Cross-border data transfers: NZ privacy obligations when data leaves the country

IPP12 of the Privacy Act 2020 restricts the disclosure of personal information to overseas recipients. For businesses that operate across borders or use overseas service providers, this creates important obligations.

When does IPP12 apply?

IPP12 applies when an agency discloses personal information to a person or organisation in another country. This includes:

• Sending customer data to an overseas head office
• Using overseas cloud services that process personal information
• Sharing data with overseas partners or service providers

The conditions

You can transfer personal information overseas if:

• The individual authorises the transfer after being told that IPP12 may not protect their information overseas.

• The overseas recipient is subject to privacy laws that provide comparable safeguards.

• The overseas recipient is covered by a binding scheme or contract that provides comparable safeguards.

• The transfer is necessary for the performance of a contract between the individual and the agency.

DEIS and cross-border data

DEIS processes all data in New Zealand using NZ-based infrastructure. Lookup results and compliance evidence do not leave the country. If your business needs to share lookup results with overseas offices or partners, you should consider IPP12 obligations — and DEIS's evidence log can document your IPP12 compliance pathway.