Section 41, NDPA
Basis for cross-border transfer of personal data
(1) A data controller or data processor shall not transfer or permit personal data to be
transferred from Nigeria to another country, unless —
(a) the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection with respect to the personal data in accordance with this Act; or
(b) one of the conditions set out in section 43 of this Act applies.
(2) A data controller or data processor shall record the basis for transfer of personal data to another country under subsection (1) and the adequacy of protection under section 42 of this Act.
(3) The Commission may make regulations requiring data controllers and data processors to notify it of the measures in place under subsection (1) and to explain their adequacy in terms of section 42 of this Act.
(4) The Commission may, by regulations, designate categories of personal data that are subject to additional specified restrictions on transfer to another country based on the nature of such personal data and risks to data subjects.
This is Section 41 of the Nigeria Data Protection Act 2023. To explore the rest of the legislation, please use the links below:
- See the Full Act (Index)
- Next, Read Section 42: Adequacy of protection
- Back to Section 40: Personal data breaches