Section 48 Nigeria Data Protection Act 2023

Section 48 of the Nigeria Data Protection Act 2023 is about Enforcement orders. It is under Part X (Enforcement) of the Act.

(1) Notwithstanding any criminal sanctions under this Act, if the Commission, after completing an investigation under section 46 of this Act, is satisfied that a data controller or data processor has violated any provision of this Act or subsidiary legislation made under this Act, it —
(a) may make any appropriate enforcement order or impose a sanction on the data controller or data processor; and
(b) shall inform the data controller or data processor, and if applicable, any data subject who lodged a complaint leading to the investigation, in writing of its decision.

(2) An enforcement order made or sanction imposed under subsection (1) shall include —
(a) requiring the data controller or data processor to remedy the violation;
(b) ordering the data controller or data processor to pay compensation to a data subject, who has suffered injury, loss, or harm as a result of a violation;
(c) ordering the data controller or data processor to account for the profits realised from the violation; or
(d) ordering the data controller or data processor to pay a penalty or remedial fee.

(3) A penalty or remedial fee under subsection (2)(d) may be an amount up to the —
(a) higher maximum amount, in the case of a data controller or data processor of major importance; or
(b) standard maximum amount, in the case of a data controller or data processor not of major importance.

(4) The “higher maximum amount” shall be the greater of —
(a) N10,000,000, and
(b) 2% of its annual gross revenue in the preceding financial year.

(5) The “standard maximum amount” shall be the greater of —
(a) N2,000,000, and
(b) 2% of its annual gross revenue in the preceding financial year.

(6) The Commission shall, in determining the sanctions, take into consideration the —
(a) nature, gravity, and duration of the infringement;
(b) purpose of the processing;
(c) number of data subjects involved;
(d) level of damage and damage mitigation measures implemented;
(e) intent or negligence;
(f) degree of cooperation with the Commission; and
(g) types of personal data involved.

