GDPR Compliance for Manufacturers: A Practical Guide¶
In June 2026, the UK's Information Commissioner's Office announced a formal probe into how smart TV manufacturers use consumer data and published final guidance on IoT products, warning that most IoT data processing "is likely to result in a high risk." The same month, Italy's antitrust authority opened proceedings against Vorwerk over the shutdown of cloud services for Neato robot vacuums — a landmark case examining whether manufacturers can devalue connected products through service termination.
Product manufacturers consistently tell us GDPR is a "tech company problem." Then we show them the connected product they're shipping — the one collecting sensor data and communicating with a smartphone app — and it clicks.
If your company places products on the EU market, you are almost certainly processing personal data in ways that trigger the General Data Protection Regulation (GDPR). Connected devices, supplier records, employee data — all of it counts. On the Sustalium platform, we handle GDPR declarations for IoT manufacturers, industrial equipment makers, and consumer goods companies. Here is what actually applies to product businesses.
Why Product Companies Are Subject to GDPR¶
GDPR (Regulation [EU] 2016/679) applies to any organization that processes personal data of individuals in the European Economic Area, regardless of where the organization is based. For product manufacturers, personal data processing occurs in far more contexts than most realize:
1. Connected Products and IoT Devices¶
If your product connects to the internet, collects sensor data, or communicates with a smartphone app, you are likely a data controller under GDPR. Examples: - A smart thermostat that learns user temperature preferences and occupancy patterns. - An industrial sensor that transmits machine performance data linked to a specific factory. - A wearable device that tracks heart rate, sleep patterns, and location. - A connected kitchen appliance that records usage habits.
Each of these devices generates data that, when linked to an identifiable individual or even a device identifier, constitutes personal data under GDPR.
2. Customer, Supplier, and Employee Data¶
Even without connected products, basic business operations trigger GDPR: - Customer databases containing names, email addresses, and purchase histories. - Supplier contact records for procurement and quality management. - Employee records for any EU-based staff or remote workers. - Warranty registration databases linking product serial numbers to customer identities.
3. Compliance Documentation¶
Ironically, the very compliance documents you maintain — Declaration of Conformity signatories, supplier contact details in your REACH SCIP submissions, authorized representative information for GPSR — contain personal data. Sharing these documents across your supply chain or publishing them online without appropriate data protection measures can itself be a GDPR violation.
4. Website and E-Commerce¶
If you operate a website accessible in the EU that uses cookies, collects contact form submissions, or processes online orders, you are subject to GDPR. This includes the obligation to obtain informed consent for non-essential cookies and to maintain a clear, accessible privacy policy.
Core GDPR Obligations for Product Companies¶
1. Establish a Lawful Basis for Processing¶
Every instance of personal data processing must be grounded in one of six lawful bases defined by Article 6 of GDPR: - Consent: The individual has given clear permission for a specific purpose. - Contractual necessity: Processing is required to fulfill a contract (e.g., shipping a product to a customer's address). - Legal obligation: Processing is required by law (e.g., retaining warranty records for regulatory compliance). - Legitimate interest: Processing is necessary for your legitimate business interests, balanced against individual rights. - Vital interests: Processing is necessary to protect someone's life. - Public task: Processing is necessary for a task in the public interest.
For most product companies, contractual necessity and legitimate interest are the most commonly relied-upon bases. Consent, while often assumed to be the default, should only be used when no other basis applies and when the individual has a genuinely free choice.
2. Maintain a Record of Processing Activities (ROPA)¶
Article 30 requires you to maintain a written record of all personal data processing activities, including: - The purposes of processing. - The categories of personal data and data subjects. - The recipients to whom data is disclosed. - Data retention periods. - Technical and organizational security measures.
This is not optional — it is a legal requirement for all but the very smallest organizations, and it is the first document a supervisory authority will request during an audit.
3. Implement Data Protection by Design and by Default¶
Article 25 mandates that data protection must be embedded into your products and processes from the earliest design stage, not bolted on afterward. For product companies, this means: - Connected products should collect only the minimum data necessary for functionality. - Default privacy settings must be the most protective, not the most permissive. - Data retention should be minimized — if your IoT device is still storing user data five years after the product was discarded, you have a GDPR problem.
4. Appoint an EU Representative¶
If your company is established outside the EU but processes personal data of individuals in the EU, Article 27 requires you to appoint an EU-based representative. This representative acts as the contact point for supervisory authorities and data subjects. Note: this is a distinct role from the EU Authorized Representative required under GPSR, though the same entity can serve both functions.
5. Manage Data Breach Notification¶
If a personal data breach occurs (e.g., your customer database is compromised, or your IoT cloud platform is hacked), Article 33 requires you to notify the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach poses a high risk to individuals, you must also notify the affected data subjects without undue delay.
The 72-Hour Clock Starts at Discovery
The 72-hour notification window begins the moment your organization becomes aware of the breach — not when the IT team confirms it, not when legal reviews the situation. If an employee discovers a data exposure on a Friday evening, the clock is already running. Having a documented, tested breach response plan is essential.
GDPR and the UK¶
Since Brexit, the UK is no longer part of the EU GDPR regime. Instead, it operates under the UK GDPR, which is substantively identical but enforced by the UK Information Commissioner's Office (ICO) rather than EU supervisory authorities. If you process data of individuals in both the EU and the UK, you must comply with both regimes. Practically, this means: - Maintaining separate Records of Processing Activities if your processing differs between the two jurisdictions. - Designating both an EU Representative and a UK Representative if your company is based outside both regions. - Responding to both EU supervisory authorities and the ICO in the event of a breach.
How Sustalium Supports GDPR Documentation¶
While Sustalium is not a legal compliance tool, our platform helps product companies structure and maintain the documentation that GDPR demands — particularly at the intersection of physical product compliance and data privacy.
- GDPR Compliance Declaration Generator: Produce a structured, public-facing GDPR compliance statement documenting your lawful bases, data categories, retention policies, and security measures. This satisfies the transparency requirements of Articles 13 and 14 and serves as a clear reference for customers, suppliers, and auditors.
- Integrated EU/UK Representative Management: Link your appointed EU and UK Representatives to your product compliance profiles, ensuring consistency across your GDPR, GPSR, and CE Mark documentation.
- Data Mapping for Connected Products: Use Sustalium's structured product templates to document the personal data flows associated with each connected product SKU — what data is collected, why, where it is stored, and who has access.
Build Your GDPR Documentation Today
GDPR compliance for product companies is not optional. Document your data processing, protect your customers, and satisfy regulatory transparency requirements.
With Sustalium, you can generate a structured GDPR Compliance Declaration and maintain your data processing records for just €10 per document.
Frequently Asked Questions¶
Does GDPR apply to B2B data?
Yes. GDPR applies to any personal data, regardless of whether the individual is acting in a personal or professional capacity. A supplier's email address (firstname.lastname@company.com) is personal data under GDPR. B2B marketing and supplier management must comply.
Is my non-EU company subject to GDPR?
Yes, if you process personal data of individuals in the EU. GDPR applies extraterritorially under Article 3 — if you offer goods or services to individuals in the EU or monitor their behavior (which includes most IoT and connected products), GDPR applies regardless of your company's location.
What is the minimum I must do to comply?
At a minimum, you should: (1) document what personal data you collect and why, (2) establish a lawful basis for each processing activity, (3) publish a clear privacy policy, (4) implement basic security measures, and (5) have a plan for responding to data subject access requests. These five steps cover the most commonly enforced areas.
How is GDPR enforced against non-EU companies?
EU supervisory authorities can issue fines directly to non-EU companies. Enforcement against overseas entities is facilitated through cooperation with local data protection authorities and, increasingly, through mutual legal assistance treaties. Several non-EU companies (including US-based manufacturers) have received substantial GDPR fines for data processing violations involving EU individuals.
Related Articles¶
- EU General Product Safety Regulation (GPSR) Compliance: The 2026 E-Commerce Checklist — Understand how your product safety obligations intersect with data privacy requirements.
- Demystifying Compliance: Regulations, Directives, Norms & Frameworks — See where GDPR sits in the broader compliance hierarchy.
- Cybersecurity for Hardware & IoT SMEs: NIS2 and the Cyber Resilience Act (CRA) — Learn how cybersecurity obligations complement data protection requirements.
Last updated: June 18, 2026