Data Controller

SOPREMA SAS, as manufacturer, and 360SmartConnect SAS, as Digital Product Passport host (DPPSP), are joint data controllers.

Data Collected

• Authentication data: email, name, role (for authenticated users)
• Traceability data: EPCIS events (location, actor, date)
• Audit log: HTTP method, URL, IP address, user-agent

Processing Purposes

• Product traceability under ESPR regulation (EU) 2024/1781
• Access control for DPP information according to ACL matrix
• Audit logging for regulatory compliance

Legal Basis

Processing is based on legal obligation (ESPR regulation) and legitimate interest (product traceability, security). Consent is collected for voluntary access requests.

Data Retention

DPP data is retained for the product lifetime plus 10 years, in accordance with ESPR regulation. Audit logs are retained for 2 years. Access requests are retained for 1 year after processing.

Your Rights

Under GDPR, you have the right to access, rectify, erase, restrict processing, data portability, and object. To exercise these rights, use the form below or contact the DPO.