Data Transfer Agreement (NZ)
Access the University’s standard data transfer terms. These are relevant if you have a Personal Data Transfer and Protection Agreement with us.
These terms form part of a mutual data transfer agreement between the parties specified in the Details. Each party may from time-to-time transfer personal information to the other. These terms, together with the Details, form part of a single agreement and are binding on the parties even if not separately executed.
Definitions
In this agreement, terms that start with a capital letter and appear as headings in the Details (for example, Start Date, Data Exporter and Data Importer) have the meanings given in the Details. Also:
Details means the form labelled Personal Data Transfer and Protection Agreement (or similar) between the parties that specifies the details of the personal data transferred between the parties, the permitted uses, and other related matters.
End Date means the date this agreement is terminated in accordance with its terms.
Individual and data subject means an individual to whom the transferred personal data relates.
Local data laws means any data laws that apply to the Data Importer in the Data Importer's home country.
Personal information and personal data means information about an identifiable individual.
Privacy Act means the Privacy Act 2020 (NZ).
Privacy Commissioner means the Privacy Commissioner holding office under the Privacy Act.
Transferred personal data has the meaning given in the Details, but also includes any personal information about an Individual that is inferred or derived from the transferred personal data after it is disclosed to the Data Importer (whether inferred or derived solely from the transferred personal data, or with a meaningful contribution from the transferred personal data).
1 What safeguards must the Data Importer have in place?
1.1 Limits on collection
The Data Importer must only collect transferred personal data as reasonably necessary for lawful purposes connected with its functions or activities. The Data Importer must ensure that its methods of collection are lawful, fair and do not intrude unreasonably on the affairs of any Individual.
1.2 Limits on use and disclosure
The Data Importer will not use or disclose transferred personal data except as permitted in the Details.
1.3 Security
The Data Importer will protect the transferred personal data by implementing and maintaining best practice safeguards against any loss of the transferred personal data, and any unauthorised access, use, modification or disclosure of the transferred personal data. The Data Importer will also meet any additional security requirements specified in the Details.
Best practice means at least the standard of practice generally expected globally in the same or similar circumstances, from a reasonable and prudent processor of personal information that is the same or of a similar nature to the transferred personal data.
1.4 Accuracy
The Data Importer will take reasonable steps to ensure that the transferred personal data is accurate, up to date, complete, relevant and not misleading (“Accurate”) before using it.
1.5 Deletion
The Data Importer will promptly and securely destroy or delete the transferred personal data once it is no longer reasonably required by the Data Importer for any use permitted in the Details. The Data Importer will also do this as specified in the Details. The Data Importer will promptly notify the Data Exporter when it has deleted the transferred personal data.
1.6 Additional precautions for sensitive data
The Data Importer acknowledges and agrees that a failure to protect any “sensitive data” identified in the Details is particularly likely to cause harm to Individuals. The Data Importer will have in place the additional precautions set out in the Details in relation to any sensitive data.
1.7 Privacy officer
The Data Importer will maintain a person with responsibility for monitoring and ensuring the Data Importer’s compliance with this agreement (“Privacy Officer”). The Data Importer will ensure that the Privacy Officer provides reasonable co-operation to Individuals and the Data Exporter for the purposes of clauses 3 and 4. The Data Importer will notify the Data Exporter of its Privacy Officer and will keep the Data Exporter updated with the details of any new Privacy Officer if this changes.
1.8 Data Exporter may suspend transfers of information if Data Importer is in breach
If the Data Importer is in breach of this agreement, the Data Exporter may suspend any further disclosure of transferred personal data to the Data Importer, until the Data Importer has corrected the breach.
2 What if the Data Importer shares information with others?
2.1 Where third parties process personal information for the Data Importer
Without taking away from clause 1.2, if the Data Importer discloses transferred personal data to a third party, then if the third party’s use and disclosure of the information is solely as an agent for the Data Importer and not for the third party’s own purposes:
- the Data Importer must use all reasonable endeavours to prevent unauthorised use or disclosure of the transferred personal data, including by ensuring that the third party is obliged not to use or disclose the transferred personal data except as authorised by the Data Importer, and is obliged to have in place safeguards consistent with the requirements of clause 1.3 and clause 1.6;
- for the purposes of this agreement the transferred personal data held by the third party will be treated as being in the control of the Data Importer, and the Data Importer is responsible for the third party’s acts and omissions in relation to the transferred personal data.
2.2 Where third parties process personal information for their own purposes
Without taking away from clause 1.2, if the Data Importer discloses transferred personal data to a third party, then if the third party uses or discloses the information for its own purposes and not solely as agent of the Data Importer:
the Data Importer must ensure that the third party enters into a binding and enforceable agreement with the Data Importer, imposing on the third party substantially the same obligations in respect of that transferred personal data as are imposed on the Data Importer under this agreement, and giving Individuals substantially the same rights to enforce those obligations as they have under this agreement; and
if the Data Importer fails to ensure that the third party enters into such an agreement, then under this agreement the transferred personal data held by the third party will be treated as being in the control of the Data Importer, and the Data Importer will be responsible for the third party’s acts and omissions in relation to the transferred personal data.
This clause 2.2 does not apply to any disclosure required by law, or any disclosure to a third party that is subject to the Privacy Act or other laws that overall provide comparable safeguards.
3 What happens if there is a privacy breach?
3.1 The Data Importer must notify the other party of any privacy breach
The Data Importer will promptly notify the Data Exporter of any privacy breach (regardless of whether or not that privacy breach is a notifiable privacy breach) as soon as the Data Importer becomes aware that a privacy breach has occurred. If:
the Data Importer is responsible for notifying affected individuals of privacy breaches, the Data Importer must consult with the Data Exporter in relation to the handling and management of that privacy breach (including on giving notification to affected individuals);
the Data Exporter is responsible for notifying affected individuals of privacy breaches, the Data Importer will provide all assistance and information reasonably required by the Data Exporter.
3.2 The responsible party must notify affected Individuals of a notifiable privacy breach
The responsible party identified in the Details must, in consultation with the other party, notify each affected Individual as soon as practicable after becoming aware that a notifiable privacy breach has occurred, but:
- if it is not reasonably practicable for that party to directly notify an affected Individual or each member of a group of affected Individuals, that party may give public notice of the privacy breach so long as that party ensures the public notice does not identify any affected Individual;
- that party may delay notification and/or public notice to the extent and for so long as it believes this is necessary because notification or public notice would increase the risk to the security of transferred personal data and the risk outweighs the benefits of informing affected Individuals;
- that party is not required to give any notification or public notice where that would not be required from the Data Importer under the Privacy Act if the Data Importer was subject to the Act.
Notifiable privacy breach means a privacy breach that it is reasonable to believe has caused serious harm to an affected Individual or Individuals or is likely to do so.
Privacy breach means any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, transferred personal data, or any action that prevents the Data Importer from accessing transferred personal data on either a temporary or permanent basis.
3.3 The Data Exporter may notify affected individuals if the Data Importer fails to do so
If the Data Importer is responsible for notifying Individuals under clause 3.2 but fails to give notice when required under that clause, the Data Exporter may give notice on behalf of the Data Importer.
3.4 The Data Importer may need to notify privacy breaches under local data laws
Nothing in this clause 3 reduces any obligation the Data Importer may have to notify a privacy breach under any local data laws, to the extent this is permitted by clause 5.2.
4 What happens if an individual asks to see or correct their personal information?
4.1 Each Individual has rights of access and correction
The Data Importer agrees that each Individual has a right to access, and to seek correction of, their personal information held by the Data Importer that is included in the transferred personal data.
4.2 How to handle a request for access
If an Individual requests access to their transferred personal data, then subject to clauses 4.4 and 4.5, the Data Importer will confirm whether or not it holds any transferred personal data about them and, if it does, will provide them with access to the information and advise them that they may request correction of their information.
4.3 How to handle a request for correction
Where an Individual requests correction of their transferred personal data, the Data Importer will take reasonable steps to ensure that the information is Accurate (as defined in clause 1.4) taking into account the permitted uses specified in the Details. If the Data Importer is not willing to correct the information as requested, the Data Importer will take reasonable steps to ensure a statement of the requested correction is attached to the information, so as to ensure it will always be read with the information. Where the Data Importer corrects any transferred personal data or attaches a statement of correction, the Data Importer must take reasonable steps to inform any person to whom the Data Importer has disclosed the relevant transferred personal data.
4.4 Timeframes for responding to requests for access or correction
The Data Importer must respond to an Individual’s request for access to or correction of their transferred personal data as soon as reasonably practicable and no later than 30 days after receiving the request. The Data Importer must provide reasonable assistance to the Individual in relation to each request.
4.5 When can a request be refused?
In relation to any request from an Individual under this clause 4, the Data Importer may refuse access, extend the timeframe for complying with the request, and/or charge the Individual for complying with the request, to the extent that this would be permitted if the request was made under the Privacy Act and the Data Importer was subject to the Privacy Act.
5 What about complying with laws?
5.1 The Data Exporter will comply with its own laws
At the time of sending to the Data Importer, the Data Exporter undertakes that the transferred personal data has been collected, processed and sent to the Data Importer in compliance with all laws applying to the Data Exporter.
5.2 The Data Importer will comply with its own laws
The Data Importer will ensure that its treatment of the transferred personal data is consistent with any local data laws. However, where a requirement of the local data law is less protective than the other requirements of this agreement, to the extent permitted by law the Data Importer will comply with the requirement that is the most protective of the transferred personal data and the interests of the relevant Individuals.
5.3 The Data Importer must notify the Data Exporter about any use or disclosure compelled by law
If the Data Importer is required by a court or government agency under any law to disclose or use the transferred personal data in a way that would not otherwise be permitted by this agreement, then to the extent law allows the Data Importer must notify the Data Exporter to give it the opportunity to contest that legal requirement (for example, by taking the matter to court).
5.4 The Data Importer is not aware of any local laws that would undermine this agreement
The Data Importer confirms that at the time of entering into this agreement it has made reasonable efforts to identify whether it is covered by any law that could reasonably be expected to have a substantial adverse effect on the protections intended by this agreement, and is not aware of any such law. The Data Importer will use reasonable efforts to ensure that, if any such law applies to it in the future, it will promptly notify the Data Exporter.
6 What can Individuals do if there is a breach?
6.1 Individuals can claim compensation or other court orders
If the Data Importer breaches any obligation(s) under clauses 1, 3 or 4, and the breach is an Interference with Privacy of an Individual, the Individual may be entitled to one or more of the following remedies, with the choice and extent of remedy determined by the tribunal hearing the matter, as it considers just and equitable:
- monetary compensation from the Data Importer for loss suffered as a result of the Interference with Privacy, which may include monetary compensation for humiliation, loss of dignity, and/or injury to the feelings of the Individual, or for any adverse effect on the Individual’s rights, benefits, privileges or obligations;
- an order restraining the Data Importer from continuing or repeating the Interference with Privacy, or from engaging in, or causing or permitting others to engage in, conduct of the same kind, or conduct of any similar kind specified in the order;
- an order that the Data Importer perform any acts specified in the order with a view to remedying the Interference with Privacy, or redressing any loss or damage suffered by the aggrieved individual or aggrieved individuals as a result of the interference, or both.
However, the Individual will not be entitled to any damages or other relief beyond the damages or other relief that could reasonably be expected to be granted under the Privacy Act in the same circumstances, if the Data Importer was subject to the Privacy Act.
Interference with Privacy in relation to an Individual, means:
- any breach by the Data Importer of clause 1 that has or may have a detrimental impact on the Individual, including any loss, damage or injury to them, or any adverse effect on their rights, benefits, obligations or privileges, or significant humiliation, significant loss of dignity, or significant injury to their feelings;
- any breach by the Data Importer of clause 3.1 in relation to a privacy breach involving that Individual’s transferred personal data; and/or
- any breach by the Data Importer of clause 4 in relation to a request by that Individual for access to or correction of their transferred personal data.
6.2 Individuals have these rights even though they are not party to this agreement
The entitlement to a remedy under clause 6.1 is directly enforceable by each Individual in accordance with Part 2 of the Contract and Commercial Law Act 2017 (NZ). The Data Exporter and Data Importer may amend the terms of this agreement without the consent of any Individual, so long as the amendment either increases the protections provided by this agreement, or ensures that if the protections are reduced they remain at such a level that any transferred personal data disclosed to the Data Importer by the Data Exporter before the amendment could still be disclosed to the Data Importer after the amendment in compliance with the Privacy Act.
6.3 The Data Exporter can claim on behalf of Individuals if requested
The Data Exporter may bring a claim or claims under clause 6.1 on behalf of one or more Individuals, at the request of those Individuals, although the Data Exporter is not obliged to do so.
7 When does this agreement start and end?
7.1 When does this agreement start?
Once signed by both parties, this agreement begins on the Start Date and continues until the End Date.
7.2 When can the Data Exporter end this agreement?
In addition to any termination rights set out in the Details, the Data Exporter can terminate this agreement by giving notice to the Data Importer if:
- a suspension under clause 1.8 has continued for more than 30 days;
- the Data Importer has persistently or materially breached this agreement, the Data Exporter has notified the Data Importer requiring the matter to be addressed, and at the end of 30 days following that notice the Data Importer has failed to demonstrate to the Data Exporter’s reasonable satisfaction that all necessary changes have been made to prevent a recurrence;
- the Data Exporter reasonably considers that the Data Importer is subject to one or more laws that have a material adverse effect on the protections intended by this agreement; or
- compliance by the Data Importer with its obligations under this agreement would put it in breach of one or more laws that apply to the Data Importer; or
- the Data Importer undergoes an Insolvency Event.
Insolvency Event means that the Data Importer: ceases, or threatens to cease, all or substantially all of its business; is insolvent or bankrupt, or has a receiver, liquidator, administrator, bankruptcy trustee, statutory manager or similar officer appointed; and/or makes an assignment for the benefit of its creditors, or makes any arrangement or composition with its creditors.
7.3 When can the Data Importer end this agreement?
In addition to any termination rights set out in the Details, the Data Importer may terminate this agreement by giving notice to the Data Exporter, if the Data Exporter has persistently or materially breached this agreement, the Data Importer has notified the Data Exporter requiring the matter to be addressed, and at the end of 30 days following that notice the Data Exporter has failed to demonstrate to the Data Importer’s reasonable satisfaction that all necessary changes have been made to prevent a recurrence.
7.4 What happens when this agreement ends?
Despite any termination or expiry, all terms of this agreement will continue to apply to the transferred personal data that the Data Exporter sent to the Data Importer prior to the End Date. The terms will stop applying once the Data Importer has securely and permanently deleted or destroyed all of the transferred personal data.
8 Anything else I should be aware of?
8.1 This agreement is governed by New Zealand law. The parties submit to the non-exclusive jurisdiction of the New Zealand courts.
8.2 This agreement takes priority over all other agreements between the Data Exporter and Data Importer, except as specifically stated otherwise in any Special Terms set out in the Details.
8.3 Each party will keep this agreement confidential, provided that:
- this will not prevent any disclosure required by law;
- either party may voluntarily disclose this agreement to the Privacy Commissioner, but only if they first inform the Privacy Commissioner that the disclosure is made on the basis that the Agreement is to be kept confidential as far as permitted by law;
- each party will disclose this agreement to an Individual who requests it, provided that the party has first consulted with the other party and redacted any information that the other party reasonably identifies as commercially sensitive and not necessary for the Individual to receive in order to enforce their rights under this agreement. If requested, the party will provide the Individual with reasons for the redactions, to the extent possible without revealing any of the redacted information.
8.4 Each party undertakes that it has full power, capacity and authority to execute, deliver and perform its obligations under this agreement.
8.5 Each party undertakes that it has, and will continue to have, all the necessary consents, permissions, licences and rights to enter into and perform its obligations under this agreement.
8.6 Each party undertakes that its obligations as set out in this agreement are legal, valid, binding, and enforceable in accordance with their terms.
8.7 Neither party may assign, transfer or otherwise dispose of any of its rights or obligations under this agreement except with the prior written consent of the other party.
8.8 No amendment to this agreement will be effective unless in writing and signed by the Data Exporter and the Data Importer.
8.9 If a party fails to exercise, or delays or holds off exercising, a power or right under this agreement, that is not a waiver of the power or right. A single or partial exercise of such a power or right does not preclude further exercises of that power or right or any other.
8.10 A determination that any provision of this agreement is illegal, void or unenforceable will not affect any other part of this agreement.
8.11 This agreement may be executed in any number of counterparts. Once each party has received a counterpart signed by the other (or a digital copy of that signed counterpart), those counterparts will together be treated as if they were a single signed copy of the Agreement.
8.12 In this agreement, unless the context requires otherwise:
- a requirement to notify or give notice is to give notice in writing, which may include email;
- a clause reference in the General Terms is to a clause of the General Terms, and not to a clause in the Details;
- a reference to a party to this agreement includes that party's personal representatives, successors and permitted assigns;
- a reference to any law is a reference to that law as amended, or to any law substituted for that law;
- as far as possible, the provisions of this agreement will be interpreted so as to promote consistency with the Privacy Act.