§ DORA · Article 56
DORA Article 56: Obligations, Deadlines & Penalties
At a glance
Article 56 of the DORA imposes 3 obligations on ESAs and competent authorities. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 56
Obligation 1
ESAs and competent authorities shall process personal data only where necessary for carrying out their obligations and duties under the Regulation, such as investigation, inspection, and assessment.
Regulation (EU) 2022/2554, Article 56, Article 56
- Obligated entity
-
ESAs and competent authorities
- Action required
-
process
- Deadline
-
—
- Penalty
-
—
Obligation 2
Personal data processed by ESAs and competent authorities shall be processed in accordance with Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, whichever is applicable.
Regulation (EU) 2022/2554, Article 56, Article 56
- Obligated entity
-
ESAs and competent authorities
- Action required
-
comply
- Deadline
-
—
- Penalty
-
—
Obligation 3
Personal data referred to in paragraph 1 shall be retained until the discharge of the applicable supervisory duties and in any case for a maximum period of 15 years, except in the event of pending court proceedings.
Regulation (EU) 2022/2554, Article 56, Article 56
- Obligated entity
-
ESAs and competent authorities
- Action required
-
retain
- Deadline
-
maximum period of 15 years
- Penalty
-
—
- Exemptions
- pending court proceedings requiring further retention
§ Frequently asked
Questions about Article 56
Who must comply with Article 56 of the DORA?
+
ESAs and competent authorities.
What does Article 56 of the DORA require?
+
process comply retain
What is the compliance deadline for DORA Article 56?
+
maximum period of 15 years