All Countries
Data Privacy
Data Processing Addendum

Data Processing Addendum Template for New Zealand

Create a bespoke document in minutes,  or upload and review your own.

4.6 / 5
4.8 / 5

Let's create your Data Processing Addendum

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get your first 2 documents free

Your data doesn't train Genie's AI

You keep IP ownership of your information

Key Requirements PROMPT example:

Data Processing Addendum

"I need a Data Processing Addendum for my software company that will process customer data in both New Zealand and Australia, with specific provisions for cross-border transfers and cloud storage services starting from March 2025."

Celebrated by
Collaborations with
Investors
Document background
The Data Processing Addendum (DPA) is an essential legal document used when an organization (the data controller) engages another party (the data processor) to process personal information on its behalf. This document is particularly crucial in the New Zealand context, where the Privacy Act 2020 imposes strict requirements on organizations handling personal information. The DPA supplements the main service agreement between parties and specifically addresses data protection obligations, security requirements, and compliance measures. It should be used whenever a service provider will have access to or process personal information on behalf of another organization, regardless of the industry or scale of processing. The document includes crucial provisions about data security, breach notification, sub-processor engagement, and international data transfers, ensuring compliance with New Zealand privacy laws while also considering international data protection standards.
Suggested Sections

1. Parties: Identification of the data controller and data processor, including full legal names and registered addresses

2. Background: Context of the addendum, reference to the main agreement, and purpose of the data processing relationship

3. Definitions: Key terms used in the addendum, including 'personal information', 'processing', 'data subject', 'privacy breach', etc.

4. Scope and Purpose of Processing: Detailed description of the types of personal information to be processed and the specific purposes for processing

5. Obligations of the Processor: Core responsibilities of the data processor, including processing only on documented instructions, confidentiality commitments, and security measures

6. Obligations of the Controller: Responsibilities of the data controller, including providing lawful instructions and ensuring legal basis for processing

7. Security Measures: Technical and organizational security measures required to protect personal information

8. Privacy Breach Management: Procedures for detecting, reporting, and responding to privacy breaches

9. Audit Rights: Controller's rights to audit the processor's compliance and processor's obligations to assist

10. Sub-processing: Conditions and requirements for engaging sub-processors

11. Term and Termination: Duration of the addendum and conditions for termination

12. Return or Deletion of Data: Obligations regarding personal information upon termination of services

Optional Sections

1. Cross-border Transfers: Requirements for transferring personal information outside New Zealand - include when international data transfers are contemplated

2. Specialized Processing Activities: Additional requirements for special categories of personal information or high-risk processing - include when processing sensitive data

3. Data Protection Impact Assessments: Processor's obligations to assist with impact assessments - include for high-risk processing activities

4. Government Access Requests: Procedures for handling government requests for personal information - include when operating in multiple jurisdictions

5. Insurance Requirements: Specific insurance obligations related to data processing - include for high-value or high-risk processing

6. Disaster Recovery: Detailed disaster recovery and business continuity requirements - include for critical processing activities

Suggested Schedules

1. Schedule 1 - Processing Details: Detailed description of processing activities, including categories of data subjects, types of personal information, and processing purposes

2. Schedule 2 - Security Measures: Detailed technical and organizational security measures implemented by the processor

3. Schedule 3 - Approved Sub-processors: List of pre-approved sub-processors and their processing activities

4. Schedule 4 - Privacy Breach Response Plan: Detailed procedures and contact information for privacy breach response

5. Appendix A - Data Transfer Mechanisms: Specific mechanisms and safeguards for international data transfers

6. Appendix B - Audit Requirements: Detailed audit procedures, timelines, and requirements

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Linkedin in social icon imageX social icon image
alex.den.21@genieai.co
Relevant legal definitions
Agreement
Authorised Person
Business Day
Confidential Information
Controller
Data Subject
Information Privacy Principles
Personal Information
Privacy Act
Privacy Breach
Privacy Commissioner
Processor
Processing
Regulatory Authority
Representative
Security Measures
Services
Sub-processor
Technical and Organisational Measures
Term
Third Party
Transfer Mechanism
Overseas Recipient
Cross-border Transfer
Privacy Framework
Notifiable Privacy Breach
Processing Instructions
Processing Records
Security Event
Sensitive Information
Clauses
Interpretation
Appointment
Scope of Processing
Controller Obligations
Processor Obligations
Sub-processing
Confidentiality
Security
Privacy Breach Notification
Data Subject Rights
Impact Assessments
Audit Rights
Cross-border Transfers
Technical Requirements
Personnel Requirements
Record Keeping
Liability
Insurance
Term and Termination
Data Return and Deletion
Governing Law
Dispute Resolution
Force Majeure
Assignment
Notices
Severability
Entire Agreement
Variation
Regulatory Compliance
Government Access
Relevant Industries

Technology and Software

Healthcare and Medical Services

Financial Services

Professional Services

E-commerce and Retail

Education

Insurance

Telecommunications

Government and Public Sector

Manufacturing

Research and Development

Marketing and Advertising

Cloud Services

Consulting

Relevant Teams

Legal

Compliance

Information Security

IT

Risk Management

Operations

Procurement

Privacy

Information Governance

Data Protection

Vendor Management

Relevant Roles

Chief Privacy Officer

Data Protection Officer

Privacy Manager

Legal Counsel

Compliance Officer

Information Security Manager

IT Director

Chief Information Security Officer

Risk Manager

Operations Manager

Procurement Manager

Contract Manager

Chief Technology Officer

Privacy Analyst

Information Governance Manager

Industries
Privacy Act 2020: New Zealand's primary data protection legislation that sets out the privacy principles, regulates how personal information can be collected, used, and disclosed, and includes mandatory data breach reporting requirements.
Contract and Commercial Law Act 2017: Provides the fundamental legal framework for forming and enforcing contracts in New Zealand, including electronic transactions and digital signatures.
Fair Trading Act 1986: Ensures fair conduct in trade and protects against misleading and deceptive conduct, which is relevant for data processing terms and representations.
Unsolicited Electronic Messages Act 2007: Relevant if the data processing involves electronic marketing or communications, regulating spam and electronic message consent requirements.
Consumer Guarantees Act 1993: May be relevant if the data processing services are provided to consumers, ensuring quality and fitness for purpose of services.
Privacy (Cross-border Information) Amendment Act 2010: Specifically addresses international data transfers and the requirements for sending personal information overseas.
Teams

Employer, Employee, Start Date, Job Title, Department, Location, Probationary Period, Notice Period, Salary, Overtime, Vacation Pay, Statutory Holidays, Benefits, Bonus, Expenses, Working Hours, Rest Breaks,  Leaves of Absence, Confidentiality, Intellectual Property, Non-Solicitation, Non-Competition, Code of Conduct, Termination,  Severance Pay, Governing Law, Entire Agreemen

Find the exact document you need

Intra Group Data Processing Agreement

A New Zealand law-governed agreement regulating intra-group personal data processing activities and ensuring Privacy Act 2020 compliance within corporate groups.

find out more

Pre Negotiation Agreement

A New Zealand law-governed agreement establishing terms for preliminary business negotiations, including confidentiality and non-binding provisions.

find out more

Product Development Non Disclosure Agreement

A New Zealand-law governed agreement protecting confidential information shared during product development activities.

find out more

Joint Controller Agreement

A New Zealand law-governed agreement establishing responsibilities and obligations between organizations that jointly control and process personal data under the Privacy Act 2020.

find out more

Data Processing Addendum

A New Zealand-compliant legal agreement governing the processing of personal information between a data controller and data processor under the Privacy Act 2020.

find out more

Data Agreement

A New Zealand-compliant agreement governing the terms and conditions for data handling between parties, ensuring alignment with local privacy laws and regulations.

find out more

Subprocessor Agreement

A New Zealand law-governed agreement that regulates the relationship between a data processor and subprocessor for handling personal data processing activities.

find out more

DPA Contract

A New Zealand-compliant Data Processing Agreement governing personal data handling between controllers and processors under NZ Privacy Act 2020.

find out more

Controller To Controller Data Processing Agreement

A New Zealand-compliant agreement governing personal data sharing between two independent data controllers, ensuring adherence to the Privacy Act 2020.

find out more

DPA Agreement

A New Zealand-compliant agreement governing the processing of personal data between a controller and processor, ensuring adherence to the Privacy Act 2020.

find out more

Data Transfer Addendum

A New Zealand law-compliant addendum governing cross-border personal data transfers under the Privacy Act 2020, establishing security measures and compliance requirements.

find out more

International Data Transfer Agreement

A New Zealand law-governed agreement establishing requirements and safeguards for international transfer of personal and business data, ensuring compliance with NZ Privacy Act 2020.

find out more

Data Protection Addendum

A legal document under New Zealand law that establishes data protection obligations and privacy compliance requirements between parties processing personal information.

find out more

Download our whitepaper on the future of AI in Legal

By providing your email address you are consenting to our Privacy Notice.
Thank you for downloading our whitepaper. This should arrive in your inbox shortly. In the meantime, why not jump straight to a section that interests you here: https://www.genieai.co/our-research
Oops! Something went wrong while submitting the form.

Genie’s Security Promise

Genie is the safest place to draft. Here’s how we prioritise your privacy and security.

Your documents are private:

We do not train on your data; Genie’s AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

Our bank-grade security infrastructure undergoes regular external audits

We are ISO27001 certified, so your data is secure

Organizational security

You retain IP ownership of your documents

You have full control over your data and who gets to see it

Innovation in privacy:

Genie partnered with the Computational Privacy Department at Imperial College London

Together, we ran a £1 million research project on privacy and anonymity in legal contracts

Want to know more?

Visit our Trust Centre for more details and real-time security updates.

Read our Privacy Policy.