Regulatory Guide
Persons of Legitimate Interest — DPP Data Access Explained
What “Persons of Legitimate Interest” Means
The Ecodesign for Sustainable Products Regulation (ESPR) — Regulation (EU) 2024/1781 — introduces a structured data access framework for Digital Product Passports. Not all DPP data is public. Some information is restricted to a defined group the regulation calls “persons of legitimate interest.”
Article 10 of the ESPR establishes who may access which categories of DPP data. The intent is straightforward: enable the circular economy by sharing data with those who need it, while protecting commercially sensitive information from unrestricted disclosure.
This concept is not new to EU product regulation. The Battery Regulation (Regulation (EU) 2023/1542) adopted a similar approach in its Annex XIII, distinguishing between data available to the general public and data reserved for authorised actors. The ESPR generalises this model and extends it across all product categories that will carry a Digital Product Passport.
The Three-Tier Access Model
The ESPR defines three distinct levels of access to DPP data. Each tier serves a different purpose and carries different authentication requirements.
Tier 1: Public Access
The broadest tier. Any person — consumer, journalist, investor, competitor — can scan a product’s QR code or enter its unique identifier and retrieve this data without authentication. Public data typically includes the product name, manufacturer identity, energy class, sustainability scores, and general environmental information. The purpose is consumer empowerment and market transparency.
Tier 2: Persons of Legitimate Interest
The middle tier. Access requires identity verification and proof that the requester has a recognised purpose aligned with circular economy objectives. This tier contains the operational data needed for repair, refurbishment, recycling, and research. It includes detailed material composition, dismantling sequences, component-level specifications, and hazardous substance locations.
Tier 3: Market Surveillance Authorities
The most privileged tier. National market surveillance authorities and the European Commission can access all DPP data, including trade secrets and proprietary manufacturing information, for the purposes of enforcement and compliance verification. This access is governed by Regulation (EU) 2019/1020 on market surveillance and existing confidentiality obligations binding public authorities.
Article 10(1) of the ESPR makes clear that the level of access must be “commensurate with the legitimate interests” of the person requesting data. The regulation does not grant blanket access to anyone who asks — each request must be proportionate to the requester’s role and purpose.
Who Qualifies as a Person of Legitimate Interest
The ESPR does not provide an exhaustive list. Instead, Article 10 identifies categories of actors whose activities support the circular economy, environmental protection, or regulatory compliance. The Commission may further specify these categories through delegated acts under Article 10(2).
Based on the regulation text and the Commission’s preparatory documents, the following actors are expected to qualify:
- Professional repairers — independent repair shops and authorised service providers who need repair manuals, spare part lists, and diagnostic information to service products.
- Refurbishers and remanufacturers — companies that restore used products to a functional state, requiring detailed component specifications and disassembly instructions.
- Recyclers and waste treatment operators — facilities processing end-of-life products that need material composition data and hazardous substance locations to handle materials safely and efficiently.
- Researchers and academic institutions — those conducting studies on product sustainability, material flows, or circular economy performance, subject to defined research purposes.
- Customs authorities — in contexts where they verify product compliance at EU borders, customs officers may need access to restricted DPP data to confirm regulatory conformity.
- Notified bodies and conformity assessment bodies — organisations designated under EU harmonisation legislation to verify that products meet applicable requirements.
- Second-hand dealers and resale platforms — actors in the secondary market who may need product history and condition data to facilitate informed resale.
The Commission’s delegated acts for each product category will define precisely which actors qualify and what data they may access. This means the list of persons of legitimate interest may vary from product to product. A recycler’s access rights for batteries may differ from their access rights for textiles.
What Data Persons of Legitimate Interest Can Access
The distinction between public and restricted data is commercially significant. Restricted data often represents the detailed engineering and material knowledge that manufacturers consider proprietary. Persons of legitimate interest may access data the general public cannot, including:
- Detailed material composition — exact percentages of materials, alloy specifications, polymer grades, and additive formulations that go beyond the general composition data available publicly.
- Dismantling instructions — step-by-step procedures for non-destructive disassembly, including tool specifications, fastener types, and sequence-critical operations.
- Repair manuals and diagnostic data — technical documentation required to identify faults, replace components, and restore product functionality.
- Component-level data — specifications for individual components within complex products, including supplier information, material grades, and performance characteristics.
- Hazardous substance locations — precise identification of where substances of concern are located within a product, essential for safe recycling and waste treatment.
- Supply chain traceability data — information about the origin of critical raw materials, due diligence documentation, and chain of custody records.
The Battery Regulation provides a concrete precedent. Annex XIII distinguishes between Category A data (general battery information, publicly accessible), Category B data (carbon footprint and supply chain due diligence, publicly accessible), and Categories C and D (performance data and material composition at a granularity accessible only to notified bodies, market surveillance authorities, and the Commission). The ESPR will follow a similar but broader model.
Why Restricted Access Exists
The three-tier model exists because of a fundamental tension in product transparency regulation. The circular economy requires data sharing — repairers cannot repair without manuals, recyclers cannot recycle without knowing what is inside a product. But unrestricted disclosure of all product data would expose trade secrets and commercially sensitive information to competitors.
Article 10 of the ESPR resolves this tension by applying the principle of proportionality. Each actor receives only the data they need for their specific purpose. A repairer gets repair manuals but not the manufacturer’s full bill of materials. A recycler gets material composition but not proprietary formulation details.
The protection of trade secrets is explicitly recognised. Recital 37 of the ESPR acknowledges that “the protection of commercially confidential information” must be ensured while still enabling the circular economy. Directive (EU) 2016/943 on trade secrets applies alongside the ESPR, meaning that persons of legitimate interest who access restricted data remain bound by trade secret obligations.
This is not theoretical. Manufacturers have expressed legitimate concern that full public disclosure of detailed material compositions could allow competitors to reverse-engineer products. The three-tier model addresses this by limiting detailed data to actors who have a demonstrated need and a legal obligation to protect what they receive.
Legal Basis in the ESPR
The legal framework for persons of legitimate interest is primarily found in Article 10 of Regulation (EU) 2024/1781.
Article 10(1) establishes the principle: access to information in the DPP shall be granted based on the access rights specified in the applicable delegated act. The economic operator responsible for the DPP must ensure that the correct access controls are in place.
Article 10(2) empowers the Commission to adopt delegated acts specifying which data elements are public, which are restricted to persons of legitimate interest, and which are reserved for market surveillance authorities. This means the access tiers will be defined on a product-by-product basis as delegated acts are adopted.
Article 10(3) addresses the technical infrastructure. The Commission shall ensure that the DPP system includes the necessary technical means for authentication and authorisation of persons of legitimate interest. This obligation extends to the EU Central DPP Registry, which must support role-based access.
Article 12 complements Article 10 by establishing the requirements for the DPP data carrier — the QR code or other machine-readable identifier on the product. The data carrier must link to the DPP system in a way that supports differentiated access.
Article 14 establishes the EU Central DPP Registry itself, which will serve as the authoritative index linking product identifiers to their DPP data locations, and will play a role in managing access credentials for persons of legitimate interest.
The Battery Regulation Approach
The Battery Regulation (Regulation (EU) 2023/1542) is the first EU regulation to implement a Digital Product Passport with tiered access. Its approach serves as a template for how the ESPR will handle persons of legitimate interest.
Annex XIII of the Battery Regulation specifies the data requirements for the battery passport. It organises data into categories with explicit access designations. General battery information (manufacturer name, battery type, weight, capacity) is publicly accessible. Performance and durability data (state of health, charging cycles, energy throughput) has differentiated access depending on the specific data point.
Notably, the Battery Regulation uses slightly different terminology. Rather than “persons of legitimate interest,” it refers to data accessible to “notified bodies, market surveillance authorities and the Commission.” However, Article 77 of the Battery Regulation also references access for “any natural or legal person with a legitimate interest,” broadening the concept beyond authorities.
The practical lesson from the Battery Regulation is that manufacturers must be prepared to implement granular access controls from the outset. It is not sufficient to create a single data set and publish everything. Each data point must be tagged with its access tier, and the DPP system must enforce these tiers at the point of data retrieval.
Authentication Requirements
Persons of legitimate interest cannot access restricted data anonymously. The ESPR requires that they authenticate their identity and demonstrate their legitimate purpose before accessing restricted data tiers.
The regulation does not prescribe a specific authentication mechanism. The Commission is expected to establish technical standards through implementing acts under Article 10(3). However, based on existing EU digital identity frameworks, the authentication model is likely to involve:
- Identity verification — the requester must prove they are who they claim to be, potentially using eIDAS (Regulation (EU) 910/2014) electronic identification or the forthcoming European Digital Identity Wallet under eIDAS 2.0 (Regulation (EU) 2024/1183).
- Role attestation — the requester must demonstrate their professional role (e.g., registered repairer, licensed recycler, accredited researcher) through verifiable credentials.
- Purpose declaration — the requester must state the specific purpose for which they need the restricted data, and this purpose must align with the categories defined in the applicable delegated act.
- Audit trail — every access request and data retrieval must be logged for accountability and enforcement purposes.
The EU Central DPP Registry established under Article 14 is expected to play a central role in managing these credentials. It may maintain a registry of verified persons of legitimate interest, issue access tokens, or delegate credential verification to national authorities.
Technical Implementation
For manufacturers and DPP solution providers, implementing the three-tier access model requires a robust technical architecture. The following components are essential.
Role-Based Access Control (RBAC)
The DPP system must implement RBAC at the data element level. Each data point in the passport must carry an access tier designation. The system must evaluate the requester’s role against the data point’s access tier before returning any restricted information. This is not optional — Article 10(1) places the obligation on the economic operator to enforce correct access controls.
Credential Verification
The system must verify that a requester’s credentials are current and valid. A repair shop that loses its registration should lose its access rights in real time. This requires integration with the EU Central DPP Registry or with national registries that maintain the authoritative list of qualified persons of legitimate interest.
API Authentication
Programmatic access to DPP data — which will be the primary access method for business-to-business use cases — must use secure API authentication. OAuth 2.0 with scoped tokens aligned to access tiers is the expected standard. Each API call must include a valid access token that encodes the requester’s role and the data tiers they are authorised to access.
Audit Logging
Every access to restricted data must be logged with the requester’s identity, the data accessed, the timestamp, and the stated purpose. These logs serve dual purposes: regulatory compliance (demonstrating that the economic operator enforced access controls) and misuse detection (identifying unauthorised or anomalous access patterns).
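The following is an added example, not code from this guide or from Traceable’s platform, showing how the four components above (element-level tier tagging, credential validity, proportionate role entitlements, audit logging) and the identity/role/purpose/audit checks listed under Authentication Requirements fit together in one access decision. The tier numbers, the role policy, the passport values and the credential fields are constructed stand-ins for what a delegated act and an eIDAS-backed credential would actually supply.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

PUBLIC, RESTRICTED, CONFIDENTIAL = 1, 2, 3  # the three Article 10 tiers, numbered for comparison

# Constructed sample passport: every element carries its access tier (element-level tagging).
PASSPORT: Dict[str, tuple] = {
    "product_name": (PUBLIC, "Example pack"),
    "energy_class": (PUBLIC, "A"),
    "repair_manual": (RESTRICTED, "manual-v3.pdf"),
    "material_composition": (RESTRICTED, "Li 2.1%, Co 8.4%, ..."),
    "hazardous_substance_locations": (RESTRICTED, "cells 3-5"),
    "full_bill_of_materials": (CONFIDENTIAL, "bom-internal.csv"),
}

# Constructed policy standing in for a delegated act: role -> (purposes the role may declare,
# restricted elements it needs). Proportionality: a repairer gets manuals, not composition.
POLICY = {
    "repairer": ({"repair"}, {"repair_manual"}),
    "recycler": ({"recycling"}, {"material_composition", "hazardous_substance_locations"}),
    "market_surveillance": ({"enforcement"}, None),  # None = every element, all tiers
}

@dataclass(frozen=True)
class Credential:
    subject: str           # verified identity (constructed; would come from an eIDAS credential)
    role: str              # attested professional role
    purpose: str           # purpose declared with the request
    valid_until: datetime  # a revoked or expired credential must lose access immediately

class DppAccessService:
    def __init__(self, passport: Dict[str, tuple], clock=None):
        self.passport = passport
        self.audit: List[dict] = []  # append-only audit trail
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _allowed(self, cred: Optional[Credential], name: str, tier: int) -> tuple:
        """Return (decision, reason) for one element; public data needs no credential."""
        if tier == PUBLIC:
            return True, "public"
        if cred is None:
            return False, "no credential"
        if cred.valid_until <= self._clock():
            return False, "credential expired or revoked"
        purposes, elements = POLICY.get(cred.role, (set(), set()))
        if cred.purpose not in purposes:
            return False, "purpose not recognised for role"
        if elements is None:
            return True, "authority access"
        if tier == CONFIDENTIAL or name not in elements:
            return False, "outside role entitlement"
        return True, "legitimate interest"

    def read(self, cred: Optional[Credential], requested: List[str]) -> Dict[str, str]:
        """Return the requested elements the requester may see; log every non-public decision.
        Unknown element names raise KeyError."""
        granted: Dict[str, str] = {}
        for name in requested:
            tier, value = self.passport[name]
            ok, reason = self._allowed(cred, name, tier)
            if tier != PUBLIC:  # identity, purpose, element, time and outcome, as Article 10 logging needs
                self.audit.append({
                    "time": self._clock().isoformat(),
                    "subject": cred.subject if cred else "anonymous",
                    "purpose": cred.purpose if cred else None,
                    "element": name, "tier": tier,
                    "decision": "grant" if ok else "deny", "reason": reason,
                })
            if ok:
                granted[name] = value
        return granted

if __name__ == "__main__":
    svc = DppAccessService(PASSPORT)
    repairer = Credential("repairer-1", "repairer", "repair",
                          datetime.now(timezone.utc) + timedelta(days=30))
    print(svc.read(repairer, ["product_name", "repair_manual", "material_composition"]))
    print(svc.audit)
```

Denied requests are logged alongside granted ones, so the same trail supports both the compliance evidence and the misuse-detection use described above.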
Traceable implements all four components natively. The platform’s DPP infrastructure includes element-level access tier tagging, credential verification against the EU Central Registry, OAuth 2.0 API authentication with role-scoped tokens, and immutable audit logs — ensuring manufacturers meet their Article 10 obligations without building custom access control systems.
Data Protection and GDPR Intersection
Implementing the persons of legitimate interest framework requires processing personal data. When a repairer requests access, their name, professional registration number, and purpose statement must be collected and verified. This processing falls squarely within the scope of the General Data Protection Regulation (Regulation (EU) 2016/679).
The legal basis for processing this personal data is most likely Article 6(1)(c) of the GDPR — processing necessary for compliance with a legal obligation. The ESPR imposes a legal obligation on economic operators to verify the identity and legitimacy of persons requesting restricted data. Fulfilling that obligation requires processing personal data.
However, the data minimisation principle (Article 5(1)(c) GDPR) still applies. Manufacturers should collect only the data strictly necessary for authentication and authorisation. They should not retain personal data beyond the period needed for audit purposes. Privacy-by-design principles must be embedded in the DPP access control system from the start.
A data protection impact assessment (DPIA) under Article 35 of the GDPR may be required, particularly if the DPP system processes personal data on a large scale or uses automated decision-making to grant or deny access.
Challenges in Implementation
The persons of legitimate interest concept is legally sound but practically complex. Several challenges will emerge as the framework moves from regulation to reality.
Cross-Border Recognition
A repairer registered in Germany must be able to access restricted DPP data for a product placed on the market in France. This requires mutual recognition of credentials across 27 Member States. The EU Central DPP Registry is intended to facilitate this, but the technical and administrative infrastructure for cross-border credential recognition is still under development.
Defining “Legitimate” Across Sectors
What constitutes a legitimate interest differs across product categories. A recycler’s interest in textile composition data is different from their interest in battery chemistry data. Each delegated act must define the access tiers specifically for its product category, and manufacturers of products that span multiple categories may face overlapping or inconsistent access requirements.
Preventing Misuse
Restricted data shared with persons of legitimate interest could be leaked, resold, or used for purposes beyond the stated legitimate interest. The regulation addresses this partly through trade secret protections under Directive (EU) 2016/943 and through audit logging requirements. But enforcement will depend on Member State capacity and willingness to investigate misuse.
Scalability
A manufacturer placing millions of products on the EU market may receive thousands of access requests from persons of legitimate interest. The verification process must be automated, fast, and reliable. Manual verification is not feasible at scale. This places a premium on standardised, machine-readable credentials and automated verification workflows.
Expected Commission Guidance
The Commission has signalled that implementing acts and guidance documents on access tiers will accompany the first delegated acts under the ESPR. These are expected to address:
- Standardised categories of persons of legitimate interest, harmonised across product groups where possible.
- Technical standards for authentication and authorisation, likely referencing eIDAS 2.0 and the European Digital Identity Wallet.
- Interoperability requirements for DPP systems to ensure that any compliant DPP platform can process access requests from any authorised person of legitimate interest.
- Guidelines on the boundary between public data and restricted data, including worked examples for specific product categories.
- Transitional provisions for the period between the ESPR entering into force and the full deployment of the EU Central DPP Registry.
The first delegated acts are expected in 2025-2026, with the Commission prioritising product categories already covered by existing ecodesign measures. Manufacturers should monitor the Commission’s DPP consultations and preparatory documents for early signals on how access tiers will be defined for their products.
How Traceable Implements Three-Tier Access
Traceable’s DPP platform is built around the three-tier access model defined in Article 10. Every data element in a product passport is tagged with its access tier at the point of entry. When a data request is received — whether via QR code scan, web interface, or API call — the platform evaluates the requester’s credentials against the data’s access designation before returning any information.
For public data, no authentication is required. The product’s QR code resolves to a public-facing page displaying all Tier 1 information. For restricted data, the platform initiates an authentication flow that verifies the requester’s identity, confirms their registered role, and logs the access event. For market surveillance authorities, a dedicated secure channel provides full data access with enhanced audit controls.
This architecture means manufacturers do not need to build or maintain their own access control infrastructure. They define which data belongs in which tier — guided by the applicable delegated act — and the platform enforces those designations automatically.
Practical Steps for Manufacturers
Manufacturers should begin preparing for the persons of legitimate interest framework now, even before the delegated acts for their product categories are finalised. The following steps are recommended.
Step 1: Audit your product data. Identify every data element that will appear in your Digital Product Passport. Classify each element as public, restricted (persons of legitimate interest), or confidential (market surveillance only). Use the Battery Regulation’s Annex XIII as a reference model if your product category’s delegated act has not yet been adopted.
Step 2: Identify sensitive data. Determine which data elements contain trade secrets or commercially sensitive information. Engage your legal team to assess whether specific data points qualify for trade secret protection under Directive (EU) 2016/943. Document your reasoning — market surveillance authorities may challenge over-broad claims of confidentiality.
Step 3: Prepare access control procedures. Define how your DPP system will verify the identity and legitimacy of access requesters. If you are using a DPP platform such as Traceable, confirm that it supports role-based access control at the data element level and integrates with the EU Central DPP Registry for credential verification.
Step 4: Implement audit logging. Ensure that every access to restricted data is logged with sufficient detail for regulatory compliance. Logs should capture the requester’s identity, the data accessed, the timestamp, and the verification method used. Retain logs for the duration required by the applicable delegated act.
Step 5: Train your teams. Compliance, legal, and IT teams must understand the three-tier model and their respective responsibilities. Compliance teams define the access tiers. Legal teams assess trade secret boundaries. IT teams implement and maintain the technical infrastructure.
Step 6: Monitor regulatory developments. The Commission’s delegated acts will define the specific access tiers for each product category. Subscribe to the Commission’s consultation notifications and monitor ECHA and CEN-CENELEC publications for technical standards on DPP access control.
This guide reflects the regulatory position as of March 2026. The ESPR delegated acts are still being adopted, and the Commission’s implementing guidance on access tiers is evolving. Subscribe to Traceable’s Regulatory Radar for real-time updates as new delegated acts, technical standards, and access tier specifications are published.