PRIVACY POLICY CHECKLIST FOR NIGERIA MMA
Purpose: To ensure compliance with the Nigeria Data Protection Act, 2023 and the Global Adequacy & Interoperability Framework (GAID), 2025.
1. What is the full name and legal status of your company?
Side note: Helps identify the Data Controller and include accurate business identity in the policy.
2. Briefly describe your company’s core activities and services.
Side note: Clarifies the data processing context and relevance for lawful basis under NDPA.
3. Do you operate a website or mobile application? Is it live and currently collecting data?
Side note: Establishes the digital platforms involved in data collection.
4. Do you use cookies or similar tracking technologies on your website?
Side note: Cookie use triggers consent and disclosure obligations.
5. What categories of personal data do you collect from users?
(e.g. name, email, phone number, address, payment info, age, gender, location, etc.)
Side note: This forms the crux of the privacy notice, so that users are clearly informed.
6. What is the purpose for collecting and processing each type of data?
Side note: Required to establish lawful basis and transparency.
7. Do you collect or process data of children (under 18)?
Side note: Special conditions apply to processing children’s data under NDPA.
8. How do you collect this information? (Direct input, cookies, third parties, etc.)
Side note: Clarifies methods of collection, especially for transparency.
9. Do you share user data with any third-party vendors or service providers? If yes, list them.
Side note: Necessary to disclose processors or sub-processors of data.
10. How do you ensure the security of personal data (e.g., encryption, access control, firewalls)?
Side note: Demonstrates compliance with data security standards.
11. How long do you retain personal data?
Side note: NDPA mandates that data should not be kept longer than necessary.
12. Do you transfer or process data outside Nigeria? If yes, to which countries and under what safeguards?
Side note: Cross-border transfers must meet adequacy or safeguards requirements.
13. Do you have a designated Data Protection Officer (DPO)? If yes, provide full contact details. If no, provide a general company contact for privacy matters.
Side note: Required for compliance and to guide users on how to exercise their rights.
14. Do users have the ability to access, correct, or delete their data? How can they make such requests?
Side note: NDPA grants data subjects specific rights which must be operationalized.

