Tag

Trend

CBN LIFTS RESTRICTION ON THE OPERATION OF BANK ACCOUNTS BY VIRTUAL ASSETS SERVICE OPERATORS (VASPs) IN NIGERIA.

On Friday 22nd December 2023, the Central Bank of Nigeria (“CBN”) lifted its hitherto ban restricting banks and financial institutions from dealing in or facilitating cryptocurrency related transactions through its recently published “Guideline on Operations of Bank Accounts for Virtual Assets Service Providers (VASPs)” which now authorizes Banks and other Financial Institutions to provide  banking services to virtual asset service providers (VASPs) in compliance with relevant anti-money laundering laws issued by competent authorities. VASPs, Digital Assets Custodians, Digital Assets Offering Platforms, Digital Asset Exchanges, Digital Asset Exchange Operators, and any other entity that may be categorized by the CBN who are licensed by the Securities and Exchange Commission, can now legally operate a designated account with banks and financial institutions subject to the conditions stipulated in the Guideline.

The CBN’s earlier directive of February 5th, 2021, had excluded cryptocurrency transactions from the scope of transactions permitted to be facilitated or processed by financial institutions operating within Nigeria’s mainstream banking system. The 2-year ban which was the Apex Bank’s response to global concerns around money laundering and terrorism finance risks underlying the very opaque and unregulated cryptocurrency market has set the country back significantly from harnessing the benefits of the early adoption of digital currencies as a viable financial asset class.

The Guideline signals a positive change for Nigeria’s hitherto comatose digital assets ecosystem as financial institutions can now outside of their primary activity; facilitate the opening and operation of accounts for VASPs whilst being mandated to establish adequate risk management systems for combating money laundering, financing of terrorism and countering proliferation financing and to ensure adequate activity monitoring/tracking and customer protection. It is worthy of note that this guideline still prohibits banks and other financial institutions from holding, trading and/or transacting in virtual currencies on their own account.

The Guideline prescribes strict requirements for the onboarding of VASPs and operation of bank accounts by VASP account holders – including protocols for customer onboarding/due diligence in a bid to entrench transparency and effective reporting.  Also, it sets operational and transactional limit for all VASP accounts whilst… Click here to download article

 

About DealHQ

We are an Africa Focused deal advisory/boutique commercial law firm focused on supporting businesses and positioning them to operate efficiently within their market sphere. We are known for our quality service delivery which is focused on attention to detail, creativity, timely execution and client satisfaction.

Our service offering includes: corporate commercial, real estate & construction, finance, capital markets & derivatives, mergers and acquisitions, private equity, infrastructure, technovation and data privacy, agriculture & commodities, business formations & start up support amongst others.

The content of this Article is not intended to replace professional legal advice. It merely provides general information to the public on the subject matter.

Email: info@dealhqpartners.com; clientservices@dealhqpartners.com

Telephone: +234 1 4536427 or +234 9087107575

 

WHAT YOU NEED TO KNOW ABOUT THE RECENTLY PUBLISHED NDPC GUIDANCE NOTICE ON THE FILING OF DATA PROTECTION COMPLIANCE AUDIT RETURNS.

Introduction

In compliance with the Nigeria Data Protection Act (“NDPA”), the Nigeria Data Protection Commission (“NDPC/Commission”) on 15th of November 2023 published its Guidance Notice (Notice) on the Filing of Data Protection Compliance Audit Returns (CAR) which is set to take effect from 1st January 2024. This notice sets out procedure to be adhered to by Data Processors and controllers when filing their mandatory annual Compliance Audit Report with the Commission emphasizing the Commission’s commitment to tighten the oversight role in the protection and enforcement of Data Subject rights on the one hand and to engender data usage trust within Nigeria’s burgeoning digital ecosystem.

The Guidance Notice highlights the requirements for inclusion in the Commission’s National Data Protection Adequacy Programme (NaDPAP) Whitelist to be published by the Commission on Data Controllers and Data Processors who demonstrate commitment to safeguarding Data Subjects Rights and prioritize compliance with NDPR.

  1. NDPR Remains the Primary Regulation Governing Annual CAR Filings in Nigeria

The Guidance Notice lays to rest any doubt about the continued applicability of the NDPR following the enactment of the Nigeria Data Protection Act by recognizing it as the primary regulation governing the filing of the mandatory Compliance Audit Report. Data Controllers and Data Processors who have processed personal data of more than 2000 data subjects within the preceding 12 months are by law, mandated to file their Data Protection Compliance Audit Report with the Commission, in accordance with Articles 4.1 (5 & 7) of the NDPR.

It is noteworthy to mention that this is consistent with Section 64(2)(f) of the NDPA, which states that the provisions of NDPR remains in full force and effect except to the extent that any of its provisions is overridden by or conflicts with any provision of the Act.

  1. Vital Role of Data Protection Compliance Organizations

The Notice emphasizes the crucial role of Data Protection Compliance Organizations (DPCOs) in the implementation of Nigeria’s Data Protection framework by supporting Data Controllers and Data Processors to developing self-guided compliance strategies that demonstrate transparent and accountable reporting in line with the NDPR. Specifically, the Guidance Notice identifies the underlisted as the key responsibilities of DPCOs:

i.   Facilitating the filing of CAR with the Commission:

DPCOs support Data Controllers and Processors with the conduct of Audits and submission of Reports with the Commission in line with the NDPR. The Notice emphasizes the need to ensure that DPCO’s services are priced in a manner that guarantees minimal financial burden on Data Controllers and Processors.

ii. Engaging in Non-Fee-Paying CAR Work:

DPCOs are encouraged to occasionally provide audit support service to start-ups, not for profit organizations and businesses who are unable to pay for the mandatory audit service as part of their Corporate Social Responsibility (CSR) to foster inclusive compliance.

iii. Knowledge Transfer for DPOs during Audit Exercise:

DPCOs are required to use the Audit exercise as an opportunity to provide practical training for DPOs and other personnel in the Client Organizations they serve. Evidence of such practical training embedded in the audit exercise will entitle the participating DPOs to Continuous Professional Development (CPD) Credit, which will be an essential audit parameter under the soon to be published NDPA General Application and Implementation Directive (GAID).

  1. Getting Listed on the NaDPAP Whitelist

The Notice outlines the compliance metrics for inclusion in the National Data Protection Adequacy Programme (“NaDPAP”) which include verifiable compliance with Data Protection Principles and Lawful Basis such as Privacy Policies and Notices, Consent forms; regular filing of CAR, sensitization of data subjects on data subjects’ rights, appointment of DPO, engagement of a DPCO, training and capacity building for Staff amongst others.

Successful filing of the CAR entitles Data Controllers/Processors to be listed in the National Data Protection Adequacy Programme (NaDPAP) Whitelist.  It is worthy to note that failure of a data controller or processor to file CAR as legally required is a ground for disqualification from being listed on the NADPAP Whitelist irrespective of whether such Data Controller or Processor has proven data privacy compliance policies and framework that comply with the prescribed requirement of the NDPA and NDPR.

Whilst being listed in the NaDPAP Whitelist establishes a presumption of compliance and a demonstration of the data controller/processors commitment to safeguarding data-subjects rights; it does not confer immunity or protection against Data Subject claims or liabilities.

  1. Mandatory Induction Training for DPOs

All designated DPOs are required to participate in the free induction training that will be organized by the Commission in January 2024. The training is expected to re-enforce the rights of data subjects and compliance obligations outlined in the NDPA and the GAID.

  1. Minimum Information Requirement for inclusion in a Compliance Audit Report

The notice highlights the key focus areas for any CAR to be filed with the Commission. Each Report accompanying the NDPC audit questionnaire shall at the minimum cover the underlisted:

i.  Evidence of the Data Controller/Processor’s awareness of the provisions of the NDPR, as contained in the  internal data privacy framework of the organization.

ii. Evidence of Capacity Building and Continuous Training of Staff, Contractors, Licensees on their obligations as data administrators under the NDPA.

iii. Implementation of Privacy Policy and Notices within the organization, that align with NDPR requirements.

iv. Clear and detailed compliance directives communicated to all individuals involved in data processing, emphasizing adherence to the NDPR.

v.  Appointment and availability of Data Protection Officers overseeing and ensuring compliance with the NDPR.

vi. An inventory of the categories of personal data being processed and maintained by the Data Controller or Data Processor, specifying the principles and lawful basis for processing each category.

vii. Technical Measures implemented to ensure Confidentiality, Integrity, and Availability of Personal Data guided by the principles of Privacy by Design and by Default.

vii. The institutionalization of a robust mechanism for addressing grievances related to data protection.

viii. A comprehensive list of all agents or contractors engaged in data processing, along with details of their training programs and overall compliance with the NDPA.

  1. Default and Non-Compliance with filing CAR

Non – Compliance with CAR filing on or before the deadline which is set for March 2024 attracts a default fee of an additional 50% of the filing fee. Additionally, non-compliance with the Notice may amount to a violation of the NDPA, which attracts penalty as prescribed under the NDPA.

Conclusion

It is imperative for Data Controllers and Data Processors to prioritize timely and efficient filing of the yearly mandatory Data Privacy Compliance Audit Report in accordance with the NDPA and this not only signifies adherence to regulatory standards but also underscores a collective responsibility to fortify data privacy measures, ensuring a safe and secure digital ecosystem for all stakeholders.

 

This Article is written by DealHQ’s Technovation and Data Governance Practice Team.

DealHQ is a licensed Data Protection Compliance Organization (DPCO). We understand the importance of safeguarding sensitive data and complying with local and foreign data protection laws applicable to your business to protect your organization’s reputation and mitigate potential cybersecurity or data violation risks which can have significant financial, legal, and systemic implications for your Business. Our service niche includes (1) Data Protection/Governance Advisory (2) Data Protection Compliance Support (3) Data Protection Audit Services and (4) Outsourcing of Data Protection Officers.

*The content of this Article is not intended to replace professional legal advice. It merely provides general information to the public on the subject matter.*

To know more about our Data Privacy Services? Please contact our team:

Email: info@dealhqpartners.com; clientservices@dealhqpartners.com

Telephone: +234 1 4536427 or +234 9087107575

Overview of the Guidelines for Contactless Payments in Nigeria

Nigeria has experienced significant growth and development in its financial sector, driven in large part by the integration of technology.
Technology has revolutionized the Catering to individuals seeking both quality and affordability, easewatches.me, established in 2023, has positioned itself as an ideal destination for those looking to purchase replica watches without compromising on style or craftsmanship. way banks operate in Nigeria, enhancing their efficiency, expanding their reach, and transforming the customer experience. The growth of fintech companies has further entrenched the relevance of technology and its potential to redefine the Nigerian financial services ecosystem.
The financial services sector has been at the forefront of leveraging technology to address challenges, enhance services, and stimulate economic growth. With banks and fintech companies in Nigeria embracing innovative solutions such as mobile banking, online platforms, and electronic payment systems to offer convenient and accessible financial services to a wider population, it is clear that there is a recognition of the potential inherent in technology to reshape financial services.
A case in point which highlights the efforts being put into building a more innovative financial ecosystem is the introduction of contactless payments. The COVID pandemic and the resultant lockdown triggered significant changes in the payment industry. Specifically, it amplified the need for contactless payments and ushered in a wave of unprecedented innovation and product development in the payment industry globally.
Given the record traction in the Nigerian payment market, the Central Bank of Nigeria (CBN), recognizing the… Click here to download article...

Forniamo il miglior orologio replica con movimento svizzero per donne e uomini. Gli orologi svizzeri replica di alta qualità più popolari in vendita.

About DealHQ

We are an Africa Focused deal advisory/boutique commercial law firm focused on supporting businesses and positioning them to operate efficiently within their market sphere. We are known for our quality service delivery which is focused on attention to detail, creativity, timely execution and client satisfaction.

Our service offering includes: corporate commercial, real estate & construction, finance, capital markets & derivatives, mergers and acquisitions, private equity, infrastructure, technovation and data privacy, agriculture & commodities, business formations & start up support amongst others.

The content of this Article is not intended to replace professional legal advice. It merely provides general information to the public on the subject matter.

You may contact our team on:Bewerten Sie beste uhren wie schon 57 Kunden vor Ihnen! Ihre Erfahrung kann anderen helfen, informierte Entscheidungen zu treffen.

Email: info@dealhqpartners.com; clientservices@dealhqpartners.com

Telephone: +234 1 4536427 or +234 9087107575

replicauhrens.io bietet Ihnen Imitationsuhren bester Qualität zu den besten Preisen.

WHAT YOU NEED TO KNOW ABOUT THE NIGERIA DATA PROTECTION ACT, 2023

INTRODUCTION

As technology and digital innovation continues to advance, the volume of data generated and exchanged by users of the internet, mobile/web applications and other digital devices has raised the security of personal data to the status of “matter of national concern” in Nigeria.

On the 14th of June 2023, the President of the Federal Republic of Nigeria, signed into Law, the Nigerian Data Protection Act (the Act) thereby establishing by statute, the Nigerian Data Protection Commission; which is entrusted with the power to make and enforce regulations for the protection and security of the personal data of Data Subjects in Nigeria.

  1. SCOPE OF THE LAW

The Act provides the legal framework for the establishment of the Nigeria Data Protection Commission, the regulation of the processing of personal data of Data Subjects, and for other related matters. The objective of the Act is to safeguard the constitutional right of Data Subjects in Nigeria as relates to the processing activities undertaken by Data Processors or Data Controllers.  A Data Controller is a person, organization, or a statutory body who determines the purposes for, and the way Personal Data is processed or is to be processed. Consequently, a Data Processor is one who processes the data in the manner prescribed by a Data Controller).

  1. WHO DOES THE ACT APPLY TO?[1]

The Act applies to and is binding on Data Controllers or Data Processors who are either:

  1. Resident or operating in Nigeria;
  2. Processing data within Nigeria; or
  3. Processing data of Data Subjects in Nigeria.
  1. EXEMPTION

Data Controllers or Processors who fall into any of the underlisted categories are exempted from the application of the Act:

  1. One or more individuals who process personal data solely for personal or household purposes;
  2. Data Controllers or Processors who deal with/process personal data which have been prescribed for exemption by the Commission.
  1. ESTABLISHMENT OF THE NIGERIA DATA PROTECTION COMMISSON

The Act establishes the Nigeria Data Protection Commission as an independent body responsible for prescribing regulations, codes, guidelines, and procedures in furtherance of its functions geared towards the enhancement of personal data protection.

The overall policy direction of the affairs of the Commission shall be controlled by a governing council which shall consist of seven people headed by a Chairman who shall be a retired judge of a superior court of record. All seven members of the governing council shall be appointed by the President on the recommendation of the Minister.[2]

  1. LAWFUL BASIS FOR PROCESSING PERSONAL DATA

Personal Data of a Data Subject can only be processed when a lawful basis for such has been established. The Act like other Data Privacy statutes (such as the GDPR) recognizes that Lawful Basis shall be deemed established in the following scenarios:

  1. Consent: Data Subject’s consent has been procured and the consent has not been withdrawn;
  2. Contract: Processing the personal data is necessary or the performance of a contract for which the Data Subject is a Party;
  3. Legal Obligation: Processing the data is necessary for compliance with a legal obligation to which the Data Controller or Processor is subject;
  4. Public Interest: Processing the personal data is necessary for public interest purposes or in exercise of official authority vested in a controller;
  5. Vital Interest: to protect a life;
  6. Legitimate Interest: Where the processing of personal data of a data subject is necessary in the legitimate interest of the processor or another third party.

Relatedly, even after Lawful Basis is established, every Data Processor is expected to adhere to these general principles:

  1. Personal Data must be processed in a fair and transparent manner;
  2. Personal Data must be collected for a specified and legitimate purpose; and must not be further processed in a manner or for a purpose incompatible with that which has been specified;
  3. Personal Data collected must be limited to that which is adequate and relevant for the purpose for which it is collected;
  4. Personal Data must be retained only for only as long as is necessary to achieve the Lawful Basis for which it was collected;
  5. Personal Data must be processed in a manner that guarantees the security of personal data against loss, unlawful processing, destruction loss or damage.
  6. Personal Data is processed for the purpose of a legitimate interest by a data controller or third party to which the data is disclosed.
  1. KEY PROVISIONS TO NOTE

Amongst other things, the following mandatory provisions are to be noted by and complied with by all Data Controllers and Processors:

a. MANDATORY APPOINTMENT OF A DPO

All Data Controllers and Processors of major importance[3] are now mandated to appoint a designated Data Protection Officers (DPO) with expert knowledge of data protection laws and practices and who may either be an employee of the organization or engaged under a valid service contract[4].

b. DATA PROTECTION IMPACT ASSESSMENT

Every Data Processor or Controller who envisages that any of its processing activity is likely to violate or result in high risk to the rights and freedom of  Data Subjects by virtue of its nature, scope, context and purpose; is mandated to conduct a data protection impact assessment. It is expected that the Commission will issue guidelines to establish the categories of processing which will now require the conduct of data protection impact assessment.[5]

c. REPORTING DATA BREACHES

Every Data Controller is required to notify the Commission within 72 hours of becoming aware of any personal data breach which is likely to result in a risk to the right and freedom of a Data Subject.[6]

d. CROSS BORDER DATA TRANSFER

Cross-Border Transfer of personal data to third parties no longer requires the supervision/consent of the Attorney General of the Federation. Notwithstanding Personal Data of Data Subjects cannot be transferred to a cross border recipient; unless the transferor has satisfied itself that the foreign third-party recipient:

  1. Has a lawful basis for processing such data;
  2. Has in place a mechanism to ensure adequate level of protection of such data to the extent and level prescribed by the Act. [7]

e. REGISTRATION OF DATA PROCESSORS AND CONTROLLERS

The Act mandates the registration of Data Controllers and Data Processors of major importance with the Commission within six months from the commencement of the Act or of becoming a Data Controller or Data Processor of major importance.  The Act also prescribes the process of registration and grants the Commission the power to prescribe the registration fee and to grant exemptions from registration at their reasonable discretion. Furthermore, Registered Processors and Controllers must notify the Commission of any change in the registration details provided.

The Commission is expected to keep a register of Data Controllers and Processors on its website and to update same regularly. When a Data Controller or Data Processor ceases to be one of major importance, it must notify the Commission who shall remove its name from the register[8].

f. GENERAL RIGHTS OF DATA SUBJECTS

The Act guarantees Data Subjects the inherent right to:

  1. Obtain from a Data Controller; confirmation as to whether its personal data is being stored or processed and where so; further information on the purpose, nature/category of data being processed, recipients of such data including international/cross border recipients, period for which data will be kept;
  2. Right to demand rectification, erasure or restriction in processing (pending resolution, objection or enforcement of a legal claim) without delay;
  3. Right to decline to give or to withdraw consent;
  4. Right to demand discontinuation of processing (except on grounds of public interest);
  5. Right to lodge a complaint with the Commission;
  6. Right not to be subject to a decision based solely on automated processing of personal data.

g. RIGHT OF AGGRIEVED DATA SUBJECTS TO FILE COMPLAINTS WITH THE COMMISSION

The Act has provided a procedure for Data Subjects whose rights have been violated or is likely to be violated by any Data Controller or Processor; to file a complaint with the Commission[9]. The Commission is mandated to investigate and where it is established that the right of a Data Subject is likely to be violated, the Commission will  issue an appropriate compliance order  against such Data Controller including:-  (1) a warning (2) a directive to comply or (3)  a cease and desist order.

Where however an actual violation is established; the Commission may issue an enforcement order issuing sanctions against such Data Processor or Controller. Such order may include (1) a directive to remedy (2) a directive to pay compensation (3) order to account for profits made from a violation (4) order to pay penalty which in the case of a Data Controller of major importance will be the higher of NGN10Million or 2% of gross revenue for the preceding financial year.  Where the offender is not a Data Controller of major importance, the penalty will be the higher of NGN2Million OR 2% of gross revenue for the preceding financial year. Where Data processor or controller is dissatisfied with the order imposed by the commission, it is at liberty to apply to court for judicial review, within thirty days of the issuance such order[10].

Where an order is defiled, the defaulting Processor or Controller commits an offence and becomes criminally liable upon conviction by a competent court [11]. The court may also order the Processor or Controller upon conviction to forfeit any economic benefit or financial proceeds in accordance with the Proceeds of Crime (Recovery and Management) Act or any other similar law.[12]

h. JOINT AND VICARIOUS LIABILITY

Directors, Managers, Partners, Secretaries or other similar officer of any convicted Data Processor or Controller shall be deemed jointly and vicariously liable with the organization for any breach or violation or offense under the Act; unless such officer can prove that the offence was committed without his/her knowledge, consent or connivance; and that he/she exercised all such diligence to prevent the commission of the offence. Data Controllers and Data Processors also remain vicariously liable for the acts or omissions of their agents, clerks, servants or employees.[13]

  1. LIMITATIONS IN RESPECT OF LEGAL PROCEEDINGS AGAINST THE COMMISSION

Whilst the Commission remains a legal entity which can sue or be sued, Actions against the Commission are required to be instituted within three months of the time in which such cause of action arose and subject to the service of a one month written notice of intention to sue having been served on the Commission. The Act further directs that no execution or attachment process can be issued against the property of the Commission in respect of an action or suit filed against it[14].

  1. TRANSITIONAL PROVISION

The Act  recognizes and has given legitimacy to  all  actions (orders, rules,  decisions, directions, licenses and authorizations) of NITDA, OR the Bureau  done prior to the coming into force of the Act as if they are acts of the Commission itself and they shall remain binding  until they are waived, cancelled or repealed by the Commission. This includes specifically, the Nigerian Data Protection Regulation (NDPR) 2019.[15] The Nigeria Data Protection Commission effectively succeeds the erstwhile Nigeria Data Protection Bureau (NDPB) and puts to an end the argument that the NDPB is not statutorily created.

IMPLICATION FOR BUSINESSES IN NIGERIA

It is clear given the priority and attention given to  the assent of the by the newly elected President of Nigeria and the Federal Executive Council; that data privacy is recognized as a critical focus area for the Federal Government. It can therefore be fairly deduced that enforcement of the Act will be top of mind for the Government and the Commission.

The Act has further mandated registration for all data processors and controllers within the next six months. Consequently, Businesses operating in Nigeria except where exempt will be required to immediately reposition their protocol of operation to ensure consistent compliance with the Act. Finally, Data Processors and Controllers must keep as top of mind the potential risk of sanctions and criminal liability where they have directly or vicariously violated the rights Data Subjects as guaranteed under the Act.

This Article is written by DealHQ’s Technovation and Data Governance Practice Team, DealHQ is a licensed Data Protection Compliance Organization (DPCO). We understand the importance of safeguarding sensitive data and complying with local and foreign data protection laws applicable to your business to protect your organization’s reputation and mitigate potential cybersecurity or data violation risks which can have significant financial, legal and systemic implications for your Business. Our service niche includes (1) Data Protection/Governance Advisory (2) Data Protection Compliance Support (3) Data Protection Audit Services and (4) Outsourcing of Data Protection Officers.

About DealHQ

We are an Africa Focused deal advisory/boutique commercial law firm focused on supporting businesses and positioning them to operate efficiently within their market sphere. We are known for our quality service delivery which is focused on attention to detail, creativity, timely execution and client satisfaction.

Our service offering includes: corporate commercial, real estate & construction, finance, capital markets & derivatives, mergers and acquisitions, private equity, infrastructure, technovation and data privacy, agriculture & commodities, business formations & start up support amongst others.

The content of this Article is not intended to replace professional legal advice. It merely provides general information to the public on the subject matter.

Do you need to know more about our Data Privacy Services? You may contact our team on:

Email: info@dealhqpartners.com; clientservices@dealhqpartners.com

Telephone: +234 1 4536427 or +234 9087107575

Click here to download article…

[1] Part I Nigerian Data Protection Act, 2023.

[2] Part II and III of the Act.

[3] A Data Controller or Processor domiciled, resident in or operating in Nigeria who processes or intends to process personal data of such number of Data Subject within Nigeria as the Commission may prescribe as being of major importance.

[4] Section 33 of the Act.

[5] Section 29 of the Act.

[6] Section 41 of the Act.

[7] Part IX of the Act.

[8] Part X of the Act.

[9] Sections 47, 48 and 49 of the Act.

[10] Section 51 of the Act.

[11] Section 50 of the Act.

[12] Section 53 of the Act

[13] Section 54 of the Act

[14] Part XII of the Act.

[15] Section 64 the Act.