Skip to Content

Effective Date: 9 September 2024

Mastercard Asia/Pacific Pte. Ltd. and its affiliates (collectively, "Mastercard", “us” or "we") respect your rights under the Consumer Data Right ("CDR") in Australia. The CDR is governed by legislation including the Competition and Consumer Act 2010 (Cth) and the Competition and Consumer (Consumer Data Right) Rules 2020 (the "CDR Regime"). Mastercard is an Accredited Data Recipient under the CDR Regime.

This CDR Policy explains how we manage your data under the CDR Regime and describes how you can access and correct your data, or make a complaint regarding our CDR practices when we are acting as an accredited person.

Data under the CDR Regime is known as CDR Data, and references in this CDR Policy to 'data' shall mean "CDR Data" as defined in the CDR Regime.

This CDR Policy is limited to how we manage your CDR Data in accordance with the CDR Regime. For information about Mastercard’s collection, use, disclosure or transfer of personal information outside of the CDR Regime, please refer to the Mastercard Global Privacy.

1. What is the CDR Regime

The CDR Regime provides individuals and organisations with greater control over their data and allows you to securely share this data with trusted third parties.

2. Collection, use, handling and disclosure of data

You may consent to share your data with us so that we can provide you with the goods and services you requested.

Depending on the goods and services we are providing you, we may collect, use, hold and disclose the following data:

  • Account balance and details
    • Name of account;
    • Type of account;
    • Account balance;
    • Account number;
    • Interest rates;
    • Fees;
    • Discounts;
    • Account terms; and
    • Account mail address.
  • Transaction details
    • Incoming and outgoing transactions;
    • Amounts;
    • Dates;
    • Descriptions of transactions; and
    • Who you have sent money to and received money from.
  • Direct debits
    • Details of direct debit authorisations.
  • Scheduled payments
    • Scheduled outgoing payments.
  • Payees
    • Names and details of saved payee accounts.
  • Name, occupation, contact details (if you are an individual consumer).
    • Name;
    • Occupation;
    • Phone;
    • Email address;
    • Mail address; and
    • Residential address.
  • Organisation profile and contact details (if you are a business consumer)
    • Agent name and role;
    • Organisation name;
    • Organisation number (ABN or ACN);
    • Charity status;
    • Establishment date;
    • Industry;
    • Organisation type;
    • Country of registration;
    • Organisation address;
    • Mail address; and
    • Phone number.

All data that we collect, use and store is held on servers located in Australia.

3. Access to your data

You may access the data we collect as an Accredited Data Recipient by logging onto your Mastercard consumer dashboard.

You may access the data we collect on behalf of a CDR Representative by logging onto your consumer dashboard made available through that CDR Representative’s customer platform.

If you have any concerns or are not able to access your data, please contact us at using the details listed under "How to Contact Us" below.

4. Correction of your data

If any of your data that is shared with us is incorrect, you may request a correction of your data that we hold. To request a correction, please contact us using the details listed under "How to Contact Us" below. No fee will be charged in connection with such a correction request. We will notify you in writing within 10 Business Days after receipt of your correction request of the steps we took in response.

You may make a complaint if you are not satisfied with our response to your request to correct your data.

5. Consent notifications

In addition to your consumer dashboards, we will send you a notification via email every 90 days to confirm the data you have shared, the expiry date and other information regarding your consent. We will also send you a notification with this information if:

  • you provide consent for the collection, use or disclosure of your data;
  • you amend your consent;
  • you withdraw your consent; or
  • your consent expires.

We will also notify you promptly in the event an eligible data breach occurs in relation to your CDR data.

6. Withdrawing consent and deleting your data

You may withdraw your consent at any time by:

  • logging on to your consumer dashboard and managing your consent through the options provided within the dashboard; or
  • by sending an email to DataComplaints_au@mastercard.com

If you use the consumer dashboard to withdraw your consent, the status of your consent will be updated in near real-time and reflect your change almost immediately. If you choose to withdraw your consent via email, this will be completed within 2 business days.

Mastercard will irretrievably delete your data within one (1) business day of any of the following events:

  • your consent expires;
  • you stop sharing data with us before consent expires via an election on your consent dashboard;
  • you request data sharing to stop via the data holder that provided your data;
  • an accredited person requests that we delete your data; or
  • you notify Mastercard in writing that you withdraw your consent, by sending an email to DataComplaints_au@mastercard.com.

When any of these events occur, we will delete all the data you shared with us from our systems, unless it is required to be held by law.

Mastercard will retain records that are required by the CDR Regime to allow us to track activities such as consents, consent withdrawal and data sharing in accordance with our obligations under the CDR Regime. We will delete these records at the end of six years as required.

Some goods and services we provide require your active consent. If you withdraw your consent, we may no longer be able to provide you with those goods and services.

7. Outsourced service providers

Mastercard Asia/Pacific Pte Ltd has appointed the following affiliate entities as direct outsourced service providers:

  • Finicity Corporation (based in the United States)
  • Finicity Technologies Private Limited (based in India)
  • Mastercard Technologies LLC (based in the United States)
  • Mastercard International Incorporated (based in the United States)
  • Mastercard Asia/Pacific (Australia) Pty Ltd (based in Australia)

As direct outsourced service providers, these Mastercard entities will receive the classes of data referred to in section 2 above in order to provide customer servicing support, technology and infrastructure, and data processing services to Mastercard Asia/Pacific Pte. Ltd, in accordance with the CDR Regime. As part of this arrangement, data may be disclosed overseas, including to the United States and India. None of these entities are an accredited person.

Mastercard does not disclose CDR data to any third party outsourced service providers.

Mastercard does not disclose CDR data to any unaccredited persons, other than the direct outsourced service providers listed above.

8. Mastercard acting as a CDR Principal

Mastercard has appointed the following entity as its CDR Representative:

  • EonX Services Pty Ltd, which provides a service enabling consumers to make payments to merchants directly from any of a consumer’s chosen bank accounts, known as “Pay by Account”.

9. Mastercard acting as an outsourced service provider

Other Accredited Data Recipients may appoint Mastercard to act as their outsourced service provider.

If this occurs, Mastercard is an Accredited Outsourced Service Provider and we will provide services to the other Accredited Data Recipient to whom you have provided consent. We will use, disclose and hold data we have collected from the Data Holder on behalf of the Accredited Data Recipient in accordance with their instructions and the terms of your consent.

10. Making a complaint

How to make a complaint?

If you believe we have breached any of our obligations under the CDR Regime or you have a question about how your data is handled by us, and you would like to make a complaint or provide feedback, please submit your complaint using one of the following methods listed below:

  • By sending an email to DataComplaints_au@mastercard.com
  • By calling this Toll free number 1800-573-146
  • By writing to 72 Christie Street St Leonards NSW 2065 and addressing to Mastercard Open Banking Data Complaints.

We may need to verify your identify in order to assist you. Please include the following information when submitting your complaint or feedback:

  • your name and contact details;
  • details of your complaint or query and any specific information related to the cause of the CDR-related complaint such as why you think your data has been mishandled; and
  • your preferred way to be contacted (for example, via phone, email or post).

Here at Mastercard, we are committed to providing you with the best possible customer experience. Telling us when you are unhappy is important to us as it means we have an opportunity to put things right and improve the service we offer to you in the future.

How will we respond?

Once we have received your complaint, we will:

  • investigate your complaint; and
  • make a decision about your complaint and provide reasons in writing.

You can submit your complaint at any time and our customer service team is available 24/7.

If you phone outside of business hours, our agents will listen to your complaint and create a case number.

You will receive an acknowledgement that we have received your complaint within 1 calendar day with your case number to the email address given. If you raise your complaint over the phone, our agents will ask for your email address.

We aim to resolve all complaints within 30 days and we will notify you of any resolution. We will work with you to find a fair outcome. The resolution we provide will depend upon the circumstances surrounding your compliant, and may include correction of data, deletion or data or an apology.

You will receive status updates throughout this process, for example, when we receive your complaint, when it is under investigation and when it has been resolved. If you would like further updates, you can call the toll-free number to check the status of your complaint. If you submit the same complaint multiple times, our agents will inform you that the same complaint is already open and share an update on that case as well as the case number via email.

If we require more time, we will notify you in writing in relation to any additional time required to complete our investigation for resolution of your complaint, the reason for the delay, and on what date a decision can be reasonably expected.

If you are not satisfied with our response

Mastercard does not offer an internal review process for complaint responses. However, if you are not satisfied with our response, you may lodge a dispute with the Australian Financial Complaints Authority (AFCA). The AFCA is a fee, fair and independent dispute resolution scheme.

You may also raise your concern directly with the Office of the Australian Information Commissioner:

11. Availability of the CDR Policy

This CDR Policy is available electronically at: https://www.mastercard.com.au/en-au/business/issuers/products-and-solutions/open-banking.html.

To request a hard copy of this CDR Policy, please email this request to: Open.Banking.AU@mastercard.com or contact us on 1800 573 146.

12. Updates to this CDR Policy

This CDR Policy may be updated periodically to reflect changes in our CDR data handling practices. We will post a prominent notice on relevant websites to notify you of any significant or material changes to our CDR Policy prior to them becoming effective and indicate at the top of the CDR Policy when it was most recently updated.

13. How to Contact Us

You may contact us at:

Open.Banking.AU@mastercard.com

For enquiries about your Mastercard card and your purchase, you should contact your financial institution or merchant. More information about how to contact them can be found on their respective websites.