---
title: "EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications"
canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy"
source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy"
author: "Sorena AI"
description: "Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU GDPR"
  - "ePrivacy Directive"
  - "GDPR vs ePrivacy"
  - "cookie consent"
  - "electronic communications"
  - "personal data processing"
  - "personal data"
  - "lawful basis"
---

# EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications

Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.

*Comparison Guide* *EU*

## EU GDPR vs ePrivacy Directive

Use this comparison to separate GDPR personal-data processing duties from ePrivacy rules for electronic communications, terminal-equipment access, traffic data, location data, and direct marketing.

The page is source-limited to the GDPR and the consolidated ePrivacy Directive texts available in the grounding set, so national implementation details are flagged as local-law follow-up rather than stated as universal rules.

The GDPR and the ePrivacy Directive often apply to the same product journey, but they answer different questions. GDPR starts with whether personal data is processed by a controller or processor and then asks for principles, lawful basis, transparency, rights, security, breach, DPIA, transfer, and accountability controls. The ePrivacy Directive starts with electronic communications, public communications networks or services, traffic and location data, terminal-equipment storage or access, and unsolicited communications. Treat consent, cookies, analytics, messaging, and marketing as parallel compliance work when both fact patterns are present.

## EU GDPR vs ePrivacy Directive: where each workstream starts

Use the rows to decide whether a fact pattern needs GDPR work, ePrivacy work, or both. The ePrivacy column stays limited to facts grounded in the consolidated directive text.

- **EU GDPR**: Starts with processing of personal data by controllers, processors, or joint controllers and requires a lawful basis, transparent processing, rights handling, security, accountability, and other GDPR controls.
- **ePrivacy Directive**: Starts with electronic communications and related privacy rules, including public communications services, communications confidentiality, terminal-equipment storage or access, traffic data, location data, and unsolicited communications.

| Dimension | EU GDPR | ePrivacy Directive | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope boundary | Is there processing of personal data in scope of the GDPR, and who is the controller, processor, or joint controller for that processing? | Is the activity connected to publicly available electronic communications services or public communications networks, communications confidentiality, traffic data, location data, terminal-equipment storage or access, or unsolicited communications? | Run both tests for cookies, SDKs, analytics, messaging, and marketing. ePrivacy may govern the communications or terminal-access step while GDPR governs any personal-data processing that follows. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the personal-data processing side of a parallel GDPR and ePrivacy assessment.<br>[Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports the communications and terminal-access side of a parallel GDPR and ePrivacy assessment. |
| Covered actors | GDPR Article 6 requires a lawful basis for personal-data processing. Consent is one basis, and Article 7 requires the controller to demonstrate consent and allow withdrawal. | ePrivacy Article 5(3) requires consent for storing information or gaining access to information in terminal equipment unless the directive's transmission or strictly necessary exception applies. Article 13 addresses consent and objection rules for direct marketing communications. | A consent banner or marketing opt-in may need to satisfy ePrivacy for the access or communication and GDPR for the later personal-data processing. Do not substitute a GDPR basis for an ePrivacy consent requirement. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 6 supports separate GDPR lawful-basis analysis.<br>[Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Article 5(3) supports separate ePrivacy terminal-access analysis. |
| Trigger | GDPR applies when cookie, SDK, tag, device, or analytics data is personal data or is combined with other data to identify or single out a person for processing purposes. | ePrivacy Article 5(3) focuses on storing information or gaining access to information already stored in the subscriber's or user's terminal equipment. | Classify terminal access first, then classify the personal-data processing that follows. A cookie can be technically necessary for ePrivacy purposes yet still require a GDPR record for any personal data processed after access. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports treating downstream personal-data processing as a GDPR record even where the same tool is reviewed under ePrivacy.<br>[Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports separate ePrivacy classification of storage or access in terminal equipment. |
| Core obligations | GDPR governs personal-data processing principles, transparency, security, rights, breach response, records, DPIAs, and transfers when communications data or location data relates to an identified or identifiable person. | ePrivacy contains specific rules for communications confidentiality, traffic data, and location data other than traffic data in the electronic communications context. | For messaging, network, telecom, or location features, do not rely only on a GDPR data map. Add the ePrivacy Article 5, 6, and 9 classification where the service and data type match the directive. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR side of communications-data processing where the data is personal data.<br>[Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports the ePrivacy-specific communications-data classification. |
| Evidence record | GDPR still requires a lawful basis, notice, rights handling, suppression controls, and accountability for personal data used in direct marketing. | ePrivacy Article 13 addresses unsolicited communications for direct marketing, including prior consent for automated calling systems, fax, and electronic mail, plus a limited own-similar-products electronic-mail scenario and national-law choices for other cases. | Keep the GDPR marketing-processing record and the ePrivacy channel rule together. If a rule turns on Member State implementation, flag it for local-law review rather than generalizing it. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports separate GDPR accountability for marketing data processing.<br>[Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports separate ePrivacy channel and consent checks for direct marketing communications. |
| Timing and deadlines | GDPR Article 32 requires security appropriate to risk, and Article 33 requires controller notification to the competent supervisory authority where feasible within 72 hours unless the breach is unlikely to risk individuals' rights and freedoms. | ePrivacy Article 4 requires providers of publicly available electronic communications services to take security measures and notify personal data breaches to the competent national authority without undue delay, with subscriber or individual notice where likely adverse effects apply. | A communications-service breach may need both GDPR and ePrivacy routing. Record which authority route, threshold, clock, subscriber notice, and evidence inventory applies under each source. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports retaining a distinct GDPR breach assessment and timing record.<br>[Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports retaining a distinct ePrivacy breach inventory and competent-national-authority route where Article 4 applies. |
| Enforcement | GDPR creates supervisory authorities, corrective powers, and administrative fine tiers, including up to EUR 20 million or 4 percent of worldwide annual turnover for specified infringements. | ePrivacy requires Member States to lay down penalties for infringements of national provisions adopted under the directive, and those penalties must be effective, proportionate, and dissuasive. | Do not invent national ePrivacy fine amounts or authority procedures from a GDPR comparison. Use GDPR fine tiers for GDPR issues and check Member State ePrivacy implementation for the local penalty route. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports using GDPR enforcement powers and fine tiers only for GDPR-side issues.<br>[Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports flagging national ePrivacy penalty details as Member State implementation checks. |
| Overlap and reuse | When the same tool or workflow collects personal data and also touches terminal equipment, identify both the GDPR role and the ePrivacy trigger before you decide which records to keep. | When the same tool or workflow touches electronic communications, direct marketing, traffic data, or location data, decide whether the ePrivacy rule is the gatekeeper and then check whether any later processing also needs a GDPR basis. | One product step can trigger two analyses, but the evidence should be separated by legal test. That keeps the cookie, communications, and personal-data questions from collapsing into one generic privacy review. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the personal-data processing side of a parallel GDPR and ePrivacy assessment.<br>[Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports the communications and terminal-access side of a parallel GDPR and ePrivacy assessment. |
| Practical decision rule | First ask whether the step processes personal data and, if so, which GDPR role applies; then ask whether the same step also reaches terminal equipment or another ePrivacy trigger. | If ePrivacy is triggered, resolve the consent, confidentiality, or marketing channel rule first, and only then decide what additional GDPR processing record, notice, or lawful basis is needed. | The practical rule is sequential: identify the ePrivacy trigger, then check the GDPR follow-on processing. That avoids repeating the same scope question twice and gives teams a cleaner decision path. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports a GDPR follow-on assessment after the ePrivacy trigger is classified.<br>[Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports applying the ePrivacy rule before the downstream GDPR analysis. |

Sources for Scope boundary - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 1 to 4 establish GDPR subject matter, material scope, territorial scope, and definitions for personal data, processing, controller, and processor.
  - Quote: "processing of personal data"

Sources for Scope boundary - ePrivacy Directive:

- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Articles 3, 5, 6, 9, and 13 establish the grounded ePrivacy scope areas used in this comparison.
  - Quote: "public communications networks"

Sources for Scope boundary - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the personal-data processing side of a parallel GDPR and ePrivacy assessment.
  - Quote: "processing of personal data"
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports the communications and terminal-access side of a parallel GDPR and ePrivacy assessment.
  - Quote: "terminal equipment"

Sources for Covered actors - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 6 and 7 support the GDPR lawful-basis and consent statements.
  - Quote: "Processing shall be lawful only if"

Sources for Covered actors - ePrivacy Directive:

- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Articles 5(3) and 13 support terminal-access consent and direct-marketing consent or objection statements.
  - Quote: "has given his or her consent"

Sources for Covered actors - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 6 supports separate GDPR lawful-basis analysis.
  - Quote: "one of the following applies"
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Article 5(3) supports separate ePrivacy terminal-access analysis.
  - Quote: "strictly necessary"

Sources for Trigger - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 4 definitions and Article 5 principles support the GDPR processing classification for identifiers and related data.
  - Quote: "online identifier"

Sources for Trigger - ePrivacy Directive:

- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Article 5(3) supports the terminal-equipment access distinction.
  - Quote: "information already stored"

Sources for Trigger - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports treating downstream personal-data processing as a GDPR record even where the same tool is reviewed under ePrivacy.
  - Quote: "purposes for which"
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports separate ePrivacy classification of storage or access in terminal equipment.
  - Quote: "terminal equipment"

Sources for Core obligations - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 4, 5, 12 to 22, 30, 32, 33, 35, and Chapter V support GDPR duties for personal data in communications-related processing.
  - Quote: "location data"

Sources for Core obligations - ePrivacy Directive:

- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Articles 5, 6, and 9 support the ePrivacy statements on confidentiality, traffic data, and location data.
  - Quote: "traffic data"

Sources for Core obligations - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR side of communications-data processing where the data is personal data.
  - Quote: "personal data"
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports the ePrivacy-specific communications-data classification.
  - Quote: "Confidentiality of the communications"

Sources for Evidence record - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 5, 6, 12 to 14, 21, and 30 support GDPR marketing-processing evidence.
  - Quote: "Right to object"

Sources for Evidence record - ePrivacy Directive:

- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Article 13 supports the ePrivacy direct-marketing statements, including prior consent, own similar products, and national-law choice language.
  - Quote: "direct marketing"

Sources for Evidence record - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports separate GDPR accountability for marketing data processing.
  - Quote: "lawfulness, fairness and transparency"
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports separate ePrivacy channel and consent checks for direct marketing communications.
  - Quote: "electronic mail"

Sources for Timing and deadlines - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 32 and 33 support the GDPR security and breach-notification statements.
  - Quote: "not later than 72 hours"

Sources for Timing and deadlines - ePrivacy Directive:

- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Article 4 supports ePrivacy security measures, breach notification, subscriber or individual notification, and breach-inventory evidence.
  - Quote: "without undue delay"

Sources for Timing and deadlines - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports retaining a distinct GDPR breach assessment and timing record.
  - Quote: "rights and freedoms"
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports retaining a distinct ePrivacy breach inventory and competent-national-authority route where Article 4 applies.
  - Quote: "inventory of personal data breaches"

Sources for Enforcement - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 51, 58, and 83 support the GDPR supervisory-authority powers and administrative-fine statements.
  - Quote: "up to 20 000 000 EUR"

Sources for Enforcement - ePrivacy Directive:

- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Article 15a supports only the directive-level penalty statement; national penalty amounts and procedures are not stated here.
  - Quote: "effective, proportionate and dissuasive"

Sources for Enforcement - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports using GDPR enforcement powers and fine tiers only for GDPR-side issues.
  - Quote: "administrative fines"
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports flagging national ePrivacy penalty details as Member State implementation checks.
  - Quote: "national provisions"

Sources for Overlap and reuse - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 4, 5, 6, and 24 support identifying the GDPR role and lawful-basis analysis for personal-data processing.
  - Quote: "processing of personal data"

Sources for Overlap and reuse - ePrivacy Directive:

- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Articles 3, 5, 6, 9, and 13 support the ePrivacy triggers for communications, terminal access, traffic data, location data, and direct marketing.
  - Quote: "terminal equipment"

Sources for Overlap and reuse - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the personal-data processing side of a parallel GDPR and ePrivacy assessment.
  - Quote: "be able to demonstrate compliance"
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports the communications and terminal-access side of a parallel GDPR and ePrivacy assessment.
  - Quote: "public communications networks"

Sources for Practical decision rule - EU GDPR:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 4, 5, 6, and 24 support the initial GDPR classification step.
  - Quote: "processing of personal data"

Sources for Practical decision rule - ePrivacy Directive:

- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Articles 5, 6, 9, and 13 support the ePrivacy trigger and channel-rule step.
  - Quote: "storing information or to gain access to information"

Sources for Practical decision rule - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports a GDPR follow-on assessment after the ePrivacy trigger is classified.
  - Quote: "one of the following applies"
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports applying the ePrivacy rule before the downstream GDPR analysis.
  - Quote: "prior consent"

### How should teams apply both regimes in one workflow?

- Classify the activity first: personal-data processing, terminal-equipment access, electronic communications service, traffic data, location data, direct marketing, or breach response.
- Assign a GDPR owner for personal-data processing and an ePrivacy owner for communications, terminal-access, and channel-specific rules; the same person can own both only if both records are explicit.
- Keep consent evidence separate enough to show which consent event supports ePrivacy access or marketing and which lawful basis supports GDPR processing.
- Flag national ePrivacy implementation checks for direct marketing choices, penalties, and competent authority routing instead of stating unsupported Member State details.

Sources for the practical decision rule:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR classification, lawful-basis, accountability, security, breach, DPIA, transfer, and enforcement steps in the workflow.
  - Quote: "be able to demonstrate compliance"
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports ePrivacy classification for communications confidentiality, terminal-equipment access, traffic data, location data, direct marketing, security, breach, and national implementation checks.
  - Quote: "electronic communications sector"

## Start with the fact pattern, not the framework name

A GDPR assessment asks whether there is processing of personal data and who acts as controller, processor, or joint controller. If personal data is involved, Article 5 accountability and Article 6 lawfulness must still be satisfied even when an ePrivacy rule also applies.

An ePrivacy assessment asks whether the activity falls within electronic communications rules, such as public communications services, communications confidentiality, terminal-equipment storage or access, traffic data, location data, or direct marketing by electronic mail. The directive is source-limited here: details that depend on national transposition should be checked in the relevant Member State law.

- For a cookie or SDK, record both the ePrivacy terminal-access answer and the GDPR personal-data processing answer if the identifier or related data relates to an identifiable person.
- For email, SMS, or similar marketing, record the ePrivacy direct-marketing rule separately from the GDPR lawful basis and transparency record.
- For communications metadata or location features, check the ePrivacy traffic or location-data articles before reusing a general GDPR lawful-basis memo.
- For security and breach response, keep separate clocks and evidence where the GDPR and ePrivacy texts create different notification routes.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR side of the comparison: personal-data processing, principles, lawful bases, controller and processor obligations, records, security, breaches, DPIAs, transfers, supervisory authorities, and fines.
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports the ePrivacy side: electronic communications services, confidentiality, terminal-equipment storage or access, traffic data, location data, and unsolicited communications.

## Consent and lawful basis are related but not interchangeable

Under the GDPR, processing is lawful only when one Article 6 basis applies. Consent is one possible basis, but the GDPR also recognizes contract necessity, legal obligation, vital interests, public task, and legitimate interests, subject to the text's conditions.

Under the ePrivacy Directive, some communications-specific activities are framed around consent or specific opt-out rules. Article 5(3) requires consent for storing information or gaining access to information stored in a subscriber's or user's terminal equipment unless the activity is only for communication transmission or strictly necessary for a requested information society service. Article 13 separately addresses unsolicited communications for direct marketing, including prior consent and an own-similar-products exception for electronic mail.

- Do not use GDPR legitimate interests as a shortcut for ePrivacy terminal access where Article 5(3) requires consent.
- Do not stop at cookie-banner consent; identify the GDPR purpose, data categories, recipients, retention, and lawful basis for downstream processing.
- When relying on consent under either workstream, keep the notice, purpose, consent event, withdrawal path, and suppression logic together.
- Where Article 13 leaves choices to national legislation, mark the item as a Member State implementation check instead of stating a universal EU-wide marketing rule.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 6 lists GDPR lawful bases and Article 7 sets conditions for consent, including demonstration and withdrawal.
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Article 5(3) covers terminal-equipment storage or access, and Article 13 covers unsolicited communications for direct marketing.

## Build one evidence pack with two labels

Parallel compliance does not mean duplicate work. A single data map, cookie inventory, consent log, marketing register, or incident file can serve both workstreams if each evidence item says which GDPR article and which ePrivacy article it supports.

The evidence should be specific enough for product, privacy, marketing, security, and vendor owners to act on it. A generic statement that a tool is compliant with privacy law is not enough; record the processing purpose, communications context, terminal access, consent or objection mechanism, security control, breach route, and reassessment trigger.

- For cookies, SDKs, tags, and device identifiers, keep the ePrivacy Article 5(3) classification and the GDPR Article 5 and Article 6 processing record side by side.
- For direct marketing, keep Article 13 consent or objection evidence next to the GDPR notice, lawful basis, suppression, and rights-handling evidence.
- For communications services, keep ePrivacy security, breach, traffic-data, and location-data records distinct from GDPR Article 30, 32, 33, and 35 records.
- For transfers or processors, do not assume ePrivacy evidence resolves GDPR Chapter V, Article 28, or accountability duties.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 5, 24, 28, 30, 32, 33, 35, and Chapter V support the GDPR records, accountability, security, breach, DPIA, processor, and transfer evidence described here.
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Articles 4, 5, 6, 9, and 13 support separate evidence for communications security, confidentiality, terminal access, traffic data, location data, and marketing communications.


## Use this comparison to separate cookie, communications, and personal-data duties

Sorena can help convert the GDPR and ePrivacy distinctions on this page into cited scope decisions, consent records, cookie and marketing evidence, processor checks, and reassessment triggers.

- [Open Research Copilot for GDPR](/solutions/research-copilot.md): Ask source-linked questions about GDPR personal-data processing, ePrivacy terminal-access rules, consent records, and parallel evidence.
- [Talk through implementation](/contact.md): Review your cookie, communications, marketing, and personal-data workflows against the cited GDPR and ePrivacy sources.

## Primary sources

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR classification, lawful-basis, accountability, security, breach, DPIA, transfer, and enforcement steps in the workflow.
  - Quote: "be able to demonstrate compliance"
- [Directive 2002/58/EC (ePrivacy Directive), consolidated text](https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19/eng?ref=sorena.io) - Supports ePrivacy classification for communications confidentiality, terminal-equipment access, traffic data, location data, direct marketing, security, breach, and national implementation checks.
  - Quote: "electronic communications sector"

## Related Topic Guides

- [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
- [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
- [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
- [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
- [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
- [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
- [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
- [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
- [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
- [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
- [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
- [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
- [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
- [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
- [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
- [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
- [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
- [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
- [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
- [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
- [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
- [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
- [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
- [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
- [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
- [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
- [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
- [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
- [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
- [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
- [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
- [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
- [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
- [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
- [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
- [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
- [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
- [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
- [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.

---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy
