How to make a CDR complaint

On this page

  • Complain to the business first
  • What to include in your complaint
  • Keep a record of your complaint
  • Give the business at least 30 days to respond

Complain to the business first

If you think a business has mishandled your Consumer Data Right (CDR) data or breached your privacy, you should complain to them first, before you lodge your complaint with the OAIC or a recognised external dispute resolution scheme.

Check the business’ CDR policy, which must explain how a consumer can make a complaint. The policy must be available on the business’ website or in their mobile app. Businesses participating in the Consumer Data Right are required to provide you with a copy of the policy if you ask for it.

What to include in your complaint

When making a complaint to the business, you should:

  • identify yourself
  • give any identification or reference number(s), if relevant
  • give a brief description of the matter and why you think the business has mishandled your data (what happened, when it happened and any consequences)
  • let them know what you would like them to do to resolve the matter.

If you put your complaint in writing, also include:

  • a contact address
  • a contact phone number
  • the date (if you are sending a letter).

You may wish to use this template to make your complaint:

Dear Privacy/Consumer Data Right Officer,

I am writing to you to make a Consumer Data Right complaint about how [name of business] has handled my data.

On [date], [provide an explanation of what happened, including as much detail as possible].

As a result of this [explain the impact the incident has had on you and why you are concerned about this].

To resolve this complaint, I would like you to [outline what you are seeking to resolve the complaint].

Please call me on [your phone number] to discuss the complaint.

If I do not receive a response from you within a reasonable time (generally 30 days) or the complaint is not resolved, I may contact the relevant external dispute resolution scheme or the Office of the Australian Information Commissioner to make a complaint.

Yours sincerely

[Your name]

Keep a record of your complaint and any responses

Make sure you keep a record of your complaint.

If you complained in person or over the phone, make a record of:

  • the date you complained
  • the name of the business you complained to
  • the name of the person you complained to, if available
  • a brief description of why you think the business has mishandled your CDR data (what happened, when it happened and any consequences)
  • a brief description of what you asked the business to do to resolve the matter.

If you receive a response, make a record of:

  • the date you received the response
  • the name of the business that responded
  • the name of the person you spoke to, if available
  • a description of the response.

If the business responds in writing, keep a record of their response.

Give them at least 30 days to respond

You need to give the business a reasonable amount of time to respond to your complaint. We think 30 days is a reasonable time.

If the business doesn’t respond to your complaint or you are not happy with their response, you can lodge a complaint with us or the relevant external dispute resolution scheme.

If your complaint would be better handled by an external dispute resolution scheme, the OAIC will generally refer your complaint to the appropriate scheme. We will notify you if we refer your complaint.

The Australian Financial Complaints Authority is the external dispute resolution scheme for the Consumer Data Right in the banking sector.