20 March 2018
Factsheet on the key issues relating to the relationship between the proposed ePrivacy Regulation (ePR) and the General Data Protection Regulation (GDPR) 1.
Purpose & Introduction
As the ePrivacy Regulation aims to complement and particularise the GDPR, this factsheet outlines the GDPR provisions that are most likely to be relevant for the negotiations. It also contains an Annex with all the provisions referenced in this document. The GDPR will be applicable from 25 May 2018, replacing the existing Data Protection Directive (95/46/EC). In 99 Articles and 173 Recitals, it imposes detailed obligations on those that are processing personal data. 2. Definitions The GDPR applies to the processing of personal data. Personal data means any information relating to an identified or identifiable natural person (referred to as the ‘data subject’)—this is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data or an online identifier (Art. 4(1)). The GDPR states that such online identifiers may include IP addresses, cookie identifiers or other identifiers such as radio frequency identification tags, as all of these may leave traces which, particularly when combined with other information received by the servers, may be used to create profiles of the individuals and identify them (Recital 30). To work out whether a data subject is ‘identifiable’, account should be taken of ‘all the means reasonably likely to be used...either by the controller or by another person to identify the natural person directly or indirectly’, such as singling out. The GDPR does not apply to anonymous information, or to personal data which has been anonymised in such a way that the data subject is not or no longer identifiable (Recital 26). 1