The Nigeria Data Protection Commission (NDPC) has imposed a significant fine of N555.8 million on Fidelity Bank for breaching the Nigeria Data Protection Act. This fine represents 0.1% of Fidelity Bank’s annual gross revenue for 2023. Fidelity Bank is required to settle the fine within 14 days of receiving the official notice.
The fine follows an investigation initiated by a complaint lodged in April 2023, which alleged that Fidelity Bank processed personal data without proper legal consent. The complaint, filed by a data subject, revealed that the bank had collected and processed personal information unlawfully to open an account.
Infringement of data protection laws
The NDPC’s review uncovered that Fidelity Bank’s data processing practices violated the Nigeria Data Protection Act (NDPA). Specifically, the bank was found to process personal data without obtaining informed consent from data subjects. The Commission noted the misuse of data processing tools such as cookies and banking apps. At the time of the investigation, Fidelity Bank’s banking app had been downloaded over one million times.
The NDPC also highlighted issues with third-party data processors associated with the bank. The NDPA mandates that not only must organizations comply with data protection laws, but their vendors and contractors must also adhere to these regulations.
NDPC's decision and enforcement actions
The NDPC issued its initial decision in July 2023, and after several communications and failed remedial actions from Fidelity Bank, a directive to pay the fine was formally issued in December 2023. Despite multiple warnings and opportunities to rectify the situation, Fidelity Bank did not provide a satisfactory remedial plan, leading to the enforcement of the fine.
Dr. Vincent Olatunji, National Commissioner and CEO of the NDPC, emphasized the importance of maintaining trust in Nigeria's data protection framework. He urged data controllers and processors to avoid actions that could undermine confidence in Nigeria’s data protection capabilities.
Context and impact
This penalty is the largest fine imposed by the NDPC since the enactment of the Nigeria Data Protection Act. The Act, signed into law on June 14, 2023, established the NDPC to oversee and regulate personal data processing activities in Nigeria.
- In August 2023, the NDPC announced investigations into several institutions, including banks and universities, for alleged data breaches.
- The Commission had previously flagged institutions like Zenith Bank, Guarantee Trust Bank, Babcock University, and Leadway Insurance for suspected data protection infractions.
- The Nigeria Data Protection Act, 2023, aims to strengthen the regulatory framework governing the processing of personal information in Nigeria.
Add Comment