Not all passport data is public. Annex XIII assigns each data point to one of four audiences, and a compliant passport must enforce these distinctions in code — not by hoping nobody looks.

| Tier | Audience | Example data |
|---|---|---|
| Public | Anyone scanning the QR | Identity, chemistry, capacity, carbon class |
| Legitimate interest | Repairers, refurbishers, recyclers | Disassembly, hazardous substances |
| Authorities | Market surveillance, customs | Conformity, due-diligence records |
| Commission | European Commission | Reserved data |

The frequent failure mode is leaking restricted fields onto the public page. Tier enforcement must be server-side and field-level.
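
One way to enforce the tiers per field on the server, as an added example (not code from the regulation or from any passport implementation). The field names, the `render_passport` helper, and the rule that each audience sees public fields plus its own tier are assumptions made for illustration.

```python
from enum import Enum

class Tier(Enum):
    PUBLIC = "public"
    LEGITIMATE_INTEREST = "legitimate_interest"
    AUTHORITIES = "authorities"
    COMMISSION = "commission"

# Hypothetical field names; tier assignments follow the table's example data.
FIELD_TIER = {
    "battery_id": Tier.PUBLIC,
    "chemistry": Tier.PUBLIC,
    "capacity_kwh": Tier.PUBLIC,
    "carbon_class": Tier.PUBLIC,
    "disassembly_instructions": Tier.LEGITIMATE_INTEREST,
    "hazardous_substances": Tier.LEGITIMATE_INTEREST,
    "conformity_records": Tier.AUTHORITIES,
    "due_diligence_records": Tier.AUTHORITIES,
    "reserved_data": Tier.COMMISSION,
}

def visible_tiers(audience):
    # Assumption: each audience sees public data plus its own tier only.
    if not isinstance(audience, Tier):
        raise ValueError("audience must be a Tier resolved server-side")
    return {Tier.PUBLIC, audience}

def render_passport(record, audience=Tier.PUBLIC):
    """Build the response from an allow-list instead of hiding fields client-side."""
    # 'audience' must come from the authenticated session, never from a
    # query parameter or header the caller controls.
    allowed = visible_tiers(audience)
    # Fields missing from FIELD_TIER map to None and are withheld (default deny).
    return {k: v for k, v in record.items() if FIELD_TIER.get(k) in allowed}

# Constructed sample record; 'internal_notes' is deliberately unclassified.
SAMPLE = {
    "battery_id": "EXAMPLE-0001",
    "chemistry": "LFP",
    "capacity_kwh": 60,
    "carbon_class": "B",
    "hazardous_substances": ["example substance"],
    "conformity_records": ["example declaration"],
    "reserved_data": "example",
    "internal_notes": "never classified, so never served",
}

if __name__ == "__main__":
    for tier in Tier:
        print(tier.value, sorted(render_passport(SAMPLE, tier)))
```

Because unclassified fields are dropped, a column added to the record later stays off every page until someone assigns it a tier.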