Now that we understand the concept of Personal Data, the next step is to examine the players involved in data processing. Key players include the data subject, the data controller, and the data processor. Other players include the recipients and third parties.
Key Players
In our first article, “What is Personal Data?”, a data subject was defined as the natural person to whom the personal data relates, i.e., the individual who can be identified from a set of personal data.
A data controller is the person or organisation that determines the purposes and means of data processing. For example, a clothing store receives an order for a dress. The buyer’s address and email are personal data, and the store is the controller because it decides that the address will be used solely for delivery and the email solely to confirm the order. If two or more parties make these decisions together, they are known as joint controllers.
A data processor processes personal data on behalf of a data controller. The data processor does not make any decision regarding the purposes and means of processing personal data; it acts only on the instructions of the data controller. Unlike the data subject, the data controller and processor can be a natural person (an individual) or a legal person.
This distinction is important because it helps determine each party’s legal obligations. In practice, a Data Processing Agreement (DPA) outlines these responsibilities between the controller and the processor.
Other Key Players
A third party is a natural or legal person other than the data subject, controller, processor, or someone under the controller’s or processor’s direct authority who is authorised to process the data.
A recipient is a natural or legal person who receives personal data.
A sub-processor is a third party engaged by a data processor to perform specific data activities on their behalf. Practically speaking, all sub-processors are third parties, but not all third parties are sub-processors.
Data Controllers and Processors of Major Importance
The Nigeria Data Protection Act 2023 (“NDPA”) introduced an additional category referred to as Data Controllers and Processors of Major Importance. These are individuals or organisations whose data processing activities are especially significant to the country’s economy, public interest, or national security. This designation imposes additional regulatory obligations, and an organisation may fall into this category if:
- It processes the personal data of more than 200 individuals within 6 months;
- It offers commercial ICT services on a digital device that stores personal data and belongs to someone else; or
- It operates in key sectors such as aviation, healthcare, finance, education, communications, hospitality, tourism, or e-commerce.
These controllers and processors are further classified as follows:
- Ultra-High Level (UHL)
- Extra-High Level (EHL)
- Ordinary-High Level (OHL)
The Nigeria Data Protection Act-General Application and Implementation Directive (“NDPA-GAID”) provides additional details on these classifications.
Responsibilities of Data Controllers and Processors
Traditionally, data controllers were expected to meet most compliance obligations. However, in recent years, the responsibilities of data processors have increased significantly. Under the NDPA and the NDPA-GAID, both controllers and processors have nearly identical duties.
As outlined in Article 7 of the NDPA-GAID, these obligations include:
- Registering with the Nigerian Data Protection Commission (NDPC);
- Conducting a data protection compliance audit within 15 months of starting business, and thereafter annually;
- Filing Compliance Audit Returns (CAR) by 31 March each year;
- Maintaining proper documentation of all data processing activities;
- Preparing a data protection report within six months of commencing business;
- Organising privacy training and awareness programmes for staff;
- Appointing a Data Protection Officer (DPO) where applicable; and
- Publishing clear and accessible privacy policies and notices on websites, apps, and other platforms.
Now that you have learnt the difference between a data controller and a processor, you are one step closer to full compliance. Remember, the role you play defines your legal responsibilities, and getting it right from the start helps avoid confusion and regulatory breaches.
If you are still unsure about your role in your organisation’s data ecosystem, let us know by responding to this email. We are happy to help clarify. Stay tuned for Article 3 and feel free to share this article with colleagues who work with data.
Short Test
Identify the correct role (Data Controller, Data Processor, or Neither) in the following examples:
- FinTechCo decides to collect and analyse customer spending habits to offer personalised savings advice.
- SecureCloud Ltd hosts customer data and processes it according to FinTechCo’s instructions.
- Nedu, a freelance developer, creates a website but does not handle or access user data.
Bonus Question:
Which Nigerian legal document defines the categories of Data Controllers and Processors of Major Importance?
Please share your answers and comments below. We would love to hear from you!
UP NEXT
In our next article, we will explore the principles of data processing which every organisation must have in mind for compliant data processing.