| Aspect | ePrivacy Directive | GDPR | Working note |
|---|---|---|---|
| Scope boundary | Has someone stored information on, or gained access to information already stored in, a subscriber or user terminal, or interfered with electronic-communications confidentiality? | Is there processing of personal data about an identified or identifiable natural person, and who is the controller, processor, joint controller, recipient, or data subject? | Start separate issue records. A tracker can trigger ePrivacy before any personal-data analysis, while a CRM import can trigger GDPR without Article 5(3) device access. |
| Covered actors | Confidentiality of electronic communications, related traffic data, terminal equipment, and information stored on or accessed from that equipment, including information that is not personal data. | Personal data and the rights and freedoms of natural persons, including fairness, transparency, purpose limitation, data minimisation, security, rights, and accountability. | Do not dismiss Article 5(3) because a value is non-personal; do not open a GDPR record unless there is personal-data processing. |
| Trigger | Article 5(3) governs the storage/access step and applies through criteria for information, terminal equipment, public communications context, and gaining access or storage. | GDPR governs subsequent personal-data processing such as user identification, analytics reporting, behavioural advertising, profiling, enrichment, disclosure, and retention. | Evidence should split placement or reading from follow-on processing: tracker classification, purpose, exemption or consent decision, then GDPR lawful basis and processing record where personal data is used. |
| Core obligations | Article 5 requires national-law protection against listening, tapping, storage, interception, or surveillance of communications and related traffic data by persons other than users, subject to consent, necessary technical storage, or legal authorisation. | GDPR applies to personal data in communications and related processing, but it does not supersede the ePrivacy confidentiality rule for the communications operation itself. | For messaging, calling, email, logging, monitoring, or recording features, keep an ePrivacy confidentiality analysis and a separate GDPR processing analysis when personal data is handled. |
| Evidence record | Tracker and SDK inventory, Article 5(3) classification, consent or exemption rationale, CMP screenshots and configuration, communications-recording analysis, traffic/location-data decision, marketing consent or soft-opt-in record, suppression list, and national-law check. | ROPA entry, lawful-basis record, privacy notice, DPIA or risk assessment where needed, processor terms, retention schedule, DSAR workflow, breach assessment, transfer file, consent proof where consent is used, and accountability approvals. | One evidence repository is fine if every item is labelled by law, operation, source, owner, date, system, user-facing copy, and unresolved national-law caveat. |
| Timing and deadlines | Article 13 requires prior consent for automated calling systems, fax, and electronic mail direct marketing, includes a customer soft opt-in for own similar products or services, and leaves some choices to national legislation. | GDPR still governs personal-data processing for marketing lists, profiling, segmentation, CRM records, transparency, rights, retention, and processors. | Do not rely on GDPR legitimate interests to bypass Article 13 where ePrivacy requires consent or an opt-out structure under national law. |
| Enforcement | The Directive is implemented through national law; Member States set penalties and designate competent authorities for national ePrivacy rules, so country-specific enforcement and penalty claims require a national source. | GDPR has EU-level supervisory-authority powers and administrative-fine provisions, but those powers do not automatically become ePrivacy powers unless national ePrivacy law confers them. | Escalate to country counsel or a national regulator source before stating an ePrivacy penalty amount, competent authority, soft-opt-in variant, or cookie exemption beyond the EU-level rule. |
| Overlap and reuse | When ePrivacy requires consent, the current standard is read through GDPR consent conditions: freely given, specific, informed, unambiguous, based on a clear affirmative action, demonstrable, and easy to withdraw. | Consent is one GDPR lawful basis and carries Article 7 proof and withdrawal duties; if GDPR processing uses another lawful basis, that does not remove an ePrivacy consent requirement for the storage/access or marketing operation. | Keep proof of the user-facing choice, purpose granularity, affirmative action, default state, refusal path, withdrawal path, and evidence that refusal did not create detriment. |
| Practical decision rule | Where ePrivacy specifically regulates an operation, its special rule takes precedence for that operation and may limit the GDPR lawful-basis menu for that operation. | GDPR remains applicable to personal-data processing not specifically governed by ePrivacy, including prior or subsequent processing and GDPR rights or controller obligations not displaced by a special ePrivacy rule. | Mark the exact operation covered by ePrivacy. Do not label the entire product journey ePrivacy-only just because one tracker, communication, or marketing message is covered. |
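As an added illustration, not part of the original table, the following Python triage helper encodes the table's scope-boundary and practical-decision rules so that a tracker inventory or privacy review can be checked mechanically: an operation that stores or reads information on terminal equipment opens an ePrivacy record whether or not the value is personal data, any personal-data processing opens a separate GDPR record, a GDPR lawful basis such as legitimate interests never substitutes for a required ePrivacy consent, and a consent record is checked against the GDPR consent conditions the table lists. The `Operation`, `ConsentRecord` and `Triage` classes, their field names, and the sample operations are my own assumptions, not a schema from the page.

```python
"""Triage helper for ePrivacy / GDPR issue records.

Added example: the data model and sample operations are assumptions made for
illustration, not part of the original table or any regulator's tooling.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Operation:
    """One concrete operation, e.g. a tracker placement or a CRM import (assumed model)."""
    name: str
    stores_or_reads_terminal: bool = False   # Article 5(3) storage/access step on the device
    strictly_necessary: bool = False         # technical-storage exemption claimed for that step
    direct_marketing_email: bool = False     # Article 13 electronic-mail direct marketing
    soft_opt_in: bool = False                # customer soft opt-in for own similar products
    personal_data: bool = False              # identified or identifiable natural person involved
    gdpr_lawful_basis: Optional[str] = None  # e.g. "consent", "contract", "legitimate interests"


@dataclass
class ConsentRecord:
    """Proof of the user-facing choice, one flag per GDPR consent condition (assumed model)."""
    freely_given: bool = True
    specific: bool = True
    informed: bool = True
    unambiguous: bool = True
    affirmative_action: bool = True
    demonstrable: bool = True
    easy_to_withdraw: bool = True
    no_detriment_on_refusal: bool = True

    def gaps(self) -> list[str]:
        """Names of the conditions that are not satisfied."""
        return [name for name, ok in vars(self).items() if not ok]


@dataclass
class Triage:
    eprivacy: list[str] = field(default_factory=list)  # ePrivacy issue record entries
    gdpr: list[str] = field(default_factory=list)      # GDPR issue record entries
    blocking: list[str] = field(default_factory=list)  # findings that must be resolved


def triage(op: Operation, consent: Optional[ConsentRecord] = None) -> Triage:
    """Open separate issue records for one operation and list blocking findings."""
    t = Triage()
    needs_eprivacy_consent = False

    # ePrivacy is triggered by the storage/access step itself, personal data or not.
    if op.stores_or_reads_terminal:
        t.eprivacy.append("Article 5(3) storage/access: classify tracker and record purpose")
        if op.strictly_necessary:
            t.eprivacy.append("exemption claimed: document the necessity rationale")
        else:
            needs_eprivacy_consent = True

    # Article 13 marketing is a second ePrivacy operation with its own consent rule.
    if op.direct_marketing_email:
        t.eprivacy.append("Article 13 electronic-mail marketing")
        if op.soft_opt_in:
            t.eprivacy.append("soft opt-in relied on: record relationship, similar products, "
                              "opt-out offered, and the national-law variant checked")
        else:
            needs_eprivacy_consent = True

    # GDPR is triggered only by personal-data processing and is analysed separately.
    if op.personal_data:
        t.gdpr.append(f"lawful basis: {op.gdpr_lawful_basis or 'not recorded'}")
        t.gdpr.append("ROPA entry, privacy notice, retention schedule, rights workflow")
        if op.gdpr_lawful_basis is None:
            t.blocking.append("GDPR lawful basis missing")
        elif op.gdpr_lawful_basis == "consent":
            t.gdpr.append("Article 7: keep proof of consent and the withdrawal path")

    # A GDPR basis never replaces a required ePrivacy consent; check the consent itself.
    if needs_eprivacy_consent:
        if consent is None:
            t.blocking.append("ePrivacy consent required but none recorded; "
                              "a GDPR basis such as legitimate interests does not substitute")
        else:
            for gap in consent.gaps():
                t.blocking.append(f"consent condition not met: {gap}")
    return t


if __name__ == "__main__":
    # Constructed sample operations (not from the page).
    samples = [
        (Operation("A/B-test cookie, random bucket id", stores_or_reads_terminal=True), None),
        (Operation("CRM import of customer names", personal_data=True, gdpr_lawful_basis="contract"), None),
        (Operation("analytics SDK", stores_or_reads_terminal=True, personal_data=True,
                   gdpr_lawful_basis="legitimate interests"), None),
        (Operation("analytics SDK", stores_or_reads_terminal=True, personal_data=True,
                   gdpr_lawful_basis="consent"), ConsentRecord(easy_to_withdraw=False)),
    ]
    for op, rec in samples:
        result = triage(op, rec)
        print(op.name, "->", "ePrivacy" if result.eprivacy else "-", "|",
              "GDPR" if result.gdpr else "-", "| blocking:", result.blocking)
```

The point of running the four constructed samples is that the random-bucket cookie opens only an ePrivacy record and still blocks on missing consent, the CRM import opens only a GDPR record, the analytics SDK on legitimate interests opens both records and still blocks because the storage/access step needs its own consent, and the consented analytics SDK blocks only on the one consent condition (withdrawal) that the record does not prove.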