European Union General Data Protection Regulation (GDPR)

Introduction to Te Pūkenga – New Zealand Institute of Skills and Technology

Te Pūkenga – New Zealand Institute of Skills and Technology (Te Pūkenga) is a Crown Entity established on 1 April 2020 with a legislative mandate to, among other things, ensure there is collaboration across its national network and meet the needs of its learners1.  

Te Pūkenga markets itself as NZIST in the international space and is one of the components of the Reform of Vocational Education (RoVE) currently taking place in New Zealand.  RoVE seeks to achieve a unified system for the delivery of high-quality vocational education and training in New Zealand. All personal information that is provided to Te Pūkenga / NZIST (or a subsidiary of Te Pūkenga / NZIST) will ultimately be held exclusively by Te Pūkenga / NZIST and as otherwise described in our Privacy Notice. 

By providing your personal information to Te Pūkenga / NZIST (or a subsidiary of Te Pūkenga / NZIST), you are deemed to consent to your information being shared within Te Pūkenga in order to ensure that we are able to perform the functions that we are established to perform and best serve all staff and learners during RoVE. 

Meaning of Process 

For the purposes of this section, the term 'process' has the meaning given to it under the GDPR and may include any operation or a series of operations performed on EU personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

EU personal data that is collected by us may have been sourced directly from you, a third party (for example, our European associates) or implied from your use of our services.

We process EU personal data in accordance with this section and as set out in our Privacy Notice. 

GDPR Principles

Any EU personal data will be:

  • processed lawfully, transparently and in a fair manner;
  • collected only for the purposes identified in our Privacy Notice or any other agreed specified purposes and not further processed in a manner incompatible with those purposes;
  • collected in an adequate and relevant manner and limited to what is necessary in relation to the purposes for which the EU personal data is processed;
  • kept current and up-to-date in accordance with our obligations;
  • stored in a form which permits us to identify you, but only for the period necessary in relation to the relevant purposes identified in our Privacy Notice;
  • stored and processed securely to protect EU personal data against unlawful or unauthorized access and accidental loss, damage or disclosure in accordance with Privacy Notice. 

Lawful bases for processing

We will collect and process EU personal data only where:

  • you have given consent;
  • the processing of EU personal data is necessary for the performance of a contract with you (such as to deliver the services you have requested or that have been requested on your behalf); and
  • the processing of EU personal data is necessary for the purposes of our 'legitimate interests', provided that such processing does not outweigh your rights or freedoms. 

Where we rely on your consent to process personal data, you have the right to withdraw, restrict or decline your consent at any time and where we rely on legitimate interests, you have the right to object.

We do not use automatic decision making, such as profiling, to make a decision that may produce a legal effect concerning a data subject of EU personal data.

Rights of EU Personal data subjects

In addition to other rights you may have as set out in our Privacy Notice, you may exercise the data protection rights set out below in relation to your EU personal data:

  • Access and Portability: a request can be made by you for a copy of your EU personal data (and any other information relating to your EU personal data permitted under Article 15 of the GDPR) held by us. In addition, you may request to be provided with such EU personal data in a structured, commonly used and machine readable format (including for the purposes of transferring to another party).
  • Restrictions and Objections: You may request that we limit our use of your EU personal data or processing by requesting that we no longer use your EU personal data or limit how we use your data; this may include where you believe it is not lawful for us to hold your EU personal data or instances where your EU personal data was provided for direct marketing purposes and now you no longer want us to contact you.
  • Deletion:  You may request that we delete your EU personal data, if that data is not required by us to meet applicable legal requirements.
  • Complaint:  Without prejudice to any other remedy, you have the right to lodge a complaint with a supervisory authority if you consider that our processing of your EU personal data infringes the GDPR. 

Our responsibilities as a ‘Data Controller’ and ‘Data Processor’

We may act as the ‘data controller’, the ‘data processor’ or, in some instances, both the data controller and data processor simultaneously in relation to EU personal data.

We will be a data controller where we determine the purposes and means of the processing of EU personal data alone or jointly with others. To the extent we are a data controller with respect to EU personal data, we:

  • set out in this statement and our Privacy Notice how we collect personal information (including EU personal data), how it is stored, to whom such personal information is disclosed and how the EU personal data is otherwise processed;
  • appoint processors only under agreements that the processor will comply with the GDPR;
  • will maintain a record of processing activities which are under our responsibility (where required by GDPR);
  • co-operate with relevant authorities which enforce the GDPR;• implement appropriate technical and organisation security measures to protect EU personal data and report any data breaches to authorities and affected individuals as required by the GDPR.

If a third party discloses EU personal data to us for a specific purpose, we will be acting as a data processor in processing the EU personal data for that purpose. Where we act as a data processor, we will:

  • act only on the controller’s documented instructions;
  • impose confidentiality obligations on all personnel who process the EU personal data;
  • not appoint sub-processors without the prior written consent of the controller;
  • at the instruction of the controller, return or destroy the EU personal data; and
  • where applicable, assist the controller in complying with the rights of the data subjects of the EU personal data;
  • maintain and keep accurate records of processing activities (where required by GDPR); and
  • implement appropriate technical and organisation security measures to protect EU personal data and report any data breaches to the controller without undue delay.

Disclosure to third parties

If we are required to disclose your EU personal data to third parties, including data processors or sub-processors, we will notify the third party that it has an obligation to handle any EU personal data in accordance with the GDPR.

In the event we are responsible for a transfer of EU personal data outside of the EU, such transfer will be for the necessary and lawful performance of our activities, including the establishment, exercise or defence of any legal right.

Express consent to transfer

Further to the section above, by providing us with your EU personal data, you are consenting to the disclosure of your EU personal data to third parties outside of the EU. You also acknowledge that we are not required to ensure that those third parties comply with its obligation under the GDPR.