Notified Body Competence Challenges and Dispute Resolution
This new topic is needed because the content specifically addresses challenges to the competence of notified bodies, which is a distinct regulatory mechanism not adequately covered by existing topics. It encompasses dispute resolution procedures, grounds for challenges, and remedial actions related to notified body competence.
competence challenge notified body challenge competence dispute challenge procedure competence verification challenge mechanism dispute resolution competence assessment
Overview
Legal Framework
Recital 61 of the AI Act establishes the principle that AI systems intended for use in the administration of justice and democratic processes are to be classified as high-risk. This classification is based on their potential for significant impact on fundamental rights and legal principles, including the right to an effective remedy and a fair trial. The legal rationale is to mandate strict ex-ante conformity assessment for such systems to mitigate inherent risks of bias, error, and opacity that could undermine judicial integrity and democratic safeguards.
Practical Application
The authoritative commentary on the Dutch General Data Protection Regulation Implementation Act (UAVG) clarifies the underlying governance principle: the framework for independent supervisory bodies aims to create sufficient oversight and control instruments to guarantee democratic accountability and harmonize their functioning. Applied to the AI Act's context for notified bodies, this underscores that their competence and independent task execution are not self-certifying but are subject to structured oversight. The ruling in Data Protection Commissioner v. Schrems reinforces that procedural mechanisms for compliance and dispute resolution must constitute "effective legal protection." Consequently, a challenge to a notified body's competence is not merely a contractual dispute; it engages a regulatory mechanism to ensure the body's assessments are reliable and its operations are subject to democratic and judicial oversight, safeguarding the high-risk AI conformity assessment regime.
Key Considerations
- Grounds for challenging a notified body's competence should be framed around its failure to meet the stringent independence, expertise, and procedural requirements set by the AI Act and overseeing national authority, potentially jeopardizing the validity of its conformity assessments.
- Dispute resolution procedures must go beyond private arbitration; effective challenges should engage the national supervisory authority designated under the AI Act and ensure a pathway for judicial review that meets the standard of effective legal protection.
- Providers of high-risk AI systems for judicial use should proactively verify their chosen notified body's specific competence and authorization for this sensitive category, as a successful competence challenge could invalidate the system's CE marking and market access.
Laws (8)
Case Law (5)
ECLI:NL:RBAMS:2026:1465 Rechtbank Amsterdam , 20-01-2026 / 13/283218-25 (EAB I)
Rechtbank Amsterdam
EAB Polen; overlevering geweigerd o.g.v. artikel 12 OLW
Meta Platforms v noyb
C-252/21 (Meta Platforms (noyb))
GDPR consent requirements and lead supervisory authority mechanism.
Google LLC v CNIL
C-507/17 (Google Territorial Scope)
Right to delisting does not require global de-referencing under EU law.
Maximillian Schrems v Data Protection Commissioner
C-362/14 (Schrems I)
Invalidated Safe Harbor adequacy decision. National supervisory authorities can examine adequacy decisions.
Data Protection Commissioner v. Schrems and Facebook
Schrems I
Necessity/proportionality: The Decision does not contain any finding regarding US rules intended to limit the interference when they pursue legitimate objectives such as national security, nor refer to effective legal protection against such interference. FTC procedures and private dispute resolution mechanisms concern compliance with safe harbor principles (against US organizations) and cannot be applied with respect to measures originating from the State. Moreover, the Commission found that if
Guidance (11)
Versiegeschiedenis
guidelines doorgifte van persoonsgegevens tussen overheidsinstanties en -organen binnen en buiten de EER
Richtsnoeren 1/2019 voor gedragscodes en toezichthoudende organen in de zin van Verordening 2016/679
guidelines gedragscodes en toezichthoudende organen
Richtsnoeren 3/2022 betreffende het herkennen en vermijden van misleidende ontwerppatronen in de interfaces van socialemediaplatforms
guidelines misleidende ontwerppatronen
Deze richtsnoeren bieden praktische aanbevelingen aan aanbieders van sociale media als verwerkingsverantwoordelijken van sociale media, ontwerpers en gebruikers van socialemediaplatforms, over het beoordelen en vermijden van zogenaamde 'misleidende ontwerp patronen' in de interfaces van sociale media die inbreuk maken op de vereisten van de AVG. Daartoe beveelt de EDPB aan dat verwerkingsverantwoordelijken gebruikmaken van interdisciplinaire teams, bestaande uit onder meer ontwerpers, func...
Richtsnoeren 03/2021 voor de toepassing van artikel 65, lid 1, punt a), AVG
guidelines voor de toepassing van artikel 60 AVG
Guidelines 03/2021 on the application of Article 65(1)(a) GDPR
Guidelines on the application of Article 60 GDPR
Richtsnoeren 02/2022 voor de toepassing van artikel 60 AVG
guidelines voor de toepassing van artikel 60 AVG
Een van de belangrijkste innovaties bij de invoering van de AVG was de introductie van het concept 'één-loketmechanisme'. In gevallen van grensoverschrijdende verwerking is de toezichthoudende autoriteit in de lidstaat van de hoofdvestiging van de verwerkingsverantwoordelijke of verwerker de autoriteit die leidinggeeft aan de handhaving van de AVG met betrekking tot de grensoverschrijdende verwerkingsactiviteiten in kwestie. Daarbij wordt samengewerkt met alle autoriteiten die de gevolge...
Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
Guidelines on codes of conduct and monitoring bodies
Versiegeschiedenis
Version history
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines 02/2022 on the application of Article 60 GDPR
Guidelines on the application of Article 60 GDPR
With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...
Guidelines 06/2022 on the practical implementation of amicable settlements
Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects
Enforcement (5)
Meta Platforms Ireland Limited: Insufficient legal basis for data processing
€1,200,000,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 1.2 billion. This is the highest fine imposed to date under the GDPR. In its decision, the DPC found that Meta had violated Art. 46 GDPR by continuing to transfer personal data to the U.S. after the Schrems II ruling of the CJEU. According to the Schrems II ruling, U.S. law does not provide a level of protection for personal data substantially equivalent to that provided by EU law and that the standard contractual clauses (SCCs) al
WhatsApp Ireland Ltd.: Insufficient legal basis for data processing
€5,500,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has fined WhatsApp Ireland Ltd. EUR 5.5 million. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of an individual. WhatsApp had updated its terms of service shortly before the GDPR came into force. In its new terms of service, WhatsApp informed its users to click 'Agree and Continue' to indicate their agreement with the new terms of service. This was required for further access to the services. WhatsApp assumed that the ac
Meta Platforms Ireland Limited: Non-compliance with general data processing principles
€390,000,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 390 million. The DPA has imposed a fine of EUR 210 million for violations related to the provision of its Facebook service and EUR 180 million for violations related to the provision of its Instagram service. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of two individuals. Meta had updated its terms of service shortly before the GDPR came into force. In its new terms of servi
Meta Platforms, Inc.: Non-compliance with general data processing principles
€405,000,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has imposed a fine of EUR 405,000,000 on Meta Platforms, Inc. (Instagram). Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The initial draft proposed a fine of EUR 30-50 million. The DPC subsequently received objections from six supervisory authorities, which led to a dispute resolution procedure at the European Data Protection Board (EDPB) in Brussels. In its decision, the EDPB requested
WhatsApp Ireland Ltd.: Insufficient fulfilment of information obligations
€225,000,000 fine - Data Protection Authority of Ireland
The Irish DPA (DPC) has imposed a fine of EUR 225,000,000 on WhatsApp Ireland Ltd. The DPA had started extensive investigations into the messaging service's compliance with transparency obligations back in December 2018. In this context, the DPC investigated whether WhatsApp complied with its obligations under the GDPR regarding the provision of information and the transparency of this information to users and non-users of WhatsApp. In the course of the investigation, the DPC found that WhatsApp
News (5)
Article 65 GDPR
(a) No consensus on relevant and reasoned objections On 9 November 2020, the EDPB adopted its first decision under the dispute resolution mechanism laid down by Article 65 GDPR.<ref>EDPB, 9 November 2020, Twitter International Company, Decision 01/2020 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_bindingdecision01_2020_en.pdf here]).</ref> The binding decision seeks to address the dispute which arose following a draft decision issued by the Irish SA as LSA
Record fine for Instagram following EDPB intervention
> Following the EDPB’s binding dispute resolution decision of July 28th, the Irish Data Protection Authority (DPA) has adopted its decision regarding Instagram (Meta Platforms Ireland Limited (Meta IE)) and has issued a record GDPR fine of €405 million.
Recordboete voor Instagram na ingrijpen van de EDPB.
Na de bindende beslissing van het Europees Comité voor de Bescherming van Persoonsgegevens (EDPB) van 28 juli, heeft de Ierse Autoriteit voor de Bescherming van Persoonsgegevens (DPA) haar beslissing met betrekking tot Instagram (Meta Platforms Ireland Limited, ook bekend als Meta IE) aangenomen en een recordboete van 405 miljoen euro opgelegd op grond van de AVG.
EDPB: Lack of resources puts enforcement of individuals’ data protection rights at risk
> “We are deeply concerned that the 2023 budget, if not substantially increased, will be significantly too small to allow the EDPB and the EDPS to fulfil their tasks appropriately,” Andrea Jelinek, Chair of the European Data Protection Board (EDPB), and Wojciech Wiewiórowski, European Data Protection Supervisor (EDPS), write in an Open Letter to the European Parliament and the European Council.
EDPB: Gebrek aan middelen brengt de handhaving van de rechten van individuen met betrekking tot de bescherming van hun persoonsgegevens in gevaar.
"Wij maken ons ernstig zorgen dat het budget voor 2023, indien het niet aanzienlijk wordt verhoogd, veel te klein zal zijn om het EDPB en de EDPS in staat te stellen hun taken op een adequate manier uit te voeren," schrijven Andrea Jelinek, voorzitter van het Europees Comité voor gegevensbescherming (EDPB), en Wojciech Wiewiórowski, Europees Supervisor voor gegevensbescherming (EDPS), in een open brief aan het Europees Parlement en de Europese Raad.