GDPR : Article 95 - Relationship with Directive 2002/58/EC

by Sneha Naskar

The General Data Protection Regulation (GDPR) has emerged as a pivotal legal framework in the world of data protection. Its primary objectives include harmonizing data privacy laws across the European Union (EU) and empowering individuals with greater control over their personal data. In this comprehensive blog post, we will delve deep into Article 95 of the GDPR, shedding light on its significance and exploring its implications within the context of Directive 2002/58/EC, widely known as the ePrivacy Directive.

Understanding Art. 95 GDPR

Article 95 of the GDPR plays a crucial role in addressing the intricate relationship between the GDPR and Directive 2002/58/EC. To fully grasp its implications, it is essential to break down the provisions and principles embedded within Article 95.

  • Legal Coherence

Article 95 GDPR is grounded in the fundamental principle of legal coherence. It underscores the imperative need for consistency and harmonization between the GDPR and Directive 2002/58/EC. This legal coherence ensures that data protection laws within the EU remain synchronized, thereby preventing any potential confusion or conflicts stemming from the simultaneous application of both regulations.

  • Transitory Provisions

One of the primary objectives of Art. 95 GDPR is to provide transitory provisions to facilitate a seamless transition from the ePrivacy Directive to the GDPR. It explicitly specifies that Directive 2002/58/EC will remain in force until replaced or repealed by new ePrivacy legislation.

  • Compatibility

Article 95 of GDPR establishes the foundation for the coexistence of both regulations. It stipulates that when processing personal data falls within the purview of both the GDPR and Directive 2002/58/EC, the stricter of the two provisions must be applied. This ensures that the more stringent data protection standards always prevail, effectively safeguarding individuals' privacy rights.

Implications of Art. 95 GDPR

Now that we have a comprehensive understanding of Article 95 GDPR let's delve into its implications, especially within the context of Directive 2002/58/EC, which primarily addresses electronic communications and privacy.

  • Data Protection in Electronic Communications

Directive 2002/58/EC, often referred to as the ePrivacy Directive focuses on the protection of privacy and personal data in electronic communications. It governs issues such as the use of cookies, consent for electronic marketing, and the confidentiality of communications.

Art. 95 GDPR reinforces these ePrivacy principles by ensuring that the GDPR's core tenets, such as the requirement for explicit consent for data processing and the right to be forgotten, take precedence over any conflicting provisions in the ePrivacy Directive. This means that even within the realm of electronic communications, the fundamental rights and principles of the GDPR must always be upheld.

  • Cookies and Consent

One of the most tangible implications of Art. 95 GDPR in the context of Directive 2002/58/EC relates to cookies and online tracking. The ePrivacy Directive addresses the use of cookies, mandating that website operators obtain informed consent from users before storing or accessing information on their devices.

Art. 95 GDPR bolsters these requirements by ensuring that consent under the GDPR's stringent standards must be actively sought. This makes it more challenging for companies to rely on implied or vague consent, significantly enhancing user privacy. Individuals gain more control over the data collected through cookies, aligning with the GDPR's overarching theme of transparency and individual control over personal data.

  • Marketing and Spam

The ePrivacy Directive imposes stringent regulations concerning unsolicited electronic communications (spam) and direct marketing. It mandates that individuals must explicitly opt-in to receive such communications, and they should have the option to opt-out easily.

Art. 95 GDPR further strengthens these provisions by emphasizing the importance of clear and unambiguous consent for marketing activities. This alignment with the GDPR's principles ensures that individuals have ultimate control over their data and can withdraw their consent at any time, thereby reinforcing their data protection rights.

  • Confidentiality of Communications

Directive 2002/58/EC also safeguards the confidentiality of electronic communications. It prohibits the interception and surveillance of communications without the explicit consent of the parties involved, except in limited circumstances.

Art. 95 GDPR reinforces these principles by ensuring that the GDPR's stringent rules regarding data security and breach notification apply to electronic communications as well. This enhanced protection of individual privacy and personal data in the digital realm is vital in today's interconnected world.

Challenges and Future Developments

While Art. 95 GDPR serves to harmonize data protection laws and reinforce privacy rights, it also presents certain challenges and prompts further developments:

  • Evolving Technology

As technology continues to advance at an unprecedented pace, the relationship between the GDPR and Directive 2002/58/EC may require further adjustments. Emerging forms of communication and data processing may necessitate amendments to ensure that both regulations remain effective in safeguarding privacy in the digital age.

  • Upcoming ePrivacy Regulation

The EU has been diligently working on a new ePrivacy Regulation intended to replace Directive 2002/58/EC. This new regulation is expected to provide a more contemporary and comprehensive framework for data protection in electronic communications. In this context, Article 95 of GDPR will likely play a crucial role in ensuring the coherence and compatibility of the ePrivacy Regulation with the GDPR.

  • Enforcement and Compliance

Enforcing the principles outlined in Article 95, GDPR can be challenging, especially for businesses operating across multiple EU member states. Ensuring compliance with both the GDPR and Directive 2002/58/EC requires a deep understanding of the overlapping provisions and a diligent commitment to robust data protection practices.


Article 95 of the GDPR stands as a vital bridge between the GDPR and Directive 2002/58/EC, promoting legal coherence and harmonization in the domain of data protection, particularly in electronic communications. Its implications are far-reaching, ensuring that the GDPR's stringent data protection standards always take precedence in cases of overlap with the ePrivacy Directive.

As technology continues to advance and legislative developments unfold, the role of Art. 95 GDPR remains pivotal in maintaining a robust framework for data protection in the European Union. Businesses, as well as individuals, must navigate these regulations conscientiously to uphold privacy rights and foster a secure and trustworthy digital environment. In doing so, we collectively work towards achieving the core objectives of the GDPR - safeguarding privacy and empowering individuals in the digital age.