Section 43, NDPA

Other bases for transfer of personal data outside Nigeria

(1) In the absence of adequacy of protection under section 42 of this Act, a data controller or data processor shall only transfer personal data from Nigeria to another country if the—

(a) data subject has provided and not withdrawn consent to such transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of adequate protections;

(b) transfer is necessary for the performance of a contract to which a data subject is a party or in order to take steps at the request of a data subject, prior to entering into a contract:

(c) transfer is for the sole benefit of a data subject and —

(i) it is not reasonably practicable to obtain the consent of the data subject to that transfer, and

(ii) if it were reasonably practicable to obtain such consent, the data subject would likely give it;

(d) transfer is necessary for important reasons of public interest:

(e) transfer is necessary for the establishment, exercise, or defense of legal claims; or

(f) transfer is necessary to protect the vital interests of a data subject or of other persons, where a data subject is physically or legally incapable of giving consent.

(2) Without prejudice to any provision of this Act, no specific international, multi-national cross border data transfer codes, rules or certification mechanisms shall be adopted as Federal Republic of Nigeria standard for the protection of data subject or data sovereignty without approval of the National Assembly.

---

This is Section 43 of the Nigeria Data Protection Act 2023. To explore the rest of the legislation, please use the links below:

• See the Full Act (Index)
• Next, Read Section 44: Registration of data controllers and processors of major importance
• Back to Section 42: Adequacy of protection