The OAIC has primary responsibility for consumer complaints about privacy and data handling in the Consumer Data Right system. We can handle complaints from individuals and small businesses that have an annual turnover of $3 million or less. We may refer certain complaints to an external dispute resolution scheme or the ACCC if we consider they are best placed to review the matter.

A consumer must complain to the relevant business first, before they can lodge a complaint with the OAIC.

More information about CDR complaints, including how consumers can make a complaint, is available at

Data holders and accredited data recipients must have internal dispute resolution (IDR) processes that meet the IDR requirements under the Australian Securities and Investments Commission’s Regulatory Guide 165 on internal and external dispute resolution.

If a consumer is unsatisfied with the outcome of an entity’s IDR process, they can make a complaint to us.

Data holders and accredited data recipients are also required to be members of a recognised external dispute resolution scheme in relation to CDR consumer complaints. In the banking sector, this is the Australian Financial Complaints Authority.

Read more about how we handle complaints.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at