Does GDPR apply in New Zealand?

The GDPR is a European Union data privacy regulation that may affect New Zealand businesses that offer products or services via a website to individuals within the European Union (EU) or the European Economic Area (EEA).

This article gives a high level overview of the GDPR from a business owners’ point of view and gives you links to other resources that will help you understand your obligations in the context of the services you use, such as WooCommerce or MailChimp.

You Are Responsible For GDPR Compliance

The GDPR is a complex legal subject on which Anyware Ltd is not qualified to offer legal advice and we do not present this as a substitute for legal advice. Complying with the GDPR is your responsibility as a business owner and if you do not get qualified legal advice you may be taking on a significant risk for your business.

What Anyware can do is give you an overview of the GDPR and provide links to other relevant information so you don’t have to do as much research and the time you spend with your lawyer is more productive.
We can also help you to access tools that may help you comply with the GDPR, on the basis that only you can decide whether any tools you use have satisfied your compliance of the GDPR.

Does The GDPR Apply To Your Business?

If you sell a product or service to any person who resides in the European Union then there is a good chance the GDPR does apply to you. The NZ Law Society explains this well
The first step is to talk to your lawyer to establish whether the GDPR applies to you.
The GDPR applies to your customers and prospects in Europe and does not apply in NZ, but it’s likely to arrive in New Zealand in some form sooner or later and complying with it sooner could be considered best practice and is likely to earn more trust from your customers.

Controller vs. Processor

The GDPR separates data protection responsibilities into two categories: controllers and processors.
A Controller is the party that determines for what purposes and how personal data is processed.
A Processor is the party that processes personal data on behalf of the controller.

Normally you, the merchant, collect information from your customers as a controller and your service providers (e.g. MailChimp or Google Analytics) act as processors of your customers’ personal data.
There are a number of situations where these roles and their responsibilities change and the easiest way to understand them is to read a GDPR guide written about your specific processor, e.g. MailChimp, Google Analytics or WooCommerce. The Shopify guide at end of this article has a nice explanation with diagrams that make this easy to understand.

Legal basis for processing

Personal data cannot be processed except under a recognized legal basis (unless an exemption applies). The GDPR sets out a list of possible legal bases under which personal data may be processed. These reasons include:

  • Consent
  • Contractual obligations
  • Legal obligations
  • The public’s interests
  • Legitimate interests of the controller or third party, balanced against the rights of the data subject

Consent of the data subject means the data subject (your customer) has agreed to the processing of their personal data with a clear affirmative action.
This agreement must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous

Merchants (you), as controllers of their customers’ personal data, are responsible for ensuring they have a proper legal basis for doing so, including keeping evidence of consent when processing is based on consent.

Consent For Children

When offering goods or services online directly to children under 16 years of age, the controller is responsible for obtaining verifiable consent from the child’s parents for processing their data.
Merchants are responsible for assessing whether they need to obtain a higher level of consent for certain customers.

Email Marketing

Before sending email to customers you need their consent, which should be obtained from both new subscribers and existing subscribers.
MailChimp have an excellent guide on this topic.

Any form on your website that is used for subscribing customers to your mailing list needs to explicitly describe why you are collecting the data.
Signup forms could include your newsletter sign up form and the checkout page in your shopping cart, where customers can tick a box to subscribe to your newsletter.
Your forms should give customers the option to subscribe/unsubscribe to each method of communication that you use, eg: email, direct mail or customised online advertising.
If you add a method of communication later, such as online advertising (Google Ads), take care to add it to your forms.

Existing EU subscribers will need to be sent an opt in campaign. The MailChimp guide provides some good advice on this.

Other Considerations


If you have contact forms on your website that store data you need to ask for consent to do so. Also consider disabling tracking of cookies and other info

Retargeting Ads

If your website is running retargeting pixels or retargeting ads, then you will need to get user’s consent. You can do this by using a plugin like Cookie Notice.

Privacy Policy

Your privacy policy is a key component of your GDPR compliance.

Your privacy policy should include:

  • who you are
  • what data you collect
  • for what reason you collect the data
  • for how long you retain it
  • which third parties receive it
  • how to download data
  • how to delete data
  • how to get in touch with you for data-related issues

Your privacy policy and terms of service can be linked to from every page on your website (the footer works well). Also decide if you need to add a privacy policy check box next to things like opt-ins, user registration forms and checkout forms.

More Info

Many service providers have written a GDPR guide with specific advice and information about complying with GDPR when using their service. We recommend that you read any guide that applies to any service you use. Here are some good examples:

Most importantly, understand your GDPR obligations as best you can and then speak to a lawyer who specialises in GDPR.

We are happy to help you implement any of the tools you need to comply with the GDPR. Call us for a chat .