Skip to main content
  1. Home
  3. Blog
  5. DPP and GDPR: Balancing Transparency with Privacy
Compliance 5 min read

DPP and GDPR: Balancing Transparency with Privacy

Digital Product Passports are designed for transparency — they're publicly scannable records. But the data they contain can sometimes include personal information (e.g., the name of an individual craftsperson, a small-batch producer's personal details). And the platform that generates DPPs certainly processes personal data (user accounts, supplier contacts). Here's how to navigate the intersection of DPP and GDPR.

What DPP Data Can Be Personal?

  • Named individual craftspeople or designers attributed to a product
  • Small-scale farmer names as "country of origin" for agricultural inputs
  • Repair history that might identify a specific repair technician
  • Supply chain contact persons at small supplier companies where the individual is identifiable

DPP publication is required by EU law — this gives manufacturers a legal obligation basis (Art. 6(1)(c) GDPR) for processing the data needed to comply. For any personal data not required by law (e.g., voluntarily including a craftsperson's name), you need either consent or legitimate interests as your legal basis.

Using Tiered Access to Protect Privacy

The DPP's tiered access system is your primary privacy tool. Personal data should be placed in the authorized or regulatory tier — not the public tier. Market surveillance authorities get full supply chain data; consumers only see what they need. D-Pass allows field-level access tier assignment in your DPP template.

Data Minimisation Principle

GDPR Article 5(1)(c) requires that personal data be adequate, relevant and limited to what is necessary. For DPPs: if company-level data suffices (e.g., "supplier: Acme GmbH, Germany"), do not include individual names. If a product category number identifies the supplier without revealing a person, use that.

Retention and Deletion

The Battery Regulation requires DPP accessibility for 10 years after market placement. This creates a tension with GDPR erasure rights (Art. 17). Legal advice: where data is legally required to be retained for compliance purposes, erasure rights are overridden by the legal obligation. Document this in your Record of Processing Activities (ROPA).

Data Processing Agreements

Your DPP platform provider (e.g., D-Pass) processes data on your behalf — this requires a Data Processing Agreement (DPA). Verify your provider: is data hosted in the EU? Do they have ISO 27001 or equivalent? Do they sub-process with EU-based sub-processors only? D-Pass is hosted in Frankfurt, Germany with full EU data residency.

Related Reading

More from the blog

Guide 5 min read

What Is a Digital Product Passport (DPP)?

A complete explainer of DPPs — what data they carry, who can read them, and why the EU is mandating them.
Regulation 8 min read

EU Battery Regulation 2023/1542: The Complete Guide

Everything manufacturers, importers and distributors need to know about the EU Battery Regulation — obligations, timelines, and DPP requirements.
Regulation 6 min read

ESPR Explained: Ecodesign for Sustainable Products Regulation

How the ESPR replaces the old Ecodesign Directive and uses DPPs to enforce sustainability across dozens of product categories.
Back to Blog