ATHENA MORTGAGE PTY LIMITED CDR POLICY
Date: 02/07/2026
Version: 1.00
1. Purpose and scope
The purpose of this Policy is to provide guidance relating to data requests, access to and correction of CDR Data, and handling of complaints, in each case as required under the CDR Laws.
This Policy outlines:
(a) how we manage CDR Data;
(b) how customers can access and correct their CDR Data;
(c) how any person can request required product data; and
(d) how customers can make an inquiry or complaint about our handling of CDR Data.
We are committed to:
(e) ensuring we meet all requirements expected of us under the CDR;
(f) communicating appropriately to all customer requests for data; and
(g) handling all complaints in an appropriate manner, including clarity in communications.
This Policy applies to all customers, employees and directors.
2. Defined terms
In this document:
(a) ACCC means the Australian Competition and Consumer Commission;
(b) Accredited Data Recipient means an Accredited Person who has been disclosed CDR Data under a consumer data request, or collected that CDR Data, in accordance with the CDR Laws;
(c) Accredited Person means a person who is accredited under section 56CA of the Competition and Consumer Act 2010 (Cth);
(d) AFCA means the Australian Financial Complaints Authority;
(e) Athena, we, our, us means Athena Mortgage Pty Limited (ABN 24 619 536 506);
(f) APP means Australian Privacy Principle;
(g) CDR means Consumer Data Right;
(h) CDR Consumer means, in relation to CDR Data, an individual whose identity is apparent or can be reasonably ascertained from the CDR Data, and who is a customer or prospective customer of Athena;
(i) CDR Consumer Dashboard means the online service provided by Athena to CDR Consumers to manage their authorisations to disclose CDR Data to Accredited Data Recipients;
(j) CDR Data means data that is the subject of the CDR regime under the CDR Laws;
(k) CDR Laws means the Competition and Consumer Act 2010 (Cth), the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) and the Competition and Consumer Regulations 2010 (Cth);
(l) NBL means Non-Bank Lender;
(m) OAIC means Office of the Australian Information Commissioner;
(n) Policy means this CDR Policy;
(o) Privacy Act means Privacy Act 1988 (Cth); and
(p) Privacy Officer means Athena's Privacy Officer, who can be contacted using the details in section 11 (Contact us) of this Policy.
3. About the CDR
The CDR was introduced by the Australian Government to give consumers greater access to and control over their data.
Under the CDR Laws, consumers can ask for their data to be securely transferred to an Accredited Data Recipient so they can investigate, compare, and access products and services more easily.
The ACCC is the lead CDR regulator, and more information about the CDR regime is available on the ACCC's website.
4. About us
We are a CDR Participant. CDR Participants include Data Holders and Accredited Data Recipients.
A Data Holder is a business that holds CDR Data and must disclose the data to an Accredited Data Recipient at the customer's request, provided the customer has given their authorisation.
We are a Data Holder in the NBL sector and are classified as a large provider under the CDR Rules.
Under the CDR regime, customers can consent to a transfer of their data from a Data Holder to an Accredited Data Recipient. An Accredited Data Recipient has been accredited by the ACCC to receive consumer data to provide a product or service. Examples of Accredited Data Recipients include banks, other financial institutions, and financial technology companies.
Our product data sharing obligations commence from 13 July 2026, and consumer data sharing obligations (other than complex requests) commence from 10 May 2027.
5. About this Policy
This Policy only applies to CDR Data.
This Policy is reviewed annually, or more frequently if required by law. We may make changes to this Policy from time to time to reflect changes in legal or business requirements. The current version of this Policy is published on our website. Customers can also contact us to request an electronic or hard copy, free of charge.
For information about how we collect, use, hold, and disclose personal information under the Privacy Act, please view our Privacy Policy.
6. Customer Access to CDR Data
Once our consumer data sharing obligations commence, customers will be able to request access to their CDR Data at any time. This will authorise us to share specific CDR Data that we hold about those customers with an Accredited Data Recipient.
This specific CDR Data is called 'required consumer data' under CDR Laws, and it includes:
(a) customer data, including name and contact details;
(b) account data, including the account number, account name, balances, and scheduled payment arrangements;
(c) transaction data, including the amount of a transaction, date of transaction, and description of transaction; and
(d) product specific data for a product used, including product name, interest rates, fees, and product features.
Where a customer requests us to share their CDR Data with an Accredited Data Recipient, we will require sufficient details from the customer to identify the Accredited Data Recipient before we can action the request.
If a customer requests to share their CDR Data, we will disclose it in a machine-readable format to the chosen Accredited Data Recipient.
We may also provide access to CDR Data directly to customers in human-readable form in response to direct requests. To make a request, please contact us using the details listed under section 11 (Contact us) below.
Customers can withdraw their authorisation at any time through the CDR Consumer Dashboard or by contacting us. We will give effect to a withdrawal of authorisation as soon as practicable, and in any event within 2 business days.
CDR Data sharing requests can be managed through the CDR Consumer Dashboard, or by using the details listed under section 11 (Contact us) below.
We can only share CDR Data with Accredited Data Recipients if the customer is an eligible CDR Consumer under CDR Laws, unless otherwise required by law.
Under CDR Laws applicable to NBLs, eligible CDR Consumers are individuals who hold an account in their own name and have online access to that account. At this time, eligibility does not extend to joint account holders, secondary users, non-individuals (such as corporations), partnerships, or persons acting through a nominated representative.
7. Other customer data
In line with APP 12, customers can request access to their personal information at any time.
Access can be provided via any reasonable and practicable method, noting that some methods might be considerably unreasonable and impractical depending on the type and quantity of information requested.
This extends to requests relating to CDR Data that we hold.
Further information relating to access to information governed by the APPs can be accessed via our Privacy Policy.
8. Access to required product data
We can share 'required product data' with any person or an Accredited Data Recipient on request.
Under the CDR Laws, required product data is public information about the lending products and services that we offer, including their eligibility criteria, terms and conditions, interest rates, fees and charges, and features.
Required product data is publicly available information and does not relate to any particular customer.
9. Voluntary data
We do not accept requests for voluntary consumer data or voluntary product data.
We will only share data that we are required to share under CDR Laws.
10. Correcting CDR Data
If a customer believes their CDR Data is incorrect, incomplete, or out of date, they can ask us to update or correct it by using any of the methods listed under section 11 (Contact us) below.
We will acknowledge receipt of the correction request as soon as practicable.
We will then notify customers in writing, within 10 business days of receiving the correction request, whether we have corrected the CDR Data, or if we found it to be correct, complete, and up to date. If we consider a correction or qualifying statement to be unnecessary or inappropriate, we will let the customer know this outcome, with an explanation and options available to escalate the matter.
If we have shared customer CDR Data with an Accredited Data Recipient with their authorisation, and later become aware that the CDR Data we shared was not accurate, up to date, or complete, we will notify the customer of this in writing within 5 business days. The corrected CDR Data will be shared at the customer's request. If a customer would like a copy of the corrected CDR Data shared with the Accredited Data Recipient, they can ask us to disclose it to the Accredited Data Recipient.
If a customer would like us to update their personal information, which is governed by our Privacy Policy, they can contact us or our Privacy Officer using the details provided in section 11 (Contact us) below.
In line with APP 13, we do not charge a fee for the correction of CDR Data.
11. Contact us
If a customer has any questions, concerns, or complaints about this CDR Policy, or our handling of CDR Data, they can contact us in one of the following ways:
Phone: 13 35 35
Online: www.athena.com.au
Email: hello@athena.com.au
Postal address: GPO Box 1624, Sydney NSW 2001
12. Making a complaint
To make a complaint, we ask customers to provide their full name, contact details, a description of the complaint, and their desired resolution.
Please refer to our Complaints Policy for further information about our complaints handling process.
We will acknowledge receipt of a complaint within 24 hours of receiving it, or as soon as practicable.
We aim to resolve complaints on the spot. If we are unable to resolve a complaint immediately, we will investigate the complaint and provide a final response within 30 days. If a customer is not satisfied with the response received, they may contact the external bodies listed below.
If a complaint has not been resolved to the customer's satisfaction, they can contact the OAIC, which is the primary complaints handler for privacy-related CDR matters.
We are also a member of AFCA, which handles complaints about financial services. OAIC's and AFCA's services are free to access.
OAIC
Post: GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992
Website: www.oaic.gov.au
Email: enquiries@oaic.gov.au
AFCA
Post: GPO Box 3, Melbourne VIC 3001
Phone: 1800 931 678 (free call)
Website: www.afca.org.au
Email: info@afca.org.au
The remedy for a complaint will depend entirely on the nature of the complaint and will be provided to best address the particulars of the complaint. Remedies could include but are not limited to:
- an apology;
- the correction or deletion of data;
- an explanation of the circumstances giving rise to the complaint;
- the provision of assistance or support; and
- providing an undertaking to put in place improvements to our systems, procedures or products.