The OAIC has primary responsibility for consumer complaints about privacy and data handling in the Consumer Data Right (CDR) system.

We can handle complaints from individuals and small businesses that have an annual turnover of $3 million or less.

We may refer certain complaints to an external dispute resolution (EDR) scheme or the Australian Competition and Consumer Commission if we consider they are best placed to review the matter.

A consumer must complain to the relevant business first, before they can lodge a complaint with the relevant EDR scheme or the OAIC.

Data holders and accredited data recipients must have internal dispute resolution (IDR) processes that meet the IDR requirements under the Australian Securities and Investments Commission’s Regulatory Guide 165 on internal and external dispute resolution.

Data holders and accredited data recipients are also required to be members of an EDR scheme in relation to CDR consumer complaints. In the banking sector, this is the Australian Financial Complaints Authority.

If a consumer is unsatisfied with the outcome of an entity’s IDR process, they can make a complaint to the relevant EDR scheme or to the OAIC.

Find out more about CDR complaints, including what consumers can complain to the OAIC about, and how we investigate complaints.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au