Article 49 Digital Operational Resilience Act (DORA), Professional Secrecy

Jul 25, 2024 by Sneha Naskar

Article 49 of the Digital Operational Resilience Act (DORA) addresses professional secrecy. It mandates that competent authorities and other involved parties maintain confidentiality regarding information obtained during investigations and enforcement actions. This provision ensures that sensitive data is protected, preserving the integrity of regulatory processes and safeguarding involved entities' privacy.

Handling And Disclosure Of Private Information Under Professional Secrecy

  • Handling Private Information: Any private information obtained, shared, or transmitted under this regulation must be handled with utmost care and in accordance with the principles of professional secrecy. This ensures the confidentiality and security of sensitive information exchanged between competent authorities and other relevant parties.
  • Obligations of Professional Confidentiality: All individuals currently or previously engaged by the relevant authorities under this Regulation are bound by professional confidentiality. This obligation extends to any market organization, authority, or person to whom these competent authorities have delegated tasks, including hired experts and auditors. The commitment to confidentiality persists even after the individual's engagement with the authority has ended, ensuring continuous protection of private information.
  • Conditions for Disclosure: Confidential information may only be disclosed under conditions specified by national or Union legislation. This provision ensures that the release of private information is tightly regulated and only occurs when legally permissible and necessary. The legal framework governing such disclosures provides a clear guideline for authorities on how to handle requests for confidential information, maintaining a balance between transparency and privacy.
  • Classification of Confidential Data: All data shared between competent authorities under this Regulation, including details about business operations, financial conditions, and personal matters, is considered confidential and protected by professional secrecy laws. The classification of this information as secret underscores the importance of maintaining confidentiality to protect the interests of the entities and individuals involved.

  • Exceptions to Confidentiality: While the general rule is to maintain confidentiality, there are exceptions where disclosure may be necessary. These exceptions include:
    • Judicial Proceedings: Confidential information may be disclosed if required for judicial proceedings. This ensures that relevant information can be used in legal contexts to uphold justice and regulatory compliance.
    • Approval by Relevant Authority: Disclosure may also occur if specifically approved by the relevant authority at the time of communication. This provision allows for flexibility in situations where the authority deems it necessary and appropriate to share certain information, ensuring that such decisions are made judiciously and with proper oversight.

Implementation And Compliance

  • Procedural Safeguards: Competent authorities must implement robust procedural safeguards to ensure that private information is handled in accordance with professional secrecy requirements. These safeguards include secure data storage, restricted access to confidential information, and comprehensive training for staff on confidentiality protocols.
  • Monitoring and Enforcement: Authorities must actively monitor compliance with professional secrecy obligations and enforce these rules through regular audits and inspections. Any breaches of confidentiality should be promptly addressed with appropriate remedial actions, including disciplinary measures for individuals found to have violated confidentiality provisions.
  • Cross-Border Cooperation: In the context of cross-border cooperation, competent authorities must ensure that any shared information is handled with the same level of confidentiality and protection as it would be within their own jurisdiction. This includes ensuring that foreign authorities and entities are aware of and adhere to the professional secrecy obligations outlined in this Regulation.
  • Data Protection Legislation: The handling of private information must also comply with applicable data protection legislation. This includes ensuring that data processing activities are lawful, transparent, and respect the privacy rights of individuals. Authorities must ensure that personal data is processed in a manner that is fair, secure, and in accordance with the principles of data protection.

The professional secrecy obligations under this Regulation are essential for protecting the confidentiality and integrity of private information exchanged between competent authorities and other relevant parties. By adhering to these obligations, authorities can foster a trusted environment for regulatory cooperation, ensuring that sensitive information is handled with the highest standards of confidentiality and security. The provisions for handling and disclosing private information are designed to balance the need for transparency and accountability with the imperative to protect the privacy and interests of entities and individuals. Robust procedural safeguards, active monitoring, and compliance with data protection laws are crucial for maintaining the integrity of the professional secrecy framework and ensuring that the regulatory objectives of this Regulation are achieved effectively and responsibly.