Examining the Concept of Joint Data Control Under the Nigeria Data Protection Act

Introduction

The rise of digital technologies has transformed the way personal data is collected, shared, and utilised. Increasingly, multiple organisations collaborate to process personal data for related purposes. This collaboration raises a critical question under data protection law: who is responsible for ensuring compliance when two or more entities jointly determine the purposes and means of processing?

Joint data control refers to a situation where two or more parties share responsibility for determining the purposes (the “why”) and the means (the “how”) of
personal data processing.

The Nigeria Data Protection Act, 2023 (NDPA or the “Act”) and the General Application and Implementation Directive (GAID) 2025 issued by the Nigeria Data Protection Commission (NDPC) regulates the processing of personal data. They recognize the possibility of joint data control and ensure accountability amongst data controllers involved in the collaboration.

While the NDPA does not expressly define or provide for joint data controller, it defines a data controller as an individual, private entity, public commission,
agency, or any other body who, alone or jointly with others, determines the purpose and means of processing personal data.