Regulatory › NDPA & Data Protection
Nigeria Data Protection Act 2023 — MVNO Obligations
The NDPA 2023 establishes data protection obligations for organisations processing the personal data of Nigerian data subjects. MVNOs process subscriber personal data and are directly subject to its requirements.
Core Framework
What the NDPA Covers
Six core principles govern all personal data processing under the NDPA 2023.
Lawfulness, fairness, transparency
Personal data must be processed lawfully, fairly, and in a transparent manner. A lawful basis (consent, contract, legitimate interest, etc.) must exist for each processing activity.
Purpose limitation
Personal data collected for specified, explicit, and legitimate purposes may not be further processed in a manner incompatible with those purposes.
Data minimisation
Only personal data adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed should be collected and held.
Accuracy
Personal data must be accurate and, where necessary, kept up to date. Steps must be taken to ensure inaccurate data is corrected or deleted without delay.
Storage limitation
Personal data must not be kept in a form that permits identification of data subjects for longer than necessary for the processing purpose.
Integrity and confidentiality
Personal data must be processed with appropriate security measures to protect against unauthorised processing, accidental loss, destruction, or damage.
Subject Rights
Data Subject Rights Under the NDPA
| Right | Description | Operational meaning for MVNOs |
|---|---|---|
| Right of access | Data subjects may request confirmation of and access to their personal data | Subscriber data export on request within statutory timeframe |
| Right to rectification | Inaccurate personal data must be corrected | Subscriber profile correction process required |
| Right to erasure | Data subjects may request deletion where no overriding legitimate ground exists | Subscriber data deletion on termination (subject to regulatory retention) |
| Right to portability | Structured, machine-readable data export on request | Subscriber data export in standard format |
| Right to object | Data subjects may object to processing based on legitimate interest | Objection handling process required |
| Right to restriction | Processing may be restricted pending resolution of a dispute | Subscriber record restriction capability required |
| Right to withdraw consent | Where consent is the lawful basis, it may be withdrawn at any time | Consent withdrawal mechanism in subscriber journey |
Platform-Layer Compliance
How MCX Delivers NDPA Compliance
- All subscriber personal data stored within Nigeria on Tier-III certified colocation infrastructure.
- Data processing agreement executed between MCX and each MVNO at platform onboarding, establishing controller/processor relationships.
- Breach monitoring at the platform layer with escalation path to MVNO compliance lead.
- Data subject rights tools: subscriber data export, deletion, and restriction capabilities available via the MCX BSS API.
- NDPC registration support for MVNOs as part of the MCX Launch Path regulatory track.
- Data retention configuration aligned with NCC and NDPA minimum/maximum retention obligations.
Frequently asked questions
NDPA compliance questions?
Specific data protection obligations for your MVNO context are best discussed in the scoping call.