Last updated: 07 June, 2023
Ezidox Pty Limited - CDR Policy
1. Consumer Data Right (“CDR”) Introduction
As an accredited CDR provider, Ezidox Pty Limited (“Ezidox”) is committed to protecting the privacy and security of the data we hold on behalf of our customers under the CDR regime in Australia.
This CDR Policy outlines our obligations and procedures for collecting, storing, using and disclosing data that you consent to sharing with us in accordance with the CDR, and our obligations to maintain the integrity and security of this information at all times.
This CDR Policy should be read in conjunction with our Privacy Policy. Both can be found on the homepage of our website and provide information on our management of your personal information.
2. What is the CDR?
CDR forms part of the Open Banking environment that has been developed to allow consumers greater access and flexibility to transfer their existing banking and finance arrangements more easily amongst different providers in order to source better outcomes in products, pricing and services.
Open Banking allows consumers’ data to be sent, with their approval, to other banks and institutions to allow seamless and efficient switching of services, providing the consumer with a better outcome. The transfer of data is done with your full consent, knowledge, and control in a secure way.
3. Data and Your rights
Ezidox is accredited by the Australian Competition and Consumer Commission (“ACCC”) as a CDR holder and as such, we are subject to their ongoing processes, controls and procedures in the management and security of your information. We will only use and disclose your data for the purposes for which it was collected, or as required by law. We will not disclose data to third parties without your express consent, except where required by law or to provide CDR-related services to you.
As a consumer you will always maintain control over who you approve our sharing of your data with. As an example, you may choose to share your data that is held by an existing data holder (eg a bank) with another accredited data recipient (eg another bank).
4. Granting and Managing Consent
At your discretion, you can consent to share your data with a data recipient. Your data sharing rights and what you choose to share are as follows:
- What data and product types (eg personal profile, your types of banking and other financial products and their applicable details, transaction types, balances etc);
- Whether you consent to the ongoing sharing of your data at any time with providers that you approve, or whether you permit sharing on a one-off basis;
- Having the option to receive ongoing marketing material on the basis of the data you have provided and what is stored, and
- Upon your consent, adding or deleting of stored data, and generally, maintaining and controlling the way your data is managed by a provider.
Your consent can be ongoing without time limitation, be for a specified period (eg 12 months or another defined period) or be subject to withdrawal at your discretion.
Your CDR rights allow you to view and manage your consents with any party that has been approved to receive or send your data.
5. Withdrawing Consent
You may withdraw your consent at any time and this can be done in a number of ways:
- Directly through the dashboard of the holder of your information, and
- In writing to any holder of your information.
If your revocation is received electronically via a dashboard, that consent will be revoked in real time upon receipt. For revocation received in writing, that revocation will be processed within two (2) business days.
Regardless of which type of revocation is used, any financial undertaking being processed at the time of revocation may need to be re-done if relevant information has not passed to the organisation processing the transaction.
If the consent is withdrawn, we will delete your data.
If you withdraw your consent, the services provided to you may also cease.
6. Consent Notifications
You will receive written correspondence outlining all details of your requested actions when you:
- Grant consent;
- Change the management of your consent;
- Withdraw consent, or
- Have consent that is expired.
We are obligated to provide you with written notifications every 90 days to confirm the data shared, expiry dates and any other relevant information associated with your data stored with us. You may not opt out of these notifications.
7. Data Deletion
We are required under legislation to adhere to the data minimisation principle. This principle allows for the holding of data only for the purposes for which it was required. No other data is to be held for any other requirements or purposes that were not specified when obtained.
You may request that your collected data, and any information generated from it, be removed when it becomes redundant. Consent must be granted or obtained before it can be revoked, expire or become redundant.
8. Outsourced Services and Data Disclosure
We do not provide CDR data to any third parties or outsourced service providers. All data is stored and maintained using our own software and governed by the legislation covering CDR rights.
We do not disclose or share your CDR data to any third parties or for any commercial purposes. If for whatever reason this should change, we will notify you for your information and will be required to disclose details of these third parties in this policy and on our website.
9. Where your Data is Stored
Your CDR data is stored onshore in Australia.
10. Protecting your Privacy and Complaints Resolution
If you have a question or complaint about how your personal information is being handled by us, please contact us in the first instance using the contact details provided below.
As detailed in our Complaints Process, we will immediately acknowledge receipt of your complaint and look to initially resolve your complaint within five (5) business days of being received.
Some complaints may take longer to resolve. If your complaint is taking longer, we will let you know its progress and a date by which you can reasonably expect a response.
If you are unhappy with our response or the time taken to respond, you can contact our Chief Compliance Officer who can conduct an independent review of your matter. The contact details are complaints@ezidox.com.
If the undertaking of our Internal Dispute Resolution (IDR) process does not satisfy your underlying issue, you are not precluded from raising your issue at any time with the External Dispute Resolution (EDR) process detailed below.
Under the Privacy Act you may complain to the Office of the Australian Information Commissioner (OAIC) about the way we handle your personal information, but note that you must first invoke the IDR process detailed above, notwithstanding that existing legislation allows us 30 days to deal with your complaint before you can make a complaint to the OAIC.
The Commissioner can be contacted at:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Further, the Australian Financial Complaints Authority (AFCA) can consider complaints that relate to the provision of credit or credit reporting information. AFCA can be contacted at:
Email: info@afca.org.au
Phone: 1800 931 678 (free call)
Mail: Australian Financial Complaints Authority GPO Box 3 Melbourne VIC 3001
11. Contact Us
You can contact us in the following ways:
- By email at contact@ezidox.com
- In writing to Ezidox Pty Limited L2 6 The Corso, Manly NSW 2095