Summary statistics
Overlaps: 7 · Conflicts: 2 · Gaps: 2
11 article-level crossrefs catalogued between ePrivacy Directive and GDPR from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| GDPR Art 6 | ePrivacy Directive Art 5 | overlap | high | [entity affected: controller / provider of publicly available electronic communications service] Both regulations require a legal basis for processing, with ePrivacy specifically mandating consent for |
| GDPR Art 7 | ePrivacy Directive Art 9 | overlap | high | [entity affected: controller / service provider] Both regulations require that consent be freely given and can be withdrawn at any time, with ePrivacy adding specific requirements for location data pr |
| GDPR Art 5 | ePrivacy Directive Art 6 | overlap | high | [entity affected: controller / provider of public communications network] Both regulations impose data minimization and storage limitation principles, requiring data to be erased or anonymized when no |
| GDPR Art 24 | ePrivacy Directive Art 4 | overlap | high | [entity affected: controller / provider of publicly available electronic communications service] Both regulations require the implementation of appropriate technical and organizational measures to ens |
| GDPR Art 12 | ePrivacy Directive Art 9 | overlap | medium | [entity affected: controller / service provider] Both regulations require providing clear information to data subjects before obtaining consent, including the purposes and nature of the processing. |
| GDPR Art 17 | ePrivacy Directive Art 6 | overlap | high | [entity affected: controller / provider of public communications network] Both regulations mandate the erasure of data when it is no longer necessary for the purpose for which it was collected, such a |
| GDPR Art 21 | ePrivacy Directive Art 13 | overlap | high | [entity affected: controller / sender of electronic mail] Both regulations provide mechanisms for individuals to object to processing for direct marketing purposes, with ePrivacy requiring prior conse |
| GDPR Art 6 | ePrivacy Directive Art 13 | conflict | high | [entity affected: controller / natural or legal person] GDPR allows processing based on legitimate interests, whereas ePrivacy Art 13 restricts direct marketing via electronic means to prior consent o |
| GDPR Art 11 | ePrivacy Directive Art 5 | conflict | medium | [entity affected: controller / provider of publicly available electronic communications service] GDPR Art 11 allows processing without identifying the data subject if not required, while ePrivacy Art |
| GDPR Art ? | ePrivacy Directive Art ? | gap | medium | [entity affected: IoT device manufacturers] Neither regulation explicitly addresses the security obligations of IoT devices that do not provide electronic communications services but process personal |
| GDPR Art ? | ePrivacy Directive Art ? | gap | high | [entity affected: social media platforms] There is ambiguity regarding whether social media platforms acting as intermediaries for user-generated content fall under ePrivacy's 'electronic communicatio |
Conflicts explained
The 2 article-level conflicts between ePrivacy Directive and GDPR mean a control that satisfies one can pull the wrong way on the other:
- GDPR Art 6 vs ePrivacy Directive Art 13 — [entity affected: controller / natural or legal person] GDPR allows processing based on legitimate interests, whereas ePrivacy Art 13 restricts direct marketing via electronic means to prior consent or a specific soft-opt-in exception, creating a stricter standard than general GDPR legitimate interests.
- GDPR Art 11 vs ePrivacy Directive Art 5 — [entity affected: controller / provider of publicly available electronic communications service] GDPR Art 11 allows processing without identifying the data subject if not required, while ePrivacy Art 5 requires specific consent for accessing terminal equipment, implying a need to identify the user to validate consent.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between ePrivacy Directive and GDPR. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 7 overlaps as design opportunities — one control, two regulatory anchors. Treat the 2 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.