(1) If a data holder of CDR data is required or authorised under the consumer data rules to disclose the CDR data to a person, the data holder must:
(a) take the steps specified in the consumer data rules to notify CDR consumers for the CDR data of the disclosure; and
(b) ensure that this notification:
(i) is given to those of the CDR consumers (if there are more than one) that the consumer data rules require to be notified; and
(ii) covers the matters specified in those rules; and
(iii) is given at or before the time specified in those rules.
Note: This subsection is a civil penalty provision (see section 56EU).
(2) If an accredited data recipient of CDR data discloses the CDR data, the accredited data recipient must:
(a) take the steps specified in the consumer data rules to notify CDR consumers for the CDR data of the disclosure; and
(b) ensure that this notification:
(i) is given to those of the CDR consumers (if there are more than one) that the consumer data rules require to be notified; and
(ii) covers the matters specified in those rules; and
(iii) is given at or before the time specified in those rules.
Note: This subsection is a civil penalty provision (see section 56EU).
(3) To avoid doubt, subsection (1) or (2) applies even if the disclosure of the CDR data is to a designated gateway for the CDR data as required or authorised under the consumer data rules.
Note: The designated gateway may be subject to a similar notification
requirement under the consumer data rules (see paragraph 56BG(1)(c)).