keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 2 Art. 4 Processing of personal data
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- article 12
- pursuant 10
- data 8
- regulation 6
- personal 5
- shall 5
- measures 4
- processing 4
- cert-eu 4
- cybersecurity 4
- necessary 3
- union_entities 3
- obligations 3
- special 2
- tasks 2
- referred 2
- extent 2
- only 2
- sharing 2
- categories 2
- information 2
- the 2
- eu / 2
- established 2
- board 2
- interinstitutional 2
- rights 1
- acting 1
- reporting 1
- incident 1
- response 1
- coordination 1
- cooperation 1
- management 1
- major 1
- incidents 1
- common 1
- technical 1
- controllers 1
- apply 1
- fundamental 1
- prevent 1
- purposes 1
- provide 1
- suitable 1
- high 1
- chapter 1
- subjects 1
- safeguard 1
- interests 1
Article 4
Processing of personal data
1. The processing of personal data under this Regulation by CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 and Union_entities shall be carried out in accordance with Regulation (EU) 2018/1725.
2. Where they perform tasks or fulfil obligations pursuant to this Regulation, CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 and Union_entities shall process and exchange personal data only to the extent necessary and for the sole purpose of performing those tasks or fulfilling those obligations.
3. The processing of special categories of personal data as referred to in Article 10(1) of Regulation (EU) 2018/1725 shall be considered to be necessary for reasons of substantial public interest pursuant to Article 10(2), point (g), of that Regulation. Such data may be processed only to the extent necessary for the implementation of cybersecurity risk-management measures referred to in Articles 6 and 8, for the provision of services by CERT-EU pursuant to Article 13, for the sharing of incident-specific information pursuant to Article 17(3) and Article 18(3), for the sharing of information pursuant Article 20, for the reporting obligations pursuant to Article 21, for incident response coordination and cooperation pursuant to Article 22 and for the management of major incidents pursuant to Article 23 of this Regulation. The Union_entities and CERT-EU, when acting as data controllers, shall apply technical measures to prevent the processing of special categories of personal data for other purposes and shall provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subjects.
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
whereas