(1) If a person:
(a) while the person is an accredited person, collects CDR data from a CDR participant for the CDR data:
(i) purportedly under the consumer data rules; but
(ii) not as the result of seeking to collect that CDR data under the consumer data rules; and
(b) is not required to retain that CDR data by or under an Australian law or a court/tribunal order;
the person must destroy that CDR data as soon as practicable.
Note: This subsection is a civil penalty provision (see section 56EU).
(2) Subsection (1) applies whether the collection is directly from the CDR participant or indirectly from the CDR participant through a designated gateway for the CDR data.