Article 56

Data Protection

TL;DR This article outlines the processing and retention of personal data in accordance with the Digital Operations Resilience Act from the EU. The ESAs and competent authorities are allowed to process personal data only when necessary for carrying out their respective duties or obligations. This data must be processed in accordance with either Regulation (EU) 2016/679 or Regulation (EU) 2018/1725. In most cases, the data must be retained for no more than 15 years, unless court proceedings require otherwise.
  1. The ESAsEuropean Supervisory Authority and the competent authoritiesas defined in Article 46 shall be allowed to process personal data only where necessary for the purpose of carrying out their respective obligations and duties pursuant to this Regulation, in particular for investigation, inspection, request for information, communication, publication, evaluation, verification, assessment and drafting of oversight plans. The personal data shall be processed in accordance with Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, whichever is applicable.

  2. Except where otherwise provided in other sectoral acts, the personal data referred to in paragraph 1 shall be retained until the discharge of the applicable supervisory duties and in any case for a maximum period of 15 years, except in the event of pending court proceedings requiring further retention of such data.