Guide 03 of 08 · Compliance
Available: SMS, Email, WhatsApp

GDPR & Greek HDPA: consent for marketing SMS, email and WhatsApp

The Hellenic Data Protection Authority (HDPA / ΑΠΔΠΧ) has issued fines of up to €9.25M against Greek companies for breaches of the marketing rules. The framework is clear: Article 11 of Law 3471/2006 requires consent before any marketing communication; the exception is soft opt-in for existing customers on related products. GDPR adds the obligation to prove consent and the right to withdraw at any time.

Problem

"We have a general checkbox at signup" is not enough. HDPA has ruled repeatedly that the checkbox must be channel-specific (SMS / email / call), name the precise purpose, and be paired with a visible privacy-policy link. Recording that the user clicked is also not enough — you need a timestamp + IP + the exact text that was shown.

Legal framework
GDPR Article 7 (proof of consent)

The controller must be able to prove consent. In practice: log with timestamp, IP, user agent and shown text.

Law 4624/2019 (Greek GDPR implementation)

Implements GDPR with Greek specifics for electronic communications; confirms HDPA enforcement role.

Law 3471/2006, Article 11 — soft opt-in

Existing customers may receive marketing for related products without explicit consent, provided each message includes easy unsubscribe.

11888 Register (Consumer Ombudsman)

Numbers on the register are excluded from commercial calls/SMS. Mandatory screening for cold outreach.

Architecture
01 · Per-channel double checkbox

On the signup form, separate checkboxes for "SMS communication", "email newsletter", "WhatsApp". Each checkbox keeps its own record.

02 · Consent ledger

Each opt-in is stored with timestamp, IP, user agent, hash of the displayed text and reference to the privacy policy in effect.

03 · Automatic unsubscribe link

Every marketing email embeds one-click List-Unsubscribe per RFC 8058. Every marketing SMS includes the "STOP" keyword. Withdrawal in under 30 seconds.

04 · 11888 register screening

Before each cold campaign, the recipient list is cross-checked against the 11888 register (API or daily dump). Listed numbers are dropped.

Code
```json
{
  "event": "consent.recorded",
  "subject_id": "user_8821",
  "channel": "sms",
  "purpose": "marketing.product_launches",
  "scope": "category:apparel",
  "captured_at": "2026-05-25T09:14:22Z",
  "ip": "85.74.12.221",
  "ua_hash": "9c2…d44",
  "text_hash": "sha256:6f1…a02",
  "policy_version": "v3.4-2026-04",
  "withdrawal_endpoint": "https://4notify.net/consent/withdraw/eyJ…"
}
```
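How a ledger entry like the one above can be produced and later checked, as an added example (not 4notify's own code). Assumptions: an in-memory append-only list as the ledger, NFC normalisation before hashing, a hypothetical `consent.withdrawn` event name, and no `withdrawal_endpoint` generation.

```python
import hashlib
import unicodedata
from datetime import datetime, timezone

def _sha256(text: str) -> str:
    # NFC-normalise first (assumption) so accented Greek text hashes the
    # same however the browser composed the characters.
    return hashlib.sha256(unicodedata.normalize("NFC", text).encode("utf-8")).hexdigest()

def record_consent(ledger, subject_id, channel, purpose, scope,
                   shown_text, ip, user_agent, policy_version, captured_at=None):
    """Append one channel-specific opt-in to the ledger and return it."""
    ts = captured_at or datetime.now(timezone.utc)
    entry = {
        "event": "consent.recorded",
        "subject_id": subject_id,
        "channel": channel,            # one record per channel, never "all"
        "purpose": purpose,
        "scope": scope,
        "captured_at": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "ua_hash": _sha256(user_agent),
        "text_hash": "sha256:" + _sha256(shown_text),
        "policy_version": policy_version,
    }
    ledger.append(entry)
    return entry

def record_withdrawal(ledger, subject_id, channel, purpose, captured_at=None):
    """Append a withdrawal; 'consent.withdrawn' is a hypothetical event name."""
    ts = captured_at or datetime.now(timezone.utc)
    entry = {"event": "consent.withdrawn", "subject_id": subject_id,
             "channel": channel, "purpose": purpose,
             "captured_at": ts.strftime("%Y-%m-%dT%H:%M:%SZ")}
    ledger.append(entry)
    return entry

def matches_shown_text(entry, candidate_text):
    """True if candidate_text is the wording the subject actually saw."""
    return entry["text_hash"] == "sha256:" + _sha256(candidate_text)

def may_send(ledger, subject_id, channel, purpose):
    """The latest event for this exact subject/channel/purpose decides."""
    allowed = False
    for e in ledger:  # append-only, so list order is chronological
        if (e["subject_id"], e["channel"], e["purpose"]) == (subject_id, channel, purpose):
            allowed = e["event"] == "consent.recorded"
    return allowed
```

Withdrawals are appended rather than deleting the opt-in, so the proof that consent existed at send time survives the withdrawal.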
Sample message
Email: Consent confirmation — YourBrand Newsletter

Welcome to the YourBrand Newsletter! We recorded your consent on 25/05/2026 at 09:14. You can withdraw it at any time: [unsubscribe one-click].

Before launch
  • Split checkboxes per channel on the signup form
  • Log timestamp + IP + UA + text hash on every opt-in
  • Embed RFC 8058 one-click unsubscribe in marketing emails
  • Publish privacy policy with date and version
  • Cross-check the 11888 register before every cold campaign
  • Appoint a DPO or controller contact
What 4notify does differently

Consent ledger built into the platform: every opt-in carries cryptographic proof, exportable to HDPA-ready CSV/PDF in one click.

FAQ
What fines does HDPA levy on SMS spam?

From €5,000 for an isolated incident up to €9.25M for repeated systemic breach (decision 26/2021). The size depends on volume and prior warnings.

How long is consent valid?

GDPR sets no specific duration. In practice, HDPA recommends review every 24 months or on material change of processing purposes.

Does soft opt-in apply to WhatsApp?

HDPA has not issued an explicit ruling. Conservative approach: explicit consent for WhatsApp marketing, soft opt-in restricted to transactional messages.
