Plain language law

New Zealand law explained for everyone

Customer and Product Data Act 2025

Protections - Restriction on who may request regulated data service

43: Only customer, secondary user, or accredited requestor may request regulated data service

You could also call this:

“Only you, your helper, or a special approved person can ask for your customer data”

You can only ask for a regulated data service about a customer if you are the customer, someone helping the customer, or a special approved person.

If you are the customer, you can ask for your own data.

If you are helping the customer (called a secondary user), you can ask for their data if they let you, as explained in section 24.

If you are a special approved person (called an accredited requestor), you can ask for the customer’s data if the customer says it’s okay and if you’re allowed to ask for that kind of data.

If you’re a special approved person and the customer takes away their permission, you won’t get in trouble if you didn’t know they changed their mind and you couldn’t have known about it.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS710773.

Topics:
Money and consumer rights > Consumer protection Rights and equality > Privacy Business > Industry rules
Previous

42: Authorisation must not be required as condition of providing product, or

"You don't have to agree to data sharing to get a product"

Next

44: Offence for contravention of request restriction, or

"You can get in trouble for asking for private information when you're not supposed to"

Part 3 Protections
Restriction on who may request regulated data service

43Only customer, secondary user, or accredited requestor may request regulated data service

  1. A person must not request, or purport to request, a regulated data service that relates to a customer unless the person is—

  2. the customer; or
    1. a secondary user who is acting on behalf of the customer in accordance with section 24; or
      1. an accredited requestor that is—
        1. authorised by the customer to request the service; and
          1. acting within the class of its accreditation.

          2. An accredited requestor does not contravene this section if—

          3. a customer (or a secondary user on their behalf) has ended an authorisation; and
            1. the accredited requestor did not know, and could not reasonably be expected to know, that the authorisation had ended.