Cross Border Data Transfer

Cross-Border Data Transfer Procedure

Purpose of this document

This document sets out our organization’s responsibilities and policy for the protection of personal data under the Nigerian Data Protection Act (NDPA).

Review frequency

This document will be reviewed annually and upon significant change to our organizational structure or changes to relevant legislation.

1. SCOPE, PURPOSE AND USERS

This Cross Border Data Transfer Procedure (hereinafter referred to as “Procedure”) is established in order to create a common approach throughout SKOUTIA (hereinafter referred to as the “Company”) regarding all instances of transfers of personal data to a third country (hereinafter referred to “Cross Border Data Transfer” or “CBDT”).

All Customers, Contractors, Job Applicants, Employees, Beneficiaries (from CSR) and Third Parties working for or acting on behalf of the Company must to be aware of, and follow this procedure when considering transferring data outside Nigeria.

2. DEFINITIONS

  • Cross Border Data Transfer (CBDT) – Transfer of personal data by controllers established or operating in Nigeria to recipients established outside Nigeria who act either as controllers or as processors.
  • Data Exporter – The controller who transfers the personal data.
  •  Data Importer – The processor established in a Third country who agrees to receive, from the data exporter, personal data intended for processing on the data exporter’s behalf after the transfer, in accordance with exporter instructions and the terms of applicable laws, and who is not subject to a third country’s system ensuring adequate protection of individuals with regard to the processing of personal data and on the free movement of such data.
  • DPA – Data Protection Authority.
  • DTA – Data Transfer Agreement.
  • Third Country – Any country other than the Federal Republic of Nigeria.

3. APPLICABILITY

The rules set up in this Procedure apply to cross-border transfers, which fall under the applicability of the NDPA. In this section, the applicability and the extraterritorial reach of the NDPA is explained.

This document is applicable to the Company’s entities under its direct or indirect control, excluding joint ventures.

It is important to highlight the extraterritorial applicability of the NDPA. The NDPA and consequently this Procedure applies to the processing of personal data in the context of the activities of the Company (acting either as a controller or a processor) in Nigeria.

NDPA also applies to the processing of personal data of data subjects who are in Nigeria by a controller or processor not established in Nigeria, where the processing activities are related to:

  • The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in Nigeria; or
  • The monitoring of their behavior as far as their behavior takes place within Nigeria.

The Policy applies to all departments, deals with transfers of personal data to a third country.

In the event that any of the rules laid out in this document are in conflict with local laws and regulations, the latter shall prevail.

4. CROSS BORDER DATA TRANSFERS

The NDPA allows personal data transfers to a third country only if a set of conditions are fulfilled.  The NDPA allows for personal data transfers to countries whose legal regime is deemed by the NDPB to provide for an “adequate” level of personal data protection.

Where data is being transferred abroad as stipulated in Article 2.11 of the NDPA, the following information is required-

  1. The List of Countries where Nigerian citizens’ personally identifiable information are transferred in the regular course of business.
  2. The Data Protection laws and contact of National Data Protection Office/Administration of such countries listed in i) above.
  3. The privacy policy of the Data Controller, compliant with the provisions of the NDPA.
  4. Overview of encryption method and data security standard
  5. Any other detail that assures the privacy of personal data is adequately protected in the target country.

NDPB shall coordinate transfer requests with the office of the Attorney-General of the Federation. A ‘white-list’ of jurisdictions shall be compiled and published on official media of communication. Where transfer to a jurisdiction outside the White list is being sought, the Data Controller shall ensure there is a verifiable documentation of consent to one or more of the exceptions stated in Article 2.12 of the NDPA.

5. ACCOUNTABILITY

Any individual who breaches this Procedure may be subject to internal disciplinary action (up to and including termination of their employment) and may also face civil or criminal liability if their action violates the law.

Please direct all queries and concerns to dpo@skoutia.com

© 2025 Skoutia Arabic
English Arabic French Spanish Portuguese Deutsch Turkish Dutch Italiano Russian Romaian Portuguese (Brazil) Greek
الشروط الخصوصية Parent Consent Parent Consent withdrawal Cross Border Data Transfer User Account Deletion اتصل بنا الدليل