Subscribe to our Newsletter to receive the latest updates on our content. By tapping the “Subscribe” button you will be redirected to subscription page. Subscription is free.
What Constitutes Cross-Border Transfer of Personal Data?
A cross-border transfer of personal data occurs when personal data collected in Nigeria is sent to, stored in, or accessed from another country. This includes sending customer KYC data to a foreign vendor, using a cloud server located outside Nigeria, or sharing transaction records with an international payment processor.
24 April 26
Other Insights:
Sections 41 to 43 of the Nigeria Data Protection Act 2023 (“NDPA”) and Schedule 5 of the General Application and Implementation Directive (GAID) 2025 provide permissible grounds for cross-border personal data transfer, which include:
- Where the Nigeria Data Protection Commission (the “NDPC”) has issued an adequacy decision;
- Cross-Border Data Transfer Instruments (CBDTI) approved by the NDPC; or
- Reliance on other lawful bases recognised under the NDPA.
Grounds for Cross-Border Data Transfer: The Adequacy Standard
This is the primary basis for lawful cross‑border data transfers and requires that personal data may be transferred outside Nigeria only where the recipient country, territory, or international organisations ensure an adequate level of protection substantially similar to those under the Nigeria Data Protection Act 2023 (“NDPA”). The Nigeria Data Protection Commission may adjudge a country as affording adequate data protection equivalent to the NDPA’s standard. Where such a determination exists, a fintech may transfer personal data to that country, while ensuring appropriate technical and organisational safeguards are in place. Where no adequacy determination exists for the destination country, the fintech must rely on other lawful transfer mechanisms to be considered in the coming weeks.
Grounds for Cross-Border Data Transfer: Cross-Border Data Transfer Instruments (CBDTI)
Where the Nigeria Data Protection Commission (the “NDPC”) has not made an adequacy determination for the recipient country, a fintech may still transfer personal data outside Nigeria through the use of certain instruments approved by the NDPC, which include:
- Standard Contractual Clauses (SCCs);
- Binding Corporate Rules (BCRs);
- Approved codes of conduct; or
- Certification mechanisms recognised by the NDPC.
Fintechs may need to carefully review and consider all contracts with foreign vendors that process personal data to ensure that NDPC-approved safeguards are embedded.
Grounds for Cross-Border Data Transfer: Other Lawful Bases – Jural and Fiduciary Grounds
The law recognises other lawful bases for cross-border data transfer, including jural and fiduciary obligations. Fintechs may rely on other lawful bases recognised under the Nigeria Data Protection Act 2023 (“NDPA”) for cross‑border data transfers where appropriate, such as consent, contractual necessity (including processing an international remittance), legal obligation, vital interests, public interest or where such transfer is for the sole benefit of the data subject, provided these conditions fully meet the statutory thresholds. The NDPA sets out these bases as valid grounds for processing personal data, and each must be assessed carefully to ensure that the transfer is necessary, proportionate, and consistent with the data subject’s reasonable expectations.
Should you have any questions regarding the information in this legal alert, please do not hesitate to contact Ajibola Asolo.