Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Overview
- Practical Steps And Common Mistakes
  - Step 1: Map your offshore data flows
  - Step 2: Check the legal basis for the transfer
  - Step 3: Review the addendum with the main contract
  - Step 4: Match your privacy policy and collection notices to reality
  - Step 5: Set internal approval rules
  - Common mistakes New Zealand businesses make
  - What good practice looks like for SMEs
- FAQs
  - Does every New Zealand business need a cross border data transfer addendum?
  - Is storing data overseas the same as disclosing it overseas?
  - Can we rely on a global provider's standard data processing terms?
  - Do we need customer consent for every offshore transfer?
  - What if our provider changes sub-processors or hosting countries later?
- Key Takeaways
If your business uses overseas software, cloud storage, offshore developers, or a global payroll or CRM platform, your customer and staff data is probably leaving New Zealand. That is where founders often get caught. A common mistake is assuming the software provider handles all privacy compliance. Another is signing a vendor contract without checking where the data goes, who can access it, and what happens if there is a breach. A third is copying overseas data transfer wording that does not fit the Privacy Act 2020 or your actual operations.
A cross border data transfer addendum can help set the rules for international data flows, but it is only useful if it matches the way your business collects, stores, uses and shares personal information. For New Zealand businesses, the real question is not just whether data goes offshore, but whether you have taken reasonable steps before that transfer happens. This guide explains what a cross border data transfer addendum does, when you are likely to need one, and the practical issues to sort out before you sign a contract or spend money on setup.
Overview
A cross border data transfer addendum is a contract document that deals with how personal information can be transferred, stored, accessed and protected when data moves from New Zealand to another country. It usually sits alongside a broader services agreement, software contract, outsourcing agreement or data processing terms.
For New Zealand businesses, the legal focus is usually whether the offshore transfer meets your obligations under the Privacy Act 2020, especially Information Privacy Principle 12, and whether your privacy policy, collection notices and supplier contracts line up with what actually happens in practice.
- Identify what personal information leaves New Zealand, including customer, employee and contractor data.
- Check which countries are involved, including remote access from support teams or developers overseas.
- Review whether the overseas provider is subject to privacy safeguards that are broadly comparable, or whether contractual protections are needed.
- Make sure your contract clearly sets out security, sub-processors, breach notification, deletion, return of data and audit rights.
- Update your privacy policy and collection notices so they accurately describe offshore disclosure.
- Confirm who is legally responsible if there is a misuse, security incident or unauthorised transfer.
What Cross Border Data Transfer Addendum Means For New Zealand Businesses
A cross border data transfer addendum is usually about allocating risk and documenting privacy protections before information leaves New Zealand.
Many New Zealand SMEs use software built overseas. Your accounting platform may host data in Australia, your CRM may process information in the United States, and your support tool may allow access from the Philippines or India. Even if your business is based entirely in New Zealand, your data arrangements may be international from day one.
That matters because the Privacy Act 2020 places limits on disclosing personal information to foreign persons or entities. The main issue is whether the receiving party is subject to privacy protections that are comparable to New Zealand's, or whether another permitted basis for disclosure applies. In practical terms, a business often needs both a legal basis for the transfer and a contract that deals with the risks properly.
Why businesses use an addendum
The addendum is usually not a stand-alone privacy cure. It is a supporting document that helps fill gaps in a broader commercial agreement.
It commonly covers:
- the purpose of the transfer and what data is involved
- whether the overseas provider acts only on your instructions
- minimum security standards
- confidentiality obligations
- use of sub-processors and subcontractors
- what happens if there is a privacy breach
- whether data must be returned or destroyed at the end of the relationship
- which party handles access requests, correction requests and complaints
Founders often assume a supplier's standard terms already cover these points. Sometimes they do, but often only at a high level, and not in a way that reflects New Zealand law or your actual data flows.
How the Privacy Act affects offshore transfers
The key legal issue is not simply storage overseas. It is disclosure to an overseas person or entity and whether that disclosure is allowed.
Information Privacy Principle 12 is particularly relevant when your business sends personal information offshore or gives an overseas provider access to it. Depending on the arrangement, you may need to be satisfied that the overseas recipient is subject to privacy laws that provide comparable safeguards, or that the recipient is required to protect the information in a way that, overall, provides comparable safeguards. In some cases, informed authorisation from the individual may also be relevant, but businesses should be careful about relying on that as a catch-all solution.
This is where a cross border data transfer addendum becomes useful. It helps show what standards the overseas provider must meet. But the document should not be treated as a box-ticking exercise. If the supplier can freely use sub-processors you have not assessed, or if the contract gives weak notification rights after a breach, the addendum may not do much practical work when a real problem appears.
It is not only a privacy team issue
For startups and growing companies, cross-border data transfers often begin as a purchasing decision. A founder signs up to a platform, an operations manager outsources support, or a development team uses an overseas analytics tool. Nobody labels it a data export project, but legally that may be what it is.
The issue also affects:
- sales teams collecting leads through offshore platforms
- HR teams using global payroll, recruitment or performance software
- ecommerce businesses storing customer accounts and order histories offshore
- health, education and professional services businesses handling sensitive personal information
- franchise and group structures sharing information with related companies in other countries
If your privacy policy says one thing, your vendor contracts say another, and your actual workflow is different again, the business is exposed from several angles at once.
When This Issue Comes Up
This issue usually comes up when a business buys software, outsources a function, enters a group sharing arrangement, or expands into a new market.
You do not need to be a large enterprise for this to matter. A two-person startup can have offshore transfers through simple tools used every day.
When you sign overseas SaaS and cloud contracts
If you use a CRM, project management tool, payment platform, booking system, document storage service or customer support product with offshore hosting or support, personal information may be transferred overseas. This often happens before anyone in the business has reviewed the privacy position.
Before you sign a contract, check:
- where the data is stored
- whether support staff in other countries can access it
- whether the supplier uses third party sub-processors
- which entity in the supplier group actually receives the data
- what rights you have if the supplier changes hosting regions later
When you outsource operations
New Zealand businesses often outsource customer support, data entry, software development, payroll processing, marketing automation or back-office work to providers outside New Zealand. In these arrangements, the overseas service provider may receive direct access to personal information or be sent data sets to work with.
This is where businesses need to think beyond price and functionality. The contract needs to define who can access the data, for what purpose, under what security controls, and what happens after the engagement ends.
When your group shares data across borders
Businesses with Australian or wider international operations often share data between parent companies, subsidiaries, franchise networks or regional support teams. Founders sometimes treat this as internal admin, but from a privacy perspective it can still be a cross-border disclosure.
A group arrangement should still be documented carefully. Shared systems, common databases and regional reporting lines do not remove the need to address the overseas transfer properly.
When sensitive information is involved
The more sensitive the information, the more carefully the arrangement should be assessed.
Extra caution is sensible where the transfer involves:
- health information
- identity documents
- financial details
- children's information
- employee records
- disciplinary or performance information
- location data or behavioural profiles
A supplier may offer standard privacy wording that sounds acceptable, but that does not mean it is right for your business or for the type of information involved.
When you are fundraising, selling, or preparing for due diligence
Investors, buyers and larger commercial partners often ask how your business handles personal information. If you cannot explain where data goes, which contracts control offshore transfers, and whether your privacy policy reflects reality, the issue can slow a transaction or reduce confidence.
This is one reason founders should address cross-border data transfer terms early, not after the first breach or after a due diligence list arrives.
Practical Steps And Common Mistakes
The best approach is to map your actual data flows first, then align your contracts, privacy documents and internal processes with that map.
Businesses often start with the supplier's paper. That is understandable, but it is usually the wrong first step. If you do not know what data leaves New Zealand and why, you cannot properly assess whether the proposed addendum is suitable.
Step 1: Map your offshore data flows
List each system, provider and team that receives or accesses personal information from outside New Zealand. This should include remote access, not just storage location.
Your review should cover:
- what categories of personal information are involved
- whether the information includes customer, employee, contractor or prospect data
- which countries are involved
- whether the data is stored, viewed, analysed or backed up offshore
- whether any sub-processors or affiliates are involved
- whether the transfer is one-off, occasional or ongoing
This exercise sounds simple, but it often reveals shadow tools or legacy systems the business has forgotten about.
Step 2: Check the legal basis for the transfer
Your business should assess why the offshore disclosure is permitted under New Zealand privacy law. The answer may differ depending on the country, the provider and the type of information.
A common mistake is assuming an overseas provider's reputation solves the legal question. Brand recognition is not the test. The issue is whether the transfer fits within the Privacy Act framework and whether you have taken reasonable steps before disclosing the information.
Step 3: Review the addendum with the main contract
The addendum should be read together with the master services agreement, SaaS terms, outsourcing contract or procurement terms. The main risk is inconsistency.
For example, the addendum might say the provider only acts on your instructions, but the main terms may allow broad internal use for analytics, service improvement or affiliate sharing. The addendum may promise deletion on termination, while the main contract permits indefinite retention for legal, security or product purposes.
Key clauses to review include:
- permitted purpose and processing instructions
- security measures and technical standards
- sub-processor approvals and notice rights
- cross-border onward transfers
- privacy breach notification timing and content
- cooperation on access and correction requests
- audit rights or evidence of compliance
- termination, deletion, return and backup handling
- liability caps and privacy-related indemnities
Step 4: Match your privacy policy and collection notices to reality
If your website, app, onboarding flow or employment paperwork is silent about overseas disclosure, but your business routinely uses offshore systems, your documents may be misleading or incomplete.
Your privacy wording should accurately explain:
- that personal information may be stored or accessed overseas
- the general purpose of that disclosure
- the kinds of providers or recipients involved
- how individuals can contact your business about privacy concerns
You do not need to turn your privacy policy into a technical manual, but it should reflect what actually happens.
Step 5: Set internal approval rules
Many privacy issues start with decentralised purchasing. A team member signs up to a tool using a company card, uploads personal information, and only later does someone ask where the data is hosted.
Before you spend money on setup, create a simple internal process for new tools and outsourcing arrangements. That process might require legal, privacy, IT or management sign-off where personal information will be transferred offshore.
Common mistakes New Zealand businesses make
The same problems appear again and again.
- Relying on supplier marketing statements instead of the actual contract terms.
- Reviewing hosting location but ignoring offshore support access.
- Assuming an Australian or global parent company arrangement does not count as a disclosure.
- Copying overseas data transfer wording without checking New Zealand law.
- Forgetting employee data and contractor data, while focusing only on customers.
- Leaving privacy compliance to procurement or IT without legal review or contract review.
- Failing to update privacy policies, onboarding materials and internal procedures after signing with the supplier.
- Accepting weak breach notification clauses that allow delays.
What good practice looks like for SMEs
You do not need a huge privacy team to improve your position. Good practice is usually about clarity, consistency and timing.
For an SME, that often means:
- keeping a current register of systems that involve offshore transfers
- using reviewed contract terms for common vendor arrangements
- training managers not to approve tools without checking privacy implications
- making sure customer-facing and staff-facing privacy notices are accurate
- having a basic response plan for suspected privacy breaches involving overseas providers
That kind of discipline helps when customers ask questions, when commercial partners send vendor questionnaires, and when your business grows quickly.
FAQs
Does every New Zealand business need a cross border data transfer addendum?
No. Not every arrangement needs a separate addendum, but many offshore software, outsourcing and data processing relationships need clear contractual terms dealing with international transfers. The real question is whether personal information is being disclosed overseas and whether your contract properly addresses that risk.
Is storing data overseas the same as disclosing it overseas?
Not always in a strict practical sense, but overseas storage often forms part of a broader disclosure or access arrangement that needs legal assessment. Businesses should look at the full picture, including hosting, support access, backups, affiliates and sub-processors.
Can we rely on a global provider's standard data processing terms?
Sometimes, but not automatically. Standard terms may be a useful starting point, but they should be checked against New Zealand privacy requirements, your data flows, the sensitivity of the information, and the rest of the commercial contract.
Do we need customer consent for every offshore transfer?
No. Consent or authorisation is not the only possible basis, and it is not always the best one to rely on. Many businesses instead focus on whether the overseas recipient is subject to comparable safeguards or contractual protections. The right approach depends on the arrangement.
What if our provider changes sub-processors or hosting countries later?
Your contract should deal with that. Ideally, you should have notice rights, visibility over material changes, and a practical ability to object or reconsider the arrangement if the privacy risk changes.
Key Takeaways
- A cross border data transfer addendum helps document privacy protections when personal information is transferred or accessed outside New Zealand.
- For New Zealand businesses, the main legal issue is whether the offshore disclosure fits the Privacy Act 2020, especially the rules around overseas recipients.
- The document should be reviewed with the main supplier or outsourcing contract, not in isolation.
- You should map actual data flows first, including offshore support access, affiliates and sub-processors.
- Your privacy policy, collection notices and internal purchasing process should match the reality of your offshore data arrangements.
- Common mistakes include relying on generic supplier wording, missing employee data, and failing to negotiate breach, deletion and onward transfer terms.
If your business is dealing with a cross border data transfer addendum and wants help with supplier contract reviews, privacy compliance, data processing terms, and privacy policy updates, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.