@tantainnovative/ndpr-toolkit/dist/chunk-YFBDJ4FH.js

Nigeria Data Protection Toolkit — enterprise-grade compliance components for the Nigeria Data Protection Act (NDPA) 2023

'use strict';var n={AT:{country:"Austria",isoCode:"AT",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},BE:{country:"Belgium",isoCode:"BE",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},BG:{country:"Bulgaria",isoCode:"BG",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},HR:{country:"Croatia",isoCode:"HR",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},CY:{country:"Cyprus",isoCode:"CY",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},CZ:{country:"Czech Republic",isoCode:"CZ",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},DK:{country:"Denmark",isoCode:"DK",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},EE:{country:"Estonia",isoCode:"EE",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},FI:{country:"Finland",isoCode:"FI",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},FR:{country:"France",isoCode:"FR",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},DE:{country:"Germany",isoCode:"DE",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR with additional national provisions (BDSG).",lastUpdated:"2024-01-01"},GR:{country:"Greece",isoCode:"GR",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},HU:{country:"Hungary",isoCode:"HU",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},IE:{country:"Ireland",isoCode:"IE",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR. Hosts many multinational data processors.",lastUpdated:"2024-01-01"},IT:{country:"Italy",isoCode:"IT",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},LV:{country:"Latvia",isoCode:"LV",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},LT:{country:"Lithuania",isoCode:"LT",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},LU:{country:"Luxembourg",isoCode:"LU",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},MT:{country:"Malta",isoCode:"MT",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},NL:{country:"Netherlands",isoCode:"NL",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},PL:{country:"Poland",isoCode:"PL",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},PT:{country:"Portugal",isoCode:"PT",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},RO:{country:"Romania",isoCode:"RO",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},SK:{country:"Slovakia",isoCode:"SK",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},SI:{country:"Slovenia",isoCode:"SI",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},ES:{country:"Spain",isoCode:"ES",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},SE:{country:"Sweden",isoCode:"SE",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EU member state; protected by GDPR.",lastUpdated:"2024-01-01"},IS:{country:"Iceland",isoCode:"IS",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EEA member; GDPR applies through EEA Agreement.",lastUpdated:"2024-01-01"},LI:{country:"Liechtenstein",isoCode:"LI",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EEA member; GDPR applies through EEA Agreement.",lastUpdated:"2024-01-01"},NO:{country:"Norway",isoCode:"NO",adequacyStatus:"adequate",recognizedBy:"EU",notes:"EEA member; GDPR applies through EEA Agreement.",lastUpdated:"2024-01-01"},GB:{country:"United Kingdom",isoCode:"GB",adequacyStatus:"adequate",recognizedBy:"self-assessment",notes:"Protected by UK GDPR and the Data Protection Act 2018. EU adequacy decision granted post-Brexit.",lastUpdated:"2024-01-01"},US:{country:"United States",isoCode:"US",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"No comprehensive federal data protection law. Adequacy depends on transfer mechanism used (e.g. EU-US Data Privacy Framework, standard contractual clauses). Sector-specific laws exist (HIPAA, CCPA, etc.).",lastUpdated:"2024-01-01"},CA:{country:"Canada",isoCode:"CA",adequacyStatus:"adequate",recognizedBy:"self-assessment",notes:"Protected by PIPEDA (Personal Information Protection and Electronic Documents Act) and provincial privacy laws. Recognized as adequate by the EU.",lastUpdated:"2024-01-01"},ZA:{country:"South Africa",isoCode:"ZA",adequacyStatus:"adequate",recognizedBy:"self-assessment",notes:"Protected by POPIA (Protection of Personal Information Act, 2013). Comprehensive data protection framework with an independent Information Regulator.",lastUpdated:"2024-01-01"},GH:{country:"Ghana",isoCode:"GH",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"Data Protection Act 2012 (Act 843) establishes a data protection framework. Enforcement capacity is still developing.",lastUpdated:"2024-01-01"},KE:{country:"Kenya",isoCode:"KE",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"Data Protection Act 2019 provides a modern framework. The Office of the Data Protection Commissioner is operational but still maturing.",lastUpdated:"2024-01-01"},RW:{country:"Rwanda",isoCode:"RW",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"Law No. 058/2021 on the Protection of Personal Data and Privacy. Framework is relatively new.",lastUpdated:"2024-01-01"},EG:{country:"Egypt",isoCode:"EG",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"Personal Data Protection Law No. 151 of 2020. Implementation and enforcement are still in early stages.",lastUpdated:"2024-01-01"},TZ:{country:"Tanzania",isoCode:"TZ",adequacyStatus:"not_adequate",recognizedBy:"self-assessment",notes:"No comprehensive data protection legislation in force.",lastUpdated:"2024-01-01"},UG:{country:"Uganda",isoCode:"UG",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"Data Protection and Privacy Act 2019 provides a framework, but enforcement capacity is limited.",lastUpdated:"2024-01-01"},SN:{country:"Senegal",isoCode:"SN",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"Law No. 2008-12 on the Protection of Personal Data. One of the earlier African data protection laws.",lastUpdated:"2024-01-01"},MA:{country:"Morocco",isoCode:"MA",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"Law No. 09-08 on the Protection of Individuals with Regard to the Processing of Personal Data (2009). Recognized as adequate by the EU.",lastUpdated:"2024-01-01"},MU:{country:"Mauritius",isoCode:"MU",adequacyStatus:"adequate",recognizedBy:"self-assessment",notes:"Data Protection Act 2017 provides a comprehensive framework modelled on international standards.",lastUpdated:"2024-01-01"},CN:{country:"China",isoCode:"CN",adequacyStatus:"not_adequate",recognizedBy:"self-assessment",notes:"Personal Information Protection Law (PIPL) enacted in 2021 but government access provisions and limited independent oversight raise concerns. Transfers require security assessments or standard contracts.",lastUpdated:"2024-01-01"},IN:{country:"India",isoCode:"IN",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"Digital Personal Data Protection Act 2023 enacted. Implementation rules and enforcement mechanisms are still being finalized.",lastUpdated:"2024-01-01"},SG:{country:"Singapore",isoCode:"SG",adequacyStatus:"adequate",recognizedBy:"self-assessment",notes:"Personal Data Protection Act 2012 (PDPA) provides a robust framework. Strong enforcement by the PDPC.",lastUpdated:"2024-01-01"},JP:{country:"Japan",isoCode:"JP",adequacyStatus:"adequate",recognizedBy:"EU",notes:"Act on the Protection of Personal Information (APPI). Recognized as adequate by the EU under mutual adequacy arrangement.",lastUpdated:"2024-01-01"},KR:{country:"South Korea",isoCode:"KR",adequacyStatus:"adequate",recognizedBy:"EU",notes:"Personal Information Protection Act (PIPA). Recognized as adequate by the EU.",lastUpdated:"2024-01-01"},AE:{country:"United Arab Emirates",isoCode:"AE",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"Federal Decree-Law No. 45 of 2021 on Personal Data Protection. DIFC and ADGM free zones have their own data protection regulations with stronger frameworks.",lastUpdated:"2024-01-01"},SA:{country:"Saudi Arabia",isoCode:"SA",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"Personal Data Protection Law (Royal Decree M/19, 2021). Framework is new and enforcement is still developing.",lastUpdated:"2024-01-01"},IL:{country:"Israel",isoCode:"IL",adequacyStatus:"adequate",recognizedBy:"EU",notes:"Protection of Privacy Law 5741-1981 and regulations. Recognized as adequate by the EU.",lastUpdated:"2024-01-01"},BR:{country:"Brazil",isoCode:"BR",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"Lei Geral de Protecao de Dados (LGPD, 2020) provides a comprehensive framework. The ANPD is actively enforcing.",lastUpdated:"2024-01-01"},AR:{country:"Argentina",isoCode:"AR",adequacyStatus:"adequate",recognizedBy:"EU",notes:"Personal Data Protection Act No. 25,326. Recognized as adequate by the EU.",lastUpdated:"2024-01-01"},AU:{country:"Australia",isoCode:"AU",adequacyStatus:"partially_adequate",recognizedBy:"self-assessment",notes:"Privacy Act 1988 provides protection but does not fully align with GDPR-level standards. Reform efforts are ongoing.",lastUpdated:"2024-01-01"},NZ:{country:"New Zealand",isoCode:"NZ",adequacyStatus:"adequate",recognizedBy:"EU",notes:"Privacy Act 2020 provides a comprehensive framework. Recognized as adequate by the EU.",lastUpdated:"2024-01-01"},CH:{country:"Switzerland",isoCode:"CH",adequacyStatus:"adequate",recognizedBy:"EU",notes:"Federal Act on Data Protection (FADP, revised 2023). Recognized as adequate by the EU.",lastUpdated:"2024-01-01"},RU:{country:"Russia",isoCode:"RU",adequacyStatus:"not_adequate",recognizedBy:"self-assessment",notes:"Federal Law on Personal Data (No. 152-FZ). Data localization requirements and government access concerns.",lastUpdated:"2024-01-01"}};function y(e){let t=e.trim().toUpperCase();if(n[t])return n[t];let a=e.trim().toLowerCase();for(let s of Object.values(n))if(s.country.toLowerCase()===a)return s}function q(){return Object.values(n).filter(e=>e.adequacyStatus==="adequate")}function g(e){let t=y(e);return t?t.adequacyStatus!=="adequate":true}function u(e){return e==="standard_clauses"||e==="binding_corporate_rules"||e==="ndpc_authorization"}function f(e){return {adequacy_decision:"Adequacy Decision (NDPA Section 42) \u2014 Transfer to a country, region, or specified sector that the NDPC has determined provides an adequate level of data protection.",standard_clauses:"Standard Contractual Clauses (NDPA Section 41(1)(a)) \u2014 Transfer based on contractual clauses that afford adequate protection. The NDPC may approve such clauses under Section 42(4)\u2013(5).",binding_corporate_rules:"Binding Corporate Rules (NDPA Section 41(1)(a)) \u2014 Transfer within a group of undertakings based on binding corporate rules that afford adequate protection. The NDPC may approve BCRs under Section 42(5).",ndpc_authorization:"NDPC-Approved Instrument (NDPA Section 42(5)) \u2014 Transfer authorized by an NDPC-approved code of conduct, certification mechanism, or similar instrument that meets the protection standards of the Act.",explicit_consent:"Explicit Consent (NDPA Section 43(1)(a)) \u2014 Transfer based on the consent of the data subject after being informed of the possible risks due to the absence of adequate protections.",contract_performance:"Contract Performance (NDPA Section 43(1)(b)) \u2014 Transfer necessary for the performance of a contract to which the data subject is a party, or for pre-contractual steps at the data subject's request.",public_interest:"Public Interest (NDPA Section 43(1)(d)) \u2014 Transfer necessary for important reasons of public interest.",legal_claims:"Legal Claims (NDPA Section 43(1)(e)) \u2014 Transfer necessary for the establishment, exercise, or defense of legal claims.",vital_interests:"Vital Interests (NDPA Section 43(1)(f)) \u2014 Transfer necessary to protect the vital interests of a data subject or of other persons where the data subject is physically or legally incapable of giving consent."}[e]}function U(e){var s,r;let t=[],a=[];return e.id||t.push("Transfer ID is required."),(!e.destinationCountry||e.destinationCountry.trim()==="")&&t.push("Destination country is required."),(!e.recipientOrganization||e.recipientOrganization.trim()==="")&&t.push("Recipient organization is required."),(!((s=e.recipientContact)!=null&&s.name)||e.recipientContact.name.trim()==="")&&t.push("Recipient contact name is required."),(!((r=e.recipientContact)!=null&&r.email)||e.recipientContact.email.trim()==="")&&t.push("Recipient contact email is required."),(!e.purpose||e.purpose.trim()==="")&&t.push("Purpose of the transfer is required."),e.transferMechanism||t.push("Transfer mechanism is required."),(!e.dataCategories||e.dataCategories.length===0)&&t.push("At least one data category must be specified."),(!e.riskAssessment||e.riskAssessment.trim()==="")&&t.push("Risk assessment summary is required."),(!e.safeguards||e.safeguards.length===0)&&t.push("At least one safeguard must be documented for the transfer."),u(e.transferMechanism)&&(e.ndpcApproval?(e.ndpcApproval.required||a.push("NDPC approval is marked as not required, but the selected transfer mechanism requires NDPC approval."),e.ndpcApproval.required&&!e.ndpcApproval.applied&&t.push("NDPC approval is required but an application has not been submitted."),e.ndpcApproval.applied&&!e.ndpcApproval.approved&&e.status==="active"&&t.push('Transfer is marked as active but NDPC approval has not been granted. Status should be "pending_approval".')):t.push(`NDPC approval documentation is required for transfers using ${l(e.transferMechanism)}.`)),e.tiaCompleted||a.push("A Transfer Impact Assessment (TIA) has not been completed for this transfer."),e.adequacyStatus==="inadequate"&&e.transferMechanism==="adequacy_decision"&&t.push("Cannot rely on adequacy decision (Section 42) when the destination country is marked as inadequate."),e.endDate&&e.startDate>e.endDate&&t.push("Start date must be before end date."),e.includesSensitiveData&&e.riskLevel!=="high"&&a.push("Transfer includes sensitive personal data but the risk level is not set to high. Consider reviewing the risk assessment."),e.reviewDate||a.push("No review date has been set for this transfer. Periodic reviews are recommended."),{isValid:t.length===0,errors:t,warnings:a}}function b(e){var d,c;let t=[],a=[],s=0,p={adequate:0,pending_review:2,unknown:3,inadequate:4}[e.adequacyStatus];s+=p,e.adequacyStatus==="inadequate"?(t.push("Destination country does not have an adequate level of data protection."),a.push("Implement supplementary technical and organizational measures.")):e.adequacyStatus==="unknown"?(t.push("Data protection adequacy of the destination country has not been assessed."),a.push("Conduct an adequacy assessment of the destination country.")):e.adequacyStatus==="pending_review"&&(t.push("Destination country adequacy is currently under review."),a.push("Monitor the adequacy review outcome and plan for contingencies."));let i={adequacy_decision:0,standard_clauses:1,binding_corporate_rules:1,ndpc_authorization:1,contract_performance:2,explicit_consent:2,legal_claims:2,public_interest:2,vital_interests:3}[e.transferMechanism];s+=i,i>=2&&(t.push(`Transfer relies on a derogation mechanism (${l(e.transferMechanism)}), which provides fewer structural safeguards.`),a.push("Consider whether a stronger transfer mechanism (adequacy decision, standard clauses, or BCRs) could be used instead.")),e.includesSensitiveData&&(s+=3,t.push("Transfer includes sensitive personal data, increasing the potential impact of unauthorized access."),a.push("Ensure encryption in transit and at rest, and apply strict access controls.")),e.estimatedDataSubjects&&e.estimatedDataSubjects>1e4?(s+=2,t.push("Large number of data subjects involved increases the scope of potential harm."),a.push("Consider data minimization strategies and ensure robust incident response procedures.")):e.estimatedDataSubjects&&e.estimatedDataSubjects>1e3&&(s+=1,t.push("Moderate number of data subjects involved.")),e.tiaCompleted||(s+=2,t.push("Transfer Impact Assessment has not been completed."),a.push("Complete a Transfer Impact Assessment before proceeding with the transfer.")),u(e.transferMechanism)&&((d=e.ndpcApproval)!=null&&d.approved||(s+=2,t.push("NDPC approval is required but has not been granted."),a.push("Obtain NDPC approval before activating the transfer."))),(((c=e.safeguards)==null?void 0:c.length)||0)<3&&(s+=1,t.push("Limited number of safeguards documented."),a.push("Document additional technical, organizational, and contractual safeguards.")),e.frequency==="continuous"&&(s+=1,t.push("Continuous data transfer increases exposure window."),a.push("Implement real-time monitoring and anomaly detection for the transfer."));let o;return s<=4?o="low":s<=9?o="medium":o="high",{riskLevel:o,riskScore:s,factors:t,recommendations:a}}function l(e){return {adequacy_decision:"Adequacy Decision",standard_clauses:"Standard Contractual Clauses",binding_corporate_rules:"Binding Corporate Rules",ndpc_authorization:"NDPC Authorization",explicit_consent:"Explicit Consent",contract_performance:"Contract Performance",public_interest:"Public Interest",legal_claims:"Legal Claims",vital_interests:"Vital Interests"}[e]}exports.a=n;exports.b=y;exports.c=q;exports.d=g;exports.e=u;exports.f=f;exports.g=U;exports.h=b;