The European Data Protection Board (EDPB) adopted an opinion on 12 March 2019 on the interplay between the ePrivacy Directive and the General Data Protection Regulation (GDPR). The opinion addresses whether the fact that the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive limits the competences, tasks and powers of data protection authorities under the GDPR. The EDPB opines that data protection authorities are competent to enforce the GDPR. The fact that a subset of the processing falls within the scope of the ePrivacy Directive does not limit the competence of data protection authorities under the GDPR.
An infringement of the GDPR may at the same time constitute an infringement of national ePrivacy rules. Supervisory authorities may take this into consideration when applying the GDPR (e.g. when assessing compliance with the lawfulness or fairness principles).
According to the opinion, a number of provisions of the ePrivacy Directive “particularise” (i.e. render more specific) the provisions of the GDPR with respect to the processing of personal data in the electronic communication sector. In situations where the ePrivacy Directive “particularises” the rules of the GDPR, the (specific) provisions of the ePrivacy Directive must, as “lex specialis”, take precedence over the (more general) provisions of the GDPR. However, any processing of personal data which is not specifically governed by the ePrivacy Directive (or for which the ePrivacy Directive does not contain a special rule) remains subject to the provisions of the GDPR.