An Ibadan-based lawyer, Boluwatife Sanya, has filed a suit against a popular Ibadan based school, Valencia College, for allegedly violating his data privacy rights under the Nigeria Data Protection Act (NDPA) 2023.

The applicant instituted an action before an High Court of Oyo State after receiving an unsolicited SMS from the school, advertising its admission programme.

According to the statement of claims filed in court, the applicant never provided the school with his personal data — particularly his mobile number — and did not consent to any form of marketing communication.

The dispute arose on or about 6th March 2025, when the applicant received a marketing SMS from the school inviting recipients to apply for admission into its upcoming 2025/2026 academic session.

The applicant maintains that he has never interacted with the school, submitted any form of application, or requested any service that could reasonably justify the use of his personal information.

The applicant, through his legal representative, Tolulope Idowu, argued that the SMS constitutes a violation of Section 24 and 25 of the NDPA, which require that personal data must be collected and processed lawfully, fairly and with the data subject’s informed consent.

The suit filed pursuant to the applicant’s rights under Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended) Sections 24(1)(a), 25 & 35 of the Nigeria Data Protection Act 2023, seeks among other reliefs; an order of court that the school unlawfully processed personal data without the applicant’s consent, used the data for direct marketing in an illegal and unfair manner, failed to provide transparency on how the data was obtained and honour the applicant’s data subject rights to access and consequently, infringed the applicant’s right to privacy guaranteed under Section 37 of the 1999 Constitution of the Federal Republic of Nigeria.

Sanya is also seeking an order for the deletion of all data belonging to him in the defendant’s database and damages for breach of statutory duty and violation of his constitutional rights.

The Nigeria Data Protection Act, which was signed into law in 2023 and replaced the earlier NDPR framework, introduced a comprehensive legal regime for the processing of personal data. It gives every Nigerian the right to know who is processing their data, access their data from any data controller, withdraw consent at any time, and seek redress when their rights are infringed.

Additionally, while Article 18(1) (a) of the NDPA General Application and Implementation Directive 2025 specifically provides that where personal data is processed for the purpose of direct marketing, the consent of the Data subject is the only basis on which such personal data may be processed, Section 34 of the NDPA 2023 further allows any individual to demand full access to their data and the purposes for which it is being processed.

More importantly, Section 37 of the 1999 Constitution guarantees the privacy of citizens, their homes, correspondence, and communications.

Any unauthorized intrusion into this space can therefore trigger both statutory and constitutional remedies. Legal practitioners have described the case as “an important test for how seriously the courts and institutions treat privacy in Nigeria’s digital age”.