Article 56, Data Protection, Digital Operational Resilience Act (DORA)

Jul 25, 2024, by Sneha Naskar

Overview

1. The ESAs and the competent authorities shall be allowed to process personal data only where necessary for the purpose of carrying out their respective obligations and duties pursuant to this Regulation, in particular for investigation, inspection, request for information, communication, publication, evaluation, verification, assessment and drafting of oversight plans. The personal data shall be processed in accordance with Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, whichever is applicable.

2. Except where otherwise provided in other sectoral acts, the personal data referred to in paragraph 1 shall be retained until the discharge of the applicable supervisory duties and in any case for a maximum period of 15 years, except in the event of pending court proceedings requiring further retention of such data.

Summary Of Article 56

Article 56 of the Digital Operational Resilience Act (DORA) establishes guidelines for the processing and retention of personal data by the European Supervisory Authorities (ESAs) and competent authorities. These authorities are permitted to process personal data only when necessary to carry out their responsibilities under DORA, including tasks like investigations, inspections, requests for information, communication, publication, evaluation, verification, and developing oversight plans. All personal data processing must adhere to the data protection rules outlined in Regulation (EU) 2016/679 (GDPR) or Regulation (EU) 2018/1725, depending on the applicable legal framework.

The article also sets clear retention requirements, stipulating that personal data should be kept only for as long as needed to fulfill supervisory duties, with a maximum retention period of 15 years. If there are pending legal proceedings, the data retention period can be extended until the case is resolved.

This article ensures that personal data is processed in a manner that complies with data protection laws while allowing competent authorities to effectively oversee and regulate digital operational resilience in the EU. It strikes a balance between regulatory oversight and privacy protection.