
Providing the needed Clarity to undefined terms: “Third Party” and “Recipient” under the Nigeria Data Protection Act 2023

By Olumide Babalola

One of the core objectives of data protection law is the assignment of roles to ensure accountability, facilitate enforcement, and properly apportion liability in the event of a data breach. Beyond liabilities, however, the law also confers rights and benefits on the actors it recognises. For this reason, it is essential that each role within the data protection ecosystem is clearly defined.

Surprisingly, under the Nigeria Data Protection Act (NDPA) 2023, two key actors, i.e., “third parties” and “recipients”, are left undefined. This omission is repeated in the General Application and Implementation Directive (GAID) 2025, despite the fact that the NDPA references ‘third party’ twice and ‘recipient’ eight times. The absence of clarity on these roles raises significant concerns: it weakens accountability, makes it difficult for actors to assert their rights, and leaves data subjects unable to identify who can be held responsible in cases of data misuse.

In filling this definitional gap, it is legitimate to look to other jurisdictions that have influenced Nigerian data protection law. The NDPA, like its predecessor, the NDPR, draws inspiration from the European framework, particularly the GDPR. This is consistent with Nigerian jurisprudence, as noted by the Court of Appeal when it traced the source of Nigerian privacy law to the European Convention on Human Rights (see Casebook on Privacy and Data Protection Law in Nigeria (2025) by Babalola & Nnawuchi, p. 22).

Against this backdrop, examining how European law defines and distinguishes third parties and recipients is useful for interpretive guidance in Nigeria.

Who is a “Third Party”?

The concept of a third party was first codified in the EU Data Protection Directive 95/46/EC, which defined it as: “…any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data.”

This definition is adopted verbatim by the General Data Protection Regulation (GDPR), Article 4(10). Its inclusion was not incidental, as the European policymakers recognised that the role of a third party could easily be confused with that of a recipient and therefore required precise clarification. The origins of this thinking can be traced to the 1992 Amended Proposal for a Council Directive, which stressed that third parties should be understood as anyone outside the controller–processor relationship. Specifically, it clarifies that “third parties do not include the data subject, the controller, or any person authorised to process the data under the controller’s direct authority or on his behalf, as is the case with the processor.” (See page 11 of the proposal.)

Hence, from the adopted definition, a third party is any natural or legal person, public authority, agency or body excluding the data subject (the person the data is about), the controller (who decides “why” and “how” personal data is processed), the processor (who processes data on behalf of the controller), and persons who, under the direct authority of the controller or processor, are authorised to process personal data (e.g., an employee). Put simply, everyone else outside this circle is a third party. This means that external organisations, service providers acting independently, or unrelated entities that receive personal data fall into this category.

Who is a “Recipient”?

The identity of a recipient is arguably less ambiguous, though the NDPA still fails to provide a definition. Under the GDPR (Article 4(9)), a recipient is defined as “a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not.”

This definition is intentionally broad. It establishes that recipients include third parties but are not limited to them. In fact, any entity to whom personal data is disclosed is a recipient, regardless of whether they act as a controller, processor, or third party. Interestingly, the repealed Nigeria Data Protection Regulation (NDPR) did provide a definition, albeit in narrower terms, describing a recipient as “a natural or legal person, public authority who accepts data”. While this earlier formulation lacked nuance and needed refinement, its complete omission from the NDPA is puzzling.

In practice, however, a workable Nigerian definition could be derived by adapting the GDPR model: a recipient should include any natural or legal person to whom data is disclosed, excluding public bodies that receive data pursuant to law, since such transfers occur under statutory mandate rather than at the discretion of a controller. Such bodies would more appropriately be treated as third parties.

Conclusion

The omission of clear definitions for ‘third party’ and ‘recipient’ under the NDPA and GAID 2025 creates gaps that undermine both compliance and enforcement. Without clarity, controllers and processors may avoid responsibility, while data subjects are deprived of the ability to identify and hold accountable the full range of actors involved in data sharing.

Given the NDPA’s roots in European data protection law, Nigerian regulators and courts should look to the GDPR framework for persuasive guidance. Aligning with international best practice would provide certainty for organisations, strengthen the accountability regime, and ultimately safeguard the rights of data subjects.

Unless the Nigeria Data Protection Commission (NDPC) or the courts issue authoritative interpretations, it is reasonable to treat third parties as those outside the controller–processor–employee relationship and recipients as all persons or bodies to whom data is disclosed, whether or not they are third parties. Only through such clarity can the NDPA achieve its intended balance of rights, obligations, and accountability within Nigeria’s growing data protection landscape.

Source: BarristerNG
