Plain language law

New Zealand law explained for everyone

Customer and Product Data Act 2025

Regulated data services - Main obligations - Customer data

15: Data holder must provide customer data to accredited requestor if customer’s authorisation is confirmed

You could also call this:

“Give your info if you say it's okay and the asker is allowed”

If someone asks for your customer information, the company that holds your data must give it to them if certain conditions are met. Here’s what needs to happen:

The person asking for your data must be approved to do so. They need to use a special system to make the request. The company that has your data will check if you’ve said it’s okay to share your information. They’ll make sure the data being asked for is actually about you and is the kind of information they’re allowed to share. The company will also check that the person asking for your data is allowed to do so and that they’ve proven who they are.

If all these things check out, then the company must give your data to the person who asked for it. They’ll use the same special system to send the information.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS709487.

Topics:
Money and consumer rights > Consumer protection Business > Industry rules Rights and equality > Privacy
Previous

14: Data holder must provide customer data to customer, or

"Companies must share your personal information with you if you ask correctly"

Next

16: Data holder may or must refuse request for data in certain circumstances, or

"Sometimes people can say no when you ask for your information"

Part 2 Regulated data services
Main obligations: Customer data

15Data holder must provide customer data to accredited requestor if customer’s authorisation is confirmed

  1. This section applies if—

  2. an accredited requestor (A) requests that a data holder provides data to A in respect of a customer; and
    1. the data holder has carried out confirmation in relation to the request under section 39; and
      1. the data is designated customer data that is about that customer; and
        1. the request—
          1. is a valid request; and
            1. is made using the system described in section 27; and
            2. A is acting within the class of its accreditation; and
              1. the data holder has verified the identity of the person who made the request under section 45(2).

                1. The data holder must provide the data to A using that system.