Customer and Product Data Act 2025

Protections - Authorisation

40: Customer or secondary user must be able to control authorisation

You could also call this:

“You can check and change who sees your information”

When a data holder confirms that a customer or secondary user has given permission, they need to have a way for that person to see and stop the permission if they want to. The data holder must make sure their system follows any rules set by regulations and standards.

If you give permission to an accredited requestor, they also need to have a system that lets you see and stop the permission. Their system must also follow any rules set by regulations and standards.

Both the data holder and the accredited requestor must make sure that when you decide to stop the permission, it happens right away in their systems.

This text is automatically generated. It might be out of date or be missing some parts.

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS722015.



Part 3 Protections
Authorisation

40 Customer or secondary user must be able to control authorisation

  1. If a data holder has confirmed an authorisation under section 39 given by a customer (or by a secondary user on their behalf), the data holder—
    1. must have systems in place to enable the customer or secondary user (as the case may be) to view or end the authorisation; and
    2. must ensure that those systems meet the requirements (if any) provided for by the regulations and the standards.
  2. If a customer (or a secondary user on their behalf) has given an accredited requestor an authorisation, the accredited requestor—
    1. must have systems in place to enable the customer or secondary user (as the case may be) to view or end the authorisation; and
    2. must ensure that those systems meet the requirements (if any) provided for by the regulations and the standards.
  3. The data holder or accredited requestor must ensure that the systems are able to give immediate effect to the ending of an authorisation.