CDR Policy

1. Consumer Data Right Overview

This Consumer Data Right (CDR) Policy (the Policy) explains how Payble can collect, use, hold and disclose your data that you consent to sharing with us. This ensures transparency and trust between all parties, as well as ensuring the quality, integrity, and security of your personal information under applicable CDR legislation and Privacy Laws.

Please refer to the Privacy Policy on our website for information on our management of your personal information.

2. What is the CDR?

The CDR (Consumer Data Right) gives you control over the data that you share with other banks and financial institutions. This is often referred to as Open Banking. It helps you send your data to other companies in a secure way, with your full consent, knowledge, and control. The intention is to help you find the best and most suitable products and prices, and to help you switch to new products and services.

Open Banking will allow you to ask that your data be sent to other banks, financial institutions and authorised organisations when you want to. You control who holds your data and how it is used.

3. Your rights as a consumer regarding your data

As a consumer you have control over who you can share your data with. Any data recipient is accredited by the ACCC and is subject to ongoing processes, internal dispute resolution, information security, service-level agreements, audit and other requirements by the Data Accreditation Body.

You may choose to share your data that is held by an existing data holder (for example, a banking institution) with an accredited data recipient (for example, another banking institution or a fintech).

Payble is able to use or disclose (by sale or otherwise) the de-identified redundant data without seeking further consent from you.

4. Granting and managing consent

Should you choose, you can consent to share your data with a data recipient. You have the right to choose the following about sharing:

● which data types (for example, profile, payments, transaction or product information);

● how long you will share your data for, whether one-off sharing or ongoing sharing;

● whether you opt in to receiving direct marketing related to the data shared; and

● whether you elect deletion of redundant data, if de-identification of data is offered as an alternative.

Consent may only last for a maximum of twelve (12) months, or until you withdraw consent, re-grant consent or the consent expires.

You may view and manage your consent in the consent dashboard of either of the organisations that receive or send your data.

5. Withdrawing consent

You may withdraw your consent at any time. You can withdraw your consent in multiple ways, including:

● Through the data recipient consent dashboard;

● Through the data holder consent dashboard; or

● In writing to either party.

The consent revocation must be completed within two business days if notified in writing. If revocation occurs through the consent dashboard, the dashboard will be updated in near real-time to reflect your change in consent status (for example, active, expired or withdrawn).

If the consent is withdrawn, we will delete your data.

If you withdraw your consent, the services provided to you by the Data Recipient may cease.

6. Consent notifications

You will receive notifications with all details in writing when you:

● Grant consent;

● Manage consent;

● Withdraw consent; or

● Have consent that has expired.

You will also receive notifications in writing every 90 days to confirm the data shared, expiry date and other information. You may not opt out of these notifications.

7. Deletion of your data

Legislation requires that Payble adheres to the data minimisation principle, which requires that only the required data is held, and only for as long as needed. This is related to the purposes stated for data capture.

If you give consent to an accredited data recipient to collect and use your CDR data, you may elect that your collected data, and any data derived from it, be deleted when it becomes redundant. This can be managed when consent is given or during the consent lifecycle before consent is withdrawn or expired.

8. Outsourced parties

Payble does not disclose your CDR data to any parties. If this does change, this list will be updated based on any changed arrangements with outsourced parties.

Payble leverages some Australian-based third parties, referred to as outsourced service providers (OSPs). We are required to disclose details of OSPs we use for CDR.

These third-party service providers are:

● Adatree Pty Ltd (Sydney, Australia): Data Recipient Platform to collect CDR data. Adatree is an accredited and active Data Recipient.

● AWS (Sydney, Australia): Hosting of Payble’s infrastructure. AWS holds SOC2 certification.

9. Where is your data stored

Your CDR data is stored onshore. Copies of your data are stored in the following countries:

● Australia

This list will be updated based on outsourced parties and their storage policies.

10. Resolving your privacy concerns and complaints – your rights

If you have a question or complaint about how your personal information is being handled by us, our affiliates or contracted service providers, please contact us first by using the contact details provided below.

We will acknowledge your complaint as soon as we can after receipt of your complaint. We will let you know if we need any further information from you to resolve your complaint.

We aim to resolve complaints as quickly as possible. We strive to resolve complaints within five (5) business days but some complaints may take longer to resolve. If your complaint is taking longer, we will let you know what is happening and a date by which you can reasonably expect a response.

If you are unhappy with our response, you can contact our Complaints Officer who can conduct an independent review of your matter. The contact details are complaints@payble.com.au.

Raising your issue with our Complaints Officer does not preclude you from raising your issue at any time with external disputes schemes or relevant regulators whose details are set out below.

Under the Privacy Act you may complain to the Office of the Australian Information Commissioner (OAIC) about the way we handle your personal information. Please note the OAIC requires that any complaint first be made to the respondent organisation. The law also allows 30 days for the respondent organisation to deal with the complaint before a person may make a complaint to the OAIC.

The Commissioner can be contacted at:

Office of the Australian Information Commissioner

GPO Box 5218

Sydney NSW 2001

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

www.oaic.gov.au


The Australian Financial Complaints Authority (AFCA) can consider certain privacy complaints relating to either the provision of credit or credit reporting information in general. The contact details for AFCA are set out below:

Online: www.afca.org.au

Email: info@afca.org.au

Phone: 1800 931 678 (free call)

Mail: Australian Financial Complaints Authority GPO Box 3 Melbourne VIC 3001


11. Contact Us

You can contact us in the following ways:

● by email at hello@payble.com.au

● by phone on +61 488 842 515

● in writing to 129 Cathedral St, Woolloomooloo NSW 2011