Customer and Product Data Act 2025

Regulated data services - Main obligations - Designated actions

19: Data holder must perform certain actions on accredited requestor’s request if customer’s authorisation is confirmed

You could also call this:

“Data holder must follow verified customer requests from approved requestors”

If someone called an accredited requestor asks a data holder to do something for a customer, the data holder has to do it if certain conditions are met. These conditions are:

The data holder has checked that the customer has given permission.

The action the accredited requestor is asking for is on a special list called ‘designated actions’.

The data holder usually does this kind of action as part of their normal business.

The request is made properly and uses the right system.

The accredited requestor is allowed to make this kind of request.

The data holder has made sure the person making the request is who they say they are.

If all these things are true, then the data holder must do what the accredited requestor has asked.

When deciding if the data holder usually does this kind of action, they need to look at any rules set out in the regulations and standards.


View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS710007.



Part 2 Regulated data services
Main obligations: Designated actions

19 Data holder must perform certain actions on accredited requestor’s request if customer’s authorisation is confirmed

  1. This section applies if—
    1. an accredited requestor (A) requests that a data holder perform an action in respect of a customer; and
    2. the data holder has carried out confirmation in relation to the request under section 39; and
    3. the requested action is a designated action; and
    4. the data holder would ordinarily perform the action to which the request relates in the course of the data holder’s business (see subsection (3)); and
    5. the request—
      1. is a valid request; and
      2. is made using the system described in section 27; and
    6. A is acting within the class of its accreditation; and
    7. the data holder has verified the identity of the person who made the request under section 45(2).

  2. The data holder must perform the action.

  3. When considering whether a data holder would ordinarily perform an action in the course of its business, regard must be had to the matters (if any) prescribed in the regulations and the standards.