Decentralized DPP Data: What Is the Brand's Responsibility?

There Is No Central Database Coming to Save You

One of the most consequential — and frequently misunderstood — features of the EU's Digital Product Passport framework is how data storage is structured. Many brands assume, reasonably but incorrectly, that DPP compliance will involve uploading product data to some form of centralized EU registry or Commission-managed database, which will then handle distribution to consumers, regulators, and recyclers.

This assumption is wrong. And acting on it will lead brands to significantly underestimate what DPP compliance actually demands of their own systems and operations.

The Ecodesign for Sustainable Products Regulation (ESPR) explicitly requires that DPP data be stored in a decentralized manner — held and managed by the entity that created it, not aggregated in a single centralized location. The responsibility for storing, maintaining, securing, and making DPP data accessible rests with the Responsible Economic Operator (REO): the brand or retailer that places the product on the EU market.

What Decentralized Storage Actually Means

Decentralized DPP data storage means that each brand (or a certified third-party service provider acting on the brand's behalf) holds its own product data in its own infrastructure. There is no single authoritative database that aggregates DPP records from across the industry.

This has several direct consequences:

Your Data Must Be Actively Accessible

Because there is no central repository to push data to, your DPP data must be accessible via a live, standards-compliant API that can respond to requests from the resolver infrastructure. Data that exists in a spreadsheet, a PLM system, or a document management folder is not DPP-ready — it cannot be queried in real time by consumers, regulators, or circular economy operators scanning a product in the field.

You Are the Data Custodian for the Product's Full Lifecycle

A product placed on the EU market in 2028 may still be in active use in 2040. Its DPP data must remain accessible for that entire period. This is not a one-time publishing exercise — it is an ongoing operational commitment to data availability that outlasts individual product seasons, platform migrations, and in some cases, the commercial relationships with the suppliers who originally provided the data.

You Are Accountable for Data Accuracy

Under ESPR, the REO retains ultimate accountability for the accuracy of the DPP, even when data was provided by suppliers or updated by third parties such as repair operators. If a supplier provides incorrect material composition data and that data is published in a DPP, the enforcement liability rests with the brand that placed the product on the market — not the supplier.

Decentralized storage distributes responsibility to where data originates. It does not distribute accountability. The brand that places a product on the EU market is responsible for what the DPP says — regardless of where the underlying data came from.

What Brands Must Manage Directly

Under the decentralized model, brands must have operational ownership of the following:

A Structured, Queryable Data Store

Product data must be held in a format that can be retrieved, filtered, and served via API — not just stored. This typically means a database or data platform (either built internally or provided by a certified DPP service provider) that holds structured records for each product unit, indexed by the product's unique serialized identifier.

An Active API Endpoint

The data store must expose an API endpoint that the resolver can route requests to. This endpoint must be available continuously, respond within acceptable latency thresholds, and serve the correct data layer based on the authenticated identity of the requesting party (consumer, regulator, CEOP).

Access Control and Authentication

Not all DPP data is public. The brand's data infrastructure must implement access controls that differentiate between:

  • Public data — served without authentication to any consumer scanning the product
  • Restricted regulatory data — served only to authenticated authorities with defined access rights
  • Circular economy operator data — served to authenticated repairers, recyclers, and remanufacturers

Implementing these access tiers is an IT architecture requirement, not a content question. It requires authentication infrastructure, role-based access management, and integration with whatever authorization mechanism the ESPR ecosystem ultimately standardizes.
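The three access tiers above as a field-level filter. This is an added example, not code from ESPR or any DPP platform; the role names, the role-to-tier policy and the field names are assumptions, and the role is assumed to arrive already verified by the authentication layer.

```python
from enum import Enum

class Tier(Enum):
    PUBLIC = "public"
    REGULATORY = "regulatory"
    CIRCULAR = "circular"

# Tiers are separate grants, not a ladder: a recycler does not inherit the
# regulatory layer. This mapping is an assumed policy for the example.
ROLE_TIERS = {
    "consumer": {Tier.PUBLIC},
    "regulator": {Tier.PUBLIC, Tier.REGULATORY},
    "ceop": {Tier.PUBLIC, Tier.CIRCULAR},
}

# Every served field needs an explicit tier. Field names are constructed.
FIELD_TIER = {
    "product_name": Tier.PUBLIC,
    "material_composition": Tier.PUBLIC,
    "supplier_facility": Tier.REGULATORY,
    "disassembly_steps": Tier.CIRCULAR,
}

def allowed_tiers(role):
    # A missing or unrecognised role falls back to the public tier only.
    return ROLE_TIERS.get(role, {Tier.PUBLIC})

def serve(record, role=None):
    # Fields with no classification are dropped for everyone (fail closed).
    tiers = allowed_tiers(role)
    return {k: v for k, v in record.items() if FIELD_TIER.get(k) in tiers}

def unclassified(record):
    # Fields a release check should flag before the record goes live.
    return sorted(k for k in record if k not in FIELD_TIER)

SAMPLE = {  # constructed record
    "product_name": "Crew-neck T-shirt",
    "material_composition": "100% cotton",
    "supplier_facility": "Mill A",
    "disassembly_steps": "Remove care label before fibre sorting",
    "internal_cost_note": "added by a new import job",
}
```

The unclassified field in the sample is withheld from every role, so a new supplier or import field cannot become public by default.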

Version Control and Audit Trails

Because DPP data can be updated — by the brand, by repair operators, by circularity events — the data system must maintain a version history and audit trail. If a DPP record is updated and later disputed, the brand must be able to demonstrate what the record contained at any given point in time and who made each change.
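One way to meet the point-in-time and who-changed-what requirement is an append-only, hash-chained change log. This is an added example, not code from any DPP platform; the class, actor labels, field names and dates are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # 'prev' value for the first entry in a chain

def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained change history for one DPP record."""

    def __init__(self):
        self.entries = []

    def append(self, ts, actor, changes):
        # ts: ISO 8601 UTC string; entries must arrive in time order.
        if self.entries and ts < self.entries[-1]["ts"]:
            raise ValueError("timestamp earlier than previous entry")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": ts, "actor": actor, "changes": changes, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        # Recompute every hash and link; an edited or reordered entry fails here.
        prev = GENESIS
        for e in self.entries:
            body = {k: e[k] for k in ("ts", "actor", "changes", "prev")}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

    def as_of(self, ts):
        # Replay changes up to and including ts to rebuild the record.
        state = {}
        for e in self.entries:
            if e["ts"] <= ts:
                state.update(e["changes"])
        return state

    def history(self, field):
        # Who changed a given field, and when.
        return [(e["ts"], e["actor"]) for e in self.entries if field in e["changes"]]

def sample_log():
    # Constructed sample data: actors, fields and dates are illustrative.
    log = AuditLog()
    log.append("2028-03-01T09:00:00Z", "brand:pim-sync", {"material": "100% cotton", "repairs": 0})
    log.append("2031-06-12T14:30:00Z", "repairer:R-001", {"repairs": 1})
    log.append("2031-07-02T08:15:00Z", "brand:compliance", {"material": "95% cotton, 5% elastane"})
    return log
```

The chain detects edits to past entries, but not removal of the newest ones or a full rewrite by someone who controls the log. Holding the latest hash somewhere the writer cannot change, for example with the independent backup holder, closes that gap.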

Data Retention Beyond Product Commercialization

Brands routinely retire product data from internal systems after a product leaves active commercial assortment. Under DPP obligations, this practice must change. Data associated with a product that has been placed on the EU market must be retained and accessible for the full expected lifecycle of that product — which for many textile categories means many years beyond the end of commercial sale.

Using a Certified Third-Party Provider

ESPR allows brands to delegate data hosting and management to a certified third-party DPP service provider, rather than building and operating their own infrastructure. For most brands, this will be the more practical and cost-effective path.

However, delegation does not mean abdication. Even when using a third-party provider, the brand:

  • Remains the legally accountable REO for data accuracy
  • Must ensure the provider's infrastructure meets ESPR technical requirements
  • Must have contractual arrangements that ensure data access continuity — including what happens to the data if the provider ceases to operate
  • Must ensure the provider maintains the backup copy required by ESPR Article 9

Selecting a DPP service provider is therefore a due diligence exercise, not just a procurement decision. The provider's technical certifications, data governance practices, backup arrangements, and standards alignment all have direct compliance implications for the brands they serve.

The Mandatory Backup Obligation

ESPR Article 9(3a) requires that a backup copy of all DPP data be maintained by a certified independent third-party provider. This obligation exists to ensure that DPP data remains accessible even if the primary data holder — the brand or its service provider — ceases to operate.

The backup requirement applies regardless of whether a brand hosts its own data or uses a service provider. It means:

  • A second, independent copy of all DPP data must exist at all times
  • The backup holder must be certified under criteria that ESPR and its Delegated Acts will specify
  • The backup must be accessible to the resolver if the primary data source becomes unavailable

For brands evaluating DPP platforms, whether a provider has a certified backup arrangement — and with whom — is a non-negotiable due diligence question.

Data Sovereignty Considerations

Decentralized storage also raises questions of data sovereignty that are particularly relevant for brands with global operations or non-EU headquarters.

ESPR does not specify that DPP data must be stored on servers physically located within the EU, but it does require that data be accessible in accordance with EU law — including GDPR where personal data is involved, and the data access and portability requirements of the ESPR framework itself.

Brands storing DPP data with cloud providers should verify that their data storage and processing arrangements are compatible with EU regulatory requirements. This is particularly relevant for restricted data layers that may contain information subject to GDPR, trade secret protections, or cross-border data transfer restrictions.

The Supplier Data Problem

A core challenge of decentralized DPP data management is that much of the data brands need does not originate with the brand. It comes from suppliers — the factories, mills, dye houses, and material processors that make up the upstream supply chain.

In a decentralized model, there are two broad approaches to managing supplier-originated data:

Brand-Centralized Supplier Data Collection

The brand collects data from suppliers through its own data collection processes — supplier questionnaires, portal submissions, direct integrations with supplier systems — and consolidates it into the brand's own DPP data store. The brand is then the single holder of the consolidated record.

This approach gives the brand maximum control and visibility over its data, but places the burden of supplier outreach and data validation entirely on the brand's team.

Federated Supplier Data Contributions

In more advanced architectures, suppliers contribute data directly to the DPP system — each holding and serving their own tier of supply chain data, which the brand's DPP references rather than duplicates. This model is closer to the decentralized ideal envisioned by ESPR, but requires significantly more sophisticated interoperability between supplier and brand systems.

For most brands in 2026, a brand-centralized collection approach is more practical. The federated model becomes more achievable as industry data standards mature and supplier digital capabilities improve.

Regardless of approach, brands need a structured, systematic process for requesting, validating, and updating supplier data — and clear contractual obligations requiring suppliers to provide accurate, complete data in a timely manner. Gaps in supplier data are ultimately the brand's compliance problem, not the supplier's.

What to Do Now

Brands that understand the decentralized model will approach DPP preparation differently from those that are waiting for a central registry to appear. The practical actions follow from the responsibilities described above:

  • Audit your current data infrastructure. Where does your product data currently live? Is it queryable via API? Is it structured at the product-unit level? How long is it retained after a product leaves commercial assortment? The gap between your current state and DPP requirements is your starting point.
  • Evaluate DPP service providers on data governance. Don't just assess features — assess data governance: backup arrangements, access control capabilities, certifiability under CEN/CENELEC standards, and contractual data portability in case you need to change provider.
  • Build supplier data collection into your compliance workflow. Start requesting and structuring supply chain data now, using the objective datapoints that are already collectable. The sooner you establish supplier data-sharing relationships and processes, the more complete your DPP records will be at enforcement.
  • Plan for long-term data retention. Begin reviewing your data lifecycle policies and identifying what changes are needed to ensure DPP data remains accessible beyond the commercial lifecycle of each product.

Frequently Asked Questions

Can the European Commission access DPP data directly?

Market surveillance authorities and customs bodies have defined access rights to restricted DPP data layers under ESPR. However, the Commission does not operate a centralized database containing all DPP records — data remains with the REO or its certified service provider. Regulatory access is mediated through the authenticated access control system built into the DPP infrastructure.

What happens to DPP data if the brand ceases to operate?

This is precisely the scenario the mandatory backup requirement addresses. A certified independent third-party backup holder maintains a copy of all DPP data that remains accessible even if the primary data holder (brand or its provider) ceases to function. The resolver infrastructure can be updated to route requests to the backup if the primary endpoint becomes permanently unavailable.

Do brands need to build their own DPP platform?

No. Brands can — and most likely will — use certified third-party DPP service providers to host and manage their data infrastructure. However, the brand remains the accountable REO regardless of which provider manages the infrastructure. Choosing a provider means taking on accountability for that provider's compliance with ESPR technical requirements.
