Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations. Data transfers typically include the following examples:
- personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to another country;
- IT systems or data feeds which lead to personal data being stored on databases hosted outside the country;
- people/entities outside the country being able to access or "see" personal data held in the country; and
- the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.
Under the Nigeria Data Protection Regulation (2.11 and 2.12), personal data can only be transferred internationally in certain circumstances. The circumstances that are most relevant to employers include when:
- the data protection authority has deemed the country/territory/international organization/sectors within a foreign country as having a sufficient level of protection;
- the employee (or other data subject) has explicitly consented to the transfer of their personal data, after being informed of the potential risks;
- the transfer is necessary to perform a contract between the employee and employer, or is necessary for pre-contractual measures at the employee’s request;
- the transfer is necessary to complete a contract between the employer and another natural and legal person, when the contract is in the interest of the employee;
- the transfer is required for important public interest reasons; or, when
- the transfer is necessary to establish, exercise or defend legal claims.
Personal data can also be transferred internationally when protecting the vital interests of an individual who is unable to give consent.
HR Best Practices: When personal employee data is being transferred outside Nigeria, employers are required to inform employees of the safeguards that have been put in place to protect the personal information in the foreign country.