Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business sells through an online marketplace, payment platform, app store, booking site, or software marketplace, there is a good chance you will be asked to accept a marketplace data processing addendum. This document often gets buried in platform terms, but it can decide who handles customer data, who carries privacy risk, and who pays if something goes wrong.
Founders commonly make three mistakes here. They assume the platform is fully responsible for privacy compliance, they accept overseas data transfer terms without checking whether they fit New Zealand law, and they overlook security, subcontractor, and breach notification clauses until a customer complaint lands. Those mistakes can become expensive fast.
This guide explains what a marketplace data processing addendum usually does, when New Zealand businesses need to pay close attention, and which privacy issues are worth checking before you sign a contract or spend money on setup. It is written for startups and SMEs that collect, share, or receive customer information through third-party marketplaces.
Overview
A marketplace data processing addendum sets the rules for how personal information is collected, used, stored, transferred, and secured when a marketplace platform and a business both touch the same customer data. For New Zealand businesses, the main question is not just whether the platform has a privacy document, but whether the allocation of responsibility matches the Privacy Act 2020, your privacy policy and customer promises, and the way your business actually operates.
- Identify who is acting as a controller-style decision-maker and who is acting as a processor-style service provider, even if the document uses different wording.
- Check what personal information is shared, why it is shared, and whether those purposes match your privacy policy, customer terms, and marketing practices.
- Review overseas storage and transfer clauses, especially where the marketplace uses offshore servers or subcontractors.
- Confirm security standards, access controls, retention periods, and deletion rights at the end of the relationship.
- Look closely at data breach notification timing, cooperation obligations, and who communicates with affected customers.
- Check whether the platform can appoint sub-processors without notice, and whether you get any say or exit rights.
- Review indemnities, liability caps, and any clause that pushes all privacy risk onto your business.
- Make sure your internal processes can handle access requests, correction requests, complaints, and cross-border privacy questions.
What Marketplace Data Processing Addendum Means For New Zealand Businesses
A marketplace data processing addendum is usually the privacy engine room of your platform contract. It spells out the practical rules for data handling that sit behind the general marketplace terms.
Many marketplaces use international templates built around controller and processor concepts from larger overseas privacy regimes. New Zealand businesses still need to read those documents in a local context. The labels matter less than the substance of who decides why personal information is collected and how it is used.
Why this matters under New Zealand privacy law
The Privacy Act 2020 requires agencies, including most businesses, to handle personal information in line with the Information Privacy Principles. If your business collects customer names, emails, phone numbers, delivery details, payment-related information, booking details, or usage data through a marketplace, you may still have direct privacy obligations even where the platform does much of the processing.
This is where founders often get caught. A marketplace may present itself as the main customer-facing brand, but your business might still be using the data for fulfilment, support, analytics, remarketing, or account management. Once you use that data for your own business purposes, you need to be confident the addendum permits it and your privacy disclosures are accurate.
Common legal issues hiding inside the addendum
The document can look technical, but several clauses have immediate business consequences.
- Purpose limits: The addendum may restrict you to very narrow uses of customer data, such as order fulfilment only. If your team plans to add customers to mailing lists or use data for product research, that may not be allowed.
- Cross-border disclosure: The platform may store or route information through Australia, the United States, Europe, or Asia. New Zealand rules on overseas disclosure can become relevant depending on the arrangement and safeguards used.
- Sub-processors: The marketplace may rely on cloud hosting, analytics, support, fraud detection, and payment providers. Each extra provider creates another layer of privacy and security risk.
- Breach response: If there is a suspected breach, the contract may require very fast notification, evidence preservation, and cooperation steps.
- Audit and information rights: Some addendums let the platform request information about your systems, staff access, and security practices. That can be manageable for a mature business, but disruptive for a small team without documented processes.
Controller and processor language can still affect your risk
Even though New Zealand businesses often focus on practical obligations rather than labels, the controller and processor distinction still matters commercially. If the marketplace says you are the party deciding the purposes of processing, it may try to push privacy notices, consent wording, customer complaints, and regulator engagement onto you.
If the marketplace says it is only acting on your instructions, ask whether that matches reality. Many platforms decide their own fraud checks, analytics, ranking systems, advertising, and customer communications. A clause that oversimplifies those roles can create confusion later, especially if a customer asks who is responsible for a disputed use of their personal information.
When This Issue Comes Up
This issue usually comes up at platform onboarding, contract renewal, product expansion, or when a privacy incident forces everyone to read the fine print. The best time to review the addendum is before you sign a contract and before you build your customer journey around the marketplace.
Typical founder scenarios
You are likely to encounter a marketplace data processing addendum in situations such as:
- selling products through a large online marketplace that gives you buyer details for shipping and support
- offering software through an app marketplace that shares end-user account data and usage information
- using a booking or ordering platform for hospitality, health, events, or services businesses
- listing on a B2B procurement or supplier marketplace that exchanges contact, transaction, and account information
- joining a payment, wallet, or checkout marketplace where customer and transaction data moves between multiple providers
Expansion often changes the privacy position
A business may start with simple fulfilment and later add marketing automations, customer profiling, loyalty programmes, or offshore support. That shift can change the legal analysis. A clause that looked harmless when you only needed names and delivery addresses may become restrictive once you want deeper access to user data.
This also matters if you are trying to start a business in New Zealand with an online-first model. Founders often focus on business structure, registration with the Companies Office, brand protection such as a trade mark, sales terms, and website privacy policy disclosures. Those are all important, but the platform contract can quietly override or limit what you thought your customer data strategy would be.
Red flags before launch or renewal
Certain moments call for a closer review.
- You are asked to accept a new addendum through a click-through update with little notice.
- The marketplace expands its rights to use transaction or customer data for its own analytics, advertising, or product development.
- You plan to export goods or services and the marketplace routes data through multiple countries.
- You rely on customer data from the platform to run support, subscriptions, remarketing, or post-sale communications.
- You work in a sector where information is more sensitive, such as health-adjacent services, children’s products, education, or financial services support.
Those moments are worth treating as contract review points, not just admin tasks.
Practical Steps And Common Mistakes
The safest approach is to compare the addendum against your actual customer flow, not against assumptions about what the platform probably does. A short legal review now can save a much messier privacy problem later.
1. Map the data before you sign
Start with a simple data map. Identify what information comes in, where it goes, who can access it, and what your business does with it.
Your map should cover:
- customer identity information, such as names and contact details
- order, booking, or account information
- payment-related data, even if full card details are handled elsewhere
- customer support messages and complaint records
- device, location, or usage data if the marketplace shares it
- marketing preferences and consent records
Without this map, it is hard to tell whether the addendum reflects reality.
2. Check whether your privacy policy lines up
If your privacy policy says you only use customer details to fulfil orders, but your marketplace setup sends those details into your CRM for future campaigns, you have a mismatch. The same problem appears where the marketplace promises one thing to users and your business does another behind the scenes.
Your customer-facing documents should align across:
- privacy policy wording
- website or app collection statements
- terms of trade or platform terms
- checkout disclosures
- email and SMS marketing practices
Under the Fair Trading Act 1986, misleading statements about data handling can create separate risk from privacy law itself.
3. Review overseas transfer terms carefully
Many marketplaces process data offshore. That is not automatically a problem, but you should know where data goes and on what basis.
Questions worth asking include:
- Which countries are involved in storage, support, analytics, or backup services?
- Does the addendum explain the safeguards used for overseas disclosure?
- Can the platform change processing locations without notice?
- Are you making any promises to customers about where data is held?
This matters because New Zealand businesses may need to think carefully about overseas disclosures of personal information and whether contractual protections are adequate in the circumstances.
4. Do not ignore security clauses
The main risk is not just hacking. It is also weak access control, shared logins, poor offboarding, or a support team downloading customer data to local devices.
Check whether the addendum covers:
- access restrictions based on role
- multi-factor authentication or similar account protections
- encryption in transit and at rest where appropriate
- logging and monitoring of access
- staff confidentiality obligations
- subcontractor security standards
If the addendum lets the marketplace assess your security, make sure your business can actually meet the stated standard.
5. Pin down breach response obligations
Breach clauses are often drafted for big enterprise customers with dedicated legal and IT teams. A small New Zealand business may have no realistic way to investigate and respond within a few hours unless it plans ahead.
Look for:
- how quickly each party must notify the other
- what information must be provided in an initial report
- who decides whether affected individuals need to be notified
- who handles regulator engagement if required
- whether the platform can make public statements without consulting you
Under New Zealand law, notifiable privacy breaches can trigger reporting obligations. Your contract should not leave everyone guessing about who does what.
6. Check retention and deletion rights
Customer data should not sit around forever because no one thought to deal with deletion in the contract. Some marketplaces retain information for long periods for fraud, legal, or platform integrity reasons. That may be justified, but it should be transparent.
Before you commit, ask:
- When does the platform delete or anonymise data?
- Can you request deletion of certain datasets?
- What happens to backups and archived material?
- Can you export business records you need before termination?
This point matters during exits, disputes, and migrations to a new platform.
7. Watch for one-sided liability clauses
A marketplace may cap its own liability at a low amount while requiring your business to indemnify it for broad privacy claims. That can leave you carrying risk for incidents you did not fully control.
Common problem clauses include:
- indemnities triggered by any alleged privacy breach linked to your use of the platform
- liability caps that exclude data incidents or make recovery unrealistic
- clauses allowing the marketplace to suspend you immediately after a privacy concern
- terms making you solely responsible for all customer notices and complaints
If the commercial value of the arrangement is modest, but the privacy exposure is large, that imbalance should be addressed before you sign.
8. Prepare your internal process, not just the contract
Even a well-drafted addendum will not help much if your team does not know what to do with customer information. Simple internal rules can make a big difference.
Set up processes for:
- who can access marketplace customer data
- how long staff may keep downloaded reports
- how access and correction requests are handled
- how marketing use is approved
- how incidents are escalated internally
- how departing staff lose access promptly
This is especially relevant for growing businesses that are hiring quickly or using contractors.
Common mistakes New Zealand SMEs make
Several mistakes come up repeatedly.
- Accepting click-through updates without comparing the new addendum to the old one.
- Assuming a global platform’s template automatically fits New Zealand privacy expectations.
- Using marketplace customer data for unrelated marketing without checking permissions.
- Forgetting that customer complaints often turn on what your business told people, not just what the platform contract says.
- Failing to review connected documents such as privacy policies, supplier agreements, and customer terms at the same time.
These issues often surface only after a complaint, suspension, or due diligence process for funding or sale.
FAQs
Does every New Zealand business need a marketplace data processing addendum?
No. It usually matters where a marketplace or platform handles personal information on behalf of, alongside, or in connection with your business. If you receive customer information through a third-party platform, you should check whether the platform terms already include one.
Can I rely on the marketplace to handle all privacy compliance?
Usually not. Even if the platform manages much of the data processing, your business may still have obligations under the Privacy Act 2020 and under your own customer-facing statements and contracts.
What if the addendum is non-negotiable?
That is common with large marketplaces. You can still assess the risk, adjust your internal practices, limit how you use the data, and update your own documents so they match the platform arrangement. In some cases, the right commercial decision is to avoid the platform or change how you use it.
Do overseas servers automatically breach New Zealand privacy law?
No. Offshore storage is not automatically unlawful. The real issue is whether overseas disclosure is handled appropriately, customers are told what is happening where required, and the protections in place are suitable for the data involved.
Should I review related contracts at the same time?
Yes. Privacy risk often sits across several documents at once, including your platform terms, customer terms, privacy policy, marketing consents, software vendor contracts, and any contractor arrangements involving support or fulfilment.
Key Takeaways
- A marketplace data processing addendum can shift major privacy and liability risk onto your business, even when the platform looks like the main operator.
- New Zealand businesses should check who decides the purposes of data use, what information is shared, and whether the arrangement aligns with the Privacy Act 2020 and customer-facing disclosures.
- Overseas transfers, sub-processors, security standards, breach response, retention, and deletion terms deserve close review before you sign.
- One-sided indemnities and low liability caps are common commercial pressure points in marketplace contracts.
- Your internal processes matter just as much as the contract, especially for access control, marketing use, and breach escalation.
- It is often worth reviewing the addendum together with your privacy policy, customer terms, and related supplier agreements so the documents work together in practice.
If your business is dealing with a marketplace data processing addendum and wants help with privacy policy updates, platform contract reviews, data breach response clauses, and customer terms, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.






