Temu has responded to allegations of violations of data breaches in Nigeria.

The eCommerce firm confirmed receipt of the NDPC inquiry but said it is actively engaging with the Commission.

On Monday, the NDPC said it has launched an investigation into an alleged data violation by the Chinese firm.

National Commissioner/CEO, Dr Vincent Olatunji, ordered the immediate investigation, stressing that data processing activities of the firm may violate the NDP Act.

But in a statement made available to The Guardian through its agency, yesterday, the embattled firm said: “At Temu, protecting user privacy and data security is a top priority. We are committed to complying with applicable laws and regulations in our data practices. We will continue to engage in open and constructive dialogue with the NDPC to address any questions or concerns.”

In its Monday notice, the Commission said that the investigation of Temu was triggered by concerns around online surveillance through personal data processing, accountability, data minimisation requirements, transparency, duty of care and cross-border data transfer.

Temu processes personal information of approximately 12.7 million data subjects in Nigeria, with 70 million daily active users globally.

A statement signed by NDPC Head, Legal, Enforcement and Regulations, Babatunde Bamigboye, noted that the National Commissioner warned that processors, who engage in processing activities on behalf of data controllers without verifying their compliance with the NDP Act, may be liable under the act.

Before Monday’s reaction, there had been rising cases of data breaches by organisation and this has attracted the attention of the country’s data regulator.
In August 2025, NDPC launched a sector-wide investigation into 1,369 organisations suspected of flouting provisions of the act.

According to the Commission, the probe targets companies in sensitive industries such as banking, insurance, pensions, gaming and insurance brokerage.

These included 795 financial institutions that were given 21 days to submit evidence of compliance with the NDPA or face sanctions.

The list of the companies published by the Commission at the time also included 392 insurance broker firms, 35 insurance companies, 10 pension companies and 136 gaming companies.