Digital Product Passport GDPR compliance sits at the intersection of two EU regulatory frameworks — the ESPR's mandate to share product data and the GDPR's mandate to protect personal data. The critical insight: most DPP data (material composition, environmental metrics, certifications) is product data, not personal data, and falls entirely outside GDPR scope. But three specific touchpoints — consumer scan metadata (IP addresses, confirmed as personal data by CJEU Case C-582/14), sole proprietor manufacturer details, and named supply chain contacts — do trigger GDPR obligations that the ESPR's own Article 10 explicitly acknowledges by requiring consent for customer personal data in DPPs.
Why Does GDPR Matter for Digital Product Passports?
A Digital Product Passport involves data flows across multiple parties: brands submit product data, DPP platforms host it, consumers scan QR codes to access it, supply chain partners contribute to it, and market surveillance authorities audit it. Any data flow that involves personal data triggers GDPR obligations — regardless of whether the primary purpose of that data flow is product transparency.
Most DPP data is product-level information: material composition, carbon footprint, recycling instructions, certification references. None of this identifies an individual. But several touchpoints in the DPP ecosystem can involve personal data, and brands need to know exactly where those touchpoints are.
The risk is not hypothetical. Since GDPR took effect in May 2018, EU data protection authorities have imposed over €4.5 billion in total fines across more than 2,000 enforcement actions (GDPR Enforcement Tracker, 2025). GDPR penalties can reach €20 million or 4% of global annual turnover, whichever is higher. The ESPR penalty framework (Regulation (EU) 2024/1781, Article 77) instead requires each member state to set its own penalties that are "effective, proportionate and dissuasive." A brand that violates both faces compounding exposure from two independent enforcement regimes.
What DPP Data Could Be Personal Data?
Economic Operator Contact Details
The ESPR requires DPPs to include manufacturer identification: company name, address, and a responsible person's contact information. A legal entity's name and registered address are not personal data. But for sole proprietors, common among small brands, the manufacturer's name and address identify a natural person and therefore constitute personal data under GDPR Article 4(1). Likewise, a named responsible person's direct email or phone number is personal data even when the manufacturer is a company: the business context does not take it outside GDPR, it only affects which legal basis fits (a role mailbox such as compliance@ avoids the question entirely).
Consumer Scan Data
When a consumer scans a DPP QR code, the hosting platform can capture metadata: IP address, device type, operating system, approximate location, and timestamp. IP addresses are personal data. The Court of Justice of the EU held in Case C-582/14, Breyer v. Germany (2016, decided under the predecessor Directive 95/46/EC) that even a dynamic IP address is personal data for a website operator that has lawful means to have the user identified, and GDPR Recital 30 lists IP addresses among the online identifiers that can identify a natural person. Any logging of per-scan metadata therefore needs a legal basis. A short-lived server access log kept for security and abuse detection can usually rest on legitimate interest (Article 6(1)(f)); analytics that track or profile individual visitors, especially via cookies or device fingerprinting, need consent, and the storage-access rule of the ePrivacy Directive (Article 5(3)) applies on top of GDPR.
If your DPP platform tracks consumer scans for analytics, you need a GDPR-compliant cookie/tracking consent mechanism, with the same obligations that apply to any website tracking visitors. Do not assume that because the ESPR mandates the DPP, the consent requirements disappear: the ESPR obliges you to publish the passport, not to record who reads it.
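The practical split described above (serve the passport, count scans in aggregate, keep per-visitor detail only with consent and only for a fixed period) is easiest to see in code. The following is an added example written for this page, not code from any DPP platform. The request object, the `analytics_consent` flag (assumed to be populated from the consent banner's stored choice), the in-memory store and the 90-day retention period are all assumptions; the sample scans at the bottom are constructed.

```python
"""Scan-endpoint logic that keeps the public DPP page free of visitor data:
aggregate counts by default, per-visitor records only behind explicit
consent, each with its own expiry so storage limitation can be enforced."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ScanRequest:
    product_id: str
    client_ip: str                   # personal data (Breyer, GDPR Recital 30)
    user_agent: str
    received_at: datetime            # timezone-aware
    analytics_consent: bool = False  # assumed: derived from the consent banner choice


@dataclass
class ScanStore:
    # (product_id, UTC day) -> count. No visitor attribute is kept, so this
    # bucket is not personal data and needs no consent.
    aggregate: Counter = field(default_factory=Counter)
    # Per-visitor records, written only with consent; each carries an expiry.
    detailed: list = field(default_factory=list)


DETAIL_RETENTION = timedelta(days=90)  # assumed analytics retention; record it in the ROPA


def handle_scan(req: ScanRequest, store: ScanStore) -> dict:
    """Record the scan and return the public-tier passport reference.

    Nothing about the visitor is echoed back or persisted unless
    analytics_consent is set; the aggregate bucket only ever sees
    (product_id, day)."""
    day = req.received_at.astimezone(timezone.utc).date().isoformat()
    store.aggregate[(req.product_id, day)] += 1
    if req.analytics_consent:
        store.detailed.append({
            "product_id": req.product_id,
            "client_ip": req.client_ip,
            "user_agent": req.user_agent,
            "received_at": req.received_at,
            "expires_at": req.received_at + DETAIL_RETENTION,
        })
    return {"product_id": req.product_id, "tier": "public"}


def purge_expired(store: ScanStore, now: datetime) -> int:
    """Storage limitation: drop detailed records past expiry. Returns how many were removed."""
    before = len(store.detailed)
    store.detailed = [r for r in store.detailed if r["expires_at"] > now]
    return before - len(store.detailed)


def scans_per_product(store: ScanStore) -> dict:
    """Aggregate analytics that can be reported without any personal data."""
    totals: Counter = Counter()
    for (product_id, _day), count in store.aggregate.items():
        totals[product_id] += count
    return dict(totals)


def holds_personal_data(store: ScanStore) -> bool:
    """True while any per-visitor record is retained (the ROPA must cover it)."""
    return bool(store.detailed)


if __name__ == "__main__":
    # Constructed sample traffic: three anonymous scans, one consenting scan.
    t0 = datetime(2027, 3, 1, 10, 0, tzinfo=timezone.utc)
    store = ScanStore()
    for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "198.51.100.7"]):
        handle_scan(ScanRequest("GTIN-1", ip, "Mozilla/5.0", t0 + timedelta(minutes=i)), store)
    handle_scan(ScanRequest("GTIN-1", "198.51.100.8", "Mozilla/5.0",
                            t0 + timedelta(days=1), analytics_consent=True), store)
    print(scans_per_product(store), "detailed records:", len(store.detailed))
    print("purged after retention:", purge_expired(store, t0 + timedelta(days=100)))
```

The design point is that the aggregate bucket is keyed only by product and day, so a breach or a subject access request touching it has nothing to return; everything that can identify a visitor lives in `detailed`, is gated on consent, and has a purge path the retention policy can cite.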
Supply Chain Individuals
Factory contact persons, quality inspectors, and certification auditors named in supply chain documentation can also trigger GDPR obligations. If their names or contact details flow into the DPP system — even behind the restricted access tier — GDPR applies to that data. Data processing agreements with supply chain partners must cover this.
What Is Explicitly NOT Personal Data
The majority of DPP content falls outside GDPR scope entirely:
- Product material composition (e.g., 95.2% organic cotton, 4.8% elastane)
- Environmental metrics (e.g., 7.2 kg CO₂e carbon footprint)
- Certification references (e.g., OEKO-TEX Standard 100, GOTS)
- Manufacturing location (factory address, not individual contact)
- Recycling and end-of-life instructions
- Product identifiers (GTIN, batch numbers, serial numbers)
DPP Data Categories: Personal vs. Non-Personal
| Data Category | Personal Data? | GDPR Applies? |
|---|---|---|
| Material composition | No | No |
| Environmental impact metrics | No | No |
| Product identifiers (GTIN, batch) | No | No |
| Manufacturer company details | Usually no | Only if sole proprietor |
| Responsible person name/email | Yes (if natural person) | Yes |
| Consumer scan metadata (IP, location) | Yes | Yes |
| Factory contact person | Yes (if named) | Yes |
| Certifications and standards | No | No |
| Recycling instructions | No | No |
For most small brands, the personal data surface area in a DPP is small — but it is not zero.
What the ESPR Says About Personal Data
The ESPR does not ignore data privacy. The regulation directly addresses the relationship between DPPs and personal data in several provisions:
- Customer data exclusion: Personal data relating to customers may not be stored in the DPP without their explicit consent. This is a stronger standard than GDPR's general "legal basis" requirement — the ESPR specifically demands consent, not legitimate interest.
- Service provider restrictions: DPP service providers cannot sell, reuse, or process passport data beyond what is strictly necessary for hosting and processing services. This mirrors GDPR's purpose limitation principle and is written directly into the ESPR.
- Access credential verification: The Commission will adopt implementing acts for procedures to issue and verify digital credentials of authorized users — ensuring that restricted-tier data is only accessible to parties with a legitimate reason.
- Data accuracy obligations: Economic operators must ensure DPP data is accurate, complete, and up to date — aligning with GDPR's accuracy principle.
These provisions mean the ESPR — Regulation (EU) 2024/1781 — was designed with GDPR compatibility in mind. All 27 EU member states have active Data Protection Authorities enforcing GDPR, and every one of them has the authority to investigate DPP-related personal data processing. The two regulations are complementary, not contradictory.
The 7 GDPR Principles Applied to DPPs
GDPR's seven core principles (Regulation (EU) 2016/679, Article 5) all apply when personal data enters the DPP ecosystem. Here is how each principle maps to the DPP context:
| GDPR Principle | What It Means for DPPs |
|---|---|
| 1. Lawfulness, fairness, transparency | Identify a legal basis for any personal data processing. Legitimate interest may cover operator contacts; consumer scan tracking typically requires consent. |
| 2. Purpose limitation | DPP data collected for regulatory compliance cannot be repurposed for marketing without separate consent. A brand cannot use consumer scan data to build customer profiles. |
| 3. Data minimization | Only collect personal data that is strictly necessary. The three-tier access system supports this by limiting who sees what data. |
| 4. Accuracy | DPP data must be kept up to date. Outdated personal data (e.g., a former responsible person's contact) must be corrected or erased. |
| 5. Storage limitation | Personal data in a DPP context may need longer retention (aligned to product lifetime), but this must be justified and documented. |
| 6. Integrity and confidentiality | Access controls, encryption, and secure hosting are required for any personal data within the DPP system. |
| 7. Accountability | Document your GDPR compliance measures. Maintain records of processing activities (GDPR Article 30) covering all personal data flows in your DPP implementation. |
The DPP three-tier access system (public / supply chain / regulatory) is well-aligned with GDPR's data minimization principle. Each tier exposes only the data relevant to that user's role — consumers do not see supplier contact details, and the public does not see proprietary formulations. This built-in access control simplifies GDPR compliance significantly.
DPP Access Tiers and Data Minimization
The ESPR's three-tier access system maps directly to GDPR requirements:
Public tier: Contains only non-personal product data — material composition, environmental metrics, care instructions, certifications. No GDPR issue for the viewed data itself. However, the act of scanning the QR code may generate personal metadata (IP address, device data), which does require a legal basis.
Supply chain tier: May include supplier contact details that constitute personal data. Requires data processing agreements (DPAs) between the brand, the DPP platform, and supply chain partners. Access is limited to verified parties with a legitimate need — recyclers, repairers, distributors. For real-world examples of how these access tiers work in practice, see our annotated DPP walkthrough.
Regulatory tier: Full access for market surveillance authorities. Legal basis is established directly by the ESPR — authorities have explicit statutory authority to access all DPP data, including any personal data within it.
This tiered structure means brands do not need to apply the same level of GDPR protection to all DPP data. Focus privacy controls on the data categories that actually contain personal data, and let the access tier system handle the rest.
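The tier model above, the sole proprietor case and the ESPR Article 10 consent rule for customer data can be enforced mechanically before a passport is published. The following is an added example written for this page, not code from any DPP platform or schema: the field names, the tier ordering, the `legal_basis` strings and the sample garment record are all constructed assumptions. It filters a record by tier and lints it for personal data that lacks a recorded Article 6 basis or, for customer data, lacks consent.

```python
"""Tier-based filtering of a DPP record plus a pre-publication lint that
flags personal data with no recorded legal basis. Field names and values
are constructed for illustration and do not follow any DPP schema."""
from dataclasses import dataclass
from typing import Any, List, Optional

# The three access tiers described above, ordered by privilege.
PUBLIC, SUPPLY_CHAIN, REGULATORY = 0, 1, 2


@dataclass(frozen=True)
class DppField:
    name: str
    value: Any
    min_tier: int                      # lowest tier allowed to see the field
    personal: bool = False             # identifies a natural person (GDPR Art. 4(1))
    customer: bool = False             # relates to the product's customer (ESPR Art. 10 rule)
    legal_basis: Optional[str] = None  # GDPR Art. 6 basis recorded for personal data


def manufacturer_fields(legal_name: str, address: str, sole_proprietor: bool,
                        legal_basis: Optional[str] = None) -> List[DppField]:
    """Manufacturer identification is mandatory public data. For a sole
    proprietor it names a natural person, so it is flagged personal and the
    lint demands a recorded basis (typically 'legal_obligation', since the
    ESPR itself requires the publication)."""
    return [
        DppField("manufacturer_name", legal_name, PUBLIC,
                 personal=sole_proprietor, legal_basis=legal_basis),
        DppField("manufacturer_address", address, PUBLIC,
                 personal=sole_proprietor, legal_basis=legal_basis),
    ]


def view(record: List[DppField], tier: int) -> dict:
    """Fields a caller at `tier` may see; higher tiers include lower ones."""
    return {f.name: f.value for f in record if f.min_tier <= tier}


def lint(record: List[DppField]) -> List[str]:
    """Pre-publication check. Returns an empty list when the record is clean."""
    problems = []
    for f in record:
        if f.personal and f.legal_basis is None:
            problems.append(f"{f.name}: personal data with no legal basis recorded")
        if f.customer and f.legal_basis != "consent":
            problems.append(f"{f.name}: customer personal data needs explicit consent (ESPR Art. 10)")
    return problems


def personal_fields(record: List[DppField]) -> List[str]:
    """Names of the fields the ROPA and supplier DPAs must cover."""
    return sorted(f.name for f in record if f.personal)


# Constructed sample record for one garment (values are illustrative).
PRODUCT_FIELDS = [
    DppField("gtin", "04012345678901", PUBLIC),
    DppField("material_composition", "95.2% organic cotton, 4.8% elastane", PUBLIC),
    DppField("carbon_footprint_kg_co2e", 7.2, PUBLIC),
    DppField("factory_address", "Rua Exemplo 1, Porto, PT", PUBLIC),
    DppField("responsible_person_email", "j.silva@example-brand.eu", SUPPLY_CHAIN,
             personal=True, legal_basis="legitimate_interest"),
    DppField("factory_qc_inspector", "Ana Costa", SUPPLY_CHAIN,
             personal=True, legal_basis="legitimate_interest"),
    DppField("lab_report_id", "LAB-2027-0042", REGULATORY),
]
BASE_RECORD = PRODUCT_FIELDS + manufacturer_fields(
    "Example Textiles Lda", "Rua Exemplo 1, Porto, PT", sole_proprietor=False)

if __name__ == "__main__":
    print("public view:", view(BASE_RECORD, PUBLIC))
    print("lint (company):", lint(BASE_RECORD))
    sole = PRODUCT_FIELDS + manufacturer_fields(
        "Maria Example", "Rua Exemplo 2, Lisboa, PT", sole_proprietor=True)
    print("lint (sole proprietor, no basis):", lint(sole))
```

Running `lint` in the publishing pipeline turns the checklist items on legal basis and Article 10 into a gate rather than a periodic review; `personal_fields` gives the list the records of processing and the supplier DPAs have to enumerate.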
How Can You Ensure GDPR Compliance in Your DPP?
Five concrete steps to ensure your DPP implementation satisfies GDPR requirements:
1. Conduct a Data Protection Impact Assessment (DPIA)
Map all personal data flows in your DPP system. Identify every point where personal data is collected, processed, or stored, from responsible person details to consumer scan analytics. A DPIA is legally required under GDPR Article 35 where processing is likely to result in a high risk to individuals, which includes systematic monitoring of people or large-scale processing of personal data, and it is recommended as good practice in all cases.
2. Implement consent mechanisms for consumer tracking
If your DPP platform tracks consumer scans (most do, for analytics), add a GDPR-compliant consent mechanism. This is identical to the cookie consent requirement on any website. If your platform does not track individual scans — only aggregate page views — your consent obligations are significantly reduced.
3. Execute Data Processing Agreements (DPAs)
Sign DPAs with your DPP service provider and any supply chain partners whose personal data flows into the system. The DPA must specify: what personal data is processed, the purpose and duration of processing, the processor's security obligations, and data subject rights procedures.
4. Define data retention policies
The ESPR requires DPP data to persist for the product's expected lifetime — which can be years or decades. Align product data retention with ESPR requirements, but build in separate review schedules for personal data. A responsible person's contact details from 2027 should not sit untouched in the system until 2040.
5. Document everything
Maintain records of processing activities as required by GDPR Article 30. This includes: categories of personal data processed, purposes of processing, categories of recipients, planned retention periods, and a description of security measures. This documentation also supports your ESPR accountability obligations.
Most small brands' DPPs will contain very little personal data. If you use a DPP platform that does not track individual consumer scans and your product data only references company names (not individuals), your GDPR exposure is minimal. Focus your compliance effort proportionally — do not over-engineer privacy controls on data that is not personal data.
DPP GDPR Compliance Checklist
Use this checklist to systematically verify GDPR compliance across your DPP implementation. Each item maps to a specific GDPR obligation. For most small brands, the majority of these items will be quick confirmations — the personal data surface area in a typical DPP is small.
Data Mapping
- Identify all personal data in your DPP system — List every data field that could identify a natural person (responsible person name/email, sole proprietor details, factory contact persons)
- Map consumer scan data collection — Document what metadata your DPP hosting platform captures when someone scans a QR code (IP address, device type, location, timestamp)
- Classify each data field by ESPR access tier — Confirm that personal data is restricted to the appropriate tier (supply chain or regulatory) and not exposed in the public tier without consent
Legal Basis
- Establish legal basis for each personal data category — Legitimate interest may cover economic operator contacts; consumer scan tracking typically requires consent
- Implement consent mechanism for consumer tracking — If your platform logs individual scan data, add a GDPR-compliant consent banner (identical to website cookie consent requirements)
- Review sole proprietor exposure — If you are a sole proprietor, your name and address in the DPP constitute personal data. Confirm and record the legal basis for this publication; since the ESPR mandates manufacturer identification, that basis will normally be a legal obligation under GDPR Article 6(1)(c), and a role mailbox or business address (rather than a private one) keeps the published data to the minimum the obligation requires.
Agreements and Documentation
- Execute Data Processing Agreements (DPAs) with your DPP service provider — Covering: what personal data is processed, purpose, duration, processor security obligations, data subject rights procedures
- Execute DPAs with supply chain partners whose personal data flows into the system — Factory contacts, quality inspectors, certification auditors named in DPP data
- Maintain Records of Processing Activities (ROPA) per GDPR Article 30 — Categories of personal data, purposes, recipients, retention periods, security measures
Data Subject Rights
- Establish a process for data subject access requests — Named individuals in your DPP (responsible persons, supplier contacts) have the right to access, correct, and request deletion of their personal data
- Define data retention schedules for personal data — Separate from product data retention (which follows ESPR product lifetime requirements). Review personal data annually; update when individuals change roles.
Security
- Confirm DPP platform security measures — Encryption, access controls, EU data residency (if applicable)
- Verify ESPR Article 10 compliance — Customer personal data may not be stored in the DPP without explicit consent. Confirm your system enforces this.
For brands already GDPR-compliant for their website and customer data, most of these items are extensions of existing processes, not new capabilities. The incremental GDPR effort for DPP is proportional to the amount of personal data in your system — which, for most small brands, is minimal.
What Does This Mean for Your Brand?
The overlap between DPP and GDPR obligations is narrower than it first appears. The vast majority of DPP data — material composition, environmental metrics, certifications, recycling instructions — is product data, not personal data, and falls outside GDPR scope entirely.
Where GDPR does apply — consumer scan analytics, responsible person contacts, named supply chain individuals — the obligations are manageable and well-defined. Brands that are already GDPR-compliant for their websites and customer data have the processes and infrastructure to handle DPP-related personal data without building anything new.
The key is to not conflate product transparency with personal data. A DPP telling consumers that a t-shirt is 95% organic cotton and was manufactured in Portugal is not a privacy issue. A DPP platform silently logging every consumer's IP address and location when they scan a QR code is, and with cumulative GDPR fines already in the billions of euros (GDPR Enforcement Tracker, 2025), the cost of getting this wrong is real.
Know the difference, and build your DPP implementation accordingly. If cost or operational complexity is a concern, our DPP challenges guide covers the 7 biggest obstacles small brands face — including data quality. Use our DPP Readiness Checker to assess where your brand stands on both product data and compliance readiness.
Frequently Asked Questions
What are the 7 GDPR requirements?
The 7 GDPR principles are: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. In a DPP context, these primarily apply to consumer scan data (IP addresses, device information), economic operator contact details (when they identify a natural person), and any supply chain individuals named in the system. Most DPP product data — material composition, environmental metrics, certifications — is not personal data and falls outside these principles.
Does scanning a DPP QR code collect personal data?
It can, depending on the hosting platform's implementation. When a consumer scans a QR code, the hosting platform may capture the IP address, device type, operating system, and approximate location — all of which are personal data under GDPR per the CJEU's Breyer ruling (C-582/14). If the platform only serves the DPP page without logging individual visitor data, no personal data is collected. Check your DPP provider's privacy documentation to understand what they capture.
Can my suppliers' personal data end up in a DPP?
Yes, if your DPP system includes named individuals from supplier organizations — factory contact persons, quality inspectors, certification auditors. If it only references company names and facility addresses without identifying specific people, no personal data is involved. Where individual names do flow into the system, you need data processing agreements with those supply chain partners, and the data should be limited to the supply chain or regulatory access tiers — never visible in the public tier.
How long must DPP data be retained under GDPR?
The ESPR requires DPP data to persist for the product's expected lifetime, which can span years or decades. This can create tension with GDPR's storage limitation principle. The solution is to separate product data (retain for the full product lifecycle as required by ESPR) from personal data (review and minimize regularly). A responsible person's contact details should be updated when the person changes roles; consumer scan data should have a defined retention period, typically no longer than necessary for analytics purposes.
Do I need a DPIA for my DPP?
If your DPP system processes personal data on a large scale or involves systematic monitoring — such as tracking consumer scans across multiple products or regions — a Data Protection Impact Assessment is legally required under GDPR Article 35. For a small brand with a straightforward DPP that contains only product data and company-level information, a DPIA may not be legally required but is still recommended as good practice. It forces you to map data flows and identify risks before they become problems.
What are 5 examples of personal data in a DPP?
Five examples of personal data that could appear in a DPP context are: (1) the responsible person's name and email address listed as the product contact, (2) a consumer's IP address captured when they scan the QR code, (3) a factory quality inspector's name recorded in supply chain documentation, (4) a sole proprietor's home address used as the manufacturer address, and (5) device geolocation data from consumer scan analytics. Of these, the first, third and fourth are stored in the DPP itself (the third only in the restricted supply chain tier); the second and fifth are generated by the hosting platform during interactions and never belong in the passport.