Reading time: 5 minutes

The General Data Protection Regulation (GDPR) is a network of laws that protect the privacy rights of European Union (EU) residents. It sets out the nature of these rights and restrictions and requirements for organisations that process personal data. Additionally, the GDPR includes penalties for organisations that breach its rules, including fines up to €20 million or 4% of annual global turnover. These data protection laws can also apply to businesses outside of the EU, so they may be relevant for your business. Consequently, if you are subject to the GDPR, then you will need to make sure you draft a data processing agreement when it is necessary. 

What Is the GDPR?

The GDPR is a privacy-focused set of laws that places great importance on protecting the privacy rights of EU residents. Organisations it applies to must follow its rules and provide evidence of their compliance with various forms of documentation and systems.

Its rules are similar to New Zealand’s own Privacy Act, which you will need to follow if you deal with personal information in New Zealand. However, some of its requirements go further, and you will need to ensure you know when this is the case.

For example, the GDPR requires that you get informed and explicit consent from individuals to process their personal data online. However, the New Zealand Privacy Act instead focuses on you having a legitimate business purpose when you do so.

Under the GDPR, you need to tell people when you process their personal data in a way that is:

  • concise;
  • transparent;
  • intelligible;
  • easily accessible; and
  • in plain language.

For this reason, you need to have a privacy policy or notice.

Does the GDPR Apply to My NZ Business?

The GDPR applies to any organisation that processes personal data, which is any data relating to an identified or identifiable person. Examples include:

  • names;
  • location data; 
  • online identifiers, such as usernames; and
  • factors specific to the physical, cultural, social, or similar identity of a living individual.

Personal data is a broad term and can include various types of personal information. Therefore, the GDPR applies to many organisations within the EU that process personal data, which includes its:

  • collection;
  • use;
  • storage; or
  • disclosure.

However, the GDPR is extra-territorial, which means it can also apply to businesses outside of the EU itself. For example, it may apply to your New Zealand business if you:

  • have a presence in the EU, such as staff working there;
  • offer goods or services to residents of the EU; or
  • monitor the behaviour of residents in the EU, which can include using web analytics services.

For instance, if you sell your New Zealand based products to residents in the EU, you will likely process their personal data (such as delivery addresses or credit card details) to do so. Subsequently, the GDPR will apply to your business.

Furthermore, the GDPR differentiates between data “controllers” and “processors”. Data controllers determine why and how they process data. On the other hand, data processors are third parties that deal with data processing on behalf of a data controller. Depending on your business, you could be one or both of these. Multiple businesses can also be joint controllers together.

As an example, the cloud server that stores the personal data your business keeps would be your data processor, while you would be the data controller.

What Is a Data Processing Agreement?

The GDPR requires that whenever a processor handles personal data on behalf of a controller, they need to do so under a binding contract between the two parties. A data processing agreement is this contract. You may have this as its own standalone contract or include it as a clause or addendum as part of a larger agreement. A data processing agreement usually details, among other things:

  • the purpose and nature of the data processing;
  • the type of data processing, such as health or location information;
  • how the processor deals with personal data;
  • how long the data processing occurs for;
  • the processor’s rights and obligations;
  • the controller’s rights and obligations;
  • measures to comply with the GDPR;
  • plans for dealing with data breaches;
  • security duties;
  • what happens to personal data when the contract ends; and
  • authorised disclosures.

The exact nature of your data processing agreement will depend on your circumstances.

Suppose the GDPR applies to your business and you engage third party services to process the personal data you collect from EU residents. In that case, you need to ensure you have any necessary data processing agreements. It is your responsibility to ensure any personal data that is the subject of a data processing agreement is safe and has appropriate protection measures.

Key Takeaways

If you do business with EU residents, such as selling them your goods or services, you will likely process their personal data when you do so. Therefore, you need to ensure you comply with your GDPR obligations. One of these is to have a data processing agreement with any data processors or controllers you engage with. If you would like more information, or help with your data processing agreement, contact LegalVision’s data, privacy, and IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is the GDPR?

GDPR stands for General Data Protection Regulation. The GDPR is a set of data protection laws that aim to secure the privacy rights of European Union residents.

What is a Data Processing Agreement?

A data processing agreement is a contract between a data processor and a data controller. It sets out the nature of their relationship and compliance requirements under the GDPR.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.

The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. From just $119 per week, get all your contracts sorted, trade marks registered and questions answered by experienced business lawyers.

Learn more about LVConnect

Need Legal Help? Get a Free Fixed-Fee Quote

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

Our Awards

  • 2019 Top 25 Startups - LinkedIn
  • 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Winner – Australasian Lawyer
  • 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2021 Law Firm of the Year - Australasian Law Awards
  • 2020 Law Firm of the Year Finalist - Australasian Law Awards