What is a data holder?
A data holder is a business that holds consumer data and must transfer the data to an accredited data recipient at the consumer’s request.
In the case of banking, the initial data holders required to share Consumer Data Right (CDR) data are the four major banks. From 1 July 2021, this expanded to include most authorised deposit taking institutions (ADIs), with some limited exceptions (such as foreign ADIs).
What is an accredited data recipient?
Under the CDR system, consumers consent to a transfer of their data from a data holder to an accredited data recipient, or from one accredited person to another accredited data recipient.
An accredited data recipient has been accredited by the Australian Competition and Consumer Commission (ACCC) to receive consumer data to provide a product or service. They may also be referred to as ‘ADRs’ or ‘accredited providers’.
Accredited data recipients may use a CDR brand mark to help consumers recognise that the business is able to receive their data securely and manage it in line with the rules and safeguards of the CDR system.
Those who wish to become accredited must demonstrate that they:
- are a fit and proper person
- are able to take the steps required to adequately protect CDR data from misuse, interference, loss, and unauthorised access, modification or disclosure
- have internal dispute resolution processes meeting the requirements of the CDR Rules
- are a member of a recognised external dispute resolution scheme
- have adequate insurance to compensate consumers for any loss that might occur from a breach of their CDR-related obligations, and
- have an Australian address.
An accredited data recipient also has ongoing obligations under the CDR Rules.
For the full definition of a data holder and an accredited data recipient, see chapter B of our CDR Privacy Safeguard Guidelines.
Our Guide to privacy for data holders outlines data holders’ key privacy obligations under the CDR. The ACCC website has more information about the accreditation criteria.