Introduction
Amnesty International Nigeria is committed to protecting the privacy of everyone who engages with our work in Nigeria. Respect for personal data is closely linked to the human right to privacy, which we
actively defend in our advocacy. This policy explains, in clear terms, how we collect, use, store, and protect your personal information.
This policy applies to all websites, platforms, and digital services operated by Amnesty International Nigeria that are accessible to individuals in Nigeria, including www.amnesty.org.ng
When we refer to “we”, “us”, or “our”, we mean Centre for the Protection of Human Rights & Social Justice of Amnesty Int’l Nigeria, registered in Nigeria under the Companies and Allied Matters Act, 2020.
In handling personal data relating to individuals in Nigeria, we comply with the Nigeria Data Protection Act 2023 (NDPA) and all applicable regulations, directives, and implementation guidance issued by the
Nigeria Data Protection Commission (NDPC).
We are subject to regulatory oversight by the NDPC and comply with applicable requirements, including where we qualify as a Data Controller of Major Importance. We are responsible for, and accountable for
demonstrating, compliance with applicable data protection laws.
For the purposes of data protection law, Amnesty International Nigeria acts as a data controller. Where we engage third-party service providers, they act as data processors and process personal data strictly
on our documented instructions under binding contractual obligations in accordance with the NDPA 2023.
We process personal data in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, accountability, security and demonstrable compliance. We ensure that personal data collected is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
Data Protection Officer (DPO)
We have appointed a Data Protection Officer who oversees how we handle personal data and ensures compliance with applicable data protection laws and NDPC regulatory requirements. If you have any questions about this policy or wish to exercise your rights, you can contact the Data Protection Officer at: [email protected]
Personal Information Requested
The information we collect depends on how you interact with us. You can browse most parts of our website without providing personal details, although basic technical information such as IP address and
device information may still be collected automatically.
We collect personal information when you engage with us, including signing petitions, subscribing to updates, making donations, participating in campaigns, or applying for roles.
We ensure that personal data is collected transparently and at the point of collection, with clear notice provided.
Sensitive Personal Data
Some personal information is classified as sensitive under the NDPA 2023, including data relating to health, ethnicity, religion, disability, sexual orientation, or criminal history. We only process sensitive
personal data where strictly necessary and where a lawful condition applies, including explicit consent or statutory authorization, and always subject to appropriate safeguards.
How We Use Your Information
We use personal data to support our human rights work, including campaign engagement, communications, donations, membership management, recruitment, and service improvement. Where processing is likely to result in high risk to individuals, we conduct Data Protection Impact Assessments (DPIAs) in accordance with NDPA 2023 and NDPC guidance before processing begins. We also maintain internal governance processes to identify and mitigate privacy risks, by ensuring security of personal data including protection against unauthorized or unlawful processing, access, destruction, damage, or any form of data breach.
Legal Basis for Processing (NDPA 2023)
We process personal data only where a lawful basis applies under the NDPA 2023, including:
- Consent of the data subject (freely given, specific, informed, and unambiguous)
- Performance of a contract or pre-contractual obligations
- Compliance with a legal obligation
- Protection of vital interests
- Performance of a task carried out in the public interest or official authority (where applicable)
- Legitimate interests, provided such interests are necessary, proportionate, and do not override the rights and freedoms of the data subject, based on a documented balancing test
Where processing is based on consent, we maintain records of consent and provide clear mechanismsfor withdrawal at any time, without affecting prior lawful processing.
Cookies and Website Use
We use cookies and similar technologies to ensure website functionality, analyse usage, and improve services. You can manage cookies through your browser settings. More information is available in our
Cookies Policy.
Sharing of Personal Information
We do not sell personal data. We may share data:
- Within the Amnesty International global movement
- With trusted service providers acting as data processors under NDPA-compliant agreements
- With social media platforms for campaign outreach under strict safeguards
- Where required by law or regulatory authorities, including the NDPC
We conduct vendor due diligence and ensure all processors meet NDPA security and confidentiality
requirements.
Cross-Border Transfers of Data
Where personal data is transferred outside Nigeria, we comply with NDPA 2023 and NDPC requirements.
We ensure adequate protection through:
- NDPC-recognised adequacy decisions where applicable
- Standard Contractual Clauses or equivalent approved safeguards
- Binding corporate rules for intra-group transfers (where applicable)
- Explicit consent where legally permitted
We ensure equivalent protection regardless of jurisdiction.
Data Security
We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption (where appropriate), secure systems, and staff training.
We also maintain:
- Records of processing activities
- Internal compliance monitoring
- Data protection governance structures
- Periodic audits
We apply data protection by design and by default in all relevant systems and processes.
Data Breach Notification
We maintain internal incident response procedures to ensure timely identification and containment of breaches. Where a personal data breach occurs that is likely to risk individuals’ rights and freedoms, we will notify the NDPC without undue delay and within statutory timelines. Where required, we will also notify affected individuals promptly.
Children’s Personal Data
We treat children’s data (under 18 years in Nigeria) with enhanced protection. We only process such data based on verifiable parental or guardian consent, unless otherwise permitted
by law.
Data Retention
We retain personal data only for as long as necessary for the purpose collected or as required by law.
Retention periods include:
- Recruitment data[BS1.1]: up to 3 years
- Financial records: statutory period
- Campaign data: retained only while relevant
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.
Your Rights Under Nigerian Law
Under the NDPA 2023, you have rights including:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure (where applicable)
- Right to restrict processing
- Right to object
- Right to data portability
- Right to withdraw consent
- Right to judicial remedy
We respond to requests within NDPA-prescribed timelines.
Internal Complaints Mechanism
We maintain an internal data protection complaints and escalation process to enable prompt investigation and resolution of concerns before escalation to the NDPC.
Recruitment-Specific Information
Recruitment data is used solely for employment purposes.
Recruitment data is also used for taking online actions.
Diversity data is anonymised and used only for equality monitoring.
Unsuccessful applications may be retained for up to 3 years.
Data Protection Governance and Accountability
We maintain a structured governance framework including:
- Internal data protection policies
- Staff training and awareness
- DPIAs
- Vendor due diligence
- Incident response procedures
- Records of processing activities
- Internal audits and compliance monitoring
We are accountable for demonstrating compliance to the NDPC.
Contact Information
Amnesty International Nigeria
34, Colorado Close
Maitama, Abuja
Nigeria
Email: [email protected]
Phone: +234-909 086 6666
Data Protection: [email protected]
Complaints and Regulatory Oversight (Nigeria)
If you have concerns, please contact us first. You also have the right to complain to the:
Nigeria Data Protection Commission (NDPC)
https://ndpc.gov.ng
[email protected]
Last Updated and Version Control
This Privacy Policy was last updated on 29 April 2026 (Version 2.0).
This policy will be updated annually to reflect changes in law, NDPC guidance, or operational practices, including implementation requirements. Where changes are significant, we will provide appropriate
notice.

