The General Data Protection Regulation (GDPR) is a regulation that applies to the European Union (EU) and the European Economic Area (EEA). It does not directly apply to New Zealand as a country.
However, the GDPR has extraterritorial effect, which means it applies to organizations outside the EU if they offer goods or services to, or monitor the behavior of, individuals within the EU. So, if a New Zealand-based company processes personal data of individuals in the EU in connection with offering goods or services, or as a result of monitoring of behavior, it would need to comply with the GDPR.
New Zealand has its own privacy laws. The Privacy Act 2020 is the main piece of legislation which promotes and protects privacy in New Zealand. It replaced the Privacy Act 1993 and introduced several changes to align more closely with the principles of the GDPR, including mandatory reporting of privacy breaches, new criminal offences, and increased powers for the Privacy Commissioner.
It's also worth noting that the European Commission has recognized New Zealand as providing an adequate level of data protection, meaning that personal data can flow from the EU to New Zealand without needing any further safeguards.
