Do I need to comply with the GDPR?
The European Union General Data Protection Regulation (GDPR) may apply to your agency if it handles the personal information of anyone living in the European Union (EU).
The GDPR will almost certainly apply to New Zealand agencies that have offices in EU countries, but it can also apply to agencies that don’t.
You are likely to be covered by the GDPR if your agency is operating within the EU.
The GDPR will also apply to an agency outside the EU that targets individuals in the EU by offering goods and services, or that monitor the behaviour of individuals in the EU.
Some of the factors to consider are whether your agency:
- has websites in European languages, with the possibility of ordering goods and services in that other language
- accepts European currency
- frequently sells goods or services to EU citizens
- provides data processing services to EU-based companies.
Find out more about the GDPR here.(external link)
If you’re based solely in New Zealand and you only occasionally sell something to a European client, it’s unlikely that the GDPR will cover your agency.
Because the GDPR is European rather than New Zealand law, the New Zealand Privacy Commissioner does not have any legal power or responsibilities to advise NZ companies of their obligations under a European data protection law, to investigate breaches of the GDPR or to enforce GDPR requirements.
You can also find out more about the GDPR here: How do I comply with the GDPR?