The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area.


Where our customers are sending SMS messages, SMSPortal are defined as Data Processors by GDPR and you, our customers, are Data Controllers. SMSPortal does not sell data services whatsoever and you cannot buy customer databases or customer information from us, nor will we ever provide these services. Our platform merely communicates to the Mobile Network Operators using the customer data and the message copy that you provide us. Hence, you as our customer control the data which you use on our platform, making you the Data Controller.

As a Data Processor, SMSPortal’s requirements for GDPR focus on the manner in which we store the data you process through us, along with the security and control of this data. SMSPortal’s hosting partner provides us with a fully GDPR compliant datacentre solution including the necessary firewalling, networking, physical access control and data destruction requirements.

The second facet of GDPR resides with you, the business/service provider communicating to your customers. Should you not have assessed yourself up to this point, there is a simple (non-legal) document that can assist with this by clicking here.


SMSPortal allow you to create either permanent or temporary groups. Temporary groups are a great way to ensure that your customer data is automatically removed after 24 hours on our platform.
If you are making use of permanent groups, take the time to delete unnecessary groups as often as possible.

Phishing is still the number one source of customer data breaches. Be exceptionally cautious of links emailed to you masquerading as SMSPortal. Check the URL that you are logging into, to be certain that you haven’t been redirected to a website that is attempting to gain your credentials. Giving someone access to your customer information due to phishing, circumvents all of SMSPortal's security. Take exceptional care of your username and password.

One of the core GDPR principals is called the Principal of Least Possible Privilege. If you are sending your customer messages with no personalisation, only upload the contact numbers. The less personal information you upload on to our platform, the better. If you are uploading sensitive customer information, which is required for the processing of your messages, take care to make the group temporary or delete it once you are satisfied that the send is complete.

Take care to understand the implications of the required consent, including those around the consent of minors.

Changes to SMSPortal

For some time, we have allowed users to manipulate the Sender ID field. This meant that our European customers, where the local Mobile Operators supported Alpha Numeric Sender manipulation, could change the displayed sender name to something of their choosing. By way of example, you were able to change this source address to “ABCSHOES”. While this is a great way to allow your customers to know from whom the message has originated, it is susceptible to widespread fraud.

Further to this, and specific to GDPR and the consent of customers, it also meant that users could not reply to these messages. ABCSHOES is naturally not a valid contact number, and once an SMS message arrives on a handset, there is no hidden reply source address behind this Sender ID field. Customers attempting to reply to one of these messages would simply have the reply fail.

This means customers replying to one of these addresses would be unable to send you an opt-out too. If they wished to send you a STOP as they no longer wished to receive these messages, they would be unable to do so. Further to this, since there were no restrictions on what you could put in this Sender ID field, they may have no way of knowing from whom these messages originate.
To ensure that customers can reply to your messages, and hence opt-out should they wish to do so, we have discontinued the ability to manipulate the Sender ID field. GDPR carries some draconian fines of up to twenty million Euros. We want to ensure our customers can manage consent accurately, and hence we have enforced reply capable routes in these territories and removed this functionality.

Should you require further information or clarity, please feel free to reach out to us.