Tompkins Wake
What law(s) specifically govern personal data / information?
The Privacy Act 2020 (the Act).
The Act came into force on 1 December 2020, and replaces the Privacy Act 1993.
There are also currently seven codes of practice issued under the Act which modifies the operation of the Act for specific industries, organisations or type of personal information. The codes of practice are:
- Civil Defence National Emergencies (Information Sharing) Code 2020;
- Credit Reporting Privacy Code 2020;
- Health Information Privacy Code 2020;
- Justice Sector Unique Identifier Code 2020;
- Superannuation Schemes Unique Identifier Code 2020; and
- Telecommunications Information Privacy Code 2020.
- Biometrics Processing Privacy Code 2025.
The Biometrics Processing Privacy Code 2025 was issued on 21 July 2025 and comes into force:
- 3 November 2025 for biometric processing that starts after 3 November 2025; and
- 3 August 2026 for biometric processing already in use on or before 3 November 2025.
The Biometrics Processing Privacy Code 2025 sets out the privacy rules for organisations and businesses that collect and use a person’s biometric information in biometric processing including, for example, facial recognition technology.
In addition, the Customer and Product Data Act 2025 established a framework to enable greater access to, and sharing of, customer and product data between businesses (including personal information).
What are the key data protection principles in this jurisdiction?:
Almost every person or organisation that collects or holds personal information is an 'Agency' and subject to the Act. This includes individuals, companies, government departments, religious groups, schools, clubs and so on.
'Personal information' under the Act is any information about a living identifiable individual.
The Act sets out 13 Information Privacy Principles (IPP) relating to the collection, use, disclosure, storage and security of an individual's personal information which are summarised below.
Purpose of collection (IPP 1)
Agencies must only collect personal information if it is for a lawful purpose connected with their functions or activities, and the information is necessary for that purpose.
Source of personal information (IPP 2)
Personal information should be collected directly from the individual concerned unless the Agency believes on reasonable grounds that:
- the information is publicly available;
- the individual concerned authorises collection of the information from someone else;
- non-compliance would not prejudice the interests of the individual concerned;
- non-compliance is necessary;
- to avoid prejudice to the maintenance of the law
- for the enforcement of a law that imposes a pecuniary penalty
- for the protection of public revenue
- for the conduct of proceedings before any court or tribunal
- to prevent or lessen a serious threat to the life or health of the individual concerned or any other individual
- compliance would prejudice the purposes of the collection;
- compliance is not reasonably practicable in the circumstances of the case
- the information;
- will not be used in a form in which the individual concerned is identified; or
- will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned; and
- collection is authorized by the Privacy Commissioner under the Act.
Collection of information from subject (IPP 3)
When collecting personal information from the individual concerned, reasonable steps must be taken to ensure the individual is aware of:
- The fact that the personal information is being collected;
- The purpose for which it is being collected;
- The intended recipients;
- The name and address of the entity collecting the information, and of the entity that will hold the information;
- Where the collection is authorised or required by law, the particular law requiring the information to be given and whether the provision of information is voluntary or compulsory;
- Any consequences of not providing all or part of the information; and
- The individual's rights of access to, and correction of, their personal information under the Act.
Manner of collection of personal information (IPP 4)
Personal information must be collected by means that are lawful, fair and not unreasonably intrusive.
Storage and Security (IIP 5)
Agencies must ensure there are reasonable safeguards in place to prevent loss, disclosure or misuse of personal information. Where the information is required to be given to a person in connection with the provision of a service to the Agency, the Agency should do everything reasonably within its power to prevent unauthorised use or disclosure of the information.
Access to personal information (IPP 6)
Individuals have a right to ask for confirmation of whether information is held about them and a right to access their own personal information if it can readily be retrieved.
Correction of personal information (IPP 7)
A person has a right to ask an Agency that holds personal information about them to correct their information if they think it is incorrect and a right to request notice of a correction sought but not made to be attached to the information.
Accuracy (IPP 8)
An Agency must check before using or disclosing personal information that it is accurate, up to date, complete, relevant and not misleading.
Agency not to keep personal information for longer than necessary (IPP 9)
An Agency should not keep personal information for longer than it is required for the purposes for which the information may lawfully be used.
Limits on use (IPP 10)
An Agency can generally only use personal information for the purpose for which it was collected. The Act provides a number of exceptions including, for example, where the purpose for which the information will be used is directly related to the purpose in connection with which the information was obtained, and use where the information is de-identified.
Limits on disclosure (Privacy Principle 11)
An Agency may only disclose personal information to a third party in limited circumstances prescribed by the Act.
Disclosure outside New Zealand (IPP 12)
An Agency may only disclose personal information to a foreign person or entity if:
- the individual consents; and
- the overseas recipient of the personal information will protect the data in a way that is consistent with New Zealand privacy laws.
Unique identifiers (IPP 13)
An Agency can only use unique identifiers if the identifier is necessary to enable the Agency to carry out its functions efficiently. There are limited circumstances in which an Agency may knowingly use the same identifier assigned by another agency for an individual.
In addition, the Customer and Product Data Act 2025 was passed into law on 29 March 2025. The purpose of which is to establish a framework to:
- give customers greater control over their data (including personal data), making it easier for them to switch providers (e.g. banking, electricity, and telecommunications);
- allow for innovation and the introduction of new products and services;
- enable efficient data services; and
- provide a standardised and secure way for customers to access and use their data.
The Customer and Product Data Act 2025 applies to:
- individual sectors through a designation process, which sets out the basic requirements that will apply to the sectors designated; and
- allows for further regulations and standards that set out additional requirements.
At a high level, the Customer and Product Data Act 2025 sets out when a data holder must:
- provide data to a customer or to an accredited requestor;
- perform certain actions on an account following a customer or an accredited requestor’s request; and
- provide data and information about particular products on request.
What is the supervisory authority / regulator in charge of data protection?
The Office of the Privacy Commissioner (Privacy Commissioner).
Is there a requirement to register with a supervisory authority / regulator?
No. The Act does not require an Agency to register with the Privacy Commissioner prior to personal information being collected, used, disclosed, stored or otherwise processed.
However, personal information may only be collected, used, disclosed, stored or otherwise processed by an Agency for lawful purposes connected with a function or activity of that Agency after obtaining the individual's authorisation and otherwise in accordance with the IPP discussed above.
Is there a requirement to notify the supervisory authority / regulator?
No prior notification to the Privacy Commissioner is required before commencing any information processing activities in New Zealand, or prior to transferring or disclosing data outside New Zealand.
For completeness, in the event of a privacy breach that is reasonably believed to cause harm, or to be likely to cause harm, to an affected individual or individuals (Notifiable Breach), the Act provides for mandatory notification to the Privacy Commissioner and any affected individuals. This is discussed further in relation to Question 10 below.
Is it possible to register with / notify the supervisory authority / regulator online?
As stated above, no registration or notification to the Privacy Commissioner is required before commencing any information processing activities in New Zealand, or prior to transferring or disclosing data outside New Zealand.
Notifiable Breaches may be notified to the Privacy Commissioner using the “NotifyUs” facility on its website at https://privacy.org.nz/responsibilities/privacy-breaches/notify-us/ . The website incorporates tools to assist in assessing whether or not notification is required.
What are the key data subject rights under the data protection laws of this jurisdiction?
Generally, individuals have the right to:
- Know whether personal information is being collected about them;
- Have their personal information kept safe and secure;
- Authorise the collection, use, storage, disclosure and processing of their personal information;
- Access to their personal information; and
- Request the correction of personal information they do not consider to be correct or complete.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes. The Act requires that every Agency appoints a privacy officer to ensure that the Agency is complying with its privacy obligations. The privacy officer can be located in or outside of New Zealand.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
No. The Act does not require data protection impact assessments to be provided to the Privacy Commissioner.
However, a 'Privacy Impact Assessment Toolkit' is available on the website of the Privacy Commissioner to assist Agencies to perform self-assessments if they choose to do so.
For completeness, in the event of a privacy breach the Agency will need to perform a self-assessment of the likelihood of serious harm occurring as a result of the privacy breach in order to determine whether a breach notification to the Privacy Commissioner is required under the Act.
The Privacy Commissioner has also launched an online toolkit called Poupou Matatapu, which is also available on its website. This toolkit can help assist agencies to “do privacy well” as it clearly sets out the Privacy Commissioner’s expectations in regard to privacy compliance and data protection.
Does this jurisdiction have any specific data breach notification requirements?
Yes. Where a privacy breach occurs that causes, or is likely to cause, 'serious harm' to an affected individual or individuals, the breach must be notified to the Privacy Commissioner and the affected individuals as soon as practicable after becoming aware of the breach. The expectation is that a breach notification should be made to the Privacy Commissioner no later than 72 hours after agencies are aware of a notifiable privacy breach.
The breach notification to the Privacy Commissioner must:
- Describe the notifiable privacy breach;
- Explain the steps the Agency has taken or intends to take in response to the breach;
- Whether the Agency has or will notify any affected individuals and, if not, why;
- The names of individuals or organisations in which the Agency has contacted about the privacy breach; and
- Contact person for further inquiries.
The breach notification to the affected individual must include the above information as well as the following:
- Any steps the affected individuals may wish to take to mitigate any the risk of harm or loss (when notifying the individual);
- The affected individual's right to complain to the Privacy Commissioner; and
- Confirmation that the Privacy Commissioner has been notified.
When considering whether 'serious harm' has occurred or is likely to occur to warrant mandatory notification of the breach, the Agency must consider the following factors:
- Any action taken by the Agency to reduce the risk of harm following the breach;
- Whether the personal information is sensitive in nature (there is no statutory category of 'sensitive information' in New Zealand. The term refers to the type of personal information that is the subject of the breach);
- The nature of the harm that may be caused to affected individuals;
- The person or body that has obtained or may obtain personal information as a result of the breach (if known);
- Whether the personal information is protected by a security measure; and
- Any other relevant matters.
What restrictions apply to the international transfer of personal data / information?
Personal information may only be disclosed by an Agency to an overseas recipient, including a data storage provider, if:
- The relevant individual consents to the disclosure after being expressly informed that the recipient may not be required to protect the information to the same extent required by the Act; or
- The disclosing Agency believes on reasonable grounds that the overseas recipient either:
- is subject to the Act because the overseas recipient carries on business in New Zealand;
- is subject to privacy laws that provide comparable safeguards to the Act;
- is covered by a 'binding scheme' or is subject to the privacy laws of a 'prescribed country' specified in regulations; or
- The disclosing Agency has taken reasonable steps to ensure that the overseas recipient will protect the information in a way that, overall, provides comparable safeguards to those in the Act (for example, pursuant to a data protection agreement).
If an Agency holds information on behalf of a third party the information will be treated as held by that third party and transfer of information as between that Agency and the third party, for example for processing, is not a transfer of information for the purposes of the Act.
In practice, Agencies take the following steps to enable the lawful disclosure of personal information outside New Zealand:
- Ensure its privacy policy and relevant documentation clearly inform individuals that their personal information will be shared with recipients outside New Zealand and the reasons for the disclosure (e.g., data storage, provision of services, etc);
- Conduct due diligence on the overseas recipient to ensure that it will protect the information in a manner that is equivalent to protection available under the Act; and
- Enter into data protection agreements with the overseas recipient prior to the disclosure.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes. Overseas organisations that 'carry on business in New Zealand' are subject to the Act.
Whether an overseas organisation is 'carrying on business in New Zealand' will depend on the specific circumstances as the term is not defined in the Act.
However, an overseas organisation may be treated as 'carrying on business in New Zealand' without necessarily:
- Being a commercial operation;
- Having a place of business in New Zealand;
- Receiving any monetary payment for the supply of goods or services; or
- Intending to make a profit from its business in New Zealand.
What rules specifically deal with marketing?
The Agency must obtain the individual's consent to use their personal information for marketing purposes as required by the Act.
In addition to New Zealand privacy law requirements, agencies must also comply with general consumer protection laws and the Unsolicited Electronic Messages Act 2007 where electronic messages are being used for marketing purposes.
Do different rules apply to business-to-business and business-to-consumer marketing?
No. The Act applies to the use of personal information for marketing purposes irrespective of whether the marketing is on a B2B or B2C basis.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
The Unsolicited Electronic Messages Act 2007 provides that 'commercial electronic messages' that promotes a good, service, land, interest in land or a business or investment opportunity may only be sent to an individual if:
- That individual has given the sender their consent;
- The electronic message includes a functional unsubscribe facility to enable the individual to unsubscribe from receiving commercial electronic messages at any time; and
- The electronic message contains accurate information about the 'sender'.
The Act applies to B2B and B2C communications and covers email, fax, instant messaging via online platforms, and texts, but does not cover online advertisements or voice calls.
What rules specifically deal with cookies?
There are no specific rules dealing with the use of cookies in New Zealand. Cookies are permitted in New Zealand provided that their use complies with the Act. Where cookies collect any personal information that can identify a person, it is a requirement to inform that person.
What are the consequences of non compliance with data protections laws (including marketing laws)?
There are a range of consequences for breaching the Act, including criminal liability for both the overseas company and its directors, with fines of up to NZD$10,000.
Complaints may be referred by the Privacy Commissioner to the Human Rights Review Tribunal (Tribunal). The Act now permits the Tribunal to bring class actions for a personal data breach on behalf of aggrieved individuals. If successful, each member of the class action may be awarded up to NZD$350,000.
Liability for breaching the Unsolicited Electronic Messages Act 2007 includes fines of up to NZD$200,000 for an individual and NZD$500,000 for a body corporate.
The maximum penalty under the Customer and Product Data Act 2025 for Tier 1 offences (for example a data holder failing to operate an electronic system for providing regulated data services, data holder failing to verify identity, or making a request as an unauthorised person) is NZD$500,000 for an individual and NZD$2,500,000 in all other cases. For Tier 2 offences, penalties apply for a wide range of offences including failure of a data holder to provide customer data to customers or accredited requestors, failing to confirm customer authorisations or failing to perform certain actions on requests, is NZD$200,000 for individuals and NZD$600,000 in all other cases.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
The Act has extra-territorial application and applies to an overseas company that 'carries on business in New Zealand', whether or not the overseas company has a physical presence in New Zealand. Accordingly, any disclosure of personal information outside of New Zealand is lawfully permitted under the Act if, and only if, the specific requirements for overseas disclosure are met, namely that the overseas recipient will protect the information in a way that is comparable to the requirements under the Act.
The best and most practical way to ensure the 'comparable safeguard' requirement is met is by having a specific agreement between the disclosing Agency and the overseas recipient.
New Zealand law does not prescribe what those contractual arrangements ought to be or their form, however model contracts have been provided by the New Zealand Privacy Commissioner which can be voluntarily adopted, if suitable.
What upcoming data protection developments should multinational organisations be aware of?
The Privacy Amendment Bill (which received its third reading in Parliament in May 2025) proposes to include new disclosure requirements in the form of a new information privacy principle 3A (IPP3A). Parliament has indicated that IPP3A will come into force on 1 May 2026.
The proposed IPP3A would require (with some exceptions) an Agency collecting personal information from a source other than from the individual concerned to take reasonable steps to ensure that the individual is aware of:
- the fact the information has been collected and the purpose of collection;
- the recipients of the information;
- the name and address of the Agency collecting and holding the information;
- whether the collection is authorised or required by law; and
- the individual’s rights of access to and correction of the information.
Following the enactment of the Customer and Product Data Act 2025, the Government is in the process of:
- drafting regulations that will designate the banking sector or accelerate ‘open banking’, which allow customers to ability share their banking information with trusted third parties, such as fintechs and allow accredited persons to initiate payments on behalf of customers. These regulations are expected to be in force from December 2025; and
- exploring the ability of regulations that designates the electricity sector under the Customer and Product Data Act 2025. This will allow customers in New Zealanders to share information about their electricity consumption with trusted third parties, such as comparison websites and may require electricity companies to share their ‘pricing’ information on their goods and services.