GDPR for Nigerian Companies Exporting to Europe: What Actually Applies
GDPR applies to Nigerian companies that target European customers, process European employees' data, or are acquired by or partner with EU entities that share personal data with them. Ignoring it is not a safe legal strategy. Understanding which parts apply — and which parts are genuinely out of scope — is.
Disclaimer
This article is for educational purposes only and does not constitute legal, financial, or professional advice. Compliance requirements vary by industry and jurisdiction. Consult a qualified professional for guidance specific to your organisation. Information was accurate at the time of writing — verify current regulations with the relevant authorities.
The General Data Protection Regulation¹ came into force in May 2018 and has a territorial scope provision (Article 3) that extends it beyond EU borders in specific circumstances. A Nigerian company that assumes GDPR is a European problem that applies only to companies with EU offices is making a compliance error with potentially significant financial consequences.
This is not a theoretical concern. The European Data Protection Board has guided enforcement against non-EU companies. EU supervisory authorities have issued notices to non-EU entities. The question for a Nigerian company is not whether GDPR might apply — it is specifically when it applies and what obligations arise.
When GDPR Applies to Nigerian Entities
GDPR applies to a Nigerian company if:
1. You offer goods or services to people in the EU or UK (regardless of whether payment is involved)
"Offering" requires intent to serve EU/UK persons — not just accessibility from EU countries. Indicators: website in EU languages, prices in Euros, references to EU-specific promotions, accepting EU payment methods, EU-targeted marketing. A Nigerian SaaS platform that is available from EU IP addresses but is not marketed to EU customers does not trigger Article 3(2)(a). A Nigerian SaaS that advertises in European markets or actively onboards EU customers does.
2. You monitor the behaviour of people located in the EU
Tracking EU visitors through cookies, analytics tools, or behaviour tracking systems, including for the purpose of profiling, triggers GDPR applicability even if you are not selling to them.
3. You process the personal data of EU data subjects on behalf of an EU controller
If a European company is your client and asks you to process their customers' data (building or hosting a system that handles EU personal data), you are a data processor under GDPR. The EU company (the controller) has GDPR obligations; you, as the processor, must meet the processor obligations set out in Article 28 and execute a Data Processing Agreement.
4. You are acquired by or establish a subsidiary with an EU establishment
Once there is an EU legal entity or establishment, GDPR applies fully to processing activities related to that establishment.
What Actually Changes for a Nigerian Company Under GDPR
For a Nigerian company that genuinely falls under GDPR, the practical obligations:
Lawful Basis for Processing
Every use of personal data must have a lawful basis. For most business relationships:
- Contract performance: Processing data to fulfil a contract with the customer (billing, service delivery)
- Legitimate interests: Processing that is necessary for business purposes and where those interests are not overridden by the individual's privacy interests (fraud prevention, security, analytics)
- Consent: Required for marketing communications, non-essential cookies, and processing that cannot be justified under another basis
The change from Nigerian law: NDPR allows consent as a generally applicable lawful basis for most processing. GDPR is more restrictive — consent must be freely given, specific, informed, and unambiguous; it cannot be bundled with service terms; and withdrawal of consent must be as easy as giving it. Nigerian businesses that have relied on buried consent in terms and conditions must restructure this for EU processing.
Privacy Notice Requirements
Privacy notices for EU users must include:
- Identity and contact details of the controller (your company)
- If applicable, the EU representative's contact details
- Contact details of a Data Protection Officer (if required)
- Purposes and legal bases for each category of processing
- Recipients of personal data
- International transfers and safeguards
- Retention periods
- Data subject rights (access, rectification, erasure, restriction, portability, objection)
- Right to withdraw consent (where applicable)
- Right to lodge a complaint with a supervisory authority
A vanilla privacy policy that says "we use your data to provide services and improve the product" does not meet GDPR requirements. Neither does the NDPR version alone, though NDPR compliance provides a reasonable basis from which to expand.
Data Subject Rights
Under GDPR, EU individuals (data subjects) have enforceable rights that require a response within specific timeframes:
- Right of access (Article 15): Within 30 days, provide all personal data held, plus processing details
- Right to rectification (Article 16): Correct inaccurate data promptly
- Right to erasure (Article 17): Delete on request where no overriding legitimate basis exists
- Right to restriction (Article 18): Pause processing while a dispute is resolved
- Right to portability (Article 20): Provide data in machine-readable format where processing is consent- or contract-based
- Right to object (Article 21): Object to processing based on legitimate interests
These rights must be operationalised — there must be a process for receiving, verifying, and responding to requests within the required timeframes. Treating them as theoretical paper rights is not sufficient.
International Transfers
Transferring personal data from the EU to Nigeria is a "third country transfer" under GDPR. Nigeria is not on the EU's list of countries with adequate data protection (the adequacy decision). Three main transfer mechanisms exist for non-adequate countries:
Standard Contractual Clauses (SCCs)³: Pre-approved contract clauses issued by the European Commission. Your EU client's DPA will include or reference SCCs. The June 2021 updated SCCs are the current standard.
Binding Corporate Rules (BCRs): For intra-group transfers within multinational companies. Not applicable for most Nigerian company contexts.
Consent: For specific transfers where the individual has explicitly consented to the specific transfer to Nigeria. Cannot be used as a systematic transfer mechanism.
For a Nigerian software company receiving EU personal data from EU clients, the practical answer is: execute a DPA with the EU client that incorporates the 2021 SCCs (most likely the Controller-to-Processor module). The EU client's legal team will either provide their standard DPA or request yours.
Data Breach Notification
GDPR requires notification of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware, if the breach is likely to result in a risk to individuals' rights and freedoms. High-risk breaches must also be notified to the affected individuals.
This 72-hour clock begins when the company "becomes aware" — which has been interpreted to mean when any person in the organisation (not just senior management) has reason to believe a breach has occurred.
The operational requirement: an incident response procedure that escalates potential breaches to a decision-maker within hours, not days.
EU Representative Requirement
If you have no EU establishment but are subject to GDPR under Article 3(2) (targeting EU customers), you are required to designate an EU representative — a contact point for EU supervisory authorities and data subjects. The representative must be established in an EU member state where your EU customers are located.
Several legal firms and GDPR speciality services offer EU representative services for non-EU companies, typically for €500–€1,500/year. This is not optional for companies genuinely targeting EU markets — fines can be issued to representatives who fail to maintain required company information.
Realistic Enforcement Risk Assessment
GDPR enforcement against non-EU companies: the mechanisms exist (supervisory authorities can request information, issue orders, and refer to EU member state courts for enforcement), but in practice, enforcement against smaller non-EU companies is rare compared to enforcement against EU-established entities. The largest fines have generally targeted large multinationals with EU offices.
The realistic enforcement risk for a Nigerian company depends on:
- Volume and sensitivity of EU personal data processed
- Whether an EU data breach occurs that triggers notification
- Whether an EU data subject files a complaint with their national supervisory authority
- Whether a contract dispute with an EU client brings data protection obligations into scope
The risk is not zero and should not be treated as zero, particularly for companies with EU contracts that include compliance warranties. But the prioritisation for a growing Nigerian company is usually: (1) comply with NDPC/NDPR as the primary regulatory obligation, (2) ensure EU client contracts are properly structured with DPAs and SCCs, (3) build the privacy-by-design practices that make GDPR compliance sustainable without a separate operation.
NDPR² and GDPR share significant common ground (both derive principles from the EU data protection tradition). A company with a mature NDPR compliance programme has most of the substance already in place. The additions for GDPR are primarily procedural: tighter documentation, EU representative appointment, SCC-based transfer agreements.
Sources
- EU GDPR, Regulation 2016/679, gdpr-info.eu
- NDPR 2019 / NDPA 2023 / NDPC
- European Data Protection Board (EDPB), Standard Contractual Clauses
- UK GDPR / Data Protection Act 2018