records and reports in credible news media. Accordingly, the distinction
between legal and natural persons for the purpose of limiting due diligence
is irrelevant.
2.5
PUBLICITY AND CLARITY OF PRIVACY POLICY
Notwithstanding anything contrary in this Regulation or any instrument for the
time being in force, any medium through which Personal Data is being collected
or processed shall display a simple and conspicuous privacy policy that the class
of Data Subject being targeted can understand. The privacy policy shall in
addition to any other relevant information contain the following:
a) what constitutes the Data Subject’s consent;
b) description of collectable personal information;
c) purpose of collection of Personal Data;
d) technical methods used to collect and store personal information, cookies,
JWT, web tokens etc.;
e) access (if any) of third parties to Personal Data and purpose of access;
f) a highlight of the principles stated in Part 2;
g) available remedies in the event of violation of the privacy policy;
h) the time frame for remedy; and
i)
provided that no limitation clause shall avail any Data Controller who acts
in breach of the principles set out in this Regulation.
2.6
DATA SECURITY
Anyone involved in data processing or the control of data shall develop security
measures to protect data; such measures include but not limited to protecting
systems from hackers, setting up firewalls, storing data securely with access to
specific
authorized
individuals,
employing
data
encryption
technologies,
developing organizational policy for handling Personal Data (and other sensitive
or confidential data), protection of emailing systems and continuous capacity
building for staff.
2.7
THIRD PARTY DATA PROCESSING CONTRACT
Data processing by a third party shall be governed by a written contract between
the third party and the Data Controller. Accordingly, any person engaging a third
10
NIGERIA DATA PROTECTION REGULATION