Article 28
Notifying authorities
This topic covers the procedures, requirements, timelines and mechanisms for notifying authorities about AI systems, incidents and compliance matters under the AI Act, a distinct regulatory obligation that the other topics on this page do not fully capture.
The AI Act establishes specific notification obligations towards national competent authorities, with the relevant procedures set out in Articles 16(3), 17(5), 19(2), 20(4), 26(3), 28(4), 50 and 73. Before placing a high-risk AI system on the market or putting it into service, the provider must complete the applicable conformity assessment, draw up the EU declaration of conformity and register the system in the EU database (Article 49); the technical documentation and the declaration of conformity must be kept available to the national competent authorities on request. Providers must also report any serious incident to the market surveillance authorities of the Member State where the incident occurred (Article 73) without undue delay and, in any event, no later than 15 days after becoming aware of the serious incident.
The notification framework under the AI Act creates a proactive supervisory mechanism. While the T&C commentary on the GDPR outlines the general tasks and powers of supervisory authorities, the AI Act provisions are more prescriptive and sector-specific. The obligation to register a high-risk system and complete conformity assessment before it reaches the market is a key distinction, shifting compliance from a reactive to a pre-emptive model. The technical documentation must be detailed enough to allow the authority to assess compliance with the Act's requirements. The incident reporting obligation under Article 73 is broad: a serious incident is any incident or malfunctioning of an AI system that directly or indirectly leads to the death of a person or serious harm to health, a serious and irreversible disruption of critical infrastructure, an infringement of obligations under Union law intended to protect fundamental rights, or serious harm to property or the environment. Separately, where a high-risk system presents a risk within the meaning of Article 79(1) and the provider becomes aware of it, the provider must immediately investigate and inform the market surveillance authorities (Article 20), whether or not harm has already materialised. The 15-day deadline is strict and runs from the moment the provider becomes aware of the serious incident; shorter deadlines apply in specific cases (no later than 2 days for a widespread infringement or a serious and irreversible disruption of critical infrastructure, and no later than 10 days where a person has died), and an initial incomplete report may be filed and completed later.
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines on data protection by design and by default
Guidelines on personal data breach notification under GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating the amount of a fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of Regulation 2016/679 (WP253), which focus on the circumstances in which a fine is imposed. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
Guidelines on the concepts of controller and processor in the GDPR
The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...
Guidelines on privacy by design and by default
€9,450 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 9,450 on a gynaecological centre. The controller suffered a data breach and failed to report it to the DPA.
€5,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 5,000 on a court bailiff. The controller forwarded a letter containing personal data to the wrong person, failing to inform either the affected data subjects or the DPA.
€870 fine - Austrian Data Protection Authority (dsb)
The Austrian DPA has imposed a fine of EUR 870 on a company. After being informed of a data breach, the controller took adequate measures to close it but failed to inform the DPA.
€1,100 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine of EUR 1,100 on ADMINISTRACIONES BENIPON, S.L. The processor failed to notify the controller of a data breach and also used a sub-processor without prior consent and without a legal agreement.
€6,900 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a district hospital in Września EUR 6,900 for failing to report a data breach to the DPA and data subjects in a timely manner. A patient had accidentally received another individual's medical records and was able to access their personal data.
€940,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined mBank EUR 940,000. The bank had suffered a data breach in which an employee of the controller sent documents containing customer data to the wrong recipient. The documents contained information such as names, account numbers, dates of birth and ID card numbers. Although the documents were returned to mBank, the envelope had been opened, meaning that third parties may have had access to the documents. During its investigation, the DPA found that, although the controller
€210 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined an association EUR 210 for failing to report a data breach to the DPA in a timely manner.
€10,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has fined Azienda sanitaria locale Roma 3 EUR 10,000 for failing to report a data breach to the DPA in a timely manner and to properly document the data breach.
€18,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Toyota Bank Polska S.A. EUR 18,000 for failing to report a data breach to the DPA in a timely manner.
€326,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Santander Bank Polska S.A. EUR 326,000 for failing to report a data breach to the DPA and data subjects in a timely manner.
€800,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has imposed a fine of EUR 800,000 on NTT Data Italia S.P.A. The fine is related to the fine imposed on UniCredit (ETid-2227). UniCredit had contracted NTT to carry out vulnerability analyses and penetration tests. During its investigation, the DPA found that NTT had not notified UniCredit of a data breach in a timely manner. In addition, NTT had contracted another company to carry out vulnerability assessments and penetration tests without prior authorization from the bank as the
€36,000 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine on HISPAPOST, S.A. The police had found over a thousand abandoned letters bearing the Hispapost logo. Hispapost had been contracted by several companies to deliver the letters. During its investigation, the DPA found that Hispapost, as a processor, had failed to report the data protection incident to the data controllers in a timely manner. The original fine of EUR 60,000 was reduced to EUR 36,000 due to admission of responsibility and voluntary payment.
€2,300 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a data controller EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.
€6,000 fine - Data Protection Authority of Hamburg
The DPA of Hamburg has imposed a fine of EUR 6,000 on an online retailer for failing to report a data breach in a timely manner.
€2,300 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined the District Court in Krakow EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.
€5,900 fine - Austrian Data Protection Authority (dsb)
The Austrian DPA fined a controller EUR 5,900 for failing to report a data breach in a timely manner and for not cooperating with the DPA.
€24,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined an insurance company EUR 24,000 for failing to report a data breach to the DPA in a timely manner.
€24,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Link4 Towarzystwo Ubezpieczeń S. A. EUR 24,000 for failing to report a data breach to the DPA in a timely manner.
€2,500 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a company EUR 2,500 for failing to report a data breach to the DPA and data subjects.
€220,000 fine - Norwegian Supervisory Authority (Datatilsynet)
The Norwegian DPA has fined Argon Medical Devices EUR 220,000. The controller failed to notify the DPA within 72 hours of a data breach involving the personal data of all its European employees. Update: the controller appealed the decision to the DPA, but the appeal was dismissed.
Legislation.
Decision to amend the "Decision on Notification Procedures and Data Processing in Shipping" in connection with the implementation of the Maritime National Single Window.
The proposed rules would require online service providers to detect, report and remove child sexual abuse material on their services. Those providers must also assess the risk of their services being used to distribute child sexual abuse material. A new European Center on Child Sexual Abuse will provide support to providers, law enforcement and victims.