Article 56

Chapter VII — Competent authorities

Data Protection

Tags: data-protection, gdpr, privacy, personal-data

Summary

Requires that all processing of personal data carried out under DORA — whether by financial entities, competent authorities, or ESAs — complies with the General Data Protection Regulation (GDPR) and related EU data protection law.

Key Requirements

  1. All DORA-related personal data processing must comply with GDPR

  2. Data minimisation principle applies to supervisory data collection

  3. ESAs must comply with Regulation (EU) 2018/1725 for EU institutions

  4. Personal data protection must not be undermined by DORA requirements

Detailed Analysis

Article 56 establishes the critical link between DORA and the EU data protection framework, ensuring that the operational resilience requirements do not override fundamental data protection rights. All processing of personal data under DORA — whether by financial entities implementing ICT risk management, competent authorities conducting supervision, or ESAs performing oversight — must comply with the GDPR.

This is particularly relevant for incident reporting, where reports to competent authorities may contain personal data about affected customers, staff involved in the incident, or individuals connected to cyber attacks. The data minimisation principle requires that only personal data strictly necessary for the regulatory purpose is collected and processed.

For the ESAs, which operate as EU institutions, the equivalent data protection framework under Regulation (EU) 2018/1725 applies. This ensures consistent data protection standards regardless of whether personal data is processed at the national or EU level.

The article provides an essential safeguard against the risk that DORA's extensive data collection and sharing requirements could inadvertently erode personal data protections. By explicitly subordinating DORA data processing to GDPR requirements, it ensures that the two regulatory frameworks operate in harmony.
