Legitimate Interest Access to Restricted Passport Data

Annex XIII of EU Battery Regulation 2023/1542 defines four tiers of access to passport data. Most data is publicly visible to anyone who scans the QR code. A subset of technically sensitive fields is restricted — accessible only to actors with a verified legitimate interest.

The four access tiers

DPP Cloud implements Tier 1 and Tier 3. Tier 2 is handled by the EU registry. Tier 4 is your authenticated dashboard.

Which fields are public (Tier 1)

Every visitor who scans the QR code can see:

• Battery category (EV, industrial, LMT)
• General chemistry type (e.g. "lithium-ion")
• Manufacturer name and economic operator details
• Manufacturing date
• Passport number and status
• EU registry status
• Carbon footprint performance class (A, B, C, or D)
• Rated capacity (Wh), voltage range, expected lifetime
• Separate collection symbol
• Hazardous substance presence indicator (yes/no)
• Declaration methodology and declaration date
• Public compliance documents

Which fields are restricted (Tier 3)

The following data is not shown to unauthenticated visitors. A placeholder in the public viewer explains that restricted data exists and invites eligible actors to request access:

• Detailed material composition percentages (cobalt, lithium, nickel, graphite exact %)
• Specific manufacturing facility address (commercially sensitive)
• Detailed hazardous substance concentrations (beyond presence indicator)
• Supply chain actor verification details, document types, and issuing body certificates
• Carbon footprint declared value (specific kg CO₂e/kWh figure)
• Carbon footprint lifecycle stages detail
• Carbon footprint verification body name and certificate reference

Who qualifies for legitimate interest access

Two actor types are eligible:

Second life battery operators — companies assessing or repurposing batteries for a second application (e.g. EV battery repurposed for grid storage). They need material composition data to determine battery suitability and meet their own DPP obligations under the regulation.

Recyclers and material recovery facilities — companies processing end-of-life batteries. They need detailed material data to plan safe disassembly, recover materials efficiently, and comply with hazardous substance reporting requirements.

How to request access as a legitimate interest actor

You do not need a DPP Cloud account. Access is granted on request via the public passport page.

[STEP: Scan or open the battery passport QR code]

The public viewer shows a placeholder for restricted sections: "Additional data available — request access to full data."

[STEP: Click "Request access to full data →"]

This opens the access request form at dppcloud.co.uk/p/[qr_token]/request-access.

[STEP: Complete the form]

Enter your full name, company name, company registration number, select your role (second life operator or recycler), and describe your specific purpose for access in at least 50 characters.

[STEP: Submit the attestation]

By submitting, you confirm that your stated role and purpose are accurate and that you have a legitimate interest under Annex XIII. This attestation is legally binding. False attestation may result in liability under EU Battery Regulation 2023/1542 and applicable national law.

[STEP: Check your email]

An access link is sent to the email address you provided. The link expires in 48 hours.

[STEP: Click the access link]

Opening the link opens the public viewer with all Tier 3 fields now visible. A banner confirms your access grant, the granted-to company name, and the expiry time. This access event is logged permanently.

What the access link contains

The access link is of the form:

`

dppcloud.co.uk/p/[qr_token]?access_token=[token]

`

Share it only within your organisation. If you need access again after 48 hours, submit a new request. There is no limit on the number of requests per passport.

Attestation and legal liability

DPP Cloud does not perform third-party identity verification of requestors. The legal basis for granting access is the attestation you make at the point of submission. If you claim a role or purpose you do not hold, you bear full legal liability for any misuse of restricted data accessed as a result. DPP Cloud's obligation is to maintain the access infrastructure and audit trail.

What passport owners can see

Passport owners can see all access requests made on their passports. In the dashboard, open a passport and click the Access tab. The table shows:

• Actor company name
• Role (second life operator or recycler)
• Stated purpose (truncated)
• Request date
• Token expiry date and status (Active / Expired / Used)
• When the token was actually used to view restricted data

You cannot revoke access within the 48-hour token period — legitimate interest access is a right under the regulation. To report suspected abuse, contact support@dppcloud.co.uk.

The access log

The Access Log page in the dashboard (Dashboard → Access Log) shows all access requests across all your passports. You can filter by passport, role, and date range. You can export the full log as CSV for regulatory submissions and service provider handover packages.

The access log is also available via the REST API (GET /api/v1/passports/[id]) and via the org data export endpoint.