Who Has Obligations? Data Controllers and Data Processors
Data Controller
Any person or organisation that determines the purpose and means of processing personal data. If you decide why personal data is collected and how it is used, you are the controller. Most Nigerian businesses that collect customer or employee data are data controllers.
Data Processor
Any person or organisation that processes personal data on behalf of a data controller. A cloud storage provider hosting a hospital's patient records, or a payroll company processing an employer's staff data — these are processors. They follow the controller's instructions.
Why the Distinction Matters
Controllers bear the primary legal liability under the NDPA. Processors carry secondary but significant liability, particularly for their own processing failures.
Data Controllers of Major Importance (DCMIs)
Not all data controllers are treated equally by the NDPC. An organisation qualifies as a DCMI if it:
- Processes the personal data of more than 200 individuals in a six-month period; or
- Operates in a critical sector — finance, telecommunications, health, education, or aviation; or
- Processes sensitive personal data as part of its core operations.
DCMI Obligations
If your organisation is a DCMI, you must register with the NDPC, submit a Compliance Audit Return (CAR) annually, and appoint a qualified Data Protection Officer (DPO). These are statutory obligations with enforcement consequences.