Section 48, NDPA
Enforcement orders
(1) Notwithstanding any criminal sanctions under this Act, if the Commission, after completing an investigation under section 46 of this Act, is satisfied that a data controller or data processor has violated any provision of this Act or subsidiary legislation made under this Act, it —
(a) may make any appropriate enforcement order or impose a sanction on the data controller or data processor; and
(b) shall inform the data controller or data processor, and if applicable, any data subject who lodged a complaint leading to the investigation, in writing of its decision.
(2) An enforcement order made or sanction imposed under subsection (1) shall include —
(a) requiring the data controller or data processor to remedy the violation;
(b) ordering the data controller or data processor to pay compensation to a data subject, who has suffered injury, loss, or harm as a result of a violation;
(c) ordering the data controller or data processor to account for the profits realised from the violation; or
(d) ordering the data controller or data processor to pay a penalty or remedial fee.
(3) A penalty or remedial fee under subsection (2)(d) may be an amount up to the —
(a) higher maximum amount, in the case of a data controller or data processor of major importance; or
(b) standard maximum amount, in the case of a data controller or data processor not of major importance.
(4) The “higher maximum amount” shall be the greater of —
(a) $10,000,000, and
(b) 2% of its annual gross revenue in the preceding financial year.
(5) The “standard maximum amount” shall be the greater of —
(a) N2,000,000, and
(b) 2% of its annual gross revenue in the preceding financial year.
(6) The Commission shall, in determining the sanctions, take into consideration the –
(a) nature, gravity, and duration of the infringement;
(b) purpose of the processing;
(c) number of data subjects involved;
(d) level of damage and damage mitigation measures implemented;
(e) intent or negligence;
(f) degree of cooperation with the Commission; and
(g) types of personal data involved.
This is Section 48 of the Nigeria Data Protection Act 2023.
