Nigeria DPC publishes guidance for data controller and processor registration requirements

The Nigeria Data Protection Commission (NDPC) has released guidelines on the registration obligations for what it deems “data controllers and data processors of major importance,” as stipulated by Nigeria’s Data Protection Act (NDPA). Passed in June 2023, the Act introduced a crucial requirement to register with the NDPC within six months of the Act’s initiation or upon assuming the status of a data controller and data processor of major importance. The new guidelines provide comprehensive instructions on the registration procedures, criteria for significance, timelines, and the implications of non-compliance.

Organisations are deemed data controllers and data processors of major importance and therefore subject to registration if they have a considerable impact on Nigeria’s economy, society, or security. Specific criteria set out in the NDPC’s guidance include processing the personal data of over 200 individuals within a six-month timeframe, engaging in commercial ICT services, or operating within critical sectors such as finance, healthcare, and education. The NDPC categorises these entities into three tiers based on their level of data processing: Ultra High Level (MDP-UHL), Extra High Level (MDP-EHL), and Ordinary High Level (MDP-OHL). Factors influencing these classifications include the type and sensitivity of the data handled, the organisation’s accountability measures, the use of third-party servers or cloud services, and the involvement in cross-border data flows. 

The registration fees vary according to the category, with MDP-UHL organisations facing a fee of N250,000, MDP-EHL at N100,000, and MDP-OHL at N10,000. This tiered structure reflects the varying scales of data processing activities and their potential impact on data subjects. 

All existing data controllers and data processors of major importance are mandated to complete their registration by 30 June 2024, utilising the NDPC’s Information Management Portal. Organisations that neglect this requirement, either by missing the deadline or failing to register altogether, will face regulatory sanctions as stipulated by the NDPA. These sanctions may include enforcement actions and the imposition of fines.  

Organisations in Nigeria are advised to assess whether they qualify as data controllers and data processors of major importance under the NDPA and understand their classification tier to comply with registration requirements. They need to prepare by gathering necessary documentation, implementing stringent data protection measures, and registering via the NDPC’s portal before the 30 June 2024 deadline. A proactive approach is recommended as early and thorough preparation will help organisations avoid potential sanctions. 

Garante approves employer privacy code of conduct

Italy’s data protection authority, the Garante, has approved a new code of conduct on job candidate data processing by employment agencies (APL). The code of conduct sets out crucial guidelines to safeguard job applicants and prevent potential discrimination in the job market. 

Employment agencies are to process only the data essential for forming an employment relationship. They are required to avoid inquiries into applicants’ political, religious, or union affiliations, as well as pre-selections based on marital status, pregnancy, or disabilities, even with the candidate’s consent. 

During the pre-hiring stage, APLs are prohibited from sourcing information from personal social media profiles, with permitted data collection restricted to professional platforms and relevant expertise only. Furthermore, professional references from past employers can only be gathered and shared with the consent of the candidate. 

The code also prohibits the processing of information regarding any disciplinary actions or legal proceedings involving the candidate, regardless of their consent. For decisions made through automated processes, APLs are required to conduct thorough impact assessments, transparently communicate the workings of such systems to candidates, ensure mechanisms for human intervention, and allow candidates to voice concerns and challenge decisions.  

APLs are advised to closely align their recruitment practices with the new code of conduct endorsed by Italy’s Garante to ensure the ethical and legal processing of candidate data. 

Oman issues Executive Regulations to the Personal Data Protection Law

On January 28, 2024, Oman’s Ministry of Transport, Communications & Information Technology issued the Executive Regulations for the Oman Personal Data Protection Law (PDPL), providing detailed guidance on its implementation. These regulations specify requirements for handling personal data breaches, obtaining consent, data transfer protocols, and authorisation for data processing.  

The PDPL and its Executive Regulations introduce comprehensive requirements for data handling, emphasising the need for explicit consent from individuals before processing their data, with certain exceptions. Consent is also necessary for sending marketing materials, and individuals must have the option to opt-out. Special considerations are made for processing children’s data, requiring parental consent and ensuring data minimisation for safety.  

Companies are required to obtain specific authorisation from the Ministry for processing sensitive data, and they are required to renew this authorisation every five years. Individuals have rights to access, correct, transfer, and request the deletion of their data, with companies obligated to respond to such requests within 45 days. 

A detailed privacy policy must be provided to individuals before processing their data, outlining the purposes and methods of data handling. Additionally, companies are obligated to maintain a detailed record of their data processing activities. There is a requirement to report any data breaches to the Ministry within 72 hours and to notify affected individuals if there is a significant risk of harm. Data transfers outside Oman require explicit consent and an assurance of equivalent data protection levels, with controllers responsible for assessing the adequacy of protection by external processors. 

The appointment of a Data Protection Officer (DPO) is mandatory for all controllers, and external auditors must be engaged to ensure compliance with PDPL procedures. Companies that are subject to the PDPL have one year from 5 February 2024 to bring their data processing activities in compliance with the Executive Regulations. Organisations are advised to establish clear consent management and data processing procedures in line with the PDPL and its Executive Regulations, focusing on obtaining explicit consent, particularly for sensitive data and marketing communications. Special attention should also be given to protecting children’s data, appointing a qualified Data Protection Officer (DPO), and engaging external auditors to verify compliance. 

German Federal Cabinet approves draft amendment to the Federal Data Protection Act

The German Federal Cabinet has approved a new draft law proposed by the Federal Interior Minister, aimed at revising the Federal Data Protection Act. This approval represents a key milestone in the implementation process following the publication of the draft bill on August 9, 2023. The law now awaits formal publication and will come into force on the first day of the quarter following its publication.

This legislation is set to formalise the assembly of independent federal and state data protection authorities, enhance the execution of data protection laws in Germany and create legal certainty for consumer-protective scoring. The new scoring regulation was developed together with the Federal Ministry for the Environment and Consumer Protection. 

The Federal Ministry of the Interior has emphasised the importance of data protection as a dynamic aspect of fundamental rights, noting that the new law will bolster the collaboration among independent data protection authorities, leading to more consistent practices throughout Germany. The law will operate to reduce bureaucratic hurdles for businesses and clarify citizens’ rights. The law also facilitates a single point of regulatory contact for companies and research bodies involved in multi-state projects.

A key feature of the reform is the new scoring regulation, which aims to protect consumers by prohibiting the use of sensitive personal data, such as ethnic background, health information, social media activity, and home addresses, in automated financial credibility assessments. 

Key elements of the draft law include: 

  • Institutionalisation of the Data Protection Conference (DSK) within the Federal Data Protection Act to ensure the uniform application of data protection laws and foster cooperation for their advancement. 
  • Simplification of regulatory contact for cross-border projects by allowing entities to liaise with a single supervisory authority when processing data for scientific, historical, or statistical purposes. 
  • Enhanced early-stage national coordination among federal and state supervisory authorities as part of European collaboration efforts, bolstering EU-related cooperation. 
  • Implementation of Federal Data Protection Act evaluation findings and clarification of the legal basis for scoring, in response to a European Court of Justice ruling from December 7, 2023. The ruling restricts decisions based solely on automated processing, such as credit scoring, and the new law utilises GDPR-provided exceptions to establish a legal basis for such assessments, explicitly excluding certain types of personal data from scoring processes.

Companies in Germany are advised to adapt to the new data protection law by updating their data handling and scoring practices to exclude sensitive personal information, especially relating to minors. They should engage more closely with data protection authorities, leveraging streamlined communication channels for guidance. Businesses are now required to ensure a high standard of transparency and fairness in their data processes, particularly in credit scoring, to align with consumer protection priorities. Investing in staff training on the updated regulations will therefore be crucial for compliance.

As a global BCorp organisation, HewardMills is ready to partner and support your organisation’s needs to safeguard personal data and tackle challenging ever-evolving global data protection regulatory requirements. Contact our team if you want to discuss any of the topics or regulatory updates discussed. 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.