Adatree Consumer Data Right Policy

CDR Policy Overview

This Consumer Data Right (CDR) Policy (the Policy) explains how Adatree Pty Ltd (Adatree) can collect, use, hold and disclose your data that you consent to sharing with us. This ensures transparency and trust between all parties. It also ensures the quality, integrity and security of your personal information under applicable CDR legislation and Privacy Laws. 

Please refer to the Privacy Policy on our website for information on our management of your personal information.

What is the CDR?

The CDR (Consumer Data Right) gives you control about the data that you share with banks and financial institutions. This is often referred to as Open Banking. It’s a secure way for you to send your data to companies with your full consent, knowledge and control. The intention is that you can help find the best products and pricing, and to help switch to new products and services.

Open Banking will allow you to ask that your data be sent to other banks, financial institutions and authorised organisations when you want to. You control who holds your data and how it is used.

Your rights as a consumer regarding your data

As a consumer you have control over who you share your data with. Any data recipient is accredited by the ACCC and is subject to: 

• ongoing processes;
• internal dispute resolution;
• information security;
• service-level agreements;
• audits; and 
• other requirements by the Data Accreditation Body. 

You may choose to share your data that is held by an existing data holder (like a banking institution) with an accredited data recipient (like another banking institution or fintech). 

Granting and managing consent

Should you choose, you can consent to share your data with a data recipient. 

CDR Legislation and Privacy Law gives you the right to choose how you share your data, including: 

• which data types (like customer information, payments, transaction or account information);
• how long you’ll share your data for: as a once-off or ongoing;
• whether you want to receive direct marketing related to the data shared; and 
• whether your data will be deleted or de-identified. 

Consent can only last for a maximum of twelve (12) months. After 12 months your consent expires and you can either re-confirm your consent or explicitly withdraw your consent. If you don’t actively state your preference, your consent will automatically be withdrawn.

You may view and manage your consent in the consent dashboard of either of the organisations that receive or send your data. The three types of consent status include: active, expired or withdrawn.

Data you may share with us

You can consent to share your data with Adatree or other CDR regulated customers (accredited persons). 

Adatree will only collect, hold and use your CDR data for the purpose of providing it to another participant that you have consented to share it with, potentially including one of our CDR Representatives for the use cases listed in Section 9.

The types of CDR data we may ask you to share will depend on the service being provided to you. We’ll let you know if a service we provide requires a particular type of data. 

We may hold and use the following types of data to provide services through our web applications:

Banking data

Account balance and details

• Name of account
• Type of account
• Account balance
• Account number
• Interest rates
• Fees
• Discounts
• Account terms
• Account mail address

Transaction details

• Incoming & outgoing transactions
• Amounts
• Dates
• Descriptions of transactions
• The account name of who you have sent money to and received money from 

Name, occupation and contact details

• Name
• Occupation
• Phone
• Email address
• Mail address
• Residential address

Organisation profile and contact details

• Agent name and role
• Organisation name
• Organisation numbers (ABN or ACN)
• Charity status
• Establishment date
• Industry
• Organisation type
• Country of registration
• Organisation address
• Mail address
• Phone number

Direct debits and scheduled payments 

• Direct debit authorisations
• Scheduled, outgoing payments

Payees

• Names and details of saved payee accounts

Energy data

Concessions and assistance

• Concession type
• Concession information

Account and plan details

• Account and plan information
• Account type
• Fees, features, rates and discounts
• Additional users

Payment preferences

• Payment and billing frequency
• Any scheduled payment details

Billing payments and history

• Account balance
• Payment method
• Payment status
• Charges, discounts, credits
• Billing data
• Usage for billing period
• Payment date
• Invoice number 

Electricity usage

• Usage
• Meter details

Electricity connection

• National Meter Identifier (NMI)
• Customer type
• Connection point details

Electricity meter

• Supply address
• Meter details
• Associated service providers

Energy generation and storage

• Generation information
• Generation or storage device type
• Device characteristics
• Devices that can operate without the grid
• Energy conversion information

Withdrawing consent

You may withdraw your consent at any time and can be done in three (3) ways::

• Through the data recipient consent dashboard; 
• Through the data holder consent dashboard; or 
• In writing to either party. 

If you use the consent dashboard to withdraw your consent, the status of your consent will be updated in near real-time and reflect your change almost immediately. If you choose to withdraw your consent in writing, this will be completed by the data recipient or data holder within two business days. 

If you withdraw your consent we’ll delete your data. However some services require your active consent and withdrawing consent could mean the services provided by the data recipient may cease. 

Consent notifications

You’ll receive a notification every 90 days to confirm the data you have shared, the expiry date and other consent information. You’ll also receive a notification with a summary of these details any time you: 

• Grant consent;
• Commence allowing Adatree to collect CDR data;
• Commence allowing Adatree to disclose CDR data;
• Manage consent;  
• Withdraw consent; or 
• Have consent that is expired. 

You may not opt out of these notifications at any time. 

Deletion of your data

Adatree must adhere to the data minimisation principle. This principle outlines  that a data recipient can only ask you for data that is absolutely necessary and can only hold it for the minimum amount of time it is needed to provide their service.

Any time you give consent to a data recipient, you can also request that your CDR data, and any data derived from it, be deleted as soon as it becomes redundant. This can be managed when you first give consent or at any time your consent status is active.  

We’ll only use your data for the purpose you have agreed to, and we will delete it after it has been used for that purpose. Adatree does not hold any redundant data. 

When you withdraw data sharing consent or your consent expires, we’ll automatically irretrievably destroy your data within seconds. We’ll also automatically notify any Outsourced Service Provider or CDR Representative with whom your data has been shared and require them to irretrievably destroy your data as well. Deletion by third parties is managed through contracts and regular attestations. 

Disclosing your data to outsourced parties

Outsourced Service Providers

Adatree leverages some third parties, referred to as outsourced service providers (OSPs). We are required to disclose details of OSPs we use for CDR. Should this change, this Policy will be updated. 

Adatree does not hold hard copies of CDR data. During business continuity events, redundant data is irretrievably destroyed before restoring service. Your data contained in backup systems is not accessible to anyone without invoking business continuity procedures, which may occur during a significant disaster or cyber security event. Backups are held for seven years after which they are destroyed.

If we share your data with an accredited person, this is because we have a written agreement with them to collect data on their behalf. This will be clear to you in the consent granting process. 

CDR Representatives 

All of Adatree’s CDR Representatives are registered with the ACCC. If we share your data with one of our CDR Representatives, it is because you have explicitly consented to their accessing and using your CDR data. Below is a list of our CDR Representatives and the nature of their services:

• G&C Mutual Bank Limited, banking
• Police Financial Services Limited, banking
• QPCU Limited T/A QBANK, banking
• Central Murray Credit Union Limited, banking
• WAW Credit Union Co-operative Ltd, banking
• Auswide Bank Ltd, banking
• Macarthur Credit Union Ltd, banking
• Central West Credit Union Limited, banking
• Southern Cross Credit Union LTD, banking
• Laboratories Credit Union Ltd, banking
• Transport Mutual Credit Union Limited, banking
• Energy Flex Pty Ltd, Energy usage monitoring service
• Macquarie Credit Union Ltd, banking
• RC2 Capital Pty Ltd,  digital wealth management platform
• Newcastle Greater Mutual Group Limited, banking
• Compare Club Australia Pty Ltd, comparison platform

Where your data is stored

Your data is held by Adatree in our secure and audited environment. Adatree only stores your data in Australia. Adatree does not share data with accredited parties based outside of Australia. 

Any data shared with one of our OSPs is processed in Australia.

Correction of your data

If any data that you share with Adatree is incorrect, you can request correction of your data using the Adatree contact details listed below. You can also ask the Data Holder (the business you authorise to share data with us) for access to your CDR data and, if required, to correct it. 

When requesting a correction, be sure to provide specific details so we can assess the issue and make the right corrections. Once we’ve assessed your request, we will make the adjustments and reply to your email with a description of the changes we’ve made. You will also have the opportunity to make a complaint if you’re unsatisfied.

Events for notifying you

In the event of a data breach (such as where an unauthorised party accesses your CDR Data, we will notify you as soon as practical. This is so you can take action to mitigate any potential damage or loss caused by the data breach.

If this occurs, we will: 

• Contain the data breach to prevent any further leak of personal information;
• Investigate the data breach by gathering the facts and taking action to reduce any risk of harm;
• Notify the Commissioner if the breach is an ‘eligible data breach’ under the Notifiable Data Breach scheme; and 
• Review the incident and improve our processes, policies and controls to prevent future breaches.

Resolving your privacy concerns and complaints – your rights

If you have a question or complaint about how your personal information is being handled by us, our affiliates or outsourced service providers, please contact us at any time by using the contact details below.

Please include the following information with your complaint.

• Your name;
• Your contact details;
• The details of your complaint.

Once we receive your complaint, we will acknowledge it as quickly as possible (within one business day) and let you know if any further information is needed to resolve your complaint.

We will assess whether the complaint can be addressed immediately, investigate if more details are required, determine the most appropriate remedy and communicate the proposed remedy to the complainant. A potential remedy could include a formal apology or a correction of details.

We aim to resolve complaints as quickly as possible, but some complaints take longer to resolve than others. If your complaint has taken longer than five (5) business days to resolve we will send you an update of our progress and include an updated timeframe of when you can reasonably expect a response.

If Adatree does not resolve the dispute within 5 business days, then Adatree will provide an internal dispute resolution (IDR) response no later than 30 days after receiving the complaint. If the complaint is particularly complex or there are circumstances beyond Adatree’s controls which are causing the delays, then Adatree will provide an ‘IDR delay notification’ which informs the complainant about the reasons for the delay, their right to complain to AFCA if they are dissatisfied and the contact details for AFCA.

If you’re unhappy with our response you can request an independent review with our Complaints Officer by emailing complaints@adatree.com.au. 

Raising your issue with our Complaints Officer does not limit you from raising your issue at any time with external disputes schemes or relevant regulators. 

Under the Privacy Act you may complain to the Office of the Australian Information Commissioner (OAIC) about the way we handle your personal information. Please note the OAIC requires any complaint must first be made to the respondent organisation. Australian law allows 30 days for the respondent organisation to deal with the complaint before any complaint is made to the OAIC.The Commissioner can be contacted at:

• Office of Australian Information Commissioner
• GPO Box 5218
• Sydney NSW 2001
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au
• www.oaic.gov.au

The Australian Financial Complaints Authority (AFCA) can consider certain privacy complaints relating to either the provision of credit or credit reporting information in general. The contact details for AFCA are set out below:

• Online: www.afca.org.au
• Email: info@afca.org.au
• Phone: 1800 931 678 (free call)
• Mail: Australian Financial Complaints Authority GPO Box 3 Melbourne VIC 3001

More details of our complaints process are outlined in our Complaints Policy.

Availability of policy

This policy is available electronically via our website: adatree.com.au/cdrpolicy.

An electronic or hardcopy of this policy can be obtained by emailing hello@adatree.com.au.

Contact Us

You can contact us by:

• calling (02) 8017 1118
• emailing hello@adatree.com.au 
• writing to Adatree, 58-62 Kippax St, Level 2, Surry Hills 2010