RollCall

DPA — New Zealand

Last Updated: March 2026
Back to Data Processing Agreement

1. Applicability

This New Zealand-specific addendum supplements the global Data Processing Agreement and applies where the Controller is a New Zealand educational institution or where Personal Data of New Zealand residents is processed. This addendum addresses obligations under the Privacy Act 2020 (NZ) and the Information Privacy Principles (IPPs).

2. Privacy Act 2020 Compliance

RollCall commits to processing Personal Data in accordance with the Information Privacy Principles under the Privacy Act 2020, including:

  • IPP 1 (Purpose of collection): Collecting Personal Data only for a lawful purpose connected with our functions
  • IPP 3 (Collection from subject): Collecting Personal Data directly from the individual concerned, where practicable
  • IPP 5 (Storage and security): Ensuring Personal Data is protected against loss, unauthorised access, and misuse
  • IPP 10 (Limits on use): Using Personal Data only for the purpose for which it was collected
  • IPP 12 (Disclosure outside New Zealand): Ensuring adequate protections when data is disclosed overseas

3. Notifiable Privacy Breaches

RollCall will assist the Controller in complying with the mandatory privacy breach notification regime under the Privacy Act 2020. Where RollCall becomes aware of a privacy breach that has caused or is likely to cause serious harm, RollCall shall:

  • Notify the Controller as soon as practicable, and in any event within 72 hours
  • Provide sufficient information for the Controller to assess whether notification to the Office of the Privacy Commissioner (OPC) is required
  • Assist the Controller in preparing notifications to the OPC and affected individuals
  • Cooperate with the OPC in any investigation relating to the breach

4. Data Storage Location

Personal Data of New Zealand data subjects is stored in the AWS Asia Pacific (Sydney) region (ap-southeast-2). RollCall does not transfer New Zealand Personal Data to jurisdictions that do not provide comparable privacy protections, except as specifically authorised by the Controller or as required for the operation of sub-processors listed in the global DPA.

5. Children's Data

RollCall recognises the particular sensitivity of children's data under New Zealand law and the obligations of schools under the Education and Training Act 2020. We implement additional safeguards including:

  • Strict access controls limiting who can view student information
  • No use of student data for marketing, profiling, or commercial purposes
  • Immediate deletion of student records upon school request or service termination
  • Compliance with Ministry of Education data governance requirements

6. Te Tiriti o Waitangi Considerations

RollCall acknowledges the importance of Te Tiriti o Waitangi and the principles it embodies. We are committed to working with Kura Kaupapa Maori and other educational institutions to ensure our data handling practices respect Maori data sovereignty principles and cultural considerations where applicable.

7. Governing Law

This addendum is governed by the laws of New Zealand. The parties submit to the exclusive jurisdiction of the courts of New Zealand for any disputes arising under this addendum.

8. Contact

For enquiries regarding this DPA addendum, contact the RollCall Privacy Officer:

Email: privacy@rollcall.com.au
Phone: 1300 821 116
Address: 1/146-148 Thistlethwaite Street, South Melbourne VIC 3205, Australia