Why Data Quality Is the Core DPP Problem
A digital product passport is only as useful as the data inside it. This sounds obvious, but the implications are less obvious than they appear. A passport that is technically compliant — correct format, correct registry registration, correct data carrier — but contains inaccurate data about material composition or carbon footprint is not just a missed compliance tick. It is a legal liability and, in some respects, a more serious problem than having no passport at all, because it provides false assurance.
The EU DPP framework treats data quality as a substantive compliance requirement, not an administrative detail. The applicable delegated regulations under ESPR will specify not just what data must be included, but the verification standard required to support each data point. Self-declaration is permitted for some fields. Others require test reports, third-party verification, or in high-stakes cases, notified body certification.
Working through data quality obligations is part of the broader compliance exercise mapped in the DPP requirements checklist. This article focuses specifically on the verification tiers and what they mean operationally — for manufacturers, and for importers who inherit verification obligations when their non-EU suppliers fall short.
What Data Accuracy Actually Means in the DPP Context
Accuracy is not the same as completeness. A passport can contain every required field and still be inaccurate. In the DPP context, accuracy has several dimensions that are worth distinguishing:
Factual accuracy: The stated values correspond to measured reality. A textile product stating 40% recycled polyester content should actually contain 40% recycled polyester, within the measurement tolerance defined by the applicable standard. A battery stating 85 kWh capacity should reflect actual tested capacity at defined conditions.
Temporal accuracy: The data reflects the current state of the product, not a historical state. A product reformulated to remove a substance of concern must have its passport updated before the reformulated version enters the market. Stale data that was accurate when first entered but no longer reflects the product as currently manufactured is a compliance failure.
Methodological accuracy: The calculation or measurement method used to generate the data point matches the method specified in the applicable standard or delegated regulation. A carbon footprint calculated using a regional electricity grid emission factor when the regulation requires a supplier-specific factor is methodologically inaccurate, even if the arithmetic is correct.
Traceability: The data point can be traced back to a specific source — a test report, a supplier declaration, a measurement record — held by the responsible economic operator. Data that exists in the passport but cannot be substantiated by documentary evidence is legally indefensible in a market surveillance investigation.
All four dimensions matter. The ESPR regulation's emphasis on the "accuracy and reliability" of passport data reflects exactly this multi-dimensional understanding.
The Four Verification Tiers: From Self-Declaration to Notified Body
The ESPR framework, aligned with the New Legislative Framework (NLF), uses a graduated verification system. The appropriate tier for a given data field is determined by the risk level associated with that field — environmental risk, consumer safety risk, and market distortion risk all factor in.
Tier 1: Self-Declaration
Self-declaration means the economic operator states a value based on their own knowledge and internal records, without external verification. This is the lowest verification tier and is only appropriate for lower-risk data fields.
Typical self-declaration fields include: product dimensions and weight, product category and model name, warranty terms, spare parts availability statements, and in some frameworks, basic material composition categories (e.g., "predominantly cotton" rather than a precise percentage).
Self-declaration does not mean unchecked. The economic operator is still legally responsible for the accuracy of the declared data and must be able to substantiate it with internal records if challenged. The distinction from higher tiers is that no external party has reviewed or validated the data before it enters the passport.
Market surveillance authorities can and do investigate self-declared data. If a physical product test contradicts a self-declared value in the passport, the burden of proof shifts heavily onto the economic operator to explain the discrepancy.
Tier 2: Internal Test Reports
Tier 2 requires that a stated data point be supported by test results, typically from testing performed in the manufacturer's own laboratory or testing facility. The test must follow a standardised methodology — typically a harmonised EN standard or an ISO equivalent referenced in the applicable delegated regulation.
Internal testing is common for: energy efficiency ratings, durability measurements, repairability assessments, and some substance concentration measurements where the thresholds are not at legally critical levels.
The key requirement at this tier is that the test methodology is documented, the test records are retained for the period specified in the regulation, and the test conditions are correctly stated in or referenced from the passport. A test performed under conditions that do not reflect the product's real-world use profile may be technically conducted but methodologically inappropriate.
Internal test reports provide a higher verification standard than self-declaration but are still subject to the inherent conflict of interest that the testing entity and the economic operator are the same. This is why higher-risk fields require external verification.
Tier 3: Third-Party Verification
Tier 3 requires that an independent third party — a testing laboratory, an auditor, a certification body — has reviewed and validated the data. The third party must be genuinely independent: no financial relationship with the manufacturer that could create bias, and typically accredited under ISO/IEC 17025 (for testing laboratories) or ISO/IEC 17021 (for management system certification).
Third-party verification is required for data fields with significant environmental or commercial weight: precise recycled content percentages in sectors where "greenwashing" is a known risk, carbon footprint declarations for products where the figure materially affects purchasing decisions, and substance concentration measurements near regulatory threshold values.
The scope of third-party review can be a specific data point (verify this carbon footprint calculation), a class of data (verify all substance declarations for this product line), or a system-level audit (verify that the quality management system generating DPP data is functioning correctly). For companies with large product portfolios, system-level audits are more cost-efficient than point-by-point verification.
Third-party reports must be referenced in or linked from the passport — the claim that third-party verification was performed must be substantiable by pointing to the actual report.
Tier 4: Notified Body Certification
Tier 4 is the highest verification standard and applies to the most consequential data fields — principally in product categories where incorrect data could cause serious consumer safety or environmental harm.
Notified bodies are conformity assessment bodies officially designated by EU Member States under the New Legislative Framework. They operate under strict competence and independence requirements and are publicly listed in the NANDO database. Their involvement is not optional when the applicable delegated regulation requires it — using a non-notified body does not satisfy a notified body requirement.
For the DPP context, notified body involvement is most clearly required in the battery sector. The battery passport framework requires notified body assessment for certain conformity declarations, and by extension, for the battery-specific DPP data that supports those declarations.
In other product categories, notified body requirements for DPP-specific data verification are still being specified in draft delegated acts. The general expectation is that notified bodies will be required for health and safety-critical substance data, and for carbon footprint declarations where the stakes justify the cost.
Update Obligations: When and How Passport Data Must Change
A compliant DPP at product launch is not necessarily a compliant DPP six months later. The ESPR framework imposes ongoing update obligations that are often underestimated in implementation planning.
Update triggers include:
Product reformulation. If the physical product changes — different material, different supplier for a component, different manufacturing process — the passport must be updated before the reformulated product is placed on the market. This seems obvious, but in practice, the internal process for triggering a passport update at the point of a product change requires explicit design. It cannot be an afterthought.
Regulatory list changes. Substances are periodically added to the REACH SVHC (Substances of Very High Concern) list, the persistent organic pollutants list, and other regulatory registers. If a substance present in your product gets listed, your passport must be updated even if the physical product has not changed. This requires a monitoring system — you cannot track this manually across a large product portfolio.
Supplier changes. A material that was sourced from a specific origin with a specific sustainability profile may change origin when you switch suppliers. If the passport states specific provenance data that is now inaccurate due to a supplier change, it must be updated.
Lifecycle events. For products where the passport tracks lifecycle events — repair records, refurbishment, component replacement — each event triggers a data update obligation. This is particularly relevant for high-value electronics and machinery categories.
Corrections. If an error is identified in existing passport data — whether through internal audit, supplier feedback, or a market surveillance query — the correction must be made promptly, and in some frameworks, the correction must be logged in the audit trail alongside the original erroneous entry.
The guide to creating a digital product passport addresses the technical architecture needed to support these update flows. Managing updates manually across product lines of any meaningful size is not realistic — it is a systems problem, not a documentation problem.
Building a DPP Data Quality Management System
Given the verification requirements and update obligations above, the DPP is effectively mandating a data quality management system for product sustainability information. Companies that already have ISO 9001 or similar quality management infrastructure have a head start, but they still need to extend their QMS scope to cover DPP-specific data processes.
A DPP data quality management system minimally includes:
- A data inventory mapping every DPP-required field to its source (internal system, supplier declaration, test report, third-party audit) and its applicable verification tier
- A supplier data collection process with defined templates, timelines and escalation paths for non-response
- Internal testing schedules aligned with verification tier requirements
- A change management process that identifies product or supply chain changes that trigger passport updates
- A regulatory monitoring process that tracks changes to relevant substance lists and standards
- Document retention procedures that align with the passport data retention period (product lifetime plus the period specified in the delegated regulation)
- Audit trail management that captures the history of each data field over the product's commercial life
This is not a small undertaking for companies with complex product portfolios. The platform features at dpp-tool.com are designed to operationalise exactly these workflows — data collection, verification tracking, update management and audit trail maintenance. And if you are scoping the effort from scratch, working through the DPP requirements checklist field by field will give you a realistic picture of the data quality gaps between where you are and where compliance requires you to be. Pricing for different implementation scales is covered at /en/pricing/.
Greenwashing Risk and DPP Data Quality: The Enforcement Angle
The EU Green Claims Directive, which runs in parallel with ESPR, makes unsubstantiated environmental claims illegal across the EU. DPP data — which will increasingly be cited in marketing, on labels, and in retailer data systems — is subject to this prohibition.
If your DPP states a carbon footprint or recycled content figure that cannot be substantiated to the verification standard required by the applicable regulation, that data is not just non-compliant under ESPR. It may also constitute a misleading environmental claim under the Green Claims Directive. The interaction between these two regulatory frameworks significantly raises the stakes of data quality failures.
Market surveillance authorities are not the only enforcement vector. National consumer protection authorities can act on DPP-derived green claims. NGOs and competitors have standing to challenge claims through national advertising standards bodies. Retailers who rely on your DPP data for their own sustainability reporting may seek recourse if that data turns out to be wrong.
Data quality, in this regulatory environment, is not a compliance checkbox. It is a risk management imperative.
Frequently Asked Questions
- What verification is required for carbon footprint data in a Digital Product Passport?
- Carbon footprint data generally requires at minimum third-party verification (Tier 3), meaning an accredited independent body must review the calculation methodology and underlying data. For high-stakes product categories, notified body involvement may be required. The exact standard is specified in each product category's delegated regulation.
- How often must DPP data be updated?
- DPP data must be updated whenever the information it contains becomes inaccurate. This includes product reformulations, supplier changes, changes to regulatory substance lists affecting the product, lifecycle events like repair or refurbishment, and correction of identified errors. The obligation is to maintain accuracy continuously, not on a fixed schedule.
- Is self-declaration sufficient for DPP material composition data?
- It depends on the product category and the specific data field. Basic material category information may be self-declarable. Precise recycled content percentages, substance concentrations near regulatory thresholds, and composition data for products in categories with known greenwashing risks typically require third-party verification. The applicable delegated regulation specifies the tier for each field.
- What happens if a market surveillance authority finds a discrepancy between DPP data and physical product testing?
- A discrepancy is treated as evidence of non-compliance. The burden shifts to the economic operator to explain it — for example, demonstrating that the tested unit is from a different production batch with a documented change. Without a credible explanation, enforcement action follows.
- Do SMEs have reduced verification requirements under the DPP?
- The ESPR framework allows for proportionality provisions for SMEs, and some delegated regulations may permit reduced documentation or longer implementation timelines. However, verification tier requirements for specific data fields are not generally reduced based on company size — the environmental and safety rationale for a given tier applies regardless of who produces the product.