
AI Act Notification

While 'notifying-authorities-procedures-ai' exists, a dedicated topic for the specific 'Notification Procedure' from the AI Act would provide more granular coverage of this particular procedural mechanism, including its specific requirements, timelines, and implementation within the AI Act framework.

notification procedure AI Act notification provider notification authority notification procedure incident notification procedure notification requirements notification timeline notification content

Overview

Legal Framework

The specific notification procedure for high-risk AI systems under the AI Act is governed by Article 51(1). This article mandates that before placing a high-risk AI system on the market or putting it into service, providers must register themselves and their system in the EU database established under Article 60. The notification is not a request for authorization but a mandatory registration that creates transparency for market surveillance authorities and the public. The core legal requirement is the submission of accurate information to a centralized EU portal prior to deployment.

Practical Application

The procedure is an administrative transparency measure, not a conformity assessment conducted by the authority. The primary authoritative interpretation, as synthesized from the commentary tradition, emphasizes that this notification shifts the enforcement paradigm from pre-market approval to post-market surveillance. Authorities use the database to target checks and verify compliance with requirements like risk management and data governance ex post. The practical burden is on the provider to ensure the information submitted—such as the system's intended purpose, its classification as high-risk, and the provider's details—is correct and complete at the time of registration. Failure to notify or submission of false information can trigger enforcement actions under the AI Act's penalty regime.

Key Considerations

  • Proactive Registration: Providers must integrate the notification into their product launch timeline. Registration in the EU database is a prerequisite for lawful market placement, not a follow-up action.
  • Information Accuracy and Maintenance: The responsibility for the veracity of the submitted data lies entirely with the provider. This includes updating the registration if significant changes are made to the system or its documentation.
  • Interface with Conformity Assessment: For high-risk AI systems listed in Annex III, notification follows the successful completion of the required conformity assessment (e.g., internal control or involvement of a notified body). The registration should reference the relevant conformity assessment procedure and documentation.

Laws (10)

Case Law (2)

Guidance (9)

Guidelines 9/2022 on personal data breach notification under GDPR

Guidelines on personal data breach notification under GDPR

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default

guidelines privacy by design and default

Version history

Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020

Guidelines on data protection by design and by default

Guidelines 02/2022 on the application of Article 60 GDPR

Guidelines on the application of Article 60 GDPR

With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...

Guidelines 04/2022 on the calculation of administrative fines under the GDPR

Guidelines on the calculation of administrative fines under the GDPR

The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...

Guidelines 07/2020 on the concepts of controller and processor in the GDPR

Guidelines on the concepts of controller and processor in the GDPR

The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...

Version history

guidelines data breach notification obligation

Guidelines 3/2022 on recognising and avoiding deceptive design patterns in social media platform interfaces

guidelines deceptive design patterns

These guidelines offer practical recommendations to social media providers as controllers, designers and users of social media platforms on assessing and avoiding so-called 'deceptive design patterns' in social media interfaces that infringe the requirements of the GDPR. To that end, the EDPB recommends that controllers make use of interdisciplinary teams consisting of, among others, designers, ...

Enforcement (53)


Gynecological Center: Insufficient fulfilment of data breach notification obligations

€9,450 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 9,450 on a Gynecological Center. The controller suffered a data breach and failed to report this to the DPO.

Court Bailiff: Insufficient fulfilment of data breach notification obligations

€5,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has imposed a fine of EUR 5,000 on a court bailiff. The controller forwarded a letter containing personal data to the wrong person, failing to inform either the affected data subjects or the DPA.

Company: Insufficient fulfilment of data breach notification obligations

€870 fine - Austrian Data Protection Authority (dsb)

The Austrian DPA has imposed a fine of EUR 870 on a company. After being informed of a data breach, the controller took adequate measures to close it but failed to inform the DPA.

ADMINISTRACIONES BENIPON, S.L.: Insufficient fulfilment of data breach notification obligations

€1,100 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine of EUR 1,100 on ADMINISTRACIONES BENIPON, S.L. The processor failed to notify the controller of a data breach and also used a sub-processor without prior consent and without a legal agreement.

Hospital: Insufficient fulfilment of data breach notification obligations

€6,900 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined a district hospital in Września EUR 6,900 for failing to report a data breach to the DPA and data subjects in a timely manner. A patient had accidentally received another individual's medical records and was able to access their personal data.

mBank: Insufficient fulfilment of data breach notification obligations

€940,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined mBank EUR 940,000. The bank had suffered a data breach in which an employee of the controller sent documents containing customer data to the wrong recipient. The documents contained information such as names, account numbers, dates of birth and ID card numbers. Although the documents were returned to mBank, the envelope had been opened, meaning that third parties may have had access to the documents. During its investigation, the DPA found that, although the controller

Association: Insufficient fulfilment of data breach notification obligations

€210 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined an association EUR 210 for failing to report a data breach to the DPA in a timely manner.

Azienda sanitaria locale Roma 3: Insufficient fulfilment of data breach notification obligations

€10,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has fined Azienda sanitaria locale Roma 3 EUR 10,000 for failing to report a data breach to the DPA in a timely manner and to properly document the data breach.

Toyota Bank Polska S.A.: Insufficient fulfilment of data breach notification obligations

€18,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined Toyota Bank Polska S.A. EUR 18,000 for failing to report a data breach to the DPA in a timely manner.

Santander Bank Polska S.A.: Insufficient fulfilment of data breach notification obligations

€326,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined Santander Bank Polska S.A. EUR 326,000 for failing to report a data breach to the DPA and data subjects in a timely manner.

NTT Data Italia S.P.A: Insufficient fulfilment of data breach notification obligations

€800,000 fine - Italian Data Protection Authority (Garante)

The Italian DPA has imposed a fine of EUR 800,000 on NTT Data Italia S.P.A. The fine is related to the fine imposed on UniCredit (ETid-2227). UniCredit had contracted NTT to carry out vulnerability analyses and penetration tests. During its investigation, the DPA found that NTT had not notified UniCredit of a data breach in a timely manner. In addition, NTT had contracted another company to carry out vulnerability assessments and penetration tests without prior authorization from the bank as the

HISPAPOST, S.A.: Insufficient fulfilment of data breach notification obligations

€36,000 fine - Spanish Data Protection Authority (aepd)

The Spanish DPA has imposed a fine on HISPAPOST, S.A. The police had found over a thousand abandoned letters bearing the Hispapost logo. Hispapost had been contracted by several companies to deliver the letters. During its investigation, the DPA found that Hispapost, as a processor, had failed to report the data protection incident to the data controllers in a timely manner. The original fine of EUR 60,000 was reduced to EUR 36,000 due to admission of responsibility and voluntary payment.

POLAND DPA: Insufficient fulfilment of data breach notification obligations

€2,300 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined a data controller EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.

Online retailer: Insufficient fulfilment of data breach notification obligations

€6,000 fine - Data Protection Authority of Hamburg

The DPA of Hamburg has imposed a fine of EUR 6,000 on an online retailer for failing to report a data breach in a timely manner.

District Court Krakow: Insufficient fulfilment of data breach notification obligations

€2,300 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined the District Court in Krakow EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.

AUSTRIA DPA: Insufficient fulfilment of data breach notification obligations

€5,900 fine - Austrian Data Protection Authority (dsb)

The Austrian DPA fined a controller EUR 5,900 for failing to report a data breach in a timely manner and for not cooperating with the DPA.

Insurance company: Insufficient fulfilment of data breach notification obligations

€24,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined an insurance company EUR 24,000 for failing to report a data breach to the DPA in a timely manner.

Link4 Towarzystwo Ubezpieczeń S. A.: Insufficient fulfilment of data breach notification obligations

€24,000 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined Link4 Towarzystwo Ubezpieczeń S. A. EUR 24,000 for failing to report a data breach to the DPA in a timely manner.

Company: Insufficient fulfilment of data breach notification obligations

€2,500 fine - Polish National Personal Data Protection Office (UODO)

The Polish DPA has fined a company EUR 2,500 for failing to report a data breach to the DPA and data subjects.

Argon Medical Devices: Insufficient fulfilment of data breach notification obligations

€220,000 fine - Norwegian Supervisory Authority (Datatilsynet)

The Norwegian DPA has fined Argon Medical Devices EUR 220,000. The controller failed to notify the DPA of a data breach that involved personal data of all its European employees within 72 hours. ---UPDATE--- The controller appealed against the decision to the DPA, but the appeal was dismissed.

News (2)