EDPB on the ePrivacy Directive and GDPR:

  • In situations where the ePrivacy Directive renders more specific the rules of the GDPR, the provisions of the ePrivacy Directive take precedence over the provisions of the GDPR. However, any processing of personal data which is not specifically governed by the ePrivacy Directive remains subject to the provisions of the GDPR.
  • Consent is the only legal basis for collecting and storing information of non-essential cookies in a user’s device if such cookie information contains personal data.
  • Electronic communications service providers who have notified a personal data breach in compliance with applicable national ePrivacy legislation are NOT required to separately notify data protection authorities of the same breach pursuant to Article 33 of the GDPR.
  • An infringement of the GDPR might also constitute an infringement of national ePrivacy rules. The data protection authority may take this factual finding as to an infringement of ePrivacy rules into consideration when applying the GDPR (e.g., when assessing compliance with the lawfulness or fairness principle under article 5(1)a GDPR)

Read the full opinion.