Source: OJ L 333, 27.12.2022, p. 1–79Current language: EN
- Digital operational resilience in the financial sector
Basic legislative acts
- DORA regulation
Article 56 Data Protection
Summary What does Article 56 of the DORA regulation say?
This article governs how the ESAs and competent authorities may handle personal data in the context of their supervisory work under this regulation.
It sets clear boundaries on when personal data processing is permitted and establishes the rules for how long that data may be kept.
It connects directly to the broader supervisory and oversight framework established elsewhere in the regulation, acting as the data protection guardrail for those activities.
Important points:
- The ESAs and competent authorities may only process personal data when necessary to carry out their duties under this regulation, such as investigations, inspections, or drafting oversight plans.
- All personal data processing must comply with either Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, depending on which applies.
- Personal data must be retained only until supervisory duties are discharged, with an absolute maximum retention period of 15 years, unless court proceedings require otherwise.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
The ESAs and the competent authorities shall be allowed to process personal data only where necessary for the purpose of carrying out their respective obligations and duties pursuant to this Regulation, in particular for investigation, inspection, request for information, communication, publication, evaluation, verification, assessment and drafting of oversight plans. The personal data shall be processed in accordance with Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, whichever is applicable.
Except where otherwise provided in other sectoral acts, the personal data referred to in paragraph 1 shall be retained until the discharge of the applicable supervisory duties and in any case for a maximum period of 15 years, except in the event of pending court proceedings requiring further retention of such data.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.