Section 29, NDPA
Obligations of the data controller and data processor
(1) Where a data controller engages the services of a data processor, or a data processor engages the services of another data processor, the data controller or data processor
engaging another shall ensure that the engaged data processor —
(a) complies with the principles and obligations set out in this Act as applicable to the data controller;
(b) assists the data controller or data processor, as the case may be, by the use of appropriate technical and organisational measures, in the fulfilment of the data
controller’s obligations to honour the rights of a data subject under Part VI;
(c) implements appropriate technical and organisational measures to ensure the security, integrity, and confidentiality of personal data as required in Part VII;
(d) provides the data controller or engaging data processor, where applicable, with information reasonably required to comply and demonstrate compliance with this Act; and
(e) notifies the data controller or engaging data processor, where applicable, when
anew data processor is engaged.
(2) The measures under subsection (1) include a written agreement between the data
controllers and the data processor, or between data processors, as the case may be.
This is Section 29 of the Nigeria Data Protection Act 2023. To explore the rest of the legislation, please use the links below:
- See the Full Act (Index)
- Next, Read Section 30: Sensitive personal data
- Back to Section 28: Data privacy impact assessment