Sapna has completed a Bachelor of Arts/Laws. Since graduating, she's worked primarily in the field of legal research and writing, and she now writes for Sprintlaw.
If your business uses third parties to store, handle, analyse or otherwise “process” personal information, a Data Processing Agreement (DPA) can be one of the most practical ways to protect your business from day one.
In plain terms, a DPA is the contract that sets out what your service provider can (and can’t) do with the personal information you’ve trusted them with. And because privacy compliance keeps getting more attention in New Zealand, it’s worth making sure your approach is up to date.
Below, we’ll break down what a DPA is, when you need one, what it should cover, and how it fits into your wider privacy and contracting setup.
What Is A Data Processing Agreement (DPA)?
A Data Processing Agreement is a written agreement between:
- you (the organisation deciding why and how personal information is used), and
- your service provider (the organisation processing that personal information on your behalf).
You’ll often hear these roles described as the “principal” (or controller) and the “processor”. The key idea is this: you’re still responsible for the personal information, even if someone else is handling it for you.
Common examples of “processing” include:
- hosting customer data in a CRM or cloud platform
- payroll providers handling employee details
- email marketing platforms sending newsletters to your list
- IT providers accessing systems for support and maintenance
- outsourced customer support teams accessing customer accounts
- analytics providers collecting user behaviour data on your site or app
In New Zealand, privacy compliance is primarily governed by the Privacy Act 2020. The Act doesn't prescribe a mandatory DPA template, but Information Privacy Principle 5 does require you to protect the personal information you hold with reasonable security safeguards against loss and against unauthorised access, use, modification or disclosure, and to ensure it's handled appropriately. A DPA is often the most direct way to set those rules with a third party.
And importantly: a DPA isn’t the same thing as a website privacy policy. Your Privacy Policy explains how your business collects and uses information. A DPA is the behind-the-scenes contract that controls how your suppliers process it.
Do I Need A Data Processing Agreement For My NZ Business?
You’re more likely to need a DPA if you answer “yes” to any of these:
- Do you use third-party software or service providers that store personal information (e.g. customer names, emails, addresses, payment info, health details, employee records)?
- Do contractors, offshore teams or vendors access your customer database or internal systems?
- Do you outsource any customer support, IT support, payroll or marketing?
- Do you share personal information with another business to provide your service?
If you do, it’s not just about “being compliant” in a vague sense. It’s about risk management.
Without a DPA (or at least strong processing clauses in your broader contract), you can end up with:
- unclear responsibility when something goes wrong (like a data breach)
- uncontrolled subcontracting (your provider passes data to someone else without you knowing)
- weak security expectations and no real way to enforce improvements
- disputes about who should notify affected individuals or the Privacy Commissioner
- customer trust issues if your privacy practices don’t match what your providers are actually doing
A good DPA helps you stay in control of the data lifecycle, even when you don’t physically hold the information yourself.
Common Situations Where A DPA Matters
Some DPAs are obvious (like outsourcing payroll). Others sneak up on you as you grow.
For example, imagine you’re a growing eCommerce brand. At the start, you might only collect customer contact details and order history. Then you add:
- a new shipping and fulfilment provider
- a customer support ticketing platform
- behavioural marketing tools
- an overseas developer with database access
Each one potentially becomes a data processor. And each one is another place where things can go wrong if responsibilities aren’t clear.
How Does A DPA Fit With The Privacy Act 2020?
The Privacy Act 2020 applies to most organisations in New Zealand that collect and use “personal information” (information about an identifiable individual).
While the Act is principles-based (rather than being a checklist), there are a few practical takeaways for businesses working with processors:
You Still Carry The Main Accountability
If you’re the business collecting the data (from customers, users, employees, patients, members, etc.), you generally remain accountable for ensuring it’s handled in a way that aligns with the Privacy Act. The Act is explicit about this: information a provider holds solely as your agent, or for processing on your behalf, is treated as held by you.
That’s why a DPA is so useful: it creates enforceable rules that require your processor to meet your standards.
Security And Access Controls Need To Be “Reasonable”
The Privacy Act expects you to protect personal information with reasonable security safeguards. What’s “reasonable” depends on context (the sensitivity and volume of the information, and what a breach would do to the people it’s about), but a DPA can turn that into minimum requirements, such as:
- encryption in transit and at rest (and who controls the keys)
- role-based access control, with access limited to the staff who actually need it
- MFA for privileged and remote access
- logging and monitoring of access to your data, with logs kept long enough to investigate an incident
- secure deletion practices that cover backups and any copies held by subcontractors
This matters because if your provider’s security is weak, the consequences don’t stay with them: a breach at your vendor is a breach of information you’re accountable for.
Data Breach Response Can’t Be An Afterthought
Under the Privacy Act 2020, a privacy breach that has caused, or is likely to cause, serious harm to the people affected must be notified to the Privacy Commissioner (and, in most cases, to those people) as soon as practicable after you become aware of it. If the breach happens at your vendor, that clock is effectively running while you wait to be told, so you need fast answers. A DPA should require the processor to notify you promptly, ideally within a defined number of hours, and to cooperate with investigations and notifications.
Many businesses also formalise this internally with a Data Breach Response Plan, so everyone knows what to do and who owns which steps.
What Should A Data Processing Agreement Include?
There isn’t one perfect DPA for every business. A small business using a basic SaaS provider will have different risks to a health provider outsourcing sensitive patient data processing.
That said, a well-drafted DPA usually covers the following core areas.
1. The Scope Of Processing
Your DPA should clearly set out:
- what types of personal information are being processed
- why it’s being processed
- how long it will be processed for
- the categories of individuals involved (customers, employees, app users, etc.)
This is important because a processor should only process personal information on your documented instructions, and not for its own purposes.
2. Confidentiality Obligations
If your vendor’s staff (or subcontractors) can access personal information, you’ll want confidentiality obligations that are clear, enforceable and tied to real consequences.
Depending on the relationship, you might also pair a DPA with a separate NDA, or include confidentiality terms in your main services agreement.
3. Security Measures
Good DPAs don’t just say “the processor must keep data secure.” They spell out what that means in a practical way.
This may include:
- minimum technical security standards
- requirements for security training and internal policies
- requirements to maintain and patch systems
- restrictions around downloading data to personal devices
- penetration testing / vulnerability management expectations where appropriate (e.g. regular penetration testing, and timeframes for patching critical vulnerabilities)
4. Subcontractors (Sub-Processors)
A common pain point is where your service provider on-sells or outsources parts of the processing.
Your DPA should deal with:
- whether the vendor can use subcontractors
- whether they need your written approval first
- what terms must flow down to any subcontractor
- who is responsible if the subcontractor causes a breach
This matters even more if processing happens offshore (or data is stored in multiple jurisdictions), because you’ll want to understand where the data is going and who can access it.
5. Assistance With Privacy Requests
Individuals in New Zealand can request access to, and correction of, their personal information, and you generally have to respond to an access request within 20 working days. If your vendor holds the data, your DPA should require them to help you respond well inside that window.
Many businesses use an internal Access Request Form so requests are handled consistently and can be tracked.
6. Data Breach Notification And Cooperation
Your DPA should cover:
- how quickly your vendor must notify you after becoming aware of an actual or suspected breach (set a number of hours, not just “promptly”)
- what information they must provide (what happened, what data, who is affected, mitigation steps), and updates as the picture changes
- how investigations will be handled, including preserving logs and other evidence
- who communicates with affected individuals and the Privacy Commissioner (usually you, as the principal)
This is where vague wording can really hurt you. If your contract doesn’t require speedy notification, you might learn about an incident late - when the damage is already done.
7. Data Return Or Deletion
At the end of the relationship, you’ll want to know what happens to the data.
Your DPA should set out whether the vendor must:
- return the personal information to you (in a usable format)
- delete it, and confirm deletion in writing, including from backups and any subcontractors
- retain it only where legally required (and for how long, and under what protections)
8. Audit Rights And Evidence Of Compliance
For higher-risk processing, you may want the right to request reasonable evidence that the vendor is meeting their obligations.
This doesn’t always mean you’re physically auditing their servers. It could be things like:
- security certifications (e.g. ISO 27001)
- policies and procedures
- third-party audit reports (e.g. SOC 2)
- incident management processes
- summaries of recent penetration test results and how findings were remediated
Do I Need A DPA If My Provider Has Their Own Terms?
Many SaaS providers (especially international ones) offer standard terms, including a “DPA addendum”. Sometimes those terms are fine. Sometimes they’re very one-sided, or don’t match how your business actually operates.
Here are a few common red flags we see:
- They can change the terms unilaterally without giving you meaningful notice.
- They disclaim most liability even if they’re responsible for a major incident.
- They can use broad sub-processors without clear controls.
- They don’t commit to practical security steps (it’s all “reasonable measures” with no detail).
- They don’t give clear breach notification timeframes or the timeframe is too long for your business needs.
If you’re handling sensitive or high-volume data, or you operate in a regulated space, it’s worth getting tailored legal advice on whether the provider’s DPA is actually enough.
And if you’re drafting your own customer contracts, it’s important your privacy commitments are consistent across the board - your public statements, your internal processes, and your supplier agreements should all line up. This is often where your Privacy Collection Notice and your processing contracts need to work together.
How Do DPAs Work For Overseas Providers And Cross-Border Data?
It’s incredibly common for New Zealand businesses to use overseas providers (cloud hosting, analytics tools, helpdesk software, payment platforms, and so on).
Using overseas providers isn’t automatically a problem. But it does mean you should be a bit more deliberate about your contracting and privacy setup.
Practically, you’ll want to consider:
- Where the data is stored (and whether it moves between regions)
- Who can access it (including support teams in other countries)
- Which laws apply under the contract and how disputes will be handled
- Whether subcontractors are used and where they’re based
Even if your provider is global, your business still needs to meet its obligations under NZ law. A properly drafted DPA helps bridge that gap by setting clear privacy and security obligations that match your real-world risk.
If your arrangements are complex (for example, multiple vendors, multiple jurisdictions, or sensitive categories of data), getting a lawyer to tailor the agreement can save you a lot of stress later.
And if you’re building or scaling a tech product, it’s also worth making sure your broader legal docs support your privacy position - such as your platform Terms of Use and, where relevant, customer-facing terms and service agreements.
Key Takeaways
- A Data Processing Agreement (DPA) sets enforceable rules for how third-party providers can process personal information on your behalf.
- If you use vendors for hosting, payroll, marketing, IT support, customer service, analytics or SaaS tools that handle personal information, a DPA (or strong processing clauses) is usually a smart move.
- Under the Privacy Act 2020, you generally remain accountable for protecting personal information, even when it’s held by a service provider.
- A strong DPA should cover scope, confidentiality, security standards, subcontracting controls, breach notification, assistance with privacy requests, and return/deletion of data at the end of the relationship.
- Relying on a provider’s standard terms can be risky if the terms are vague, one-sided, or don’t reflect your business’s privacy commitments.
- DPAs are especially important where data is sensitive, high-volume, or processed overseas, because the practical and reputational risks are higher.
If you’d like help putting the right Data Processing Agreement in place (or reviewing what a supplier has given you), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.