Amazon Made You Get an EU Responsible Person. It Never Mentioned the Other One.

December 13, 2024 was an expensive day to be a non-EU Amazon seller. That was the day the EU's General Product Safety Regulation became enforceable, and Amazon did exactly what Amazon does: it started blocking and removing listings from sellers who had not named an EU responsible person for product safety. Forums filled up overnight. Service providers sold responsible person packages like umbrellas in a rainstorm. Within weeks, most serious sellers had a name and an EU address printed on their listings and went back to business.

Here is the uncomfortable part. Most of those sellers now believe their "EU representative thing" is handled. It is not. They fixed the requirement that came with a listing block, and never heard about the one that comes with a fine.

The short version: the responsible person you appointed for GPSR covers product safety. The GDPR has its own, separate requirement: under Article 27, a non-EU company that processes the personal data of people in the EU must appoint an EU representative for data protection matters. Same idea, completely different law, completely different role. Amazon forced the first one because Amazon shares liability for unsafe products. Nobody forces the second one, and that is precisely why it is still open on hundreds of thousands of seller accounts.

Two representatives, one dangerous mix-up

The confusion is understandable, because the two roles sound like twins:

• The GPSR responsible person (sometimes called the EU authorised representative for product compliance) deals with product safety: technical documentation, labelling, recalls. Their name sits on your product listing. Amazon checks this field and blocks listings without it.
• The GDPR EU representative under Article 27 deals with personal data: they are the official EU contact point for your customers and for data protection authorities. Their name belongs in your privacy notice. Amazon has no field for this, checks nothing, and blocks nothing.

One regulation got a marketplace enforcement machine. The other got silence. If you measure your legal exposure by what Amazon nags you about, you will fix exactly half of your EU obligations and never notice the difference. Until someone else does.

Amazon enforces the rules that put Amazon at risk. The rules that put only you at risk are your job.

"But I just sell on Amazon, I don't process data"

This is the sentence sellers say right before learning what the GDPR considers processing. Selling on Amazon's EU marketplaces means you are touching EU personal data in more places than you think:

• Order data. Names, delivery addresses, order histories flow into your seller account. If you fulfil orders yourself, you print those addresses on labels. Receiving, storing and using that data is processing, full stop.
• Buyer-seller messaging. Every customer question lands in your inbox with a name attached. Your replies, your templates, your saved threads: processing.
• Invoicing and VAT. EU invoices carry customer data, and you are legally required to create and retain them. That retention is processing too.
• Reviews and disputes. Chasing a review removal or fighting an A-to-z claim means handling identifiable customer information.
• Anything off Amazon. A Shopify store, an email list, a warranty registration page, retargeting pixels. The moment your funnel leaves the marketplace, you are collecting EU data directly.

The GDPR applies to you through Article 3(2): you are offering goods to people in the EU. Whether the storefront belongs to Amazon is irrelevant. Amazon is responsible for the processing it controls, and you are responsible for yours. Amazon's own Data Protection Policy for sellers says exactly that, in the polite language of a company that wants the liability to sit with you.

And once the GDPR applies to a business with no establishment in the EU, Article 27 attaches: appoint an EU representative, name them in your privacy notice, give your EU customers and the authorities a real point of contact. The exemption for "occasional" processing does not stretch to cover a store that ships parcels to Munich every single day.

What it costs to skip, in actual numbers

Nobody has ever received a listing block for a missing GDPR representative. What exists instead is quieter and more expensive.

In 2021 the Dutch authority fined a Canadian website €525,000 for exactly one violation: no EU representative. Not a breach, not a hack, just the missing contact point, plus a penalty order of another €20,000 for every two weeks of continued delay. Article 27 violations sit in the penalty tier of up to €10 million or 2 percent of global turnover. We wrote about who actually gets fined and the pattern is consistent: enforcement starts with a complaint, and the missing representative is the first thing an investigator can prove with a single page view.

Now think about who complains. E-commerce generates more GDPR complaints than almost any other sector, because it generates the most data subjects: a customer who wants their address deleted after a dispute, a buyer angry about a marketing email, a competitor who knows exactly which boxes you have not ticked. Your EU customers have rights they can exercise for free. When the request lands and there is no EU representative to receive it, a ten-minute reply becomes a file at a supervisory authority.

There is also a commercial layer on top. Your seller name and business address are public on every Amazon listing. Privacy-savvy customers and competitors can check your privacy notice in thirty seconds. A missing EU representative is visible to anyone who knows what to look for, and in the EU, a lot of people know what to look for.

How the problem actually arrives: a fourteen-day timeline

No regulator wakes up wanting to audit a kitchen-gadget store in Ohio or Shenzhen. The sequence that reaches you looks far more ordinary, and it is worth playing through once, because every step is something that already happens to sellers every day.

Day one: a German customer returns a product after a dispute and sends a message through buyer-seller messaging asking you to delete their data. To you it reads like noise between refund requests. You send a template reply, or no reply.

Day ten: the customer, still annoyed, spends fifteen minutes on the website of their local data protection authority. Filing a GDPR complaint is free, available in their own language, and designed for consumers. E-commerce disputes are one of the most common triggers there is.

Day fourteen: a case officer opens your privacy notice, which is public, and checks the basics. Is the controller identifiable? Is an EU representative named, as Article 27 requires? For a non-EU seller without one, the officer has found a provable violation before lunch, before even looking at the original complaint. And there is a second, quieter consequence: with no representative, there is no EU address to receive the authority's letter. The process does not pause for you. It continues, with you absent from it.

Now run the same fourteen days with a representative in place. The deletion request lands at a monitored EU contact point, gets handled within the deadline, and the customer never reaches day ten. The whole storm dies as a single email. That is the entire value of Article 27 in one scene: it is not paperwork, it is the off-ramp.

The fix takes less time than reading this article

The honest good news: of all the EU compliance duties an Amazon seller carries, this is the cheapest and fastest one to close.

1. Check whether Article 27 applies to you. Selling to EU customers regularly from outside the EU, without an EU office? It almost certainly does. The free compliance checker gives you the answer in about a minute.
2. Appoint an EU representative. A proper one, with a named person, a real EU address and DSAR handling, not a mailbox. This is a subscription, not a project. Ours takes a few minutes to set up.
3. Update your privacy notice. Name the representative and their address, the same way your GPSR responsible person is named on your listings.
4. Route data requests through them. When an EU customer or authority writes, your representative receives it, and you respond with time to spare instead of silence.

That is the whole project. No certification, no audit, no shipping samples to a lab. Compared to what GPSR season cost you in December 2024, this is a rounding error, and unlike the responsible person, it protects the part of your business that holds customer data rather than product manuals.

Amazon taught every non-EU seller a memorable lesson in 2024: EU rules do get enforced, suddenly and all at once. The only difference with the GDPR is who does the enforcing. There is no compliance field in Seller Central for your data duties, no warning email, no 30-day grace banner. There is just the gap, sitting quietly in your privacy setup, waiting for the first customer who decides to test it. Close it before they do.