(2) Anyone who is entrusted with Personal Data of a Data Subject or who is in
possession of the Personal Data of a Data Subject owes a duty of care to the
said Data Subject;
(3) Anyone who is entrusted with Personal Data of a Data Subject or who is in
possession of the Personal Data of a Data Subject shall be accountable for his
acts and omissions in respect of data processing, and in accordance with the
principles contained in this Regulation.
2.2
LAWFUL PROCESSING
Without prejudice to the principles set out in this Regulation, processing shall be lawful if
at least one of the following applies:
a) the Data Subject has given consent to the processing of his or her Personal
Data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the Data
Subject is party or in order to take steps at the request of the Data Subject
prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the
Controller is subject;
d) processing is necessary in order to protect the vital interests of the Data
Subject or of another natural person, and
e) processing is necessary for the performance of a task carried out in the
public interest or in exercise of official public mandate vested in the
controller;
2.3
PROCURING CONSENT
(1)
No data shall be obtained except the specific purpose of collection is
made known to the Data Subject;
(2)
Data Controller is under obligation to ensure that consent of a Data
Subject has been obtained without fraud, coercion or undue influence;
accordingly:
a) where processing is based on consent, the Controller shall be able to
demonstrate that the Data Subject has consented to processing of his or
her Personal Data and the legal capacity to give consent;
8
NIGERIA DATA PROTECTION REGULATION