What makes a product passport a passport is that it is tied to one specific physical product. That link is created by the data carrier: a QR code or other marking on the product that leads to the digital passport in a single scan. This article walks through the types of DPP data carrier that exist, when to choose which, and how the GS1 Digital Link lets a single QR code serve several purposes at once.
The three technical layers of a DPP
Under the surface, a product passport is always built from the same three elements. Once you understand this trio, the rest of the details fall into place.
- A physical data carrier on the product (QR code, Data Matrix, RFID or NFC) — the one thing a consumer, an authority or a recycler actually holds in their hands.
- A unique product identifier encoded by the carrier — this is what distinguishes the product (or batch, or individual item) from everything else.
- The passport data, held in a web-accessible, human- and machine-readable location and stored decentrally at the manufacturer (or its DPP provider).
The key point: the carrier does not store the passport itself. It leads to a persistent identifier, and that identifier points to an updatable data location. If you are not sure what a product passport is and why it is needed, first read our introductory guide to the DPP.
Data carrier types: when to use which
There is no single "best" carrier, only a purpose-driven choice. The four relevant technologies have different strengths, and a single product may even carry more than one at the same time.
| Data carrier | Read method | Data capacity | Typical use | DPP status |
|---|---|---|---|---|
| QR code | Consumer smartphone, free app; needs line of sight | Medium (URL) | Consumer passport access | Approved GS1 Digital Link carrier |
| Data Matrix | Industrial scanner and phone; fits in very small spaces | Medium | Small parts, electronics, pharmaceuticals | Approved GS1 Digital Link carrier |
| RAIN RFID (UHF) | Radio, bulk, no line of sight | Large | Warehouse, production line, supply chain automation | Complementary; GS1 approval in progress |
| NFC | Phone tap, native decoding | Small–medium | Premium consumer experience, authenticity verification | Not yet GS1-approved as a carrier |
The practical logic of the choice is simple. The QR code and Data Matrix are the only currently approved carriers for open, consumer-facing mobile use of the GS1 Digital Link URI — which is why they are the default format for the consumer QR code product passport. RAIN RFID, thanks to its large data capacity and automated, line-of-sight-free bulk reading, is better suited to enterprise and supply-chain applications (an entire pallet of products can be scanned at once). NFC can be decoded natively by a phone, delivers an excellent consumer experience and can also carry a GS1 Digital Link URI — but it is not yet GS1-approved as a carrier, so today it is best used only as a complement, not as the sole data carrier.
GS1 Digital Link: one QR code, several purposes
The old barcode could do one thing: read out the item number at the checkout. The GS1 Digital Link can do far more, and that is exactly what makes it the ideal carrier for a product passport. The trick is that it encodes the product identifier into a standard web address (URI) in this form:
https://yourdomain.com/01/{GTIN}
When you put this URL into a QR code, the symbol does two jobs at once. The shopper's phone opens the product passport in a browser — showing care instructions, composition, repairability and recyclability. The same code returns the embedded GTIN to a POS system or a warehouse scanner, even without an internet connection. No more separate "checkout barcode" and separate "info QR": a single, multi-purpose 2D symbol carries both.
On top of that, the GS1 Digital Link is dynamic and updatable: the same physical QR can point to different data across the product's entire lifecycle and enable role-based access. Proprietary, closed QR codes, by contrast, create an isolated system that poses a compliance risk — one that future product-group rules could easily shut out.
The unique product identifier
A data carrier is only worth as much as the unique product identifier it carries. The ESPR framework regulation requires this identifier to comply with the ISO/IEC 15459 standard (or an equivalent). In practice, the most widely accepted candidate is the GTIN (Global Trade Item Number), often combined with a serial and batch number when item- or batch-level traceability is needed.
The newly published European standard EN 18219 (unique identifiers) allows five schemes for product and operator identifiers — including GS1 URIs, decentralized identifiers (DIDs) and DOIs. The choice may differ by product group: for a cotton T-shirt a model-level GTIN may be enough, whereas an EV battery needs a unique, item-level identifier because the battery's State of Health and life history are individual. Our article on the battery passport explains how much more data this category demands.
Human- and machine-readable at the same time
The ESPR is not satisfied with a passport that a human can read. The data has to be usable by both human and machine at once: structured, searchable, based on open standards, and accessible through a scannable data carrier. The passport must not only open in a browser but also be queryable via an API, so that market surveillance systems, recyclers or trading partners can process it automatically.
This is why it is mandatory to provide a free option that can be read with a smartphone — precisely what the data-carrier standard EN 18220 sets out, which, alongside the encoding of 2D symbols (QR code, Data Matrix) and RFID (HF/NFC/UHF), also specifies the placement, quality and printing requirements of the marking.
Access levels: not everyone sees everything
The product passport is not a single dataset open to everyone. Access is role-based and layered: a consumer sees something different from an authority or a recycler. This separation is defined by the EN 18239 (access and security) standard, aligned with eIDAS — but it is important to note that, as of mid-2026, this standard has not yet been published; it is in draft status (FprEN 18239) and is expected to be published around September 2026.
| Access level | Who has access | Example data |
|---|---|---|
| Public | Consumer (QR scan) | Environmental information, care/handling instructions, repairability, recyclability |
| Restricted (B2B) | Business partners | Full material composition, Scope 3 data, certificates |
| Authority / customs | Market surveillance, customs authority | Full access, SVHC substances, REACH/CBAM data |
| Recycler | Dismantler, waste handler | Disassembly instructions, composition, hazardous substances |
The battery passport is a good example: identification, type and main characteristics are public, but the State of Health and dynamic data are typically visible only to the current owner or authorized parties, while due diligence status is shown without revealing supplier identity. For textiles, the public layer typically contains the composition and the care instructions — you can read more about this in our DPP in the textile industry article and on our textile solution page.
The role of the EU central DPP registry
Many people misunderstand this: the central DPP registry operated by the European Commission is not a data store but an index — a kind of directory. Under Article 13 of the ESPR, the registry holds the unique product and passport identifiers, references to the economic operator, the product category, the timestamp and the registration confirmation. It does not hold the passport content itself, the confidential business data or the lifecycle history.
This decentralized model means data sovereignty stays with the manufacturer: the passport content sits with you (or your DPP provider), and for a given identifier the registry merely returns where the data is located. The responsible economic operator runs a redirect service (resolver) that maps the persistent identifier to the passport's current location — so identification stays constant while the data location can change freely.
The legislative text sets a target of roughly mid-2026 for establishing the registry; the exact go-live date and full functionality are still taking shape as planned, and the Commission's implementing acts may refine them. Our ESPR/DPP deadlines article gives an up-to-date overview of the mandatory deadlines by category.
Harmonized standards: where CEN/CENELEC stands
On 27 May 2026, the joint CEN/CENELEC JTC 24 committee published the first six European standards supporting the DPP (EN 18216, 18219, 18220, 18221, 18222, 18223). The remaining two — EN 18239 (access and security) and EN 18246 (authenticity and integrity) — were still in draft (FprEN) as of mid-2026, with formal voting running until 16 July 2026 as planned and publication expected around September 2026. This is a milestone — but there is a critical subtlety every manufacturer needs to understand.
| Standard | Subject | Status |
|---|---|---|
| EN 18216 | Data exchange protocols (REST/HTTPS/TLS) | Published (2026-05-27) |
| EN 18219 | Unique identifiers | Published (2026-05-27) |
| EN 18220 | Data carriers (QR, Data Matrix, RFID HF/NFC/UHF) | Published (2026-05-27) |
| EN 18221 | Storage, archiving, data retention | Published (2026-05-27) |
| EN 18222 | Lifecycle APIs and searchability | Published (2026-05-27) |
| EN 18223 | System interoperability, semantic data model | Published (2026-05-27) |
| EN 18239 | Access and security | Draft (FprEN); publication ~September 2026 |
| EN 18246 | Authenticity and integrity (electronic signature, verifiable credentials, digital seal) | Draft (FprEN); publication ~September 2026 |
The critical distinction: "available" is not the same as "harmonized". The six standards already published can be implemented today, but they only confer a presumption of conformity once the Commission harmonizes them and references them in the Official Journal of the EU (OJEU). As of mid-2026, that step was still pending. In other words, it is worth building to these now — since this is the de facto direction — but you should be aware that the formal conformity reference is still in progress, and the access-security and authenticity standards (EN 18239, EN 18246) are also still to be published.
At the global level, ISO/IEC JTC 5 (established in April 2026) is working on international DPP standardization, with substantive results expected from 2028. The EU-level technical reference comes from the CIRPASS-2 project funded by the Digital Europe Programme: it produced the EU DPP Core Ontology (March 2025) and the reference architecture (June 2026). These are not binding legislation but preparatory, advisory work.
Where and how to place the data carrier
Correct marking placement is not an aesthetic question but a compliance one. A few practical guidelines, framed by EN 18220 and sectoral rules:
- As close to the product as possible. Wherever feasible, the marking should be on the product itself; if that is not durable or does not fit, on the packaging or accompanying documentation — the product group's delegated act determines what is acceptable.
- Durability for the product's lifetime. On an EV battery, the QR code must physically be on the battery and survive its entire lifetime, because the passport has to be read years later, during the second life or recycling.
- Free, device-independent readability. There must be an option that can be scanned with any smartphone, without special hardware or a paid app.
- Print quality and size. EN 18220 sets the quality and placement requirements for the symbol — a poorly printed, fragile or too-small QR is unreadable and therefore non-compliant.
- One product, multiple carriers allowed. Feel free to put a QR for the consumer and RAIN RFID for logistics on the same product — just make sure they point to the same identifier.
How Veridyn helps
Veridyn takes exactly this technical layer off your shoulders. The platform generates a GS1 Digital Link-compatible QR code for every product or batch, serves the passport data in human- and machine-readable form, and manages layered, role-based access — so the consumer, the authority and the recycler each see the data layer intended for them. The content stays with you, remains updatable, and is ready to connect to the future central registry.
When you are ready to assess what data carrier and passport structure you need, start with our preparation checklist, take a look at our battery solution, or start a free account and try it live. If you have questions, get in touch with our team — we will help you pick the right DPP data carrier combination for your product.