Urgent! EU Data Act Officially Takes Effect: Amazon Sellers Face Mandatory Compliance Deadline
Editor: ESTL | Category: Certification information | Release time: 2025-12-09
Recently, Amazon Seller Central has officially updated its "EU Data Act" policy page (see image below), clarifying that connected devices (IoT products) failing to meet the new requirements will face removal from the platform. As a professional institution with 15 years of expertise in testing and certification, GTG Testing Group has found that over 90% of connected products exported to the EU have not yet initiated compliance preparations—time is limited, requirements are detailed, and penalties are severe. This critical compliance guide before the "deadline" is a must-read!
Key Point! Core of Amazon’s New Rule:
Connected Products Must Include a "Data Transparency Document"
According to Amazon’s newly released Requirements for Selling Products on Amazon (see image below), all connected device listings must embed a multilingual PDF file as a "transparency document" to help users understand data processing. This PDF is not a simple statement but a "compliance checklist" covering eight core elements.
Eight Mandatory Elements (with Pitfall Avoidance Guides)
1. Full Disclosure of Data Nature
- Distinguish between personal data (e.g., user identification information) and non-personal data (e.g., device operating parameters).
- Clarify four data categories: product status data (configuration/diagnostic messages), buyer usage data (activity time/geolocation), general environmental data (weather-related data), and other derived data. GTG Tip: We once assisted a smart camera enterprise in identifying 12 types of hidden data, avoiding rejection due to "incomplete data classification" during review.
2. Quantitative Description of Estimated Data Volume
- Specify by scenario: data generated by active user interaction (e.g., app control commands) and passive data generated when the device is on standby/off (e.g., heartbeat packets). Case: An industrial sensor was removed because its unestimated "standby data volume" exceeded limits, leading to inconsistencies between the PDF and actual performance.
3. Data Format & Real-Time Performance
- Explain data format (JSON/XML, etc.) and whether continuous real-time generation is supported (e.g., live broadcast devices must indicate "24/7 streaming transmission").
4. Storage Location & Retention Period
- Clearly state data storage location (on-device/local storage, EU-based servers, third-party cloud) and retention period (e.g., "automatically deleted 30 days after user account cancellation"), complying with the EU Data Act’s "data minimization" principle.
5. Three-Step Process for Users to Access/Retrieve/Erase Data
- Access: Specify direct access (on-device), API interface, or portal website path.
- Retrieval: List technical steps (e.g., "Log in → Enter 'My Data' → Select time range to export").
- Erase: Provide a self-service deletion process (e.g., "Settings → Privacy Center → One-click deletion of historical data") and note the enterprise backend support mechanism.
6. Link to Terms of Service
- Embed a clickable link to the full terms of service on the official website (in the official languages of the EU markets where the product is sold).
7. Service Quality Commitments
- Include stability indicators for APIs/SDKs (e.g., "99.9% availability") and maximum data latency (e.g., "real-time data ≤ 500ms").
8. Multilingual Coverage
- The PDF must be provided in all relevant languages of the European markets where the product is sold (e.g., German, French, and Italian for sales in Germany, France, and Italy).
Three Major Compliance Challenges for Enterprises
GTG Cybersecurity Laboratory Offers Solutions
While the new rules seem clear, practical implementation is fraught with "hidden risks":
- Technical Blind Spots: Data classification and API interface design require balancing functionality and security, but SMEs lack professional teams.
- Multilingual Costs: Translations into less widely spoken languages are prone to errors (e.g., grammatical differences in Polish causing ambiguity), and manual review is time-consuming.
- Long Review Cycles: Amazon’s compliance review of PDFs is strict, and a single rejection may delay market launch.
As one of China’s first institutions with EU Data Act compliance testing capabilities, GTG has provided "testing + rectification + certification" one-stop services for over 200 enterprises. Our core advantages include:
1. Itemized Alignment with Eight Elements: 90% PDF Compliance Rate
- Independently developed EU Data Act PDF Compliance Checklist, covering 32 detailed items such as data classification, storage location, and user operation paths.
- Supports semantic accuracy review of PDFs in 12 European languages (English, German, French, Italian, etc.) to avoid machine translation ambiguities.
2. Practical Cybersecurity Experience
- Covers international certifications such as EN 18031 and GDPR data protection, with cumulative penetration testing and vulnerability management services for over 200 enterprises.
- One of China’s first laboratories with dual CNAS and A2LA cybersecurity accreditations.
3. Authority Backing by Data Security Experts
- Hardy, the laboratory director, is a drafter of the national standards "Data Classification and Grading Guidelines" and "Data Security Risk Assessment", bringing rich practical experience in data security compliance to help pass Amazon’s review in one go.
Limited-Time Offer! GTG Helps Enterprises "Race Ahead" in Compliance
From now until December 31, 2025, GTG launches the "EU Data Act Compliance Escort Program": Purchase one set of EN 18031 certification, get EU Data Act compliance service for free (only report fee applies).
Act Now! Secure Your "Lifeline" to the EU Market
The "compliance exam" on September 12, 2025, is counting down—early preparation = fewer losses = market opportunities. GTG Cybersecurity Laboratory is fully equipped with "technology + experience + resources" to help you quickly cross the compliance threshold.