Office of the Privacy Commissioner | Model Clause Agreement Builder

Introduction

This agreement is between two parties: the Discloser and the Recipient. The Discloser has personal information that it wants to share with the Recipient.

The Recipient is based outside New Zealand. New Zealand’s Privacy Act 2020 requires that the Discloser must have a reasonable basis to believe that the personal information it discloses to the Recipient will still be covered by safeguards comparable to those in the Act. This agreement is designed to help provide those safeguards.

This agreement is made up of 2 parts. The Details in Part 1 are specific to the parties to this agreement. The General Terms in Part 2 are standard legal clauses designed to work with the Details in Part 1.

In this agreement, terms that start with a capital letter and appear as headings in the Details (for example, Start Date, Discloser and Recipient) have the meanings given in the Details. Also:

Details means the details set out in Part 1 of this agreement.

End Date means the date this agreement is terminated in accordance with its terms.

General Terms means the general terms set out in Part 2 of this agreement.

Individual means an individual to whom the transferred information relates.

Personal information means information about an identifiable individual.

Privacy Act means the Privacy Act 2020 (NZ).

Privacy Commissioner means the Privacy Commissioner holding office under the Privacy Act.

Transferred information has the meaning given in the Details, but also includes any personal information about an Individual that is inferred or derived from the transferred information after it is disclosed to the Recipient (whether inferred or derived solely from the transferred information, or with a meaningful contribution from the transferred information).

Part 1: Details

Part 1: Details (Required Terms)

Start Date

When will the cross-border transfer of personal information start?

Start date for the cross-border transfer of personal information

Discloser

What is the full legal name of the individual or organisation sending the personal information? If you can, provide any other helpful identifying details e.g. NZBN, company number or registered address.

Full legal name of the individual or organisation sending the personal information

Recipient

What is the full legal name of the overseas individual or organisation receiving the personal information? If you can, provide any other helpful identifying details, company number or registered address.

Full legal name of the overseas individual or organisation receiving the personal information

Related Agreements

If the sending of personal information by the Discloser to the Recipient is part of one or more other agreements between the two parties, you can list the other agreement(s) here, to create a link between this agreement and the other agreement(s).

If one or more related agreements are listed below, then this agreement will terminate automatically once all those agreements have been terminated or expired. This will not affect the continuing obligations under clause 7.4 of the General Terms.

If there are no related agreements, leave this field blank and move to the next question.

If the sending of personal information by the Discloser to the Recipient is part of one or more other agreements between the two parties, the agreement(s) are listed here to create a link between this agreement and the other agreement(s).

If one or more related agreements are listed, then this agreement will terminate automatically once all those agreements have been terminated or expired. This will not affect the continuing obligations under clause 7.4 of the General Terms.

Transferred Information

Identify what personal information will be covered by this agreement. To keep things short, this is referred to everywhere else in this agreement as “transferred information”. The transferred information can be a one-off disclosure or an ongoing or periodic disclosure. Tick whatever applies and complete the corresponding information as required.

This is a required term for the agreement and you must complete it.

The personal information covered by this agreement is as follows. To keep things short, this is referred to everywhere else in this agreement as “transferred information”.

One-off disclosure

The Transferred Information consists of the following personal information disclosed by the Discloser to the Recipient on a one-off basis:

Ongoing or periodic disclosure

The Transferred Information consists of all personal information disclosed by the Discloser to the Recipient while this agreement is in place, i.e. from the Start Date up to and including the End Date.

The Transferred Information consists of the following personal information disclosed by the Discloser to the Recipient while this agreement is in place, i.e. during the period from the Start Date up to and including the End Date:

Personal information disclosed in connection with the related agreement(s)

Personal information disclosed in connection with the following activities or arrangements:

Other categories of personal information, as follows:

Permitted Uses

How is the Recipient allowed to use the transferred information? If applicable, you can also tick the box to allow the Recipient to use the transferred information for other uses that are directly related.

This is a required term for the agreement and you must complete it.

The Recipient is allowed to use the transferred information as follows.

Permitted Use 1

The Recipient can use the Transferred Information as follows…

The Recipient can also use the above information for any directly related purpose

Privacy Breach Notification

Who is responsible for giving notice to Individuals affected by a notifiable privacy breach? Under New Zealand's Privacy Act 2020, a privacy breach is notifiable if it has caused or is likely to cause serious harm to affected individuals. Select the Recipient or the Discloser below.

This is a required term for the agreement and you must complete it.

The party specified below is responsible for giving notice to Individuals affected by a notifiable privacy breach. Under New Zealand's Privacy Act 2020, a privacy breach is notifiable if it has caused or is likely to cause serious harm to affected individuals.

is responsible for giving notice to Individuals affected by a notifiable privacy breach

Local Data Law

What data protection laws apply in the Recipient’s home country?

If you know what they are, list the applicable laws. If you do not, ask the Recipient to complete this field when they sign the Agreement.

The data protection laws applicable in the Recipient’s home country are as listed below. (The Recipient is required to list the applicable laws when signing the Agreement if they have not already been listed, or listed correctly, by the Discloser.)

The Recipient also undertakes to notify the Discloser as soon as reasonably practicable after any new applicable law is enacted. A Recipient’s notification of a local data law forms part of this agreement.

Part 1: Details (Optional Terms)

Permitted Disclosures

Optional - move to the next question if not applicable

Are there third parties with whom the Recipient is allowed to share the transferred information? If so, list those third parties here, along with details of the purposes for which those third parties can receive the information, plus any conditions on the third parties’ handling of the information.

If applicable, you can also tick the box to allow the Recipient to share the specified information with the third parties for any directly related purpose.

The Recipient is allowed to share the transferred information with third parties as follow.

Permitted Disclosure 1

Third party recipients

Purposes and/or conditions

The Recipient can also share the above information with the third parties for any directly related purpose

Security

Optional - move to the next question if not applicable

Are there any specific security requirements that the Recipient must put in place to protect the transferred information, over and above what is required by clause 1.3 of the General Terms?

The Recipient must put in place the following specific security requirements to protect the transferred information, over and above what is required by clause 1.3 of the General Terms

Sensitive Information

Optional - move to the next question if not applicable

Does the transferred information include any particularly sensitive information? For example, information that relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation or sex life, criminal convictions or offences, or an individual's genetic, biometric or health data.

If so, the parties may want to consider whether the Recipient should be required to apply additional precautions to protect the sensitive information. Use the fields below to specify any additional precautions if required.

The Recipient is required to apply the following additional precautions to protect the sensitive information included in the transferred information.

Sensitive Information 1

Description of Sensitive Information

Additional Precautions

Deletion

Optional - move to the next question if not applicable

When transferred information is no longer required for any of the permitted uses, the Recipient must promptly and securely destroy or delete that transferred information, as required by clause 1.5 of the General Terms. In addition, if a particular event or date is specified below, then when that event occurs or that date arrives, the Recipient will promptly destroy or delete the relevant transferred information as specified.

When transferred information is no longer required for any of the permitted uses, the Recipient must promptly and securely destroy or delete that transferred information, as required by clause 1.5 of the General Terms. In addition, if the particular event or date specified below occurs or arrives, the Recipient will promptly destroy or delete the relevant transferred information as specified.

Deletion 1

Deletion Event / Date

Transferred Information to be deleted

Termination

Optional - move to the next question if not applicable

Do you want to include any rights for the parties to terminate this agreement, over and above what is already included in clause 7 of the General Terms? Tick whatever applies and specify how much advance notice is required. You can skip these options if none of them apply.

The parties have the right to terminate this agreement as specified below, over and above what is already included in clause 7 of the General Terms

The Discloser may terminate this agreement on giving notice of not less than:

days

The Recipient may terminate this agreement on giving notice of not less than:

days

Consequences of termination

Optional - move to the next question if not applicable

On termination of this agreement, the parties’ obligations will continue in relation to any transferred information already sent by the Discloser to the Recipient, but anything sent after that point in time will not be covered by the terms. What else should happen on termination? Tick whatever applies. You can skip these options if none of them apply.

All the related agreements listed above will also terminate on the End Date

Promptly following the End Date, the Recipient will securely delete or destroy all the transferred information, and notify the Discloser that it has done so

Special Terms

Optional - move to the next question if not applicable

Are there any other rights or obligations you want to include in the Agreement? If so, you can set them out in the space provided below. Where these contradict or overlap with the other provisions of the Agreement, the terms you set out below will take priority. Be aware that any extra terms that undermine the protections provided by the standard template version of this document may affect the Discloser’s ability to comply with Principle 12 of the Privacy Act for sending personal information overseas. Alternatively, you can leave this section blank.

The following special rights or obligations are included in this Agreement. Where these contradict or overlap with the other provisions of this Agreement, the terms set out below will take priority.

Part 1: Details (Signatures)

Details for giving notice under the Agreement

Any notice given by a party under this agreement must be sent to the other party’s address as notified by the other party from time to time, and each party expressly authorises the service of legal proceedings by email or physical delivery to their notified address. As at the Start Date, each party’s address is:

Discloser

Attention

Address

Recipient

Attention

Address

Signatures

The parties agree to the terms of this Part 1, and the General Terms in Part 2 below.

Signed for and on behalf of Discloser:

Signed for and on behalf of :

Name

Title

Date

Signed for and on behalf of Recipient:

Signed for and on behalf of :

Name

Title

Date

What if things change?

The parties can agree updates to the Details in Part 1 at any time. Each update will be legally binding once confirmed in writing by both parties.

Part 2: General Terms

The General Terms in Part 2 are standard legal clauses designed to work with the Details in Part 1. The General Terms are the same across all Model Clauses Agreements.

Read full General terms

1. What safeguards must the Recipient have in place?

1.1. Limits on collection
The Recipient must only collect transferred information as reasonably necessary for lawful purposes connected with its functions or activities. The Recipient must ensure that its methods of collection are lawful, fair and do not intrude unreasonably on the affairs of any Individual.

1.2. Limits on use and disclosure
The Recipient will not use or disclose transferred information except as permitted in the Details.

1.3. Security
The Recipient will protect the transferred information by implementing and maintaining best practice safeguards against any loss of the transferred information, and any unauthorised access, use, modification or disclosure of the transferred information. The Recipient will also meet any additional security requirements specified in the Details.

Best practice means at least the standard of practice generally expected globally in the same or similar circumstances, from a reasonable and prudent processor of personal information that is the same or of a similar nature to the transferred information.

1.4. Accuracy
The Recipient will take reasonable steps to ensure that the transferred information is accurate, up to date, complete, relevant and not misleading (“Accurate”) before using it.

1.5. Deletion
The Recipient will promptly and securely destroy or delete the transferred information once it is no longer reasonably required by the Recipient for any use permitted in the Details. The Recipient will also do this as required by any “deletion event / date” specified in the Details. The Recipient will promptly notify the Discloser when it has deleted the transferred information.

1.6. Additional precautions for Sensitive Information
The Recipient acknowledges and agrees that a failure to protect the “sensitive information” identified in the Details is particularly likely to cause harm to Individuals. The Recipient will have in place the additional precautions set out in the Details in relation to the sensitive information.

1.7. Privacy officer
The Recipient will maintain a person with responsibility for monitoring and ensuring the Recipient’s compliance with this agreement (“Privacy Officer”). The Recipient will ensure that the Privacy Officer provides reasonable co-operation to Individuals and the Discloser for the purposes of clauses 3 and 4. The Recipient will notify the Discloser of its Privacy Officer and will keep the Discloser updated with the details of any new Privacy Officer if this changes.

1.8. Discloser may suspend transfers of information if Recipient is in breach
If the Recipient is in breach of this agreement, the Discloser may suspend any further disclosure of transferred information to the Recipient, until the Recipient has corrected the breach.

2. What if the Recipient shares information with others?

2.1. Where third parties process personal information for the Recipient
Without taking away from clause 1.2, if the Recipient discloses transferred information to a third party, then if the third party’s use and disclosure of the information is solely as an agent for the Recipient and not for the third party’s own purposes:

the Recipient must use all reasonable endeavours to prevent unauthorised use or disclosure of the transferred information, including by ensuring that the third party is obliged not to use or disclose the transferred information except as authorised by the Recipient, and is obliged to have in place safeguards consistent with the requirements of clause 1.3;
for the purposes of this agreement the transferred information held by the third party will be treated as being in the control of the Recipient, and the Recipient is responsible for the third party’s acts and omissions in relation to the transferred information.

2.2. Where third parties process personal information for their own purposes
Without taking away from clause 1.2, if the Recipient discloses transferred information to a third party, then if the third party uses or discloses the information for its own purposes and not solely as agent of the Recipient:

the Recipient must ensure that the third party enters into a binding and enforceable agreement with the Recipient, imposing on the third party substantially the same obligations in respect of that transferred information as are imposed on the Recipient under this agreement, and giving Individuals substantially the same rights to enforce those obligations as they have under this agreement; and
if the Recipient fails to ensure that the third party enters into such an agreement, then under this agreement the transferred information held by the third party will be treated as being in the control of the Recipient, and the Recipient will be responsible for the third party’s acts and omissions in relation to the transferred information.

This clause 2.2 does not apply to any disclosure required by law, or any disclosure to a third party that is subject to the Privacy Act or other laws that overall provide comparable safeguards.

3. What happens if there is a privacy breach?

3.1. The responsible party must notify affected Individuals of a notifiable privacy breach
The responsible party identified in the Details must notify each affected Individual as soon as practicable after becoming aware that a notifiable privacy breach has occurred, but:

if it is not reasonably practicable for that party to directly notify an affected Individual or each member of a group of affected Individuals, that party may give public notice of the privacy breach so long as that party ensures the public notice does not identify any affected Individual;
that party may delay notification and/or public notice to the extent and for so long as it believes this is necessary because notification or public notice would increase the risk to the security of transferred information and the risk outweighs the benefits of informing affected Individuals;
that party is not required to give any notification or public notice where that would not be required from the Recipient under the Privacy Act if the Recipient was subject to the Act.

Notifiable privacy breach means a privacy breach that it is reasonable to believe has caused serious harm to an affected Individual or Individuals or is likely to do so.

Privacy breach means any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, transferred information, or any action that prevents the Recipient from accessing transferred information on either a temporary or permanent basis.

3.2. The Discloser may notify affected individuals if the Recipient fails to do so
If the Recipient is responsible for notifying Individuals under clause 3.1 but fails to give notice when required under that clause, the Discloser may give notice on behalf of the Recipient.

3.3. The Recipient may need to notify privacy breaches under local data laws
Nothing in this clause 3 reduces any obligation the Recipient may have to notify a privacy breach under the local data law specified in the Details, to the extent this is permitted by clause 5.2.

3.4. The Recipient must notify the Discloser if the Recipient learns of a privacy breach
The Recipient will promptly notify the Discloser as soon as the Recipient becomes aware that a notifiable privacy breach has occurred, and if the Discloser is responsible for notifying Individuals of privacy breaches will provide all assistance and information reasonably required by the Discloser to meet its obligations under this clause 3.

4. What happens if an individual asks to see or correct their personal information?

4.1. Each Individual has rights of access and correction
The Recipient agrees that each Individual has a right to access, and to seek correction of, their personal information held by the Recipient that is included in the transferred information.

4.2. How to handle a request for access
If an Individual requests access to their transferred information, then subject to clauses 4.4 and 4.5, the Recipient will confirm whether or not it holds any transferred information about them and, if it does, will provide them with access to the information and advise them that they may request correction of their information.

4.3. How to handle a request for correction
Where an Individual requests correction of their transferred information, the Recipient will take reasonable steps to ensure that the information is Accurate (as defined in clause 1.4) taking into account the permitted uses specified in the Details. If the Recipient is not willing to correct the information as requested, the Recipient will take reasonable steps to ensure a statement of the requested correction is attached to the information, so as to ensure it will always be read with the information. Where the Recipient corrects any transferred information or attaches a statement of correction, the Recipient must take reasonable steps to inform any person to whom the Recipient has disclosed the relevant transferred information.

4.4. Timeframes for responding to requests for access or correction
The Recipient must respond to an Individual’s request for access to or correction of their transferred information as soon as reasonably practicable and no later than 30 days after receiving the request. The Recipient must provide reasonable assistance to the Individual in relation to each request.

4.5. When can a request be refused?
In relation to any request from an Individual under this clause 4, the Recipient may refuse access, extend the timeframe for complying with the request, and/or charge the Individual for complying with the request, to the extent that this would be permitted if the request was made under the Privacy Act and the Recipient was subject to the Privacy Act.

5. What about complying with laws?

5.1. The Discloser will comply with its own laws
At the time of sending to the Recipient, the Discloser undertakes that the transferred information has been collected, processed and sent to the Recipient in compliance with all laws applying to the Discloser.

5.2. The Recipient will comply with its own laws
The Recipient will ensure that its treatment of the transferred information is consistent with the “local data law” specified in the Details. However, where a requirement of the local data law is less protective than the other requirements of this agreement, to the extent permitted by law the Recipient will comply with the requirement that is the most protective of the transferred information and the interests of the relevant Individuals.

5.3. The Recipient must notify the Discloser about any use or disclosure compelled by law
If the Recipient is required by a court or government agency under any law to disclose or use the transferred information in a way that would not otherwise be permitted by this agreement, then to the extent law allows the Recipient must notify the Discloser to give it the opportunity to contest that legal requirement (for example, by taking the matter to court).

5.4. The Recipient is not aware of any local laws that would undermine this agreement
The Recipient confirms that at the time of entering into this agreement it has made reasonable efforts to identify whether it is covered by any law that could reasonably be expected to have a substantial adverse effect on the protections intended by this agreement, and is not aware of any such law. The Recipient will use reasonable efforts to ensure that, if any such law applies to it in the future, it will promptly notify the Discloser.

6. What can Individuals do if there is a breach?

6.1. Individuals can claim compensation or other court orders
If the Recipient breaches any obligation(s) under clauses 1, 3 or 4, and the breach is an Interference with Privacy of an Individual, the Individual will be entitled to one or more of the following remedies, with the choice and extent of remedy determined by the tribunal hearing the matter, as it considers just and equitable:

monetary compensation from the Recipient for loss suffered as a result of the Interference with Privacy, which may include monetary compensation for humiliation, loss of dignity, and/or injury to the feelings of the Individual, or for any adverse effect on the Individual’s rights, benefits, privileges or obligations;
an order restraining the Recipient from continuing or repeating the Interference with Privacy, or from engaging in, or causing or permitting others to engage in, conduct of the same kind, or conduct of any similar kind specified in the order;
an order that the Recipient perform any acts specified in the order with a view to remedying the Interference with Privacy, or redressing any loss or damage suffered by the aggrieved individual or aggrieved individuals as a result of the interference, or both.

However, the Individual will not be entitled to any damages or other relief beyond the damages or other relief that could reasonably be expected to be granted under the Privacy Act in the same circumstances, if the Recipient was subject to the Privacy Act.

Interference with Privacy in relation to an Individual, means:
• any breach by the Recipient of clause 1 that has or may have a detrimental impact on the Individual, including any loss, damage or injury to them, or any adverse effect on their rights, benefits, obligations or privileges, or significant humiliation, significant loss of dignity, or significant injury to their feelings;

• any breach by the Recipient of clause 3.1 in relation to a privacy breach involving that Individual’s transferred information; and/or

• any breach by the Recipient of clause 4 in relation to a request by that Individual for access to or correction of their transferred information.

6.2. Individuals have these rights even though they are not party to this agreement
The entitlement to a remedy under clause 6.1 is directly enforceable by each Individual in accordance with Part 2 of the Contract and Commercial Law Act 2017 (NZ). The Discloser and Recipient may amend the terms of this agreement without the consent of any Individual, so long as the amendment either increases the protections provided by this agreement, or ensures that if the protections are reduced they remain at such a level that any transferred information disclosed to the Recipient by the Discloser before the amendment could still be disclosed to the Recipient after the amendment in compliance with the Privacy Act.

6.3. The Discloser can claim on behalf of Individuals if requested
The Discloser may bring a claim or claims under clause 6.1 on behalf of one or more Individuals, at the request of those Individuals, although the Discloser is not obliged to do so.

7. When does this agreement start and end?

7.1. When does this agreement start?
Once signed by both parties, this agreement begins on the Start Date and continues until the End Date. If the Start Date is earlier than the date of signing, this agreement will apply as if it had been signed on the Start Date.

7.2. When can the Discloser end this agreement?
In addition to any termination rights set out in the Details, the Discloser can terminate this agreement by giving notice to the Recipient if:

a suspension under clause 1.8 has continued for more than 30 days;
the Recipient has persistently or materially breached this agreement, the Discloser has notified the Recipient requiring the matter to be addressed, and at the end of 30 days following that notice the Recipient has failed to demonstrate to the Discloser’s reasonable satisfaction that all necessary changes have been made to prevent a recurrence;
the Discloser reasonably considers that the Recipient is subject to one or more laws that have a material adverse effect on the protections intended by this agreement; or
compliance by the Recipient with its obligations under this agreement would put it in breach of one or more laws that apply to the Recipient; or
the Recipient undergoes an Insolvency Event.

Insolvency Event means that the Recipient: ceases, or threatens to cease, all or substantially all of its business; is insolvent or bankrupt, or has a receiver, liquidator, administrator, bankruptcy trustee, statutory manager or similar officer appointed; and/or makes an assignment for the benefit of its creditors, or makes any arrangement or composition with its creditors.

7.3. When can the Recipient end this agreement?
In addition to any termination rights set out in the Details, the Recipient may terminate this agreement by giving notice to the Discloser, if the Discloser has persistently or materially breached this agreement, the Recipient has notified the Discloser requiring the matter to be addressed, and at the end of 30 days following that notice the Discloser has failed to demonstrate to the Recipient’s reasonable satisfaction that all necessary changes have been made to prevent a recurrence.

7.4. What happens when this agreement ends?
Despite any termination or expiry, all terms of this agreement will continue to apply to the transferred information that the Discloser sent to the Recipient during the period from the Start Date up to and including the End Date. The terms will stop applying once the Recipient has securely and permanently deleted or destroyed all of the transferred information.

8. Anything else I should be aware of?

8.1. This agreement is governed by New Zealand law. The parties submit to the non-exclusive jurisdiction of the New Zealand courts.

8.2. This agreement takes priority over all other agreements between the Discloser and Recipient, except as specifically stated otherwise in any Special Terms set out in the Details.

8.3. Each party will keep this agreement confidential, provided that:

this will not prevent any disclosure required by law;
either party may voluntarily disclose this agreement to the Privacy Commissioner, but only if they first inform the Privacy Commissioner that the disclosure is made on the basis that the Agreement is to be kept confidential as far as permitted by law;
each party will disclose this agreement to an Individual who requests it, provided that the party has first consulted with the other party and redacted any information that the other party reasonably identifies as commercially sensitive and not necessary for the Individual to receive in order to enforce their rights under this agreement. If requested, the party will provide the Individual with reasons for the redactions, to the extent possible without revealing any of the redacted information.

8.4. Each party undertakes that it has full power, capacity and authority to execute, deliver and perform its obligations under this agreement.

8.5. Each party undertakes that it has, and will continue to have, all the necessary consents, permissions, licences and rights to enter into and perform its obligations under this agreement.

8.6. Each party undertakes that its obligations as set out in this agreement are legal, valid, binding, and enforceable in accordance with their terms.

8.7. Neither party may assign, transfer or otherwise dispose of any of its rights or obligations under this agreement except with the prior written consent of the other party.

8.8. No amendment to this agreement will be effective unless in writing and signed by the Discloser and the Recipient.

8.9. If a party fails to exercise, or delays or holds off exercising, a power or right under this agreement, that is not a waiver of the power or right. A single or partial exercise of such a power or right does not preclude further exercises of that power or right or any other.

8.10. A determination that any provision of this agreement is illegal, void or unenforceable will not affect any other part of this agreement.

8.11. This agreement may be executed in any number of counterparts. Once each party has received a counterpart signed by the other (or a digital copy of that signed counterpart), those counterparts will together be treated as if they were a single signed copy of the Agreement.

8.12. In this agreement, unless the context requires otherwise:

a requirement to notify or give notice is to give notice in writing, which may include email;
a clause reference in the General Terms is to a clause of the General Terms, and not to a clause in the Details;
a reference to a party to this agreement includes that party's personal representatives, successors and permitted assigns;
a reference to any law is a reference to that law as amended, or to any law substituted for that law;
as far as possible, the provisions of this agreement will be interpreted so as to promote consistency with the Privacy Act.

Model Clause Agreement Builder

Agreement for cross-border transfer of personal information

Introduction