Summary statistics
Overlaps: 7 · Conflicts: 0 · Gaps: 2
9 article-level crossrefs catalogued between ePrivacy Directive and GDPR from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| GDPR Art 6 | ePrivacy Directive Art 5 | overlap | high | [entity affected: controller / provider of publicly available electronic communications service] Both regulations require a legal basis for processing, with ePrivacy specifically mandating consent for |
| GDPR Art 7 | ePrivacy Directive Art 9 | overlap | high | [entity affected: controller / service provider] Both regulations require that consent be freely given and can be withdrawn at any time, with ePrivacy adding specific requirements for location data pr |
| GDPR Art 5 | ePrivacy Directive Art 6 | overlap | high | [entity affected: controller / provider of public communications network] Both regulations impose data minimization and storage limitation principles, requiring data to be erased or anonymized when no |
| GDPR Art 24 | ePrivacy Directive Art 4 | overlap | high | [entity affected: controller / provider of publicly available electronic communications service] Both regulations require the implementation of appropriate technical and organizational measures to ens |
| GDPR Art 12 | ePrivacy Directive Art 9 | overlap | medium | [entity affected: controller / service provider] Both regulations require providing clear information to data subjects before obtaining consent, including the purposes and nature of the processing. |
| GDPR Art 17 | ePrivacy Directive Art 6 | overlap | high | [entity affected: controller / provider of public communications network] Both regulations mandate the erasure of data when it is no longer necessary for the purpose for which it was collected, such a |
| GDPR Art 21 | ePrivacy Directive Art 13 | overlap | high | [entity affected: controller / sender of electronic mail] Both regulations provide mechanisms for individuals to object to processing for direct marketing purposes, with ePrivacy requiring prior conse |
| GDPR Art ? | ePrivacy Directive Art ? | gap | medium | [entity affected: IoT device manufacturers] Neither regulation explicitly addresses the security obligations of IoT devices that do not provide electronic communications services but process personal |
| GDPR Art ? | ePrivacy Directive Art ? | gap | high | [entity affected: social media platforms] There is ambiguity regarding whether social media platforms acting as intermediaries for user-generated content fall under ePrivacy's 'electronic communicatio |
Overlaps explained
No conflict-type crossrefs were catalogued for this pair, but the 7 overlaps below mean a single control can be designed to satisfy both regulations at once. Plan the controls jointly to avoid duplicate effort:
- GDPR Art 6 vs ePrivacy Directive Art 5 (high severity) — [entity affected: controller / provider of publicly available electronic communications service] Both regulations require a legal basis for processing, with ePrivacy specifically mandating consent for storing or accessing information on terminal equipment, which aligns with GDPR's consent requirement.
- GDPR Art 7 vs ePrivacy Directive Art 9 (high severity) — [entity affected: controller / service provider] Both regulations require that consent be freely given and can be withdrawn at any time, with ePrivacy adding specific requirements for location data processing.
- GDPR Art 5 vs ePrivacy Directive Art 6 (high severity) — [entity affected: controller / provider of public communications network] Both regulations impose data minimization and storage limitation principles, requiring data to be erased or anonymized when no longer necessary for the specified purpose.
- GDPR Art 24 vs ePrivacy Directive Art 4 (high severity) — [entity affected: controller / provider of publicly available electronic communications service] Both regulations require the implementation of appropriate technical and organizational measures to ensure security and protect against unauthorized processing or breaches.
- GDPR Art 17 vs ePrivacy Directive Art 6 (high severity) — [entity affected: controller / provider of public communications network] Both regulations mandate the erasure of data when it is no longer necessary for the purpose for which it was collected, such as after transmission or billing periods.
- GDPR Art 21 vs ePrivacy Directive Art 13 (high severity) — [entity affected: controller / sender of electronic mail] Both regulations provide mechanisms for individuals to object to processing for direct marketing purposes, with ePrivacy requiring prior consent or an opt-out opportunity.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between ePrivacy Directive and GDPR. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 7 overlaps as design opportunities — one control, two regulatory anchors. Treat the 0 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.
Related Fontvera pages
- eprivacy vs nis2 comparison
- ai act art 17 provider obligations
- ai act art 70 commission obligations
- ai act authorized representative
Check your full compliance exposure with the 5-minute Fontvera diagnostic →