Can my Responsible Person share my confidential product information with others?

A GPSR responsible person should not share your confidential product information with others unless it is necessary to meet legal obligations or you have agreed to it contractually. Under the General Product Safety Regulation (EU) 2023/988 (GPSR), the responsible person is an EU-based economic operator that holds and can provide certain product safety and traceability information, mainly to competent authorities upon request. The key is to set clear confidentiality terms and controlled disclosure procedures upfront.

Can a GPSR Responsible Person legally share my confidential product information?

In general, a GPSR responsible person should disclose your confidential product information only when disclosure is required to perform its legal tasks or when your contract allows it. The role exists to support compliance and cooperation with authorities, not to distribute your know-how to third parties.

In practice, the responsible person may need access to information such as:

• Technical documentation demonstrating product safety (often held electronically).
• Manufacturer identification and contact details, plus the responsible person’s contact details that appear on the product or packaging.
• Traceability data such as product identifiers (type, batch, serial number, or equivalent).
• Instructions and safety information supplied with the product.

The GPSR sets compliance duties, but it does not replace contractual confidentiality. Your agreement should define what is confidential, who can access it, and how authority requests are handled.

Who can request my technical documentation, and when must it be disclosed?

Your technical documentation is primarily disclosed to competent national market surveillance authorities when they request it as part of checks, investigations, or follow-up actions. The responsible person must be able to make the documentation available and provide information demonstrating that the product meets applicable safety requirements, typically in a language the authority can understand.

Other situations in which documentation may be requested or checked include:

• Market surveillance actions coordinated under the Market Surveillance Regulation (EU) 2019/1020 (MSR).
• Customs-related controls in which authorities verify that required EU economic operator details and product information are present.
• Online marketplace compliance checks in which platforms ask for a curated evidence set (for example, labeling photos, instructions, and confirmation of the responsible person) to keep listings active.

Disclosure is normally to authorities, not to competitors or the public. A responsible person should keep records of what was shared, with whom, and why, and be ready to respond promptly when a request arrives, without assuming that a fixed deadline applies in every case.

How can I protect trade secrets when appointing a Responsible Person?

You can protect trade secrets by combining strong contract terms with practical information controls. A responsible person needs enough access to perform GPSR tasks, but you can still limit exposure by defining the scope, minimizing the data shared, and controlling how documents are stored and released.

Practical safeguards to put in place

1. Confidentiality and NDA clauses that cover technical files, supplier data, test reports, and design details, including limits on onward sharing.
2. Data minimization: share what is necessary for compliance, and keep purely commercial or unrelated IP out of the compliance package.
3. Controlled access: role-based permissions, named users, and two-factor authentication for document systems.
4. Secure storage: encrypted repositories, backups, and clear retention rules.
5. Authority request procedure: define who validates requests, what is released, and how you are informed before disclosure, or immediately after disclosure where legally possible.
6. Disclosure logging: maintain an audit trail of every document shared and the legal basis for sharing.

If personal data is included (for example, consumer complaint records or contact details), align handling with GDPR principles such as purpose limitation, access controls, and appropriate retention.

How does EARP help with GPSR Responsible Person confidentiality and document control?

We help you meet GPSR responsible person requirements while keeping confidential information tightly controlled through defined processes and secure handling.

• Secure document storage for technical documentation, with controlled access and structured organization.
• Clear disclosure procedures for authority requests, including validation steps and documented handover.
• Confidentiality commitments built into our engagement terms, supporting the protection of trade secrets.
• Authority liaison process to ensure communications and document submissions remain consistent and traceable.
• Audit trails that record what was shared, when, and on what basis.

To see how we work, visit our services page, or contact us to discuss your product and the right confidentiality and document control setup.

Related Articles

• What are the day-to-day responsibilities of an EU Responsible Person?
• What happens to my Amazon EU listings if they are not GPSR compliant?
• Is the GPSR data the same per SKU regardless of which seller lists the product?
• Does GPSR apply to print-on-demand products?
• When does the USB-C mandate apply to my electronic devices in EU?