Notified Body Reporting and Notification Obligations
This page covers the specific reporting and notification obligations that notified bodies owe to authorities and other stakeholders, an operational requirement distinct enough to warrant separate treatment.
Overview
Legal Framework
The reporting and notification obligations of notified bodies are governed by Article 44 of the Medical Devices Regulation (MDR) (EU) 2017/745 and Article 39 of the In Vitro Diagnostic Regulation (IVDR) (EU) 2017/746. These provisions impose a mandatory duty on notified bodies to inform their national designating authority (the authority responsible for notified bodies, referred to here as the 'competent authority') and, where applicable, other relevant national authorities of several critical events: any refusal, restriction, suspension or withdrawal of a certificate; any circumstances affecting the scope of, or the conditions for, their notification; any request for information from which it becomes apparent that devices present an unacceptable risk to health and safety; and any suspected non-conformity of a device with the legal requirements. The obligation is triggered as soon as the notified body becomes aware of such an event, and the notification must be made "without delay".
Practical Application
The authoritative T&C commentary clarifies that the rationale for these stringent obligations is to create a rapid, centralised flow of information to market surveillance authorities, enabling swift regulatory intervention to protect public health. The requirement to notify "without delay" is read as an immediate obligation once the facts are confirmed, leaving no room to defer notification pending an internal investigation. Because the obligation extends to suspected non-conformities, a notified body must act on a reasonable belief, not only on conclusive proof. The commentary further notes that the duty to inform other national authorities (for example, the authority of the Member State where the manufacturer is located) ensures a coordinated EU-wide response, so that a device found unsafe in one Member State does not remain on the market in another because of an information gap.
Key Considerations
- Establish a Defined Internal Escalation Protocol: Notified bodies must have a clear, documented procedure for staff to immediately escalate any of the triggering events (e.g., a finding during an audit suggesting a systemic safety issue) to a designated compliance officer empowered to execute the external notification without internal bureaucratic delay.
- Document the "Awareness" Timeline: Meticulously document the date and time when the organization became aware of a reportable event. This creates an audit trail to demonstrate compliance with the "without delay" requirement if questioned by a competent authority.
- Coordinate Multi-Authority Notifications: For events requiring notification to multiple national authorities, ensure notifications are synchronized in content and timing to avoid discrepancies that could undermine regulatory trust or lead to fragmented corrective actions.
Laws (29)
Case Law (4)
AF v Council of the European Union
General Court EU
AF, an official in the General Secretariat of the Council, in April 2022 consulted on his own initiative the grade (pay scale) of a colleague via the personnel management system Sysper, without any functional need to do so. This led to an administrative investigation, disciplinary measures and a warn...
Gerechtshof (Court of Appeal)
A declaratory judgment was sought that the Police had acted unlawfully by collecting data about the suspect and sharing it with third parties. The Court of Appeal declares the suspect's claim largely inadmissible because, in view of the criminal proceedings pending against him, there is (as yet) no role for the civil court.
Maximillian Schrems v Data Protection Commissioner
C-362/14 (Schrems I)
Invalidated the Safe Harbor adequacy decision. National supervisory authorities may examine, with complete independence, a complaint contesting the level of protection in a third country even where a Commission adequacy decision exists; only the Court of Justice, however, can declare such a decision invalid.
ECLI:NL:RVS:2006:AY0333, Raad van State, 05-07-2006 / 200508877/1
Raad van State
By decision of 21 October 2004, the municipal executive (college van burgemeester en wethouders) of Rotterdam (hereinafter: the college) refused to register the appellant in the municipal personal records database (gemeentelijke basisadministratie persoonsgegevens) of Rotterdam.
Guidance (7)
Guidelines 10/2020 on restrictions under Article 23 GDPR
Guidelines on restrictions under Article 23 GDPR
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Guidelines on the concepts of controller and processor in the GDPR
The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...
Guidelines 04/2022 on the calculation of administrative fines under the GDPR (Dutch version)
guidelines on calculating administrative fines
The European Data Protection Board (EDPB) has adopted these guidelines with a view to harmonising the methodology that supervisory authorities use to calculate the amount of a fine. These guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679 (WP 253), which concern the circumstances in which a fine is to be imp...
guidelines on the data breach notification obligation
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating the amount of a fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
Guidelines 9/2022 on personal data breach notification under GDPR
Guidelines on personal data breach notification under GDPR
Guidelines 06/2020 on the interplay between the Second Payment Services Directive and the GDPR
guidelines on the interplay between the application of Article 3 and Chapter V GDPR
Enforcement (54)
Gynecological Center: Insufficient fulfilment of data breach notification obligations
€9,450 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 9,450 on a gynecological center. The controller suffered a data breach and failed to report it to the DPA.
Court Bailiff: Insufficient fulfilment of data breach notification obligations
€5,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 5,000 on a court bailiff. The controller forwarded a letter containing personal data to the wrong person, failing to inform either the affected data subjects or the DPA.
Company: Insufficient fulfilment of data breach notification obligations
€870 fine - Austrian Data Protection Authority (dsb)
The Austrian DPA has imposed a fine of EUR 870 on a company. After being informed of a data breach, the controller took adequate measures to close it but failed to inform the DPA.
ADMINISTRACIONES BENIPON, S.L.: Insufficient fulfilment of data breach notification obligations
€1,100 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine of EUR 1,100 on ADMINISTRACIONES BENIPON, S.L. The processor failed to notify the controller of a data breach and also used a sub-processor without prior consent and without a legal agreement.
Hospital: Insufficient fulfilment of data breach notification obligations
€6,900 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a district hospital in Września EUR 6,900 for failing to report a data breach to the DPA and data subjects in a timely manner. A patient had accidentally received another individual's medical records and was able to access their personal data.
mBank: Insufficient fulfilment of data breach notification obligations
€940,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined mBank EUR 940,000. The bank had suffered a data breach in which an employee of the controller sent documents containing customer data to the wrong recipient. The documents contained information such as names, account numbers, dates of birth and ID card numbers. Although the documents were returned to mBank, the envelope had been opened, meaning that third parties may have had access to the documents. During its investigation, the DPA found that, although the controller
Association: Insufficient fulfilment of data breach notification obligations
€210 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined an association EUR 210 for failing to report a data breach to the DPA in a timely manner.
Azienda sanitaria locale Roma 3: Insufficient fulfilment of data breach notification obligations
€10,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has fined Azienda sanitaria locale Roma 3 EUR 10,000 for failing to report a data breach to the DPA in a timely manner and to properly document the data breach.
Toyota Bank Polska S.A.: Insufficient fulfilment of data breach notification obligations
€18,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Toyota Bank Polska S.A. EUR 18,000 for failing to report a data breach to the DPA in a timely manner.
Santander Bank Polska S.A.: Insufficient fulfilment of data breach notification obligations
€326,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Santander Bank Polska S.A. EUR 326,000 for failing to report a data breach to the DPA and data subjects in a timely manner.
NTT Data Italia S.P.A: Insufficient fulfilment of data breach notification obligations
€800,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has imposed a fine of EUR 800,000 on NTT Data Italia S.P.A. The fine is related to the fine imposed on UniCredit (ETid-2227). UniCredit had contracted NTT to carry out vulnerability analyses and penetration tests. During its investigation, the DPA found that NTT had not notified UniCredit of a data breach in a timely manner. In addition, NTT had contracted another company to carry out vulnerability assessments and penetration tests without prior authorization from the bank as the
HISPAPOST, S.A.: Insufficient fulfilment of data breach notification obligations
€36,000 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine on HISPAPOST, S.A. The police had found over a thousand abandoned letters bearing the Hispapost logo. Hispapost had been contracted by several companies to deliver the letters. During its investigation, the DPA found that Hispapost, as a processor, had failed to report the data protection incident to the data controllers in a timely manner. The original fine of EUR 60,000 was reduced to EUR 36,000 due to admission of responsibility and voluntary payment.
POLAND DPA: Insufficient fulfilment of data breach notification obligations
€2,300 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a data controller EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.
Online retailer: Insufficient fulfilment of data breach notification obligations
€6,000 fine - Data Protection Authority of Hamburg
The DPA of Hamburg has imposed a fine of EUR 6,000 on an online retailer for failing to report a data breach in a timely manner.
District Court Krakow: Insufficient fulfilment of data breach notification obligations
€2,300 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined the District Court in Krakow EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.
AUSTRIA DPA: Insufficient fulfilment of data breach notification obligations
€5,900 fine - Austrian Data Protection Authority (dsb)
The Austrian DPA fined a controller EUR 5,900 for failing to report a data breach in a timely manner and for not cooperating with the DPA.
Insurance company: Insufficient fulfilment of data breach notification obligations
€24,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined an insurance company EUR 24,000 for failing to report a data breach to the DPA in a timely manner.
Link4 Towarzystwo Ubezpieczeń S. A.: Insufficient fulfilment of data breach notification obligations
€24,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Link4 Towarzystwo Ubezpieczeń S. A. EUR 24,000 for failing to report a data breach to the DPA in a timely manner.
Company: Insufficient fulfilment of data breach notification obligations
€2,500 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a company EUR 2,500 for failing to report a data breach to the DPA and data subjects.
Argon Medical Devices: Insufficient fulfilment of data breach notification obligations
€220,000 fine - Norwegian Supervisory Authority (Datatilsynet)
The Norwegian DPA has fined Argon Medical Devices EUR 220,000. The controller failed to notify the DPA within 72 hours of a data breach that involved the personal data of all its European employees. Update: the controller appealed against the decision to the DPA, but the appeal was dismissed.
News (3)
ΔΔΚ - 1181/18
A university lecturer (the data subject) requested access to the contents of assessment reports by independent assessors and letters of recommendation drawn up during the promotion process at the University of Cyprus (the controller).
“Social media profiles and phone contacts” used as proof of identity for deportations
> Thirteen non-EU countries sometimes accept “social media profiles and phone contacts” as evidence of identity for the purpose of deportations, according to an internal European Commission assessment of third country cooperation on readmission.