Can you please detail the Data Holder obligations around send notifications to customers when consent is created, withdrawn or expired?
In terms of informing the CDR consumer about their authorisations, a data holder is required to keep the consumer dashboard updated (Rule 4.27). Information that must be contained on the consumer dashboard includes details of the CDR consumer's authorisations (Rule 1.15)(b).
In addition to the rules, you may also want to consider what the CX Guidelines say about management of authorisations. See, e.g., page 108. But it is important to note that the CX Guidelines contain recommendations that SHOULD be followed, as well as mandatory requirements.