Chapter 03 of 08 · Compliance

GDPR consent for marketing SMS: ÚOOÚ, ZoZOÚ and § 7 ZSO done right

Consent for commercial messages (Art. 6(1)(a) GDPR + § 7 of Act 480/2004) is the single most audited control point in the Czech Republic by the Office for Personal Data Protection (ÚOOÚ). Fines for insufficient records reach 10M CZK or 2% of turnover. 4notify keeps a structured trace per contact: when, what form, which IP, which wording version; an inspector-ready export is one click away.

Problem

“We had it in the registration terms” doesn't fly with ÚOOÚ. The inspector wants a timestamped log, the checkbox wording and proof that the opt-in box was unchecked by default (Gmail-style). Without that log, you land in the top fine bracket automatically.

Legal framework
Regulation (EU) 2016/679 (GDPR), Art. 7

Consent must be freely given, specific, informed and unambiguous. The burden of proof lies with the controller — 4notify shoulders it for you.

Act No. 110/2019 Coll. (ZpZOÚ)

Czech GDPR implementing act; § 11 sets the age of consent for information-society services at 15 (lower than GDPR's default 16).

§ 7 of Act No. 480/2004 Coll. (ZSO)

Prior consent required for commercial messages, except for existing business relationships (a contract for a similar product in the last 12 months).

§ 11(1) of Act No. 480/2004 Coll.

Up to 10,000,000 CZK fine for sending without consent; ÚOOÚ stacks it per recipient count.

Architecture
01 · Structured consent record

Each record contains: hashed IP, user-agent, UTC timestamp, form identifier, wording version and checksum of the original text. The inspector gets a CSV export.

02 · Opt-out via three channels

STOP via SMS, one-click List-Unsubscribe-Post for email and a button in the customer profile — all three immediately synced through our central preference center.

03 · Retention and anonymisation

After 24 months from the last contact we automatically pseudonymise the address; after another 12 months we delete completely unless a legal reason exists (e.g. accounting records).

04 · Breach reporting to ÚOOÚ within 72 hours

If an incident occurs, 4notify prepares a pre-filled form with all technical data and the data-box submission flow to ÚOOÚ.

Code
```json
{
  "contact_id": "cust_2026_018473",
  "consent": {
    "channel": "sms",
    "given_at": "2026-05-08T14:32:11Z",
    "ip_hash": "sha256:b21a4...",
    "user_agent": "Mozilla/5.0 (...)",
    "form_id": "registration_v3",
    "wording_version": "cs-2026-04-01",
    "checksum": "sha256:c0ff33...",
    "method": "opt-in-double",
    "withdrawn_at": null
  }
}
```
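The consent record shown above, as an added example that is not 4notify's code: it builds a record with a salted IP hash and a checksum bound to the versioned wording text, verifies a record against the wording registry (unknown version, altered text, withdrawn consent), and flattens records into the CSV export described under Architecture. The wording registry, the salt and the sample values are assumptions.

```python
import csv
import hashlib
import io
from datetime import datetime, timezone

# Constructed wording registry: version -> exact checkbox text shown to the user.
WORDINGS = {"cs-2026-04-01": "Souhlasím se zasíláním obchodních sdělení od YourBrand."}
IP_SALT = b"per-tenant-secret-salt"  # assumption: secret salt, so hashes cannot be brute-forced from the IP space
FIELDS = ["contact_id", "channel", "given_at", "ip_hash", "user_agent",
          "form_id", "wording_version", "checksum", "method", "withdrawn_at"]

def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def build_record(contact_id, ip, user_agent, form_id, wording_version, now=None):
    """Create a consent record; the raw IP is never stored, only its salted hash."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"contact_id": contact_id, "consent": {
        "channel": "sms",
        "given_at": ts,
        "ip_hash": sha256_hex(IP_SALT + ip.encode()),
        "user_agent": user_agent,
        "form_id": form_id,
        "wording_version": wording_version,
        # The checksum binds the record to the exact text the user saw at that time.
        "checksum": sha256_hex(WORDINGS[wording_version].encode("utf-8")),
        "method": "opt-in-double",
        "withdrawn_at": None}}

def verify_record(record):
    """Return (ok, reason): the wording version must be registered, its text must
    hash to the stored checksum, and consent must not have been withdrawn."""
    c = record["consent"]
    text = WORDINGS.get(c["wording_version"])
    if text is None:
        return False, "unknown wording version"
    if sha256_hex(text.encode("utf-8")) != c["checksum"]:
        return False, "wording checksum mismatch"
    if c["withdrawn_at"] is not None:
        return False, "consent withdrawn"
    return True, "valid"

def export_csv(records):
    # Inspector-ready flat export: one row per contact, all consent fields.
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    for r in records:
        w.writerow({"contact_id": r["contact_id"], **r["consent"]})
    return buf.getvalue()
```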
Sample message

Email · Subject: Please confirm your subscription to YourBrand updates

Hello, thanks for your interest. To confirm your newsletter subscription, please click the link below. If this request isn't from you, simply ignore — no message goes out without your click.

Before launch
  • Implement double opt-in for new contacts
  • Version the checkbox wording (every change = new version)
  • Activate the central preference center
  • Regular retention audit (90-day cycle)
  • Download the processor DPA template (4notify)
  • Enable notification for suspicious opt-out spikes (drift detection)

What 4notify does differently

ÚOOÚ inspection readiness in one click — structured export of consent records, wording versions, hashed IPs and checksums.

FAQ
Can we send transactional SMS without consent?

Yes. Transactional messages (order confirmations, OTP, delivery) rely on contract performance (Art. 6(1)(b) GDPR) and don't need marketing opt-in. STOP opt-out must still work.

What if consent has expired and we want to re-engage?

We recommend a re-engagement email asking to renew consent, not SMS. Re-engagement without consent is a breach, and ÚOOÚ does issue fines for it in practice.

How long to keep opt-out records?

We recommend at least 4 years (statute of limitations on enforcement), but pseudonymised. You retain proof that a valid opt-out request was honoured.
