Established under the EU's Circular Economy Action Plan and the Ecodesign for Sustainable Products Regulation, the digital product passport is a key tool in Europe's transition to a circular and climate-neutral economy.
The goal is to improve traceability and transparency throughout a product's life cycle, supporting more informed and responsible purchasing decisions by consumers.
But data collected through a DPP can inadvertently involve personal data, particularly in scenarios like product customization, ownership tracking, Internet of Things use and service records. This integration of personal information raises important privacy concerns, necessitating strict data protection measures to ensure compliance with regulations and safeguard user privacy.
A DPP enables stakeholders — businesses, public authorities and consumers — to access relevant information about materials, from manufacturing to final disposal. It is based on the principles of coherence and consistency, as it must align with European regulations; flexibility, seeking a decentralized approach to data storage; and transparency and accountability, as the information provided must be truthful and sufficient to facilitate decision-making, with implementation ideally involving trusted third parties.
However, even with a tool primarily focused on supply chains, it can't be overlooked that the final link is the end consumer.
As part of a DPP, consumers can access web applications on their phones via QR codes or near field communication, which redirect them to specific webpages that display detailed product information. Depending on the configuration, these applications can collect personal information that might include technical, browsing, analytical, contextual and user registration data.
The European Commission has identified priority categories that are among the first required to create DPPs, including textiles and iron and steel products, with an implementation timeline set to unfold from 2026 to 2030.
However, this tool is not new, as there are blockchain-based solutions in the market, such as IBM Food Trust and Everledger, that provide transparency throughout the supply chain.
Depending on the interoperability and decentralization of the platform, different actors in the supply chain — manufacturers, distributors and retailers — might share and access relevant information about products and processes, which would include interactions with consumers.
A DPP must, therefore, align with data protection regulations, focusing on the life cycle of data processing.
Purpose
It is crucial to clearly define the purpose for data collection. This could be, for example, to provide detailed information about a specific product or service for which data collection might not be strictly necessary.
However, in cases involving a personalized object linked to a specific individual, identity verification might be required, potentially through a code generated at the time of purchase.
Different purposes, and treatments, could include improving customer experience through personalized promotions based on data of user interaction with products.
Legal basis
Each data processing operation, from initial collection via QR codes to storage and processing on the web, must be backed by a specific legal basis.
For accessing information about products the user has already purchased, the legal basis is the execution of a contract, as providing this data is part of the purchased service.
For accessing information about products that have not yet been purchased, it is based on the company's legitimate interest in offering useful data for potential purchasing decisions, always balancing with the user's rights.
For marketing purposes, explicit user consent is required, as it involves sending personalized promotions or advertisements.
Finally, using data to improve user experience can rely on legitimate interest if it involves optimizing the platform, but requires consent if personalization is more detailed.
Data minimization
For accessing information about products the user has already purchased, only the data strictly necessary to identify the product and provide relevant information should be collected, which might include warranty information.
For offering access to information about products not yet purchased, there may be no need to identify the user, thus potentially moving beyond direct EU General Data Protection Regulation application, as data can be anonymous.
International transfers
It is important to note, if actors are allowed to access consumer data and such data is located outside the EU, this could involve international transfers of personal data.
Security
Focusing on the QR code, which is the key entry point for processing, it must be encrypted to prevent manipulation that could redirect the user to malicious sites. Additionally, when scanning the QR code, the connection should be secure to ensure data transmission is encrypted and protected against interception.
In this case, temporary tokens representing real data could also be generated, so even if tokens are intercepted, the real information cannot be accessed without the appropriate validation process.
DPP implementation must address data protection issues
The DPP represents a significant advancement in product traceability and transparency, supporting the transition to a circular economy.
However, its implementation must carefully address data protection issues, including the legal bases for data processing, data collection minimization, international data transfers and security measures.
Ensuring compliance with data protection regulations while leveraging the benefits of the DPP will be crucial for its success and acceptance by both consumers and stakeholders.
Alba Sánchez de la Calle is lead consultant at Devoteam.
