| Question | GDPR (Regulation (EU) 2016/679) | ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) | Practitioner note |
|---|---|---|---|
| Scope boundary | Is there processing of personal data in scope of the GDPR, and who is the controller, processor, or joint controller for that processing? | Is the activity connected to publicly available electronic communications services or public communications networks, communications confidentiality, traffic data, location data, terminal-equipment storage or access, or unsolicited communications? | Run both tests for cookies, SDKs, analytics, messaging, and marketing. ePrivacy may govern the communications or terminal-access step while GDPR governs any personal-data processing that follows. Neither test answers the other: a "no" under one regime does not exclude the other. |
| Consent | Article 6 requires a lawful basis for personal-data processing. Consent is one basis among several, and Article 7 requires the controller to be able to demonstrate consent and to allow withdrawal at any time. | Article 5(3) requires consent for storing information, or gaining access to information already stored, in a user's or subscriber's terminal equipment, unless the storage or access is for the sole purpose of carrying out the transmission of a communication or is strictly necessary to provide an information society service explicitly requested by the user. Article 13 sets consent and objection rules for direct-marketing communications. | A consent banner or marketing opt-in may need to satisfy ePrivacy for the access or communication and GDPR for the later personal-data processing. Do not substitute another GDPR basis (such as legitimate interests) for an ePrivacy consent requirement. The consent standard itself is the GDPR's: Article 94(2) GDPR makes references to the old Data Protection Directive read as references to the GDPR, so ePrivacy consent must meet Article 4(11) and Article 7. |
| Cookies and terminal equipment | Applies when cookie, SDK, tag, device, or analytics data is personal data, or is combined with other data to identify or single out a person for processing purposes. | Article 5(3) turns on the act of storing information on, or gaining access to information already stored in, the subscriber's or user's terminal equipment. It applies whether or not that information is personal data. | Classify terminal access first, then classify the personal-data processing that follows. A cookie can be exempt as strictly necessary for ePrivacy purposes yet still require a GDPR lawful basis and record for any personal data processed after access; conversely, a non-exempt cookie needs ePrivacy consent even if it holds no personal data. |
| Communications, traffic, and location data | Governs personal-data processing principles, transparency, security, rights, breach response, records, DPIAs, and transfers whenever communications data or location data relates to an identified or identifiable person. | Contains specific rules for confidentiality of communications (Article 5), traffic data (Article 6), and location data other than traffic data (Article 9) in the electronic communications context. | For messaging, network, telecom, or location features, do not rely only on a GDPR data map. Add the Article 5, 6, and 9 classification wherever the service and data type match the directive. |
| Direct marketing | Still requires a lawful basis, notice, handling of the right to object (Article 21(2) and (3)), suppression controls, and accountability for personal data used in direct marketing. | Article 13 addresses unsolicited communications for direct marketing: prior consent for automated calling and communication systems without human intervention, fax, and electronic mail (Article 13(1)); a limited soft opt-in for a company's own similar products or services to existing customers who can object free of charge (Article 13(2)); and a Member State choice between opt-in and opt-out for other channels (Article 13(3)). | Keep the GDPR marketing-processing record and the ePrivacy channel rule together. If a rule turns on Member State implementation, flag it for local-law review rather than generalizing it. |
| Security and breach notification | Article 32 requires security appropriate to the risk. Article 33 requires the controller to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; Article 34 adds individual notice for high-risk breaches. | Article 4 requires providers of publicly available electronic communications services to take security measures and to notify personal-data breaches to the competent national authority without undue delay, with notice to the subscriber or individual where the breach is likely to adversely affect their personal data or privacy. Commission Regulation (EU) No 611/2013 sets the authority notification at no later than 24 hours after detection, where feasible. | A communications-service breach may need both GDPR and ePrivacy routing, and the ePrivacy clock is shorter. Record which authority route, threshold, clock, subscriber notice, and evidence inventory applies under each source. |
| Enforcement | Creates supervisory authorities, corrective powers, and administrative fine tiers under Article 83: up to EUR 10 million or 2 percent of total worldwide annual turnover of the preceding financial year, and up to EUR 20 million or 4 percent for the more serious infringements, whichever amount is higher. | Article 15a requires Member States to lay down penalties for infringements of the national provisions adopted under the directive, and those penalties must be effective, proportionate, and dissuasive. | Do not invent national ePrivacy fine amounts or authority procedures from a GDPR comparison. Use GDPR fine tiers for GDPR issues and check Member State ePrivacy implementation for the local penalty route and competent authority, which may be a data-protection authority, a telecoms regulator, or both. |
| Overlap and reuse | When the same tool or workflow collects personal data and also touches terminal equipment, identify both the GDPR role and the ePrivacy trigger before deciding which records to keep. | When the same tool or workflow touches electronic communications, direct marketing, traffic data, or location data, decide whether the ePrivacy rule is the gatekeeper and then check whether any later processing also needs a GDPR basis. Article 95 GDPR provides that the GDPR imposes no additional obligations on providers of publicly available electronic communications services for matters where the directive already imposes specific obligations with the same objective. | One product step can trigger two analyses, but the evidence should be separated by legal test. That keeps the cookie, communications, and personal-data questions from collapsing into one generic privacy review. |
| Practical decision rule | Always ask whether the step processes personal data and, if so, which GDPR role applies. A "yes" or "no" here does not settle whether ePrivacy also applies, because the directive's triggers do not depend on personal data. | Ask whether the same step reaches terminal equipment or another ePrivacy trigger. If it does, resolve the consent, confidentiality, or marketing-channel rule first, and only then decide what additional GDPR processing record, notice, or lawful basis is needed. | The practical rule is sequential: identify the ePrivacy trigger, then check the GDPR follow-on processing. That avoids repeating the same scope question twice and gives teams a cleaner decision path. |