Skip to main content
Back to Home
Legal

NDPR Compliance

COHCASEL's commitment to data protection under the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023.

Effective: January 1, 2025·Regulated by: Nigeria Data Protection Commission (NDPC)

COHCASEL Compliance Checklist

NDPR 2019 registered and compliant
NDPA 2023 implementation in progress
Appointed Data Protection Officer (DPO)
Annual DPCO audit completed
Data Protection Policy in place
Staff data protection training conducted
Data Processing Agreements with all processors
Privacy Notice displayed at point of collection
Breach response procedure documented

1. Overview & Legal Framework

COHCASEL Limited ("COHCASEL") processes personal data in the course of providing professional home management and domestic staffing services. We recognise that the right to privacy is a fundamental human right and are committed to collecting, processing, and storing personal data in full compliance with applicable Nigerian data protection law.

The primary legal instruments governing our data protection practices are:

Nigeria Data Protection Act 2023 (NDPA)

The principal data protection legislation in Nigeria, establishing the Nigeria Data Protection Commission (NDPC) as the independent supervisory authority.

Nigeria Data Protection Regulation 2019 (NDPR)

Issued by NITDA, this regulation established the foundational data protection framework in Nigeria and remains enforceable alongside the NDPA.

NDPR Implementation Framework 2020

Provides guidance on compliance requirements, including mandatory data audit reporting for organisations processing personal data of more than 2,000 individuals per year.

EU General Data Protection Regulation (GDPR)

Where we process personal data of individuals in the European Economic Area, we additionally comply with the GDPR as the applicable standard.

2. Our Commitment

COHCASEL is committed to the following data protection principles:

  • Lawfulness, fairness, and transparency — we only process data on a lawful basis and in a transparent manner
  • Purpose limitation — data is collected for specified, explicit, and legitimate purposes and not processed further in an incompatible manner
  • Data minimisation — we collect only the minimum data necessary for the stated purpose
  • Accuracy — we take reasonable steps to ensure data is accurate and kept up to date
  • Storage limitation — data is retained only for as long as necessary
  • Integrity and confidentiality — data is protected against unauthorised or unlawful processing, accidental loss, destruction, or damage
  • Accountability — we are responsible for, and can demonstrate compliance with, these principles

3. Lawful Basis for Processing

Under Section 25 of the NDPA 2023 and Article 5(1) of the NDPR, processing of personal data must be based on at least one of the following lawful grounds. COHCASEL relies on:

  • Consent — freely given, specific, informed, and unambiguous. We obtain explicit consent before sending marketing communications or processing sensitive personal data.
  • Contractual necessity — processing is necessary to fulfil our service agreement with the data subject.
  • Legal obligation — processing is required to comply with a legal duty (e.g., AML checks, tax reporting).
  • Legitimate interests — processing is necessary for our legitimate business interests (e.g., fraud prevention, platform security, analytics), where these are not overridden by the data subject's rights.
  • Vital interests — in emergencies where processing is necessary to protect someone's life.

We maintain a Record of Processing Activities (RoPA) documenting the lawful basis for each processing activity, which is reviewed quarterly.

4. Data Subject Rights

Under the NDPA 2023 and NDPR, every data subject whose personal data we process has the following rights, which we are committed to honouring:

Right to be informed

You have the right to be informed about how we collect and use your personal data — provided through this notice and our Privacy Policy.

Right of access

You may request a copy of the personal data we hold about you (Subject Access Request). We will respond within 30 days.

Right to rectification

You may request correction of inaccurate or incomplete personal data at any time.

Right to erasure

You may request deletion of your personal data where there is no lawful reason for continued processing.

Right to restriction of processing

You may ask us to restrict how we use your data in certain circumstances.

Right to data portability

You may receive your data in a structured, commonly used, machine-readable format.

Right to object

You may object to processing based on legitimate interests or for direct marketing at any time.

Right not to be subject to automated decision-making

You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects.

To exercise any right, submit a written request to privacy@cohcasel.com. We will verify your identity before processing the request and respond within 30 calendar days. Where requests are complex or numerous, we may extend this by a further two months with notice.

5. Sensitive Personal Data

The NDPA 2023 classifies certain categories of data as requiring heightened protection ("sensitive personal data"). COHCASEL may process the following sensitive categories only with explicit consent or as otherwise permitted by law:

  • Health data — collected for elderly care, childcare, or medical care services (with explicit consent)
  • Biometric data — fingerprints or photos used for identity verification of staff (with explicit consent)
  • Criminal record data — police clearance certificates for background-checking staff applicants (legal obligation / public interest)
  • Financial data — income information collected for specific premium service eligibility assessments

We apply additional technical safeguards to sensitive data, including encryption at rest and strict access controls limiting access to authorised personnel only.

6. Data Minimisation & Purpose Limitation

We only collect data that is directly necessary for the specific purpose for which it is collected. Before introducing any new data collection, our DPO reviews the necessity and proportionality of that collection. We do not use data collected for one purpose to make decisions about data subjects in an unrelated context.

7. Third-Party Processors

Where we engage third-party organisations to process personal data on our behalf (data processors), we ensure:

  • A written Data Processing Agreement (DPA) is in place before any processing begins
  • The processor provides sufficient guarantees of technical and organisational security measures
  • The processor processes data only on our documented instructions
  • The processor assists us in responding to data subject rights requests
  • The processor notifies us of any data breach affecting our data subjects without undue delay
  • Upon termination, the processor deletes or returns all personal data

We maintain a register of all approved data processors and review their compliance annually. Our key processors include cloud infrastructure providers, payment processors, email service providers, and analytics tools — all operating under signed DPAs.

8. Cross-Border Data Transfers

Some of our data processors operate outside Nigeria. The NDPR and NDPA require that where personal data is transferred outside Nigeria, the receiving country must provide an adequate level of data protection.

Where such transfers occur, COHCASEL ensures one or more of the following:

  • The destination country has been assessed as having adequate data protection by the NDPC
  • Standard Contractual Clauses (SCCs) or binding corporate rules are in place
  • The transfer is necessary for the performance of a contract with the data subject
  • The data subject has given explicit consent to the transfer after being informed of the risks

9. Technical & Organisational Measures

Technical Measures

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for all personal data stored at rest
  • Multi-factor authentication (MFA) for all internal systems and admin accounts
  • Role-based access control (RBAC) — staff access only the data necessary for their role
  • Automated security scanning and vulnerability assessments
  • Web Application Firewall (WAF) and DDoS protection
  • Secure software development lifecycle (SSDLC) practices
  • Regular penetration testing by independent third parties

Organisational Measures

  • Mandatory data protection training for all staff upon onboarding and annually thereafter
  • Documented data protection policies reviewed annually
  • Confidentiality obligations in all employment and contractor agreements
  • Clear desk and clear screen policy for offices handling personal data
  • Documented procedures for handling Subject Access Requests, data breaches, and complaints
  • Regular internal data protection audits

10. Data Breach Management

COHCASEL has a documented Data Breach Response Plan. In the event of a personal data breach:

  • The incident is logged and investigated within 24 hours of discovery
  • Where the breach is likely to result in a risk to individuals' rights and freedoms, we notify the NDPC within 72 hours of becoming aware
  • Where the breach is likely to result in a high risk, we notify affected data subjects without undue delay
  • All breaches — regardless of severity — are recorded in our internal breach register
  • Post-incident reviews are conducted to prevent recurrence

11. Data Protection Impact Assessments (DPIA)

We conduct a Data Protection Impact Assessment (DPIA) before implementing any new processing activity that is likely to result in a high risk to individuals — including:

  • Systematic and extensive profiling or automated decision-making
  • Large-scale processing of sensitive personal data
  • Systematic monitoring of publicly accessible areas
  • Introducing new technology that processes personal data

Where a DPIA indicates a high residual risk that cannot be mitigated, we consult the NDPC before proceeding.

12. Data Protection Officer (DPO)

COHCASEL Limited has appointed a qualified Data Protection Officer (DPO) in accordance with the NDPA 2023 and NDPR requirements. The DPO is responsible for:

  • Advising COHCASEL on data protection obligations
  • Monitoring compliance with the NDPA, NDPR, and internal data protection policies
  • Conducting and overseeing internal data protection audits
  • Serving as the primary point of contact for data subjects and the NDPC
  • Providing guidance on DPIAs

The DPO operates independently and reports directly to senior management. The DPO cannot be penalised for performing their duties.

Contact the DPO

privacy@cohcasel.com

13. Audit & Review

In accordance with the NDPR Implementation Framework, COHCASEL engages a licensed Data Protection Compliance Organisation (DPCO) to conduct an annual independent audit of our data processing activities. The resulting Data Protection Audit Report is submitted to the NDPC where required.

Our internal data protection policies, procedures, and this Compliance Statement are reviewed at least annually and updated to reflect changes in law, regulatory guidance, or our processing activities.

14. Complaints & Enforcement

If you believe your data protection rights have been violated, you may:

  • Contact our DPO directly at privacy@cohcasel.com — we will acknowledge within 5 business days and resolve within 30 days
  • Lodge a complaint with the Nigeria Data Protection Commission (NDPC)
  • Where the GDPR applies, contact your local data protection supervisory authority in your EU member state

Nigeria Data Protection Commission (NDPC)

https://ndpc.gov.ng

The NDPC is the independent supervisory authority responsible for enforcing data protection law in Nigeria. Complaints may be submitted via their website.

15. Contact

For all data protection enquiries, Subject Access Requests, or complaints:

COHCASEL Limited — Data Protection Officer

Lagos, Nigeria

privacy@cohcasel.com+234 800 COHCASEL
© 2026 COHCASEL Limited. All rights reserved.