ECP European Compliance Platform

Privacy Policy

This Privacy Policy explains how personal data is processed in connection with the European Compliance Platform ("ECP", "Platform").

Effective date: 2026-02-18

1. Data Controller / Contact

The data controller for personal data processed in connection with the Platform is:
Legal entity name: AFINA s.r.o.
Registered address: Kaprova 42/14, 110 00 Praha, Czechia
Company registration number: 25056557
VAT number (if applicable): CZ25056557
Data protection / GDPR contact:
General support:

2. Categories of personal data

3. Purposes of processing

4. Legal bases (EU/EEA)

Depending on context, we process personal data based on one or more of: (i) performance of a contract, (ii) legitimate interests, (iii) consent (where applicable), and (iv) compliance with legal obligations.

5. B2B Provider outreach — lawful basis and data practices

The Platform sends email notifications to organisations and professionals that appear to offer services relevant to Applications submitted by Applicants (e.g. conformity assessment, certification, laboratory testing, regulatory representation, consulting services in the EU).

Lawful basis: Legitimate interests (Article 6(1)(f) GDPR). Our legitimate interest is to facilitate B2B matching between Applicants seeking EU compliance services and Providers capable of delivering those services. We have conducted a balancing assessment and concluded that this interest is not overridden by Provider rights and freedoms, given that: (i) recipients are businesses or professionals, not private individuals; (ii) the communications are directly relevant to the professional activities of the recipient organisation; and (iii) each communication includes an opt-out mechanism.

Data sources: Provider contact data is obtained from one or more of the following sources: publicly accessible business registries and directories (e.g. NANDO database for Notified Bodies, national accreditation body registries, public company registers); provider-submitted profiles on the Platform; business directories and professional association lists; and data submitted directly by providers during registration or outreach responses.

What data is used: Organisation name, contact email address, and professional service category.

Right to object / unsubscribe: Recipients may opt out at any time by clicking the unsubscribe link included in each notification email. Upon opting out, the recipient is added to a suppression list and will not receive further outreach emails from the Platform. To exercise your right to object under Article 21 GDPR, contact: .

Suppression list: Organisations and individuals who opt out are recorded on a suppression list. We retain suppression records indefinitely to ensure that opt-out requests are honoured in all future communications.

Retention (B2B outreach data): Contact data used solely for B2B outreach is retained for as long as the organisation appears to be active and offering relevant services, and for a maximum of 3 years from last contact, unless the individual opts out earlier, at which point contact is suppressed immediately.

6. Recipients and sharing

7. Data retention

We retain personal data only as long as necessary for the purposes described above, unless a longer retention period is required by law. High-level retention periods by category:

8. Security

We implement appropriate technical and organizational measures to protect personal data. However, no system is completely secure.

9. Your rights

Depending on your location, you may have rights such as access, rectification, deletion, restriction, objection, portability, and withdrawal of consent. To exercise rights, contact us at the address above.

10. Cookies and similar technologies

The Platform uses the following storage technologies:

You can control cookies and localStorage through your browser settings. Clearing strictly necessary storage will log you out of the Platform.

11. Supervisory authority

If you are located in the EU/EEA and believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the competent data protection supervisory authority in your country of residence. The lead supervisory authority for the Platform operator is the data protection authority in Czech Data Protection Authority (ÚOOÚ).

12. Changes to this policy

We may update this policy from time to time. The "Effective date" above indicates when the latest version became effective.