How to Register as a Data Controller or Data Processor with the Nigeria Data Protection Commission

Introduction

The Nigeria Data Protection Act (NDPA), 2023 is the principal legislation regulating the processing of personal data in Nigeria. It established the Nigeria Data Protection Commission (NDPC) as the regulatory authority responsible for overseeing data protection compliance in Nigeria including the registration of Data Controllers and Data Processors of major importance. Further to the NDPA, the NDPC issued the General Application and Implementation Directive (GAID), 2025 which explicitly states the categories of Data Controllers and Data Processors that are mandatorily required to register with NDPC.

This article highlights the categories and obligation of Data Controllers and Data Processors to register with NDPC, the requirements for registration and penalty fees for late registration.

Categories of Data Controllers and Data Processors of Major Importance

The NDPA imposes the obligation on every Data Controller and Data Processor of Major Importance to register with NDPC within 6 months of the commencement of the NDPA or within 6 months of becoming a Data Controller or Data Processor of Major Importance. It is important to note that the NDPA defines a Data Controller and Processor of Major Importance to mean “a data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society or security of Nigeria as the Commission may designate”.

Data Controllers and Data Processors of Major Importance have been classified into three categories by the NDPC namely:

1. Ultra-High Level (UHL): These are Data Controllers and Data Processors who are required to abide by global and highest attainable standards of data protection. They are classified as such due to the sensitivity of the personal data in their care, substantial involvement in cross-border data flows, reliance on third-party servers or cloud computing services for the purpose of substantial processing of personal data, processing the personal data of over Five Thousand (5,000) data subjects through the means of technology under its technical control or through a service contract, etc.

The specific categories of UHL Data Controllers and Data Processors are as follows:

• Commercial banks operating at national or regional level;
• Telecommunication companies;
• Insurance companies;
• Multinational companies;
• Electricity distribution companies;
• Oil and Gas companies;
• Public social media App developers and proprietors;
• Public e-mail App developers and proprietors;
• Communication devices manufacturers;
• Payment gateway service providers;
• FinTechs; and
• Organisations that process personal data of over Five Thousand (5,000) data subjects in six (6) months.

2. Extra-High Level (EHL): These are Data Controllers and Data Processors who are required to abide by global best practices of data protection. They are classified as such due to the sensitivity of the personal data in their care, their functions as government establishments, the need for reputable and standardized certifications for people, process and technologies involved in data confidentiality, integrity and availability, etc.

The specific categories of EHL Data Controllers and Data Processors are as follows:

• Ministries, Departments and Agencies (MDAs) of government;
• Micro Finance Banks;
• Higher Institutions;
• Hospitals providing tertiary or secondary medical services;
• Mortgage Banks; and
• Organisations that process personal data of over One Thousand (1,000) data subjects but less than Five Thousand (5,000) within six (6) months.

3. Ordinary-High Level (OHL): These are Data Controllers and Data Processors who are required to abide by global best practices of data protection. They are classified as such due to the sensitivity of the personal data in their care, the inherent vulnerability of the data subjects they typically engage with, high risk to the privacy of data subjects if such personal data are processed by the data controller or data processor in a systematic or automated manner, the need for reputable and standardized certifications for people, process and technologies involved in data confidentiality, integrity and availability, etc.

The specific categories of OHL Data Controllers and Data Processors are as follows:

• Primary and Secondary Schools;
• Corporate Training Service Providers;
• Primary Health Centres;
• Independent Medical Laboratories;
• Hotels and Guest Houses with less than fifty (50) suites;
• Processors who process sensitive personal of more than Two Hundred (200) data subjects for commercial purposes; and
• Organisations that process personal data of over Two Hundred (200) data subjects but less than One Thousand (1000) within six (6) months

Registration Requirements

To register with NDPC as a Data Controllers and Data Processors of Major Importance in any of the categories provided above, the applicant must provide the following information and documents which include the following to NDPC:

1. Certificate of incorporation with the Nigerian Corporate Affairs Commission (CAC)
2. Details of the data controller or processor including contact details
3. Details of Data Protection Officer including full name, contact details and qualifications
4. Details of the data controller or processor’s representatives including full name and contact details
5. Details of technical and organizational security measures
6. Description of data processing activities and basis of data processing
7. Information on cross-border data transfer
8. Payment of the prescribed applicable fee.

Penalty Fee for Late Registration

The NDPA mandates Data Controllers and Data Processors of Major Importance to register within 6 months of the commencement of the Act or within 6 months after becoming a Data Controllers and Data Processors of Major Importance. The NDPC initial registration timeline mandated by NDPA was eventually extended to 30^th September 2024 by NDPC.

Failure to register within the statutory timeline and NDPC-extended timeline, Data Controllers and Data Processors of Major Importance are subject to penalty fees for late registration to be assessed by NDPC. However, entities incorporated within 6 months of applying for registration can apply for waiver of penalty fees.

Conclusion

The Nigeria Data Protection Act, 2023 requires Data Controllers and Data Processors of Major Importance to register NDPC. NDPC has further categorized Data Controllers and Data Processors of Major Importance into Ultra-High Level (UHL), Extra-High Level (EHL) and Ordinary-High Level (OHL) based on their data processing activities and data protection obligations. To register with NDPC, Data Controllers and Data Processors of Major Importance must provide the required information and documents to NDPC and pay the applicable registration fee. Penalty fees apply to late registration with NDPC; however, entities incorporated within 6 months of applying for registration can apply for waiver of penalty fees.