How Praxis complies with the Nigeria Data Protection Regulation and protects the personal data of Nigerian citizens.
The Nigeria Data Protection Regulation (NDPR) was issued in 2019 by the National Information Technology Development Agency (NITDA) and subsequently strengthened by the Nigeria Data Protection Act (NDPA) 2023.
As a platform processing employee data for Nigerian organizations, Praxis is committed to full compliance with these regulations. This page outlines how we meet our obligations as both a data controller and data processor.
As a data processor: When your organization uses Praxis to manage employee data, we act as a data processor on your behalf. Your organization remains the data controller, determining the purposes and means of processing.
As a data controller: For data we collect directly (account registration, website analytics, waitlist sign-ups), we act as the data controller and are directly responsible for compliance.
Data Processing Agreement: Organizations using Praxis enter into a Data Processing Agreement (DPA) that clearly defines roles, responsibilities, and safeguards in accordance with NDPR requirements.
We process personal data under the following legal bases as defined by the NDPR:
Consent: Where individuals have given clear, informed consent for specific processing activities. Consent can be withdrawn at any time.
Contractual necessity: Processing necessary for the performance of a contract, such as providing the Praxis platform services to your organization.
Legal obligation: Processing required to comply with Nigerian employment law, tax regulations, pension contributions, and other statutory requirements.
Legitimate interest: Processing necessary for legitimate business purposes, provided this does not override the fundamental rights of the data subject.
Under the NDPR, individuals whose data is processed through Praxis have the following rights:
Right to be informed: Clear, transparent information about how personal data is collected and used.
Right of access: Individuals can request a copy of their personal data held within Praxis. Organization administrators can facilitate these requests through the platform.
Right to rectification: Individuals can request correction of inaccurate or incomplete personal data.
Right to erasure: Individuals can request deletion of their personal data, subject to legal retention requirements (e.g., tax records, pension documentation).
Right to data portability: Individuals can request their data in a structured, commonly used, machine-readable format.
Right to object: Individuals can object to certain processing activities, particularly direct marketing.
Right to restrict processing: Individuals can request that processing of their data be restricted in certain circumstances.
To exercise these rights, data subjects should contact their organization administrator. For data we control directly, contact dpo@praxis.hr.
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals. This includes:
Large-scale processing of employee data across organizations.
Payroll processing involving sensitive financial information.
AI-powered features that analyze organizational patterns.
DPIAs are reviewed and updated when there are significant changes to processing activities or the introduction of new features.
Where personal data is transferred outside Nigeria, we ensure adequate protection through:
Adequacy assessment: Evaluating whether the receiving country provides adequate data protection.
Standard contractual clauses: Binding agreements with data recipients that ensure equivalent protection.
Data Processing Agreements: Specific terms governing data handling by sub-processors outside Nigeria.
Our primary data processing infrastructure serves the African market, minimizing the need for international transfers.
In accordance with the NDPR, we will:
Notify NITDA of any personal data breach within 72 hours of becoming aware of it.
Notify affected data controllers (your organization) without undue delay so they can fulfill their own notification obligations.
Notify affected individuals where the breach is likely to result in high risk to their rights and freedoms.
Maintain a register of all data breaches, including their effects and remedial actions taken.
Praxis has designated a Data Protection Officer (DPO) responsible for:
Monitoring compliance with the NDPR and internal data protection policies.
Advising on Data Protection Impact Assessments.
Acting as the point of contact for NITDA and data subjects.
Conducting regular audits of data processing activities.
Contact the DPO: dpo@praxis.hr
In compliance with the NDPR, we:
Conduct an annual data protection audit by a licensed Data Protection Compliance Organization (DPCO).
File the annual audit report with NITDA.
Maintain records of all processing activities as required by the regulation.
Review and update data protection policies and procedures annually.
As an HR platform, Praxis processes various categories of employee data on behalf of organizations:
Basic personal data: Name, contact details, date of birth, identification numbers.
Employment data: Job title, department, salary, performance records, leave balances.
Financial data: Bank account details for payroll, tax identification numbers, pension details.
Sensitive data: Where applicable, health information for leave management is processed with additional safeguards and explicit consent.
All employee data processing is governed by the organization's data processing policies, with Praxis providing the technical infrastructure and security controls to protect this data.
For NDPR-related inquiries:
Data Protection Officer: dpo@praxis.hr
General legal inquiries: legal@praxis.hr
Address: Praxis (Tegence Ltd), Lagos, Nigeria