Privacy Policy
1. Data Controller
The data controller for the processing of personal data on eugpsr.eu is:
- eugpsr.eu
- European Union
- Email: contact@eugpsr.eu
For any questions regarding data protection or to exercise your rights, please contact us via the email address above.
2. Data Collected
We collect and process the following categories of personal data:
- Business information: company name, business registration number, country of registration, business address
- Contact details: email address, name of contact person, phone number (if provided)
- Product information: product descriptions, categories, technical documentation, test reports, and certificates
- Payment data: transaction references processed through PayPal (we do not store credit card numbers or full payment details)
- Website usage data: anonymized analytics data collected via Google Analytics 4 (see our Cookie Policy for details)
We do not collect any special categories of personal data (sensitive data) as defined in Article 9 of the GDPR.
3. Purpose
Your personal data is processed for the following purposes:
- Service delivery: to provide EU Authorized Representative services, including registration, documentation storage, and authority communications
- Authority communication: to communicate with EU market surveillance authorities on your behalf as required by Regulation (EU) 2023/988
- Documentation: to store and maintain technical documentation as required by GPSR
- Payment processing: to process subscription payments and issue invoices
- Service communication: to send you service-related notifications, updates about regulatory changes, and subscription renewal reminders
- Website improvement: to analyze anonymized website usage statistics to improve our services and user experience
4. Legal Basis
We process your personal data on the following legal grounds under the GDPR:
- Performance of a contract (Article 6(1)(b) GDPR) — processing is necessary to provide the EU Authorized Representative service you have contracted
- Legitimate interest (Article 6(1)(f) GDPR) — processing is necessary for our legitimate business interests, including service improvement, fraud prevention, and website analytics, provided these interests are not overridden by your rights
- Legal obligation (Article 6(1)(c) GDPR) — processing may be required to comply with EU or national regulatory obligations, including cooperation with market surveillance authorities
5. Data Retention
We retain your personal data for the following periods:
- Active service period: all data is retained for the duration of the service agreement
- Post-termination: data is retained for 10 years after the end of the service agreement, as required for regulatory compliance under GPSR and to respond to potential authority inquiries about products previously placed on the EU market
- Financial records: invoices and payment records are retained for the period required by Polish tax law (currently 5 years from the end of the tax year)
- Analytics data: Google Analytics data is retained for 14 months
After the applicable retention period, your data will be securely deleted or anonymized.
6. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15) — you can request a copy of all personal data we hold about you
- Right to rectification (Article 16) — you can request correction of inaccurate or incomplete data
- Right to erasure (Article 17) — you can request deletion of your data, subject to legal retention obligations
- Right to restrict processing (Article 18) — you can request that we limit the processing of your data
- Right to data portability (Article 20) — you can request your data in a structured, machine-readable format
- Right to object (Article 21) — you can object to processing based on legitimate interest
To exercise any of these rights, please contact us at contact@eugpsr.eu. We will respond to your request within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority, in particular the Polish data protection authority (UODO — Urząd Ochrony Danych Osobowych).
7. Third Parties
We may share your personal data with the following third parties, only to the extent necessary for the stated purposes:
- Google Analytics (Google LLC) — anonymized website usage statistics via Google Analytics 4 (GA4). Google processes data as a data processor on our behalf. No personally identifiable information is shared. Google's privacy policy: policies.google.com/privacy
- PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A.) — secure payment processing. PayPal processes payment data as an independent data controller. PayPal's privacy policy: paypal.com/privacy
- Cloudflare, Inc. — website hosting, CDN, and security services. Cloudflare processes data as a data processor. Cloudflare's privacy policy: cloudflare.com/privacypolicy
- EU market surveillance authorities — we are legally required to cooperate with EU and national market surveillance authorities under GPSR. Product and manufacturer data may be disclosed upon lawful request from these authorities
We do not sell your personal data to any third party. We do not transfer data outside the EU/EEA except where adequate safeguards are in place (e.g., Standard Contractual Clauses for US-based processors such as Google and Cloudflare).