Privacy Policy (New Zealand)
Effective Date: [Effective Date]
This Privacy Policy explains how [Organisation Name] ([NZBN]) (“we”, “us”, or “our”) collects, uses, discloses, stores, and protects personal information in accordance with the Privacy Act 2020 (NZ) and the 13 Information Privacy Principles (IPPs) set out in that Act.
This Policy applies to all personal information we collect through our website at [Website URL], our products and services, and any other means by which you interact with us. By using our website or services, you acknowledge that you have read and understood this Privacy Policy.
1. ABOUT THIS POLICY (IPP 1 — PURPOSE AND TRANSPARENCY)
1.1 We are committed to managing personal information in an open and transparent manner, consistent with Information Privacy Principle 1 (IPP 1) of the Privacy Act 2020. This Privacy Policy is publicly available on our website and sets out how we manage personal information.
1.2 The Privacy Act 2020 applies to every agency (which includes businesses and organisations) that collects, holds, uses, or discloses personal information about individuals in New Zealand. Unlike under the repealed Privacy Act 1993, the 2020 Act applies regardless of the size of your organisation and introduces mandatory privacy breach notification requirements.
1.3 If you have any questions or concerns about how we handle your personal information, or if you wish to make a complaint, you may contact our Privacy Officer using the contact details set out in clause 12 of this Policy.
2. PERSONAL INFORMATION WE COLLECT (IPP 1, 2 AND 3)
2.1 We collect only such personal information as is necessary for a lawful purpose connected with our functions and activities, in accordance with Information Privacy Principle 1 of the Privacy Act 2020. The types of personal information we collect include: [Personal Information Types].
2.2 We collect personal information in the following ways: [Collection Methods].
2.3 Where it is reasonably practicable to do so, we collect personal information directly from the individual concerned (IPP 2). Where we collect personal information about an individual from a third party, we will take reasonable steps to ensure the individual is aware that we have collected that information and the circumstances of collection (IPP 3).
2.4 You are not obliged to provide us with your personal information. However, if you choose not to provide certain information, we may not be able to provide you with some or all of our products and services.
3. HOW WE USE YOUR PERSONAL INFORMATION (IPP 3, 10 AND 11)
3.1 We use personal information for the following primary purposes: [Collection Purpose].
3.2 Under IPP 10 of the Privacy Act 2020, we will not use personal information collected for one purpose for an unrelated secondary purpose without your consent, unless an exception under the Privacy Act 2020 applies (for example, where use for the secondary purpose is authorised or required by law, or is directly related to the primary purpose and the individual would reasonably expect such use).
3.3 We will not use or disclose personal information collected for one purpose for another unrelated purpose without your consent or unless otherwise required or authorised by law.
4. DISCLOSURE OF PERSONAL INFORMATION (IPP 11)
4.1 We may disclose your personal information to third parties in the following circumstances:
- to our employees, contractors, and related entities who require access to perform our functions and activities;
- to service providers engaged to assist us in providing our services, such as IT service providers, payment processors, and analytics providers, who are bound by confidentiality and data protection obligations;
- to government agencies, regulators, or law enforcement bodies where required or authorised by law;
- with your consent; or
- where permitted or required under the Privacy Act 2020 or any other applicable New Zealand law.
4.2 We require all third parties to whom we disclose personal information to protect that information in a manner consistent with this Privacy Policy and the Information Privacy Principles under the Privacy Act 2020.
5. SECURITY OF PERSONAL INFORMATION (IPP 5)
5.1 We take reasonable steps to protect the personal information we hold from loss, misuse, and unauthorised access, modification, or disclosure, in accordance with Information Privacy Principle 5 of the Privacy Act 2020. Our security measures include: [Security Measures].
5.2 Despite our reasonable security measures, no data transmission over the internet or electronic storage system is entirely secure. We cannot guarantee the absolute security of personal information transmitted to or from us.
5.3 We retain personal information only for as long as necessary for the purposes for which it was collected, or as required by applicable law (IPP 9). Our general data retention practices are: [Retention Period]. When personal information is no longer required, we will take reasonable steps to destroy or de-identify it.
5.4 In the event of a privacy breach that has caused or is likely to cause serious harm to any individual, we will notify the affected individual(s) and the Privacy Commissioner as soon as reasonably practicable, as required under sections 113-119 of the Privacy Act 2020 (mandatory privacy breach notification).
6. ACCESS TO AND CORRECTION OF YOUR PERSONAL INFORMATION (IPP 6 AND 7)
6.1 Under Information Privacy Principle 6 of the Privacy Act 2020, you have the right to obtain confirmation of whether we hold personal information about you and, if we do, to access that information. To make an access request, please contact us using the details in clause 12 of this Policy.
6.2 We will respond to your access request as soon as reasonably practicable and in any case within 20 working days of receiving the request, as required by the Privacy Act 2020. In some circumstances, we may refuse access or limit the information we provide — for example, where access would be unlawful, would prejudice an investigation, or would unreasonably affect the privacy of other individuals. If we refuse or limit access, we will give you written notice explaining our reasons and informing you of your right to complain to the Privacy Commissioner.
6.3 Under Information Privacy Principle 7 of the Privacy Act 2020, you have the right to request that we correct personal information we hold about you that you believe is inaccurate, out of date, incomplete, irrelevant, or misleading. We will consider your correction request and take reasonable steps to correct the information. If we refuse to make the correction, we will notify you and attach a statement of the correction sought, if you request this.
7. CONTACT US AND COMPLAINTS PROCESS
7.1 For any privacy enquiries, access or correction requests, or complaints about how we handle your personal information, please contact our Privacy Officer:
[Organisation Name]
Postal address: [Contact Address]
Email: [Privacy Email]
Phone: [Phone Number]
7.2 We will acknowledge your complaint within 5 working days and aim to resolve it within 20 working days, as required by the Privacy Act 2020. If you are not satisfied with our response, you may lodge a complaint with the Privacy Commissioner of New Zealand:
Office of the Privacy Commissioner
PO Box 10094, The Terrace, Wellington 6143
Phone: 0800 803 909
Website: www.privacy.org.nz
7.3 The Privacy Commissioner can investigate complaints and take action if we have breached the Information Privacy Principles. Complaints to the Privacy Commissioner are free of charge. If the Privacy Commissioner is unable to resolve the complaint, the matter may be referred to the Human Rights Review Tribunal.
8. CHANGES TO THIS PRIVACY POLICY
8.1 We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements under the Privacy Act 2020, or business operations. When we make material changes, we will notify you by posting the updated Privacy Policy on our website at [Website URL] and updating the Effective Date at the top of this Policy.
8.2 We encourage you to review this Privacy Policy periodically. Your continued use of our website or services after the publication of any updated Privacy Policy constitutes your acknowledgement of the updated terms.
What Is a Privacy Policy (New Zealand)?
A Privacy Policy (New Zealand) is a document published by an organisation that collects personal information — including businesses, non-profit entities, and government agencies — that explains to individuals how their personal information is collected, used, disclosed, stored, and protected in New Zealand. Privacy Policies are governed primarily by the Privacy Act 2020, which came into force on 1 December 2020 and replaced the Privacy Act 1993.
The Privacy Act 2020 is administered by the Privacy Commissioner, whose office (the Office of the Privacy Commissioner) oversees compliance and handles privacy complaints from individuals. Unlike in some countries, New Zealand's Privacy Act applies to every agency that handles personal information, regardless of the size or turnover of the organisation. There is no small business exemption — a sole trader with a single client is subject to the same Information Privacy Principles as a large corporation.
The 13 Information Privacy Principles (IPPs) in the Privacy Act 2020 set out the binding standards for how personal information must be handled. The IPPs cover the purpose and method of collection (IPPs 1-4), the storage and security of information (IPP 5), individuals' access and correction rights (IPPs 6-7), accuracy and retention requirements (IPPs 8-9), and limits on use and disclosure (IPPs 10-12). A Privacy Policy must explain how your organisation complies with each relevant IPP.
One of the most significant changes introduced by the Privacy Act 2020 is mandatory privacy breach notification. Under sections 113 to 119 of the Act, organisations must notify the Privacy Commissioner and affected individuals of a privacy breach that has caused, or is likely to cause, serious harm. This obligation was not present under the Privacy Act 1993 and represents a major shift towards greater accountability and transparency in New Zealand privacy law.
New Zealand businesses that operate websites or online services must also be aware of the Unsolicited Electronic Messages Act 2007, which prohibits commercial electronic messages (including email marketing and SMS) unless the recipient has consented, the sender is identified, and a functional unsubscribe mechanism is provided. A thorough New Zealand Privacy Policy should address both the Privacy Act 2020 and the Unsolicited Electronic Messages Act 2007 where relevant. Complaints about privacy breaches are handled by the Office of the Privacy Commissioner, whose decisions can be referred to the Human Rights Review Tribunal for enforcement. Serious or repeated breaches can result in civil liability, compliance notices, and — in egregious cases — referral to the Director of Human Rights Proceedings. The Privacy Act 2020's extraterritorial reach also means overseas businesses that collect personal information from New Zealand residents may be subject to its requirements.
When Do You Need a Privacy Policy (New Zealand)?
A New Zealand Privacy Policy is needed by every organisation — including every business, regardless of size — that collects, holds, uses, or discloses personal information about individuals in New Zealand. This is because the Privacy Act 2020 applies universally to all agencies, with no small business exemption.
You need a Privacy Policy if you operate a website or online store that collects personal information (such as names, email addresses, or payment details) from visitors or customers. You need one if you provide professional services and collect client information. You need one if you operate a subscription service, SaaS platform, or any digital product that processes user data. You need one if you employ staff in New Zealand, as employee information is also personal information under the Privacy Act 2020.
From a practical standpoint, a Privacy Policy is essential for several additional reasons. Payment processors, app stores (including Apple App Store and Google Play), and digital advertising platforms typically require a Privacy Policy as a condition of using their services. If you collect email addresses for marketing purposes, the Unsolicited Electronic Messages Act 2007 requires that recipients can unsubscribe and that your identity as the sender is clear — both points typically addressed in a Privacy Policy. If your business handles personal information from individuals in the European Union, the General Data Protection Regulation (GDPR) may also apply to you independently of New Zealand law, typically requiring a more detailed Privacy Policy.
For New Zealand businesses that send personal information overseas — for example, by using US-based cloud services such as AWS, Google Cloud, Salesforce, Mailchimp, or similar platforms — IPP 12 of the Privacy Act 2020 requires that you take steps to confirm the overseas recipient protects the information in accordance with New Zealand privacy standards. Your Privacy Policy must disclose these overseas disclosures.
Given that the Privacy Act 2020 applies universally and breach notifications are now mandatory, having a clear, accurate, and up-to-date Privacy Policy is both a legal obligation and a fundamental element of customer trust for any New Zealand business.
What to Include in Your Privacy Policy (New Zealand)
A compliant New Zealand Privacy Policy must address all 13 Information Privacy Principles and include several key provisions.
Identification of the agency — The Privacy Policy must clearly identify who is collecting personal information, including the full legal name of the business, its NZBN (if registered), and contact details for the Privacy Officer or designated privacy contact. This satisfies IPP 1's requirement that the purpose of collection and the identity of the collecting agency be made known.
Purpose of collection — Under IPP 1 and IPP 3, individuals must be told at or before the time of collection what personal information is being collected and for what purpose. The Privacy Policy should clearly list all primary purposes for collection (e.g. processing orders, providing services, marketing).
Types of information collected and collection methods — The Privacy Policy must describe what types of personal information are collected (e.g. names, contact details, payment information, health information, usage data) and how they are collected (e.g. directly from the individual, through website forms, via cookies and analytics tools, from third parties).
Use and disclosure — Under IPPs 10 and 11, personal information may only be used for the primary purpose of collection and disclosed to third parties in limited circumstances. The Privacy Policy must explain who receives your customers' personal information, including domestic service providers and any overseas recipients.
Overseas disclosure (IPP 12) — Any disclosure of personal information to overseas recipients must be disclosed, with the countries identified and the steps taken to confirm equivalent protection described.
Security measures (IPP 5) — The Privacy Policy must describe the technical and organisational security measures in place to protect personal information from loss, misuse, and unauthorised access.
Access and correction rights (IPPs 6-7) — Individuals have the right to access their personal information and to request corrections. The Privacy Policy must explain how to exercise these rights and state the 20-working-day response timeframe under the Privacy Act 2020.
Mandatory breach notification — The Privacy Policy should disclose your obligation under sections 113-119 of the Privacy Act 2020 to notify individuals and the Privacy Commissioner of privacy breaches that cause or are likely to cause serious harm.
Complaint process — The Privacy Policy must explain how individuals can make a privacy complaint, both internally and to the Privacy Commissioner at www.privacy.org.nz. The forms-legal.com Privacy Policy (New Zealand) provides a ready-to-use template that meets New Zealand legal requirements.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Privacy Policy (New Zealand) (New Zealand) [Legal document template]. Forms Legal. https://forms-legal.com/new-zealand/business/policies/privacy-policy-new-zealand
"Privacy Policy (New Zealand) (New Zealand)." Forms Legal, 2026, https://forms-legal.com/new-zealand/business/policies/privacy-policy-new-zealand.
Frequently Asked Questions
Yes. Unlike the repealed Privacy Act 1993, the Privacy Act 2020 (NZ) applies to every agency — including all businesses, regardless of size or turnover — that collects, holds, uses, or discloses personal information about individuals in New Zealand. There is no small business exemption under the New Zealand Privacy Act. Under Information Privacy Principle 1 (IPP 1), you must have a clear and accessible privacy statement that explains your information practices. A published Privacy Policy is the standard way of meeting this obligation. Additionally, any website or online service that collects personal information — including through cookies, contact forms, account registration, or checkout processes — must have a Privacy Policy that accurately describes those practices. Under New Zealand law, specifically the Privacy Act 2020, parties should seek independent legal advice to confirm compliance with all applicable requirements and confirm the document meets the standards set by the relevant regulatory authorities.
The 13 Information Privacy Principles (IPPs) in the Privacy Act 2020 (NZ) set out legally binding standards for how agencies must handle personal information. IPP 1 requires collection only for a lawful purpose and limits collection to what is necessary. IPP 2 requires collection directly from the individual where practicable. IPP 3 requires agencies to tell individuals the purpose of collection at the time of collection. IPP 4 requires that personal information is collected in a way that is lawful, fair, and not unreasonably intrusive. IPP 5 requires agencies to protect personal information against loss, misuse, and unauthorised access. IPP 6 gives individuals the right to access their personal information. IPP 7 gives individuals the right to request correction of their information. IPP 8 requires agencies to check the accuracy of information before use. IPP 9 limits retention of personal information to what is necessary. IPP 10 restricts use of personal information to the primary purpose of collection. IPP 11 restricts disclosure to third parties. IPP 12 restricts the use of unique identifiers. IPP 13 (added by the 2020 Act) requires agencies to disclose personal information held offshore.
The Privacy Act 2020 introduced mandatory privacy breach notification (sections 113-119), which was not present under the repealed Privacy Act 1993. Under the 2020 Act, if your organisation experiences a privacy breach that has caused or is likely to cause serious harm to any individual, you must: (1) notify the affected individual(s) as soon as reasonably practicable; and (2) notify the Privacy Commissioner as soon as reasonably practicable. A privacy breach includes unauthorised or accidental access, disclosure, alteration, loss, or destruction of personal information. Serious harm is assessed by factors including the nature of the information, the likelihood of harm, and the sensitivity of the affected individuals. Failure to notify when required is an interference with the privacy of an individual and can result in action by the Privacy Commissioner and, ultimately, the Human Rights Review Tribunal.
Information Privacy Principle 12 of the Privacy Act 2020 restricts the disclosure of personal information to overseas recipients. Before disclosing personal information to an overseas person or entity, the New Zealand agency must take one of the following steps: (a) take reasonable steps to require that the overseas recipient will not breach the IPPs in relation to that information — this typically means entering into data transfer agreements requiring the overseas recipient to comply with New Zealand privacy standards; (b) believe on reasonable grounds that the overseas recipient is subject to privacy laws that provide comparable safeguards (such as the GDPR or Australian Privacy Act); or (c) obtain the individual's express authority to make the disclosure after informing them that the New Zealand privacy protections may not apply overseas. Using overseas cloud services (AWS, Google Cloud, Azure, Salesforce, etc.) typically constitutes an overseas disclosure and must be addressed in your Privacy Policy.
An individual who believes their privacy rights have been breached by an organisation can first raise the complaint directly with that organisation. If the organisation does not resolve the complaint within a reasonable time, or if the individual is not satisfied with the response, they can lodge a complaint with the Privacy Commissioner at www.privacy.org.nz. The Privacy Commissioner has broad powers to investigate privacy complaints, issue compliance notices, and refer matters to the Human Rights Review Tribunal. The Tribunal can order organisations to cease breaching the Privacy Act, to correct or delete personal information, and to pay damages to affected individuals. Complaints to the Privacy Commissioner are free of charge and the process is designed to be accessible without legal representation.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.