Cross-Border Data Transfers from Nigeria: How to Comply With the NDPA

M.K. Onyekwere · 7 min read

Every time your application sends customer data to AWS, every time an AI API processes a Nigerian user's query on servers in the US, every time you share employee records with a parent company abroad — that's a cross-border data transfer.

Most Nigerian businesses do this daily without realising it has compliance implications. Under the Nigeria Data Protection Act (NDPA) 2023, transferring personal data outside Nigeria requires specific safeguards and documentation.

Here's what you need to know and do.

What counts as a cross-border transfer

Any movement of personal data from Nigeria to another country. This includes:

Cloud hosting. Your application runs on AWS (servers in Ireland, US, or elsewhere), Google Cloud, or Microsoft Azure. Customer data stored on those servers has been transferred out of Nigeria.

AI and SaaS APIs. When you send customer queries to OpenAI, Anthropic, Google AI, or any AI provider, that data leaves Nigeria. Same for CRM platforms (HubSpot, Salesforce), email services (SendGrid, Mailchimp), and analytics tools (Google Analytics, Mixpanel).

Payment processing. Paystack and Flutterwave process some data locally, but international payment flows may route through servers outside Nigeria.

Group companies. Sharing employee or customer data with a parent company, subsidiary, or affiliate in another country.

Outsourced services. Customer support handled by a team in another country. Accounting processed by an international firm. HR managed by a global platform.

Email. If you use Gmail (Google Workspace) or Outlook (Microsoft 365), emails containing personal data are stored on servers outside Nigeria.

If you're a Nigerian business using modern technology, you're almost certainly transferring data internationally. The question isn't whether you do — it's whether you've documented and legitimised those transfers.

What the NDPA requires

The NDPA restricts cross-border transfers of personal data to ensure Nigerian residents' data is protected even when it leaves the country. To transfer data lawfully, you need one of:

1. Adequacy determination

The Nigeria Data Protection Commission (NDPC) can determine that a country provides adequate data protection. If the receiving country has an adequacy determination, you can transfer freely.

In practice, NDPC's adequacy assessment framework is still developing. Few (if any) countries have formal NDPC adequacy decisions as of March 2026.

2. Appropriate safeguards

Where there's no adequacy determination — which is currently most countries — you need appropriate safeguards:

  • Contractual clauses — agreements between the transferring and receiving parties that bind the recipient to data protection standards equivalent to the NDPA
  • Binding corporate rules — for intra-group transfers within multinational companies
  • Codes of conduct or certification mechanisms — approved by NDPC

The most practical option for most businesses is contractual clauses — essentially a Data Processing Agreement that includes transfer-specific protections.

3. Derogations

In limited circumstances, transfers are permitted without adequacy or safeguards:

  • Explicit consent from the data subject (they understand the risks of the transfer)
  • Transfer necessary for contract performance
  • Transfer necessary for legal claims
  • Transfer necessary to protect vital interests

Consent-based derogations should be a last resort, not your primary transfer mechanism. Relying on consent for routine transfers (like sending data to your cloud provider) is impractical — you'd need to obtain and manage consent for every data flow.

Practical steps for common scenarios

Cloud hosting (AWS, Google Cloud, Azure)

The transfer: Your application data, including personal data of Nigerian users, is stored on servers in Ireland, US, Frankfurt, or wherever your cloud region is.

What you need:

  1. Data Processing Agreement with your cloud provider — AWS, Google, and Microsoft all offer DPAs as part of their terms of service. Review and sign these.
  2. Transfer documentation — record in your processing records that data is transferred to [country] for hosting purposes, under contractual safeguards.
  3. Privacy notice disclosure — your privacy notice must tell users that their data is transferred internationally and identify the safeguards in place.
  4. Consider data residency — AWS has an Africa (Cape Town) region. While not Nigeria, keeping data on the continent may reduce transfer risk and improve latency.

AI APIs (OpenAI, Anthropic, Google AI)

The transfer: Customer queries, documents, or other personal data sent to AI provider servers (typically US-based).

What you need:

  1. DPA with the AI provider — most major AI providers offer DPAs. Review the terms carefully.
  2. Data minimisation — only send the minimum personal data necessary. Strip identifiers where possible before sending to the API.
  3. Retention controls — ensure the AI provider doesn't retain your data for training. Most offer zero-retention API options.
  4. DPIA — the combination of AI processing and international transfer makes a Data Protection Impact Assessment essentially mandatory.
  5. Transfer documentation — map the data flow and document safeguards.
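
One way to apply the data-minimisation step before a prompt leaves Nigeria, as an added example that is not part of the original article: identifiers are swapped for tokens, the token map stays on your own systems, and the provider's response is re-identified locally. The patterns (e-mail, Nigerian mobile numbers, 11-digit IDs such as NIN or BVN), function names, and sample text are assumptions chosen for illustration.

```python
import re

# Assumed identifier patterns (not from the article). Order matters:
# e-mails first, then phone numbers, then any remaining 11-digit ID.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?234|0)[789][01]\d{8}(?!\d)")),
    ("ID11", re.compile(r"(?<!\d)\d{11}(?!\d)")),
]

# Constructed sample input, not real customer data.
SAMPLE = ("Customer Ada (ada.obi@example.ng, 08031234567) says NIN 12345678901 "
          "was rejected. Call back on +2348031234567 or 08031234567.")


def pseudonymise(text):
    """Replace identifiers with tokens; return (safe_text, token -> value map)."""
    mapping = {}  # token -> original value; never sent to the provider
    seen = {}     # original value -> token, so a repeated value reuses its token

    for label, pattern in PATTERNS:
        def swap(match, label=label):
            value = match.group(0)
            if value not in seen:
                count = sum(1 for t in mapping if t.startswith(f"[{label}_")) + 1
                token = f"[{label}_{count}]"
                seen[value] = token
                mapping[token] = value
            return seen[value]
        text = pattern.sub(swap, text)
    return text, mapping


def restore(text, mapping):
    """Re-insert the original values into text returned by the provider."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


if __name__ == "__main__":
    safe, mapping = pseudonymise(SAMPLE)
    print(safe)                    # this is what would be sent to the API
    print(restore(safe, mapping))  # re-identified locally
```

Pattern matching only catches structured identifiers: the name "Ada" in the sample passes through untouched, so free-text names and addresses need a separate control such as field-level filtering before the prompt is assembled.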

International group companies

The transfer: Sharing employee data, customer records, or business information with a parent company or subsidiary in another country.

What you need:

  1. Binding corporate rules or intra-group DPA — a formal agreement between group companies covering data protection obligations.
  2. Defined purposes — document exactly what data is shared, why, and with whom in the group.
  3. Access controls — not everyone in the foreign subsidiary needs access to Nigerian employee data.
  4. Employee privacy notice — Nigerian employees must be informed about international transfers of their data.

SaaS platforms

The transfer: Customer or employee data in HubSpot, Salesforce, Slack, Google Workspace, etc.

What you need:

  1. DPA review — most SaaS providers include data protection terms. Review them.
  2. Identify all SaaS with personal data — you probably use more than you think. Audit your SaaS stack.
  3. Document each transfer — platform name, what data, which country, what safeguards.

Building your transfer framework

Here's the practical process:

Step 1: Map your data flows

List every service, platform, and partner that receives personal data from your Nigerian operations. For each one, document:

  • What personal data is transferred
  • Which country it goes to
  • Why the transfer is necessary
  • What safeguards are in place (DPA, contractual terms)

This mapping exercise typically takes 2-3 days for an SME. Don't skip it — it's the foundation of your transfer compliance.

Step 2: Review and sign DPAs

For every data processor receiving Nigerian personal data, ensure you have a Data Processing Agreement in place. Check:

  • Does the DPA cover cross-border transfer obligations?
  • Does it bind the processor to data protection standards?
  • Does it address sub-processors (who the processor shares data with)?
  • Does it include data breach notification obligations?

Step 3: Update your privacy notices

Your privacy notice must inform data subjects about international transfers. Include:

  • Which countries their data may be transferred to
  • The safeguards in place for each transfer
  • How they can get more information about the safeguards

Step 4: Document in your DPIA

If you're conducting a DPIA (and you should be for AI systems), include cross-border transfers as a specific risk factor. Assess:

  • What additional risks does the international transfer create?
  • What mitigations are in place?
  • Is the transfer proportionate to the processing purpose?

Step 5: Include in your CAR

When your Data Protection Compliance Organisation (DPCO) files your Compliance Audit Return (CAR), cross-border transfers should be documented. NDPC wants to know where Nigerian personal data goes.

What most Nigerian businesses get wrong

Not knowing they transfer data. "We don't send data abroad" — but you use Gmail, AWS, and HubSpot. You absolutely do.

No DPAs with SaaS providers. The free tier doesn't come with a DPA by default. You need to actively request or sign one.

Privacy notices don't mention transfers. Even if you have DPAs in place, your customers need to know about the transfers.

No transfer documentation. The transfers happen but nobody's written down where, why, and under what safeguards.

Relying on consent alone. Consent for every routine data transfer is impractical and fragile. Use contractual safeguards as your primary mechanism.


Need help with cross-border data transfer compliance? We map your data flows, review your DPAs, and build the documentation framework NDPC expects. Get a fixed-price quote.
