Why Access Control Is Central to the DPP System
A digital product passport that exposes everything to everyone is not a compliance tool — it is a liability. A passport that exposes nothing is useless. The entire credibility of the DPP framework rests on getting this balance right, and the architects of the system know it.
The ESPR regulation and its implementing acts build a three-tier access model. Each tier corresponds to a defined class of actor: consumers and the general public, economic operators in the supply chain, and competent authorities. What each tier can see is not left to the discretion of the manufacturer — it is defined by the applicable delegated regulation for each product category, and enforced technically at the data layer.
Before diving into each tier, it is worth anchoring this in the broader compliance picture. Access control configuration is one of the requirements covered in the DPP compliance checklist. It is not optional, and getting it wrong — whether by over-exposing confidential data or by under-exposing data that regulators require to be public — creates legal exposure.
Tier One: Public Access — What Every Consumer Can See
Tier One is the foundation. Any person, anywhere, who scans the product's data carrier — a QR code on a garment label, an RFID chip in an electronic device, a data matrix on a battery — should be able to retrieve Tier One data without authentication of any kind.
The data that must be publicly accessible is defined per product category, but common elements include:
- Product identity (model, batch, series)
- Manufacturer's name and contact information
- Applicable regulation and conformity declaration reference
- Repairability index or score
- Recyclability and end-of-life handling instructions
- Presence or absence of substances of concern (yes/no flags, not precise concentrations)
- Recycled content percentage (ranges, not exact breakdown by supplier)
- Carbon footprint category (for products where this is required)
- Warranty information and spare parts availability
The reasoning is straightforward: consumers have a right to this information to make informed purchasing decisions. Waste operators need it to handle the product correctly at end of life. Researchers and NGOs scrutinising supply chain claims need access. None of these actors should need to create an account or prove their identity to get this data.
Technically, this means Tier One data must be accessible via an unauthenticated HTTPS request to the data location registered in the EU DPP registry. The response must be machine-readable (structured JSON-LD or equivalent) and human-readable (renderable by a browser or a consumer app). The full DPP explainer covers the underlying architecture in more detail.
Tier Two: Economic Operator Access — Supply Chain Visibility
Tier Two is where business-to-business data exchange happens. Verified economic operators — retailers, distributors, maintenance providers, recyclers, authorised repairers — can access additional data layers after authentication against the registry.
What does Tier Two add over Tier One? Typically:
- Detailed bill of materials (BOM) at sub-component level
- Precise substance concentrations and locations within the product
- Specific supplier identities (Tier 1 and sometimes Tier 2 suppliers)
- Disassembly instructions and technical repair documentation
- Test report references and third-party certification details
- Batch-level provenance data for critical materials
- Maintenance and service history records
The access gating is based on verified business identity, typically linked to an EORI number (Economic Operators Registration and Identification) or equivalent credentials established through the registry's identity layer. This is not self-declared — the registry performs verification against business registries.
There is a legitimate policy tension here. Detailed supplier data is commercially sensitive. A company that spent years building a sustainable supply chain does not want that network exposed to competitors via a DPP query. The regulation attempts to address this by allowing some Tier Two fields to be marked as "restricted-confidential," meaning they are accessible to authorities under Tier Three but not to other economic operators under Tier Two.
The practical implementation of this granularity is still being worked out in the delegated acts. What is clear is that your DPP platform — whether you build it internally or use a service like dpp-tool.com's features — must support field-level access controls, not just document-level controls.
Tier Three: Competent Authority Access — Full Regulatory Transparency
Market surveillance authorities, customs authorities, and other competent authorities operate under Tier Three access. They get the broadest read permissions the system allows.
Tier Three access typically covers everything in Tiers One and Two, plus:
- All restricted-confidential fields (including supplier identities protected from Tier Two)
- Full audit trails of data updates and modification history
- Cross-reference data linking the passport to conformity declarations, test labs and notified body reports
- Internal quality assurance records where regulators require disclosure
- Any active recalls, safety alerts or non-conformity notices
The authority access mechanism integrates directly with the EU DPP registry's market surveillance module. When a customs officer in Hamburg queries a product passport, they do so through an authenticated channel that logs the query, applies the Tier Three access policy, and returns a comprehensive data view. The same query from an unauthenticated consumer app returns only Tier One data.
This architecture is intentional. Authorities cannot claim ignorance of a product's full substance profile if it exists in the passport and is accessible to them. Conversely, manufacturers cannot claim they disclosed something to authorities by burying it in a public-tier field — authorities get access to everything, including what is withheld from the public.
For importers especially, understanding that authorities have full Tier Three access changes the risk calculus significantly. You cannot set an inaccurate public-tier value and assume no one will check the Tier Three detail. The DPP compliance checklist addresses exactly this kind of exposure.
Where GDPR and DPP Access Control Intersect
The GDPR intersection is real and underappreciated. The DPP regulation sits alongside GDPR, not above it. If passport data contains personal data — and in some contexts it can — GDPR rules apply in full.
The clearest case is the professional repair market. If a technician's name and business ID are recorded in the maintenance history of a product passport, that is personal data under GDPR. The data subject has rights: access, rectification, erasure under certain conditions. The DPP's update and archival obligations must accommodate these rights.
A less obvious case: if a product's serial number can be linked to an identified natural person — say, a consumer registration database — then queries against that serial number in the passport system could constitute processing of personal data. The legal basis for that processing must exist.
The Commission's approach has been to design the DPP system to be "privacy by default." Product-level data (applicable to a product model or batch) generally does not qualify as personal data. Individual serial-level data, when linkable to a person, is treated more carefully. Many delegated regulations will require DPPs at the model level, not the individual unit level, specifically to sidestep GDPR complexity — though batteries and some high-value electronics require unit-level passports.
For businesses, the practical step is to conduct a DPIA (Data Protection Impact Assessment) for your DPP implementation. This is especially important if you are collecting end-of-life data, repair histories, or anything that could create a chain linking a physical product to an identifiable person. The ESPR regulation overview discusses the privacy-by-design requirements in the regulatory framework.
Implementing Access Control: What Your System Must Actually Do
Policy intent is one thing. Technical implementation is another. Here is what your system needs to handle for access control to actually work.
Token-based authentication. Tier Two and Three access requires verified identity. Your DPP platform must integrate with the identity layer of the EU registry — whether that is EU Login (the Commission's SSO), EORI-linked tokens, or a sector-specific credential scheme. This is not a feature you can add later.
Field-level access tagging. Every data field in your passport must carry an access-level tag: public, economic-operator, authority-only, or restricted-confidential. Your API must enforce this at query time, not as a post-processing filter. If your system returns full data and then strips fields based on the requester's role, a misconfiguration or a software bug can leak restricted data. Enforce at the source.
Immutable audit logging. Every query against a passport — particularly Tier Two and Three queries — should be logged immutably. This serves two functions: it proves to regulators that access controls are working, and it creates accountability for who accessed what data when. Under some delegated acts, audit log retention requirements will be specified explicitly.
Update propagation. When a field changes — for example, a substance of concern is added to the SVHC list and your product contains it — the access control rules for that field may change too. Your system must handle rule updates without breaking existing authenticated sessions.
The guide to creating a digital product passport walks through the technical implementation steps. And if you want to see how these access tiers map to a practical platform, the features overview shows how this is handled in practice.
Frequently Asked Questions
- What is the three-tier access model in the EU Digital Product Passport?
- The three-tier model divides DPP access into public (Tier 1, accessible to anyone without authentication), economic operator (Tier 2, accessible to verified supply chain actors), and competent authority (Tier 3, accessible to market surveillance and customs authorities). Each tier grants access to progressively more detailed product information.
- Can competitors access my supplier information through the DPP?
- No. Detailed supplier identities are Tier 2 or restricted-confidential data, not accessible to unauthenticated queries or to other economic operators without specific entitlement. Only market surveillance authorities have Tier 3 access that includes restricted-confidential fields. The system is designed to prevent competitor intelligence gathering via DPP queries.
- Does the Digital Product Passport system comply with GDPR?
- The DPP framework is designed to be privacy by default, but GDPR obligations still apply where personal data is involved — for example, repair history records linking to identified technicians or serial-level passports linkable to a consumer. Businesses should conduct a DPIA as part of their DPP implementation.
- Who can access the full contents of a Digital Product Passport?
- Market surveillance authorities and customs authorities at Tier 3 level have the broadest read access, including restricted-confidential fields. Economic operators at Tier 2 get access to detailed supply chain and technical data. Consumers at Tier 1 access only the data fields mandated as public by the applicable delegated regulation.
- What happens if a company sets incorrect access levels on DPP data fields?
- Incorrect access levels — either too restrictive (blocking data that should be public) or too permissive (exposing data that should be restricted) — constitute non-compliance with the applicable delegated regulation. Both directions create enforcement risks, either market access denial or GDPR liability.