If you’re concerned about how a business has handled your Consumer Data Right (CDR) data, you can make a CDR complaint with us if:

  • you complained to the business more than 30 days ago and have not yet received a response or the matter remains unresolved
  • the matter occurred less than 12 months ago.

Your CDR data includes information about you such as your name and contact details, as well as detailed information about your use of a specific product or service.

Generally, we can investigate a complaint about a business that already holds your CDR data and will transfer it to another business under the CDR at your request (known as a data holder), or a business who will have your CDR data transferred to it under the CDR at your request (known known as an accredited data recipient).

Under the CDR, a data holder and an accredited data recipient must have an internal dispute resolution process to respond to a consumer complaint. But you must give the business a reasonable amount of time to respond to your complaint. We think 30 days is reasonable. Only in exceptional circumstances will we investigate a complaint where you haven’t first complained to the business you believe has mishandled your CDR data.

We handle complaints from individuals or small businesses with an annual turnover of $3 million or less. If you’re a business with a higher annual turnover contact the Australian Competition and Consumer Commissioner (ACCC). The Australian Financial Complaints Authority will also accept a complaint from a business with fewer than 100 employees.

Issues you might believe the business mishandled may relate to:

  • collection of CDR data without your consent
  • notification of certain matters, including what data was collected and when
  • consent that has been bundled, coerced, not explicit or unauthorised
  • use and/or disclosure of your CDR data
  • open and transparent management of your CDR data
  • quality of your CDR data
  • correction of your CDR data
  • failure to ensure accuracy or completeness of your CDR data
  • failure to allow anonymity/pseudonymity
  • failure to destroy unsolicited CDR data
  • security of your CDR data
  • failure to advise of a data breach involving your CDR data.

Generally, a complaint must be about a matter that occurred less than 12 months ago. It can be hard to investigate effectively and fairly for both parties beyond this period.

We may refer your complaint to an external dispute resolution scheme or to the ACCC if we consider they are best placed to review the matter. We will notify you if we refer your complaint.