Annála
4notify Ireland · Iris Oifigiúil
OF RECORD · Data Protection Commission
Annal No
ANN-IE-005
Recorded
2026-05-27
Status
In force
Category
Privacy

Data Protection Commission, GDPR and ePrivacy consent: a consent framework for transactional and marketing delivery to Irish consumers

The Data Protection Commission (DPC) enforces the GDPR and the ePrivacy Regulations (S.I. No. 336 of 2011) in Ireland — and is the EU lead authority for many of the world's largest technology companies. Marketing by SMS or email requires consent; transactional delivery rests on contract. 4notify records the lawful basis and consent state at the API edge on every delivery.

EmailSMSWebhook
Preamble

Item 5 — Pursuant to the Data Protection Act 2018 (giving effect to the GDPR) and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, this Annal is recorded concerning consent management for electronic delivery.

Statutory Basis
Data Protection Act 2018 / GDPR

Lawful bases for processing personal data; the Data Protection Commission as supervisory authority.

S.I. No. 336 of 2011 (ePrivacy Regulations)

Consent for electronic marketing; the existing-customer soft opt-in for similar products and services.

GDPR Article 33 (breach notification)

Notification to the DPC within 72 hours; notification to data subjects where high risk.

Implementation
01

Lawful basis recorded per delivery

Every delivery envelope carries a GDPR lawful basis (consent, contract, legal obligation, legitimate interest); fixed in the template record.

02

ePrivacy consent / soft opt-in check

Marketing messages are checked for consent or a valid soft opt-in at envelope level; non-consented sends are blocked at the API edge.

03

Erasure within 30 days

Article 17 erasure requests propagate within 24 hours through 4notify; the suppression list updates across three operators and the email gateway.

04

72-hour breach notification webhook

Any envelope-level incident raises a webhook to the controller's DPO within 1 hour, supporting the DPC's 72-hour clock.

Delivery Envelope
json
{
  "event": "delivery.consent_envelope",
  "controller_id": "IE-CTRL-12345",
  "lawful_basis": "consent",
  "eprivacy_consent": {
    "consent_id": "CONSENT-2026-001234",
    "captured_at": "2025-09-14",
    "opt_out_link_present": true
  },
  "delivery": { "channel": "email", "template": "promo_v2" },
  "suppression_check": "passed"
}
Sample Message
EmailSubject: Your marketing preferences have been updated

Dear customer, Your marketing consent has been withdrawn as of today. You will no longer receive marketing emails, but transactional notifications (order confirmations, delivery alerts) will continue. For your other rights under the GDPR: [email protected].

Compliance Checklist
  • Data Protection Commission registration / DPO details current
  • Lawful basis fixed per template
  • ePrivacy consent or soft opt-in stored per marketing delivery
  • 72-hour breach notification webhook reachable
The 4notify difference

4notify is the only A2P provider that stores the ePrivacy consent state and GDPR lawful basis on every envelope, propagates erasure across three operators in under 24 hours, and raises a 72-hour DPC breach-notification webhook on any incident.

Frequently Asked Questions
Does the soft opt-in cover SMS marketing?

The existing-customer soft opt-in under the ePrivacy Regulations can cover SMS and email for similar products and services, where the customer was given an opt-out at the point of sale and on every message. 4notify enforces the opt-out path on every send.

What if the controller is not properly registered?

4notify blocks marketing delivery at the API edge until a valid lawful basis is provided; transactional delivery (contract basis) remains available.

Recorded by
4notify Operations Office
2026-05-27 · ANN-IE-005

Start for free

14 days, no card required. Weekday support in English.

Other Annals in This Edition