines contactless payment as: “the consummation of financial transaction without physical contact between payer and the acquiring device(s)”. This means that secure payments can be made with tags, debit/credit cards, smart cards, mobile and other devices that use Near-Field Communication (NFC), Radio Frequency or QR Codes.

In a bid to preserve the integrity, safety and stability of the Nigerian financial system and to facilitate the safe and secure use of Contactless payment, the Guideline amongst other things provides for:
i. the roles and responsibilities of various stakeholders within the contactless payment eco- system;
ii. the minimum standard/specification for all contactless payment terminals, applications, and processing systems;
iii. guidelines for the provision of Value-Added Services; and
iv. the power of the CBN to prescribe and enforce sanctions and penalties for breach of the Guideline.


The Guideline clearly articulates the role and responsibilities of the various stakeholders in the contactless payment eco-system, prescribing standards and specification for all forms of market technology and systems whilst also prescribing processes and principles that will govern their relationship with each other.

A.  Acquirers
An Acquirer is a CBN-licensed institution that facilitates the acceptance of payments from customers to merchants through contactless payment devices such as Point of Sale Terminals (POS), Mobile Applications, and QR Codes amongst others. An Acquirer will typically be the account bank of a merchant who is utilizing the contactless payment system for fee collection from its customers.
The guideline requires all Acquirers to:
i. ensure that all deployed contactless payment devices deployed are certified by CBN and meet prescribed specifications/standards.
ii. operate an agnostic acceptance policy such that all cards, capable of contactless payment, issued in Nigeria shall be accepted irrespective of the issuer.
iii. conduct customer KYC (Know Your Customer) and train Customers compliance with applicable Regulations.
iv. take measures to prevent the use of their networks and devices in violation of Anti-Money Laundering Laws.
v. execute a Contactless Payment Agreement with all Customers prior to granting access to the Acquirer’s contactless payment platform.

In a bid to protect unwary or naive customers from the perpetuation of fraud, the guideline restricts Acquirers from admitting or profiling agent banking terminals operators to its Platform or facilitating contactless transactions on their behalf.

B. Issuers
Like the Acquirers, only CBN-licensed institutions are permitted to act as Issuers for contactless payments. An Issuer is responsible for issuing contactless payment enabled cards, tags, or mobile applications to consumers (consumers being people who procure cards, tags, tokens or contactless payment enabled mobile apps to facilitate payments to merchants or other service providers. Examples of CBN-licenced institutions in Nigeria that already issue contactless payment enabled cards and devices include the First Bank of Nigeria, United Bank for Africa, and Providus bank. These cards have embedded Radio Frequency Identification (RFID) technology which communicates with card readers to enable payment transfers. Issuers are required to ensure, that all tokens and devices issued by them for payment by Customers meet prescribed standards and specifications. Furthermore, Issuers are required to obtain and properly document Customer’s consent prior to enabling Customer’s device for contactless payment. Specifically, the guideline prohibits unsolicited activation of contactless payment service on any payment enabled device owned by any Customer. Relatedly, prior to activating contactless payment service for any Customer, an Issuer is required to verify and identify such Customers by his/her Bank Verification Number (BVN).

C. Payment System and Card System Administrators
Payment/Card System Administrators are operators of card and payment systems (such as Mastercard, Visa, Remita, and Flutterwave). Whilst Issuers are responsible for issuing cards and other enabled devices to Customers, the Payment/Card System Administrators oversees the administration and use of issued cards for payment. Payment System and Card System Administrators are required to comply with the Guideline generally and act in accordance with prescribed processing specifications whilst ensuring that their systems and schemes are interoperable.

D. Switching Companies
Switching Companies are CBN-licensed institutions that oversee the routing of transaction data, interbank payment clearing and settlement, payment authentication and authorisation and risk management. The Nigeria Interbank Settlement System (NIBSS) is the Central Switch for the Nigerian Financial Market. Other than the NIBSS; Interswitch, eTranzact, and Flutterwave are some of the other licensed Switching Companies. The Guideline mandates Switching Companies to ensure that contactless transactions via approved payment instruments issued in Nigeria are successfully switched and to undertake periodic risk assessment to mitigate against money laundering and financing terrorism within the system.

E. Payment Terminal Services Providers
Payment Terminal Service Providers are CBN-licenced institutions that deploy contactless payment enabled Payment Terminals (Point of Sale Terminals) for use within the financial ecosystem. Payment Terminal Services Providers are by the Guideline, required to assure the quality and functionality of all contactless payment enabled terminals issued by them through optimal maintenance, availability of a 24/7 support infrastructure. It is recommended that response time for repair or replacement should not exceed 48 hours from the time of escalation.

F. Payment Terminal Service Aggregator
A Payment Terminal Service Aggregator (“PTSA”) oversees the interconnectivity of all payment terminals deployed with the Nigerian Payment Ecosystem. The Nigeria Interbank Settlement Scheme is the sole PTSA in Nigeria. It ensures that all terminals used in the e-payment ecosystem and all devices deployed in Nigeria are brand-agnostic and would accept all cards issued by any bank or other licensed card schemes without discrimination. NIBSS ensures the standardization of technical and operational specifications of all devices deployed within the Nigerian financial system. The Guideline requires the PTSA to certify that all Point-of-Sale terminals used for contactless payment meet required standard for the payment industry. It is also required to implement a documented risk management process to identify threats before, during and after all payment transactions.

G. Merchants
These include businesses (large institutions or SMEs), that employ contactless payment devices as a means of receiving payment from customers. Merchants are by the Guideline, required to ensure that devices deployed for contactless payments are of the required specification, they are also required to exercise due diligence in effecting all payment transactions as they remain liable for any fraud resulting from negligence or connivance during a contactless payment transaction.

The Guideline further, requires all merchants who accept contactless payments to display the contactless payment symbol visibly in their location. They are also required to undertake second level authentication for transactions of a value which is higher than the stipulated limit per day via the customer’s Personal Identification Number (PIN) OR token code.

H. Customers
A customer is anyone making payment through a Contactless payment method. The Guideline requires Customers to exercise due diligence during contactless payment transactions whilst leaving them in full control to opt-in or out of any contactless payment service.

Prior to the release of the Draft Guideline, the only existing regulation in the contactless payment ecosystem was the Framework for Quick Response (QR) Code Payment in Nigeria, January 2021 (“Framework”). The Exposure Guideline is therefore a solid improvement on the hitherto QR Code Framework as it specifically sets out market requirements for the use and operation of all forms of contactless payment technology.

Apart from the wider scope of the Guideline, the general adoption of contactless payment will have an overall far-reaching effect on the economy as it will create a smarter, faster, more efficient and easy-to-use mode of payment which requires less manpower. It will also promote health and safety and reduce potential disease transmission at points of sale.

It is also necessary to mention that the posture of the Guideline is generally User-Centric, as the CBN mandates that use of contactless payment service must be elective whilst holding all participants within the value chain to regulatory service levels.

Without doubt, the benefit of the Guideline is enormous, yet a big impediment remains the introduction of transaction limit for contactless transactions, the Exposure Draft specifically provides for a NGN5000 (five thousand naira) transaction limit for a single transaction and a cumulative daily transaction limit of NGN30,000 (thirty thousand naira) per User. Transactions that fall outside this limit require an additional layer of authentication. Whilst the intention of the limit is noble and driven by the need to protect Users from significant impact should fraud, theft, impersonation, funds misappropriation occur; the threshold seems too low considering commercial realities in present day Nigeria. To guarantee that the contactless payment system remains a viable alternative for users therefore, it is imperative for the CBN to consider an upward review of the prescribed limit.

Finally, the Guideline envisages growth and innovation in the contactless payment ecosystem and therefore provides a protocol for innovative use cases. Where any stakeholder intends to offer novel or value-added service falling within the contactless payment niche, it is required to procure and obtain the prior approval of the CBN.


Contactless payment is fast becoming a preferred mode of payment across the Globe. UK Finance magazine reports that contactless payments accounted for over a quarter of all payment transactions in the United Kingdom in 2021. It is therefore expected that the introduction and implementation of the Guideline, shall in days to come foster public trust, deepen the contactless payment eco-system and consequently accelerate the speed of its adoption in Nigeria.


Season 1 Episode 10 – Anniversary Special: DealHQ Partners 4 years of enabling Businesses in Africa

Simply is a sponsored podcast of DealHQ Partners, where we engage thought leaders on trending issues around law and business in the most simplistic manner.Check out our Breitling replica watches selection for the very best in unique or custom, handmade pieces from our watches is a reliable website to buy Rolex replica watches online. You can choose the Rolex replica that best suits you on this website.

On Episode 10, we are joined by our Lead Advisor and founding partner – Tosin Ajose who takes us on a journey down memory lane. She shares insights on the Firms values, foundational goals, the challenges of starting up and building a sustainable legal enterprise, and the Firm’s unique winning culture.


Listen here: