Plain language law

New Zealand law explained for everyone

Customer and Product Data Act 2025

Regulated data services - Main obligations - Designated actions

18: Data holder must perform certain actions on customer’s request

You could also call this:

“Companies must do certain things you ask them to do with your information”

If you ask a data holder to do something for you, they must do it if certain conditions are met. A data holder is someone who holds your data. Here’s what needs to happen:

You need to ask the data holder to do something that they usually do as part of their business. This action must be on a list of ‘designated actions’.

You have to make your request in the right way. This means using a special system described in section 27 of the law. Your request also needs to be valid.

The data holder needs to check that it’s really you making the request. They do this using a method described in section 45(2) of the law.

If all these things are true, then the data holder must do what you’ve asked.

When deciding if an action is something the data holder usually does, they need to look at any rules set out in the regulations and standards.

This text is automatically generated. It might be out of date or be missing some parts. Find out more about how we do this.

This page was last updated on

View the original legislation for this page at https://legislation.govt.nz/act/public/1986/0120/latest/link.aspx?id=LMS853365.

Topics:
Money and consumer rights > Consumer protection Rights and equality > Privacy Business > Industry rules Business > Fair trading
Previous

17: Sections 14 and 15 do not prevent request to access personal information being made in some other manner, or

"You can ask for your personal information in different ways"

Next

19: Data holder must perform certain actions on accredited requestor’s request if customer’s authorisation is confirmed, or

"Data holder must follow verified customer requests from approved requestors"

Part 2 Regulated data services
Main obligations: Designated actions

18Data holder must perform certain actions on customer’s request

  1. This section applies if—

  2. a customer requests that a data holder perform an action relating to the customer; and
    1. the requested action is a designated action; and
      1. the data holder would ordinarily perform the action to which the request relates in the course of the data holder’s business (see subsection (3)); and
        1. the request—
          1. is a valid request; and
            1. is made using the system described in section 27; and
            2. the data holder has verified the identity of the person who made the request under section 45(2).

              1. The data holder must perform the action.

              2. When considering whether a data holder would ordinarily perform an action in the course of its business, regard must be had to the matters (if any) prescribed in the regulations and the standards.