PECR · ePrivacy · Direct marketing
Acompli's Communication Review reads the actual outbound message (DOCX, XLSX, PDF, HTML, EML, TXT, images via vision pass), scores it deterministically against weighted direct-marketing flags grounded in Ireland's S.I. 336/2011 (DPC) and the UK's PECR Regulation 22 (ICO Direct Marketing Guidance), and routes the result to a DPO-and-above review queue. AI screens, a human decides — never automated send or block.
PECR & ePrivacy answer
Yes. In Ireland, Regulation 13 of S.I. 336/2011 — the ePrivacy Regulations enforced by the Data Protection Commission (DPC) — requires consent before sending unsolicited electronic marketing to individual subscribers, unless the ‘existing customer’ exemption applies. The UK mirrors this under PECR Regulation 22, enforced by the ICO.
Both run alongside the GDPR: the ePrivacy rules govern the marketing send itself, while the GDPR governs the underlying data and lawful basis. So you need a consent or soft-opt-in record for the send and a lawful basis for the data — and the DPC has brought prosecutions for unlawful electronic marketing, so the evidence record is what defends it. Two regimes, two checks.
Key takeaways
A defensible pre-send review establishes intent (PECR Regulation 22 in the UK / Regulation 13 of S.I. 336/2011 in Ireland), recipient type, lawful basis, suppression-list status, unsubscribe and identification compliance, and where the evidence sits — all before the campaign goes out the door.
Regulation 22 (UK) and Regulation 13 of S.I. 336/2011 (Ireland) apply to individual subscribers, which includes sole traders and most partnerships. B2B email to named individuals at corporate subscribers typically relies on GDPR legitimate interests with a documented LIA and a clear right to object.
Both let you market similar products or services to existing customers without fresh consent — the UK's PECR soft opt-in and Ireland's ‘existing customer’ exemption under S.I. 336/2011 share the same four conditions. What buyers must document is how ‘similar’ and how recent each regulator will accept. Acompli records which regime (DPC or ICO) each message was assessed under.
The classifier is pure — deterministic scoring from weighted marketing flags, returning a recommended action. It does not persist a verdict, send, or block. A separate review service routes scored artifacts to a DPO-and-above queue where a person decides.
Ireland vs UK
Both regimes let you market similar products or services to existing customers without fresh consent, and both share the same four conditions: details obtained in a sale or sale negotiation, marketing of similar products or services, an easy opt-out at collection, and an easy opt-out in every message. What buyers must document is the regime name, the citation, and how each regulator interprets ‘similar’ and customer recency.
Acompli captures evidence of each condition against the reviewed message and records which regime (DPC or ICO) it was assessed under. Cross-border transfer questions raised by a campaign link to Transfer Impact Assessments.
The classifier is pure code grounded in Ireland's S.I. 336/2011 rules and the UK ICO's Direct Marketing Guidance — no persistence, no autonomous action. A separate review service routes the scored artifact and recommended action into a DPO-and-above queue.
Supports DOCX, XLSX, PDF, HTML, EML, TXT, and images via a vision pass — so scanned campaigns, screenshots, and multi-format mailers all go through the same evaluation, not just plain text.
Deterministic scoring against the Regulation 22 / S.I. 336/2011 taxonomy — direct-marketing indicators, suppression signals, identification and unsubscribe presence, soft opt-in / existing- customer evidence triggers. The score is reproducible; the classification is auditable.
The pure classifier returns a recommended action (approve, approve with conditions, escalate to DPO) and the contributing flags. It does not persist a verdict and does not send or block a campaign.
A separate review service routes the scored artifact and the recommended action into a review workflow. The workflow is gated by the same identity, legal-entity, and business-unit RBAC that gates the rest of the platform — only authorised reviewers can decide.
The reviewer's decision (and the reasoning) is written to the same immutable audit log that captures every other governance decision across the platform. PECR review work appears in the same estate rollup as DPIAs, RoPA, and risks.
The platform supports the review workflow; it does not interface with email-service-provider send queues to physically block a campaign. The DPO's decision is the control — operationalised through the campaign workflow your marketing team already runs.
On the shared spine
Communication Review runs on the same AI pipeline and prompt store as the rest of the platform, persists into the same org-scoped store, and the review workflow is gated by the same unified authentication, RBAC, and legal-entity scoping used across DSAR, RoPA, and assessments.
Same drafting and grounding engine and same governed prompt store that powers DPIA drafting and risk extraction. Prompts are versioned and role-gated.
The review queue is scoped by identity, legal entity, and business unit. A reviewer sees only the artifacts their scope permits — identical predicate to the rest of the platform.
Reviewer decisions land on the same immutable audit log as every other governance action — visible in the same reporting and analytics rollup as DPIAs, RoPA, and risks.
Legitimate-interests assessments and soft-opt-in / existing- customer condition evidence captured against a reviewed message become part of the campaign's record — citeable in any subsequent DPC or ICO query.
Buyer questions
Both. Regulation 13 of S.I. 336/2011 (DPC-enforced) governs the electronic-marketing send itself, while the GDPR governs the underlying data and its lawful basis — usually legitimate interests with a documented LIA for named B2B contacts. GDPR compliance does not satisfy the ePrivacy rules, and vice versa. Cross-border senders also weigh the UK position (PECR Regulation 22 plus UK GDPR).
Score them on: reading the actual outbound artefact, not policy text; mapping to BOTH PECR Regulation 22 (UK) and Regulation 13 of S.I. 336/2011 (Ireland); a human DPO in the loop with no autonomous send or block; an immutable audit log; and grounding in named guidance (ICO Direct Marketing Guidance, DPC electronic-marketing rules). Deterministic, reproducible scoring is auditable to a regulator; an automated legal verdict is not.
Per message: the direct-marketing classification (Regulation 22 / S.I. 336/2011 Reg 13), recipient type, the lawful basis or consent / soft-opt-in record relied on, suppression-list status, unsubscribe and sender- identification compliance, and where the LIA or consent evidence sits — all to an immutable audit log with the reviewer's determination and timestamp. That is the evidence pack the DPC (Ireland) or ICO (UK) expects if a complaint is investigated.
Tools that read the message, score it deterministically against weighted Regulation 22 / S.I. 336/2011 flags, return a recommended action, and route to a DPO-and-above human review queue — never an autonomous send or block. Acompli's Communication Review scores the artefact and routes it to an authorised reviewer who makes the legal call; the audit trail records both the score and the human determination.
Yes. In Ireland, Regulation 13 of S.I. 336/2011 (the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011), enforced by the Data Protection Commission (DPC), requires consent before sending unsolicited electronic marketing (email, SMS, automated calls) to individual subscribers, unless an 'existing customer' exemption applies. The UK mirrors this under PECR Regulation 22, enforced by the ICO. Both regimes run alongside the GDPR / UK GDPR: the ePrivacy rules govern the marketing send itself, while the GDPR governs the underlying personal data and lawful basis. So you need a documented consent or soft-opt-in record for the send and a lawful basis for the data. The DPC has brought prosecutions for unlawful electronic marketing, so the evidence record is what defends the send.
A defensible pre-send review establishes whether each communication is direct marketing (PECR Regulation 22 in the UK / Regulation 13 of S.I. 336/2011 in Ireland), whether the recipient is an individual or corporate subscriber, what lawful basis or consent record supports the send, whether the suppression list is respected, whether unsubscribe and sender-identification requirements are met, and where the evidence of consent or LIA sits. Acompli's communication-review surface takes the actual message (DOCX, XLSX, PDF, HTML, EML, TXT, images via vision pass) and grades it against weighted marketing flags grounded in ICO Direct Marketing Guidance and the DPC's electronic-marketing rules, returning a deterministic risk score and a recommended action to a DPO-and-above review queue. AI screens, a human decides — never an autonomous send or block.
Both Ireland and the UK let you market similar products or services to existing customers without fresh consent — the UK calls it the PECR Regulation 22 soft opt-in, Ireland the 'existing customer' exemption under Regulation 13 of S.I. 336/2011. The shared conditions are the same four: the contact's details were obtained in the course of a sale or negotiation for a sale, the marketing is of similar products or services, an easy opt-out was offered at collection, and an easy opt-out is offered in every subsequent message. The practical differences buyers must document include how 'similar' is interpreted and the recency of the customer relationship each regulator will accept. Acompli captures evidence of each condition against the reviewed message and records which regime (DPC or ICO) it was assessed under.
Both. In Ireland, Regulation 13 of S.I. 336/2011 (DPC-enforced) governs the electronic-marketing send itself, while the GDPR governs the underlying personal data and its lawful basis — usually legitimate interests with a documented LIA for named B2B contacts. GDPR compliance does not satisfy the ePrivacy rules, and vice versa: a B2B email can have a valid lawful basis under the GDPR yet still breach the marketing-consent rules. Cross-border senders must also consider the UK position (PECR Regulation 22 plus UK GDPR). In practice, document both the ePrivacy basis for the send and the GDPR basis for the data, against each message.
PECR Regulation 22's consent rules (UK), and Regulation 13 of S.I. 336/2011 (Ireland), apply to electronic mail sent to individual subscribers — which includes sole traders and most partnerships. Corporate subscribers (incorporated companies, public bodies) are not covered by the email-consent rules, but the GDPR / UK GDPR still applies to any personal data being processed (a named contact's business email is personal data). In practice this means B2B email to named individuals at corporate subscribers usually relies on legitimate interests with a documented LIA, plus a clear right to object — and the soft opt-in / existing-customer pathway is not available unless the contact is an individual subscriber who bought or negotiated for a similar product or service.
Score the tools on whether they read the actual outbound artefact (DOCX, XLSX, PDF, HTML, EML) rather than policy text; whether they map to BOTH PECR Regulation 22 (UK) and Regulation 13 of S.I. 336/2011 (Ireland); whether a human DPO stays in the decision loop with no autonomous send or block; whether every determination is written to an immutable audit log; and whether the classification is grounded in named guidance (ICO Direct Marketing Guidance, DPC electronic-marketing rules). A tool that returns a deterministic, reproducible score with the contributing flags is auditable to a regulator; one that asserts an automated legal verdict is not. Acompli's Communication Review is built to the auditable model.
A defensible log should capture, per message: the direct-marketing intent classification (PECR Regulation 22 / S.I. 336/2011 Regulation 13), the recipient type (individual vs corporate subscriber), the lawful basis or consent / soft-opt-in record relied on, suppression-list status, unsubscribe and sender-identification compliance, and where the LIA or consent evidence sits — all written to an immutable audit log with the reviewer's determination and a timestamp. That is the evidence pack the DPC (Ireland) or ICO (UK) expects to see if a marketing complaint is investigated. Acompli writes this determination to the same audit log as every other governance decision across the platform.
Look for tools that read the actual message, score it deterministically against weighted Regulation 22 / S.I. 336/2011 marketing flags, return a recommended action, and route to a DPO-and-above human review queue — never an autonomous send or block. Acompli's Communication Review is one such tool: a pure classifier grounded in ICO Direct Marketing Guidance and the DPC's electronic-marketing rules scores the artefact, and a separate review service routes it to an authorised reviewer who makes the legal call. The audit trail records both the score and the human determination, so the control is evidenced rather than asserted.
Acompli's PECR / ePrivacy classifier is pure — it scores the artifact deterministically from weighted marketing flags and returns a recommended action. It does not persist a verdict, send a message, or block a campaign. A separate review service routes the scored artifact and recommendation into a DPO-and-above review workflow where a person decides. The classification is anchored in published ICO Direct Marketing Guidance and the DPC's electronic-marketing rules, the determination is the reviewer's, and the audit trail records both.
Eine belastbare Prüfung klärt vor dem Versand: handelt es sich um Direktwerbung; ist der Empfänger ein individueller oder ein gewerblicher Abonnent; auf welcher Rechtsgrundlage oder welchem Einwilligungsnachweis beruht der Versand; ist die Sperrliste eingehalten; sind Abmelde- und Identifikationspflichten erfüllt; wo liegt der Nachweis von Einwilligung oder berechtigtem Interesse. Die Kommunikationsprüfung von Acompli liest die tatsächliche Nachricht (DOCX, XLSX, PDF, HTML, EML, TXT, Bilder per Vision-Pass) und bewertet sie deterministisch nach gewichteten Marketing-Indikatoren, verankert in den ICO-Direct-Marketing-Leitlinien. Das Ergebnis und eine Handlungsempfehlung gehen an eine DSB-Prüf-Queue zur menschlichen Entscheidung — keine automatisierte Sendung oder Blockierung.
Die Einwilligungsregeln von PECR Regulation 22 gelten für elektronische Post an individuelle Abonnenten — darunter Einzelkaufleute und die meisten Personengesellschaften nach PECR-Definition. Gewerbliche Abonnenten (eingetragene Unternehmen, öffentliche Stellen) sind von den Einwilligungsregeln zur E-Mail in Regulation 22 nicht erfasst, jedoch gilt die UK-DSGVO weiterhin für die Verarbeitung personenbezogener Daten (eine geschäftliche E-Mail einer benannten Person ist personenbezogen). In der Praxis stützt sich B2B-E-Mail an benannte Personen bei gewerblichen Abonnenten meist auf berechtigte Interessen unter UK-DSGVO mit dokumentierter Interessenabwägung sowie einem klaren Widerspruchsrecht.
Bewerten Sie Tools danach, ob sie das tatsächliche ausgehende Artefakt (DOCX, XLSX, PDF, HTML, EML) lesen statt nur Richtlinientext; ob sie sowohl PECR Regulation 22 (UK) als auch Regulation 13 von S.I. 336/2011 (Irland) abdecken; ob ein menschlicher Datenschutzbeauftragter (DSB) in der Entscheidungsschleife bleibt — ohne automatischen Versand oder Sperrung; ob jede Entscheidung in ein unveränderliches Audit-Log geschrieben wird; und ob die Klassifikation in benannten Leitlinien (ICO Direct Marketing Guidance, DPC-Regeln zur elektronischen Direktwerbung) verankert ist. Für deutsche Sender sind zusätzlich §7 UWG (unzumutbare Belästigung) sowie das TDDDG (vormals TTDSG) relevant; die DSK-Hinweise und LfDI-Veröffentlichungen zur Direktwerbung benennen die erwarteten Nachweise. Acomplis Communication Review ist für dieses auditierbare Modell gebaut.
Ein belastbares Protokoll erfasst pro Nachricht: die Klassifikation der Direktwerbe-Absicht (PECR Regulation 22 / S.I. 336/2011 Regulation 13 / §7 UWG für DE), den Empfängertyp (individueller oder gewerblicher Abonnent), die Rechtsgrundlage oder den Einwilligungs- bzw. Soft-Opt-In-Nachweis, den Status der Sperrliste, die Erfüllung der Abmelde- und Absender-Identifikationspflichten sowie den Speicherort des Nachweises der Interessenabwägung oder Einwilligung — alles in einem unveränderlichen Audit-Log mit Prüferentscheidung und Zeitstempel. Das ist die Beweiskette, die DPC (Irland), ICO (UK) oder die zuständige deutsche Aufsichtsbehörde (LfDI/DSK) bei einer Beschwerdeprüfung erwarten. Acompli schreibt diese Entscheidung in dasselbe Audit-Log wie jede andere Governance-Entscheidung der Plattform.
Die Schutzziele sind in allen drei Regimen ähnlich, die Mechanik unterscheidet sich aber: In Deutschland regelt §7 UWG die unzumutbare Belästigung und verlangt für E-Mail-Werbung Einwilligung (mit der engen Bestandskunden-Ausnahme nach §7 Abs. 3 UWG); das TDDDG ergänzt für Cookies und Endeinrichtungen die ePrivacy-Anforderungen. In Irland verlangt Regulation 13 von S.I. 336/2011 (vollzogen durch die DPC) Einwilligung mit der 'existing customer'-Ausnahme. Im UK gilt PECR Regulation 22 mit dem Soft-Opt-In, vollzogen durch die ICO. Wer in alle drei Märkte versendet, muss die strengste der drei Regelungen für jede Nachricht abbilden — Acompli protokolliert pro Nachricht, gegen welches Regime geprüft wurde.
Un examen défendable établit avant l'envoi : s'agit-il de prospection directe (Regulation 22 PECR) ; le destinataire est-il un abonné individuel ou professionnel ; quelle base légale ou preuve de consentement soutient l'envoi ; la liste de suppression est-elle respectée ; les obligations de désabonnement et d'identification sont-elles remplies ; où se trouve la preuve de consentement ou la balance d'intérêts. La revue de communications d'Acompli lit le message réel (DOCX, XLSX, PDF, HTML, EML, TXT, images via passage vision) et le note de manière déterministe selon des signaux pondérés ancrés dans le Direct Marketing Guidance de l'ICO. Le score et une recommandation d'action sont routés vers une file de revue DPO pour décision humaine — jamais d'envoi ou de blocage automatique.
Les règles de consentement de la Regulation 22 PECR s'appliquent aux e-mails envoyés à des abonnés individuels — ce qui inclut les entrepreneurs individuels et la plupart des sociétés de personnes selon la définition PECR. Les abonnés professionnels (sociétés enregistrées, organismes publics) ne sont pas couverts par les règles de consentement de la Regulation 22 pour l'e-mail, mais le RGPD britannique s'applique toujours aux données personnelles traitées (l'e-mail professionnel d'un contact nommé constitue une donnée personnelle). En pratique, le marketing B2B par e-mail vers des personnes nommées s'appuie généralement sur l'intérêt légitime sous RGPD britannique avec une balance d'intérêts documentée et un droit d'opposition clair.
Évaluez les outils selon : leur capacité à lire l'artefact réel envoyé (DOCX, XLSX, PDF, HTML, EML) plutôt qu'un texte de politique ; la couverture des deux régimes — PECR Regulation 22 (UK) et Regulation 13 de S.I. 336/2011 (Irlande) — ainsi que de la LCEN (article L.34-5 du Code des postes et des communications électroniques) en France ; le maintien d'un DPO humain dans la boucle de décision sans envoi ou blocage automatique ; l'inscription de chaque décision dans un journal d'audit immuable ; et l'ancrage de la classification dans des lignes directrices nommées (Direct Marketing Guidance de l'ICO, règles de la DPC sur le marketing électronique, recommandations de la CNIL sur la prospection). Communication Review d'Acompli est construit sur ce modèle auditable.
Un journal défendable consigne par message : la classification d'intention de prospection (PECR Regulation 22 / S.I. 336/2011 Regulation 13 / article L.34-5 CPCE), le type de destinataire (abonné individuel ou professionnel), la base légale ou la preuve de consentement / soft opt-in, le respect de la liste de suppression, la conformité du désabonnement et de l'identification de l'expéditeur, et l'emplacement de la preuve de l'analyse d'intérêt légitime ou du consentement — le tout dans un journal d'audit immuable avec la décision du relecteur et un horodatage. C'est le dossier de preuves que la CNIL (France), la DPC (Irlande) ou l'ICO (UK) attend en cas d'enquête sur une plainte.
Les trois régimes convergent sur le principe — opt-in préalable pour la prospection par e-mail vers les particuliers — mais divergent sur les modalités. En France, l'article L34-5 CPCE (issu de la LCEN) impose le consentement préalable pour la prospection directe par e-mail vers les personnes physiques, avec une exception pour les produits ou services analogues fournis par la même personne, sanctionné par la CNIL. En Irlande, Regulation 13 de S.I. 336/2011 reprend la même logique avec l'exemption 'client existant', sanctionnée par la DPC. Au Royaume-Uni, PECR Regulation 22 prévoit le soft opt-in, sanctionné par l'ICO. Pour le B2B, la France maintient une approche opt-out plus large que l'Irlande ou le Royaume-Uni. Un expéditeur multi-juridictions doit appliquer la règle la plus stricte par message — Acompli enregistre, par message, le régime sous lequel il a été évalué.
Een verdedigbare beoordeling vóór verzending stelt vast: is dit direct marketing; is de ontvanger een individuele of zakelijke abonnee; welke rechtsgrondslag of toestemmingsregistratie onderbouwt de verzending; is de suppressielijst gerespecteerd; zijn afmeld- en identificatieverplichtingen vervuld; waar zit het bewijs van toestemming of belangenafweging. Acompli's communicatiebeoordeling leest het feitelijke bericht (DOCX, XLSX, PDF, HTML, EML, TXT, afbeeldingen via visie) en scoort het deterministisch volgens gewogen marketing-indicatoren, verankerd in ICO Direct Marketing Guidance. De score en aanbevolen actie gaan naar een FG-beoordelingsrij voor menselijke beslissing — geen geautomatiseerde verzending of blokkering.
Een verdedigbaar log legt per bericht vast: de classificatie van direct-marketing-intentie (PECR Regulation 22 in het VK / Regulation 13 van S.I. 336/2011 in Ierland / artikel 11.7 Telecommunicatiewet in Nederland), het ontvangertype (individueel of zakelijke abonnee), de rechtsgrondslag of het toestemmings- of soft-opt-in-bewijs, de status van de suppressielijst, naleving van afmelden en afzenderidentificatie, en waar het bewijs van het gerechtvaardigd belang of de toestemming zich bevindt — alles in een onveranderlijk auditlog met de beslissing van de beoordelaar en een tijdstempel. Dat is het bewijspakket dat de Autoriteit Persoonsgegevens (AP) in Nederland, de DPC in Ierland of de ICO in het VK verwacht bij een klachtonderzoek.
Beoordeel tools op de volgende criteria: lezen ze het feitelijke uitgaande artefact (DOCX, XLSX, PDF, HTML, EML) en niet alleen beleidstekst; dekken ze zowel artikel 11.7 van de Telecommunicatiewet (Nederland, ACM- en AP-toezicht) als PECR Regulation 22 (Verenigd Koninkrijk, ICO) en Regulation 13 van S.I. 336/2011 (Ierland, DPC); blijft een FG in de beslissingsloop zonder autonome verzending of blokkering; wordt elke beslissing in een onveranderlijk auditlog vastgelegd; en is de classificatie verankerd in benoemde richtsnoeren (AP-richtsnoeren over direct marketing, ICO Direct Marketing Guidance). Een deterministische, reproduceerbare score met de bijdragende indicatoren is auditeerbaar voor een toezichthouder; een geautomatiseerd juridisch oordeel is dat niet.
Regulatory signals
Selected GDPR, PECR, and ePrivacy news from acompli.ie — ICO and DPC enforcement, ePrivacy Regulation progress, cookie-and-consent guidance, and direct-marketing rulings.
The third annual ENISA NIS360 assessment reveals that while cybersecurity maturity is improving across EU critical sectors, seven sectors - including health, public administration, and water - remain in a risk zone where their importance to society exceeds their cyber readiness.
Read update →The European Data Protection Board has published the first EU-wide harmonized template for Data Protection Impact Assessments, aiming to replace the patchwork of national formats and bring consistency to one of the GDPR's most important compliance tools.
Read update →European data protection authorities imposed €68.18 million in GDPR fines in the first quarter of 2026 - nearly five times the €13.8 million recorded in Q1 2025 - with France and the United Kingdom accounting for 94% of the total.
Read update →AI-screened, DPC/ICO-grounded, human-approved review of outbound direct marketing — landing on the same audit log as every other governance decision.
