Published on December 3, 2020 by the SECURITI.ai Privacy Research Team
On 1 December 2020, New Zealand’s new Privacy Act 2020 came into effect. Our experts at SECURITI.ai have compiled the following list of compliance actions to remind organizations of their obligations under New Zealand’s new Privacy Act.
Organizations must notify a privacy breach that has caused serious harm to the affected individuals, or is likely to do so, to the Privacy Commissioner and to the affected individuals as soon as practicable after becoming aware of the breach. Where it is not reasonably practicable to notify the affected individual, or each member of a group of affected individuals, organizations must give public notice in a manner that does not identify any individual. Companies that fail to notify a privacy breach without a reasonable excuse are liable on conviction to a fine not exceeding $10,000.
Where an organization outsources data storage or data processing to a third party, that third party is treated as an agent of the organization. The principal data-collecting organization remains responsible for fulfilling the breach notification obligations, even where the breach is caused by a third party acting as its agent. Anything relating to a notifiable privacy breach that is known to any employee or member of the third party is treated as known to the principal data-collecting organization.
Organizations must respond to a data subject’s access request as soon as is reasonably practicable, and in any case not later than 20 working days after the day on which the request is received. Where an organization refuses an access request, the individual has the right to complain to the Privacy Commissioner, who may issue a binding access determination requiring the company to disclose the personal information to the individual.
Organizations must decide whether or not to grant a data subject’s correction request as soon as is reasonably practicable after receiving it, and in any case not later than 20 days after receiving the request, and must notify the requester of the decision. Where an organization has to transfer the request to another organization, it must do so promptly, and in any case not later than 10 working days after receiving the request, and notify the requester accordingly.
Organizations must inform data subjects of the fact that their information is being collected, the purpose for which it is collected, the intended recipients of the information, the consequences of not providing the information, and the data subjects’ rights to access and correct their data. An organization must not use personal information obtained in connection with one purpose for another purpose, except with the authorization of the data subject.
Organizations may transfer personal information outside New Zealand only if the destination country provides safeguards comparable to those in New Zealand’s Privacy Act, the destination country is part of a prescribed binding scheme issued by the government of New Zealand, or the data subject expressly authorizes the disclosure after having been informed that the foreign country’s data protection standards are inadequate.
New Zealand’s Privacy Act 2020 applies to New Zealand entities and to overseas entities carrying on business in New Zealand, irrespective of their size or geographical location and whether or not they are registered in New Zealand.
Ask for a DEMO today to understand how SECURITI.ai can help you comply with New Zealand’s Privacy Act 2020, GDPR, and a whole host of other global privacy laws and regulations, such as the CCPA, with ease.