Data Processing Agreement (New Zealand)

This Data Processing Agreement (the “Agreement”) is entered into on [Effective Date] (the “Effective Date”) between:

[Controller Name], NZBN [Controller NZBN], of [Controller Address], [Controller City], [Controller Region] [Controller Postcode], New Zealand (the “Controller”); and

[Processor Name], NZBN [Processor NZBN], of [Processor Address], [Processor City], [Processor Region] [Processor Postcode], New Zealand (the “Processor”).

The Controller and the Processor are referred to collectively as the “Parties” and individually as a “Party”.

BACKGROUND

The Controller engages the Processor to process personal information on its behalf in connection with services provided under a separate agreement between the Parties (the “Underlying Agreement”). This Agreement sets out the obligations of the Processor with respect to that processing, in compliance with the Privacy Act 2020 of New Zealand and the Information Privacy Principles (IPPs) set out in that Act.

1. DEFINITIONS

1.1 In this Agreement:

“Personal Information” has the meaning given to it in the Privacy Act 2020, namely information about an identifiable individual.

“Processing” means any operation performed on personal information, including collection, storage, use, disclosure, and deletion.

“Notifiable Privacy Breach” has the meaning given to it in the Privacy Act 2020.

“Privacy Commissioner” means the Privacy Commissioner appointed under the Privacy Act 2020.

“IPP” means an Information Privacy Principle set out in Schedule 1 of the Privacy Act 2020.

2. PROCESSING INSTRUCTIONS

2.1 The Processor shall process Personal Information only on the documented instructions of the Controller, and for no other purpose, except as required by applicable New Zealand law.

2.2 The purpose of processing under this Agreement is: [Processing Purpose].

2.3 The categories of Personal Information to be processed are: [Personal Information Categories].

2.4 The categories of data subjects whose Personal Information will be processed are: [Data Subjects].

2.5 The Processor shall promptly inform the Controller if it believes a processing instruction infringes the Privacy Act 2020 or any other applicable New Zealand law.

3. PROCESSOR OBLIGATIONS AND PRIVACY ACT 2020 COMPLIANCE

3.1 The Processor shall comply with all applicable obligations under the Privacy Act 2020 and the IPPs with respect to the Personal Information it processes on behalf of the Controller, including:

IPP 5 (Storage and Security): The Processor shall protect Personal Information against unauthorised access, use, modification, disclosure, and other misuse by implementing appropriate technical and organisational security measures, including: [Security Measures].

IPP 10 (Use of Personal Information): The Processor shall not use Personal Information for any purpose other than the purposes specified in clause 2.2 of this Agreement.

IPP 11 (Limits on Disclosure): The Processor shall not disclose Personal Information to any person except as necessary to perform the services under the Underlying Agreement or as required by law.

3.2 The Processor shall ensure that all personnel who access Personal Information are subject to appropriate confidentiality obligations and have received training on their obligations under the Privacy Act 2020.

3.3 The Processor shall assist the Controller in responding to access requests and correction requests made by data subjects under the Privacy Act 2020 (IPP 6 and IPP 7).

5. PRIVACY BREACH NOTIFICATION

5.1 In the event of a suspected or confirmed privacy breach involving Personal Information processed under this Agreement, the Processor shall notify the Controller [Breach Notification Period].

5.2 The Processor’s notification to the Controller shall include, to the extent available: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects affected; (c) the categories and approximate quantity of Personal Information records affected; (d) the likely consequences of the breach; and (e) the measures taken or proposed by the Processor to address the breach and mitigate its effects.

5.3 The Processor shall cooperate fully with the Controller in any investigation or notification process required under the Privacy Act 2020, including any notification to the Privacy Commissioner or affected individuals.

6. SUB-PROCESSORS

6.1 The Processor shall not engage a sub-processor to process Personal Information under this Agreement without the prior written consent of the Controller.

6.2 Where the Controller consents to the engagement of a sub-processor, the Processor shall ensure that the sub-processor is bound by data processing obligations no less protective than those in this Agreement.

6.3 The Processor remains fully liable to the Controller for the performance of sub-processors’ obligations under this Agreement.

7. AUDIT AND COMPLIANCE

7.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with its obligations under this Agreement and the Privacy Act 2020.

7.2 The Controller or its nominated auditor may, upon reasonable notice, conduct audits of the Processor’s data processing practices and security measures. The Processor shall cooperate fully with such audits.

7.3 The Processor shall notify the Controller’s Privacy Officer, [Controller Privacy Officer], of any inquiry, investigation, or complaint from the Privacy Commissioner or any other regulatory authority relating to the processing of Personal Information under this Agreement.

8. TERM AND TERMINATION

8.1 This Agreement shall remain in force [Agreement Term].

8.2 Upon expiry or termination of this Agreement, the Processor shall, at the Controller’s written election, either return all Personal Information to the Controller or permanently and securely destroy it, and provide written confirmation of such destruction to the Controller.

8.3 The Processor may retain copies of Personal Information to the extent required by applicable New Zealand law or regulation, provided that such retained Personal Information remains subject to the obligations of this Agreement.

9. GENERAL PROVISIONS

9.1 Conflict. In the event of any conflict between this Agreement and the Underlying Agreement with respect to the processing of Personal Information, this Agreement shall prevail.

9.2 Governing Law and Jurisdiction. This Agreement is governed by the laws of New Zealand, including the Privacy Act 2020 and the Contract and Commercial Law Act 2017. The Parties submit to the non-exclusive jurisdiction of the courts of New Zealand, including the High Court sitting at [Governing Region].

9.3 Amendments. No amendment to this Agreement is effective unless made in writing and signed by authorised representatives of both Parties.

9.4 Severability. If any provision of this Agreement is invalid or unenforceable, the remaining provisions continue in full force and effect.

IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the Effective Date.

THE CONTROLLER

Name: [Controller Name]

Address: [Controller Address], [Controller City], [Controller Region] [Controller Postcode], New Zealand

THE PROCESSOR

Name: [Processor Name]

Address: [Processor Address], [Processor City], [Processor Region] [Processor Postcode], New Zealand

Controller

________________

Signature

Date: ________________

Processor

________________

Signature

Date: ________________

Maintained by Vladislav Sergienko, Founder

What Is a Data Processing Agreement (New Zealand)?

A Data Processing Agreement in New Zealand records the personal-data processing to be provided, the fees, the service standards, and the obligations of the provider and the client under the Privacy Act 2020.

The Privacy Act 2020, which replaced the Privacy Act 1993 and came into force on 1 December 2020, is the primary legislation governing the handling of personal information in New Zealand. The Act applies to all agencies that collect, store, use, or disclose personal information about identifiable individuals in the course of their activities in New Zealand. The 13 Information Privacy Principles (IPPs) set out in Schedule 1 of the Privacy Act 2020 establish the baseline obligations for how personal information must be handled.

When an organisation engages a service provider to process personal information on its behalf — for example, a payroll provider, a cloud storage service, a marketing automation platform, or a software developer — the organisation remains responsible for confirming that the service provider handles the personal information in accordance with the Privacy Act 2020. A Data Processing Agreement formalises this arrangement by placing binding contractual obligations on the Processor and confirming that the Controller can demonstrate compliance with the Act.

The Privacy Act 2020 introduced several significant changes compared to its predecessor, including mandatory privacy breach reporting under sections 112 to 121. Under these provisions, an agency must notify both the Privacy Commissioner and affected individuals when a privacy breach has caused, or is likely to cause, serious harm to an affected individual. This obligation applies regardless of whether the breach was caused by the agency itself or by a Processor acting on its behalf, which makes it essential for Controllers to have clear contractual arrangements with their Processors regarding breach detection, reporting, and response.

New Zealand organisations that have international operations or that use overseas service providers must also be aware of IPP 12, which restricts the cross-border disclosure of personal information. Under IPP 12, an agency must not disclose personal information to an overseas recipient unless the agency has taken reasonable steps to confirm that the recipient will handle the information in a way that provides comparable protections to those under New Zealand law. A Data Processing Agreement that addresses cross-border transfers and includes appropriate safeguards helps the Controller satisfy this requirement.

New Zealand’s digital economy is highly integrated with global technology platforms, and many New Zealand organisations use cloud-based services hosted in overseas jurisdictions such as the United States, Australia, and Singapore. A well-drafted Data Processing Agreement is essential for any New Zealand organisation that uses overseas cloud service providers to process personal information about New Zealand individuals, as it provides the contractual framework for demonstrating IPP 12 compliance.

The Privacy Commissioner has published guidance on data processing and the use of cloud services, recommending that organisations enter into written agreements with processors that address the requirements of the Privacy Act 2020. Organisations that do not have appropriate DPAs in place may face complaints and investigations by the Privacy Commissioner, as well as potential civil liability before the Human Rights Review Tribunal.

When Do You Need a Data Processing Agreement (New Zealand)?

A Data Processing Agreement is required whenever a New Zealand organisation engages a third party to process personal information on its behalf. The scope of this obligation is broad and covers a wide range of common business activities.

Cloud computing and SaaS (Software as a Service) engagements are among the most common scenarios requiring a DPA in New Zealand. When an organisation stores customer data, employee records, or financial information in a cloud platform such as Microsoft Azure, Amazon Web Services, Google Cloud, or a New Zealand-hosted equivalent, it is disclosing personal information to the cloud provider for processing. A DPA confirms that the cloud provider is subject to binding obligations under the Privacy Act 2020 and that the Controller can audit and monitor compliance.

Payroll processing is another area where a DPA is essential. Payroll service providers in New Zealand handle highly sensitive personal information, including employees’ IRD numbers, bank account details, salary and wage information, and KiwiSaver contribution rates. A DPA confirms that the payroll provider handles this information only as instructed by the employer, implements appropriate security measures, and notifies the employer promptly in the event of a breach.

Marketing and analytics services frequently involve the processing of personal information about customers and prospects. When a business uses a third-party email marketing platform, a CRM system, a web analytics tool, or a customer data platform (CDP), it is disclosing personal information to those providers for processing. Under IPP 10 of the Privacy Act 2020, personal information must not be used for a purpose other than the one for which it was collected. A DPA confirms that marketing technology providers do not use the Controller’s customer data for their own purposes.

Healthcare organisations in New Zealand face particularly stringent obligations when engaging third parties to process health information, which is a category of sensitive personal information. The Health Information Privacy Code 2020 supplements the Privacy Act 2020 with specific rules for health information. Any health sector organisation engaging IT providers, cloud services, or medical records management companies must have a DPA that addresses the requirements of both the Privacy Act 2020 and the Health Information Privacy Code.

Financial services providers regulated by the Financial Markets Authority (FMA) and the Reserve Bank of New Zealand (RBNZ) are subject to additional data governance requirements. When these organisations engage third-party data processors, the DPA must address not only the Privacy Act 2020 but also any applicable prudential standards and conduct obligations under the Financial Markets Conduct Act 2013.

Educational institutions in New Zealand, including schools, polytechnics, and universities, frequently use third-party learning management systems, student information systems, and cloud-based collaboration tools. A DPA is essential for managing the privacy obligations associated with processing student and staff personal information. The Ministry of Education and the New Zealand Qualifications Authority (NZQA) have specific expectations regarding the privacy practices of educational institutions, and a DPA demonstrates the institution’s commitment to compliance.

New Zealand government agencies procuring digital services from private sector providers must confirm that any processing of personal information by those providers is subject to appropriate contractual arrangements. The Government Chief Privacy Officer (GCPO) and the Privacy Commissioner provide guidance on procurement practices for government agencies, and a DPA is a standard requirement for any government technology procurement involving personal information.

What to Include in Your Data Processing Agreement (New Zealand)

A thorough Data Processing Agreement for use in New Zealand should contain the following key provisions.

The processing instructions clause is the foundation of the DPA. It must precisely define the purposes for which the Processor may process personal information, the categories of personal information to be processed, and the categories of data subjects whose information will be handled. The Processor must be prohibited from processing personal information for any purpose beyond those specified. This clause directly implements IPP 10 (limits on use) and confirms that the Processor acts only as instructed by the Controller.

The security measures clause sets out the technical and organisational measures the Processor must implement to protect personal information against unauthorised access, use, modification, disclosure, or destruction. This clause implements IPP 5 of the Privacy Act 2020 and should be specific rather than generic. It should address encryption standards (for data at rest and in transit), access control mechanisms, multi-factor authentication, physical security of data centres, backup procedures, penetration testing frequency, and staff training.

The cross-border disclosure clause must address the requirements of IPP 12 where personal information will be transferred outside New Zealand. It should identify the specific countries to which personal information may be disclosed, the basis for satisfying IPP 12 in each case (such as comparable overseas law, contractual protections, or individual consent), and the Controller’s right to be notified of any change to the countries involved.

The privacy breach notification clause sets out the Processor’s obligation to notify the Controller promptly upon becoming aware of a suspected or confirmed privacy breach. The Privacy Act 2020 requires organisations to assess whether a breach is notifiable and to report it to the Privacy Commissioner within a reasonable time. The DPA should specify the notification timeframe (typically 24 to 48 hours for suspected breaches), the minimum content of the notification, and the Processor’s obligation to cooperate in the investigation and remediation of the breach.

The sub-processor clause controls the Processor’s right to engage sub-processors. It should require the Controller’s prior written consent before any sub-processor is engaged, impose an obligation on the Processor to confirm that sub-processors are bound by equivalent obligations, and confirm that the Processor remains liable for sub-processor acts and omissions.

The audit and compliance clause gives the Controller the right to verify that the Processor is complying with its obligations under the DPA. It should specify the notice required before an audit, the scope of the audit rights, and the obligation of the Processor to provide all necessary information and access.

The data return and destruction clause addresses what happens to personal information at the end of the engagement. Upon expiry or termination of the DPA, the Processor should be required to return all personal information to the Controller (in a usable format) or to permanently and securely destroy it, with written confirmation.

The term and termination clause should tie the duration of the DPA to the duration of the underlying services agreement and specify how long data retention obligations survive termination. The governing law clause must confirm that the DPA is governed by New Zealand law, including the Privacy Act 2020 and the Contract and Commercial Law Act 2017, and specify the New Zealand courts as the forum for disputes. The forms-legal.com Data Processing Agreement (New Zealand) provides a ready-to-use template that meets New Zealand legal requirements.

Based on Privacy Act 2020. Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
