NDPA overview
Plain English: Nigeria has its own data protection law. We follow it.
The Nigeria Data Protection Act 2023 came into force on 14 June 2023 and is supervised by the Nigeria Data Protection Commission, the statutory regulator established by the same Act. The NDPA replaces the earlier Nigeria Data Protection Regulation 2019 and substantially aligns Nigerian practice with global standards such as the European Union General Data Protection Regulation.
The Act sets six core principles for processing personal data. Processing must be fair, lawful, and transparent. It must be for a specified, explicit, and legitimate purpose. The data must be adequate, relevant, and limited to what is necessary. It must be accurate and kept up to date. It must be kept in a form that allows identification for no longer than necessary. It must be processed in a manner that ensures appropriate security.
MiTax operates under these principles for every personal data processing activity, whether the data subject is a personal taxpayer, a registered business owner, an employee processed through a corporate payroll, or a State Internal Revenue Service partner.
MiTax as Data Controller
Plain English: Worllet Limited decides why and how your data is processed. That makes us the Controller.
Worllet Limited, trading as MiTax, determines the purposes and means of processing personal data collected through the MiTax service. Under the NDPA, this designates Worllet Limited as the Data Controller.
Where MiTax processes personal data on behalf of a corporate client, for example payroll data submitted by an employer running PAYE through MiTax Pro, MiTax acts as a Data Processor for that subset of data, and the employer remains the Controller. A separate Data Processing Agreement governs that relationship.
Where MiTax processes personal data on behalf of a State Internal Revenue Service through a MiTax State white-label deployment, the State is the Controller for taxpayer data within the State, and MiTax operates as Processor under a written agreement that complies with section 29 of the NDPA.
Lawful basis for processing
Plain English: we always have a reason from the NDPA list to process your data.
Section 25 of the NDPA lists the lawful bases on which personal data may be processed. MiTax relies on the following bases, depending on the activity.
- Consent. For optional features such as marketing emails, WhatsApp broadcast updates, and analytics cookies that are not strictly necessary, we ask for explicit, granular, freely given consent that can be withdrawn at any time.
- Performance of a contract. For core service delivery, including account creation, tax calculation, filing, and payment processing, we process data because doing so is necessary to perform the contract that you entered into when you accepted our Terms.
- Compliance with a legal obligation. For Know Your Customer verification, anti-money-laundering checks, retention of tax records for seven years, and disclosure to the Nigeria Revenue Service, we process data because Nigerian law compels us to.
- Legitimate interests. For security monitoring, fraud detection, internal audit, and product improvement using aggregated data, we rely on legitimate interests after balancing them against your rights and freedoms.
We document the lawful basis for each processing activity in our internal Record of Processing Activities, which we make available to the Nigeria Data Protection Commission on request.
Data subject rights
Plain English: the NDPA gives you eight rights. Here they are, with how to use each.
Under Part V of the NDPA you have the following rights as a data subject.
- Right to be informed about what data we collect, why, and with whom we share it. We meet this right through our Privacy Policy and this Compliance Statement.
- Right of access to confirmation that we process your data, a copy of the data, and the information listed in section 34 of the NDPA. Request a Subject Access Report by emailing the Data Protection Officer.
- Right to rectification of inaccurate or incomplete data. Most fields can be edited inside the app. For locked fields such as Tax Identification Number, email the Data Protection Officer.
- Right to erasure where retention is no longer lawful. We delete data unless retention is required by Nigerian tax law or by a court order, in which case we explain the lawful basis for the hold.
- Right to restriction of processing while accuracy or lawful basis is being reviewed.
- Right to data portability in a structured, commonly used, machine-readable format. We provide a one-click export of your filings and financial records as JSON and CSV.
- Right to object to processing based on legitimate interests or to direct marketing. Marketing objection takes effect immediately.
- Right not to be subject to automated decisions that produce legal effects, including profiling. MiTax does not make legal-effect decisions purely by automated means. A human can always review.
To exercise any right, email dpo@mitax.ng. We verify your identity, respond within thirty calendar days, and do not charge for the first request in any twelve-month period.
Data Protection Officer
Plain English: we have a named DPO. Their job is to look after your data rights.
Section 32 of the NDPA requires data controllers of major importance to appoint a Data Protection Officer. MiTax meets the threshold by virtue of the volume of personal data processed and the sensitive financial nature of that data.
Our Data Protection Officer is responsible for monitoring compliance with the NDPA, advising the company on its obligations, training staff, and serving as the contact point for data subjects and the Nigeria Data Protection Commission.
The Data Protection Officer reports directly to the Chief Executive of Worllet Limited and operates independently of product and engineering management on data protection matters. Contact the DPO at dpo@mitax.ng.
Data breaches
Plain English: if your data is exposed, we tell the regulator within 72 hours and we tell you without undue delay.
Section 40 of the NDPA requires controllers to notify the Nigeria Data Protection Commission of a personal data breach within seventy-two hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of data subjects.
MiTax maintains a documented incident response plan. On detection of a suspected breach, the on-call engineer escalates to the Data Protection Officer and the security lead within one hour. A breach severity assessment is completed within twenty-four hours. Notification to the Commission is issued within seventy-two hours where the threshold is met.
Affected users are notified by email and in-app alert without undue delay, in plain language, with a description of what happened, what data was involved, what we are doing, and what they can do.
We maintain a public incident page at mitax.ng/status where significant incidents are summarised after resolution.
Cross-border transfers
Plain English: we store data in London and back it up to the EU. Both regions have laws considered adequate.
Section 43 of the NDPA regulates transfers of personal data to countries outside Nigeria. Transfers are permitted to jurisdictions that the Nigeria Data Protection Commission has determined provide an adequate level of protection, or on the basis of approved safeguards such as standard contractual clauses, binding corporate rules, or explicit informed consent.
MiTax stores primary application data in the United Kingdom and replicates encrypted backups within the European Union. The Nigeria Data Protection Commission has indicated that both jurisdictions provide an adequate level of protection under section 43(2)(a) of the NDPA.
Where a sub-processor operates outside an adequate jurisdiction, MiTax executes standard contractual clauses approved by the Commission and conducts a Transfer Impact Assessment before the engagement begins.
NDPC registration status
Plain English: we are registered with the Nigeria Data Protection Commission as required by the Act.
Worllet Limited is registered with the Nigeria Data Protection Commission as a Data Controller of Major Importance. Our annual compliance audit, conducted by a Data Protection Compliance Organisation licensed by the Commission, is filed with the Commission within the statutory deadline each year.
Our registration certificate and the most recent annual audit summary are available on request from dpo@mitax.ng.
Children's data
Plain English: MiTax is not for under-sixteens. We do not knowingly process their data.
Section 31 of the NDPA prescribes heightened protections for the processing of children's data. MiTax does not target users under sixteen and the service is not designed for child users. A parent or guardian who discovers a child account should contact dpo@mitax.ng and we will close the account and delete the data unless retention is required by law.
Complaints to NDPC
Plain English: if we get it wrong and our response does not satisfy you, you can go to the regulator.
You have the right to lodge a complaint with the Nigeria Data Protection Commission if you believe MiTax has infringed your rights under the NDPA. We encourage you to contact our Data Protection Officer first so that we have a chance to resolve the issue, but this is not a precondition to a complaint.
The Commission accepts complaints through its website at ndpc.gov.ng, by email, and by post to its Abuja headquarters. The Commission may investigate, mediate, issue compliance orders, and impose administrative fines of up to two percent of annual gross revenue for serious infringements.
Contact
Plain English: NDPA questions go to dpo@mitax.ng.
For any question about this Compliance Statement or about MiTax under the Nigeria Data Protection Act, email our Data Protection Officer at dpo@mitax.ng or write to the registered office of Worllet Limited, Lagos, Nigeria.
Read alongside the Privacy Policy and the Terms of Service.