Anchors Maltese implementation of the GDPR and grants supervisory powers to the IDPC.
IDPC, Data Protection Act and consent: lawful-basis framework for transactional and marketing delivery in Malta
The Information and Data Protection Commissioner (IDPC) supervises Maltese implementation of the GDPR through the Data Protection Act (Cap. 586) and the Processing of Personal Data (Electronic Communications Sector) Regulations (S.L. 586.01). Marketing communications require consent; transactional traffic requires a valid lawful basis. 4notify records the lawful basis on every envelope and verifies consent at the API edge before each send.
Article 1. — By the Grace of the Order, and pursuant to the Data Protection Act (Cap. 586) of the Laws of Malta, Subsidiary Legislation 586.01 on electronic communications and Regulation (EU) 2016/679 (GDPR), this present Bando is hereby published touching upon the management of lawful basis and consent for electronic delivery.
Mirrors the ePrivacy Directive: opt-in for direct marketing by SMS, voice and email; exceptions for soft opt-in.
Lawful basis (Article 6), special categories (Article 9), data subject rights and 72-hour breach notification to the IDPC.
Lawful basis recorded per delivery
Each envelope carries one of the six GDPR Article 6 bases (consent, contract, legal obligation, vital interest, public task, legitimate interest); the basis is fixed in the template registry.
Marketing consent verification
For S.L. 586.01 marketing messages, consent is verified at envelope level; deliveries without a valid permission are blocked at the API edge and surface a 4notify-side compliance receipt.
30-day right-to-erasure propagation
Erasure requests propagate within 24 hours through 4notify; the suppression list is updated on all three operators and the email gateway, with confirmation receipts back to the controller.
Breach notification webhook
Any envelope-level incident generates a webhook to the data controller within 60 minutes, enabling the controller to meet the GDPR 72-hour notification window to the IDPC.
```json
{
  "event": "delivery.consent_envelope",
  "controller_id": "MT-CTRL-12345",
  "lawful_basis": "consent",
  "consent": {
    "record": "IDPC-2026-001234",
    "consent_date": "2025-09-14",
    "unsubscribe_link_present": true
  },
  "delivery": { "channel": "email", "template": "promo_v2" },
  "suppression_check": "passed"
}
```

Dear customer, From today your marketing permission is revoked. You will no longer receive promotional emails, but you will continue to receive transactional notices (order confirmations, delivery alerts). To exercise your other rights under Cap. 586 and the GDPR: [email protected]
- IDPC controller registration / DPO contact current
- Lawful-basis registry kept per template
- Consent record retained per commercial delivery
- Breach-notification webhook reachable and tested
4notify is the only A2P provider that retains the GDPR lawful basis on every envelope, propagates erasure within 24 hours on all three Maltese operators and surfaces an IDPC-ready breach webhook on every event.
Does the consent requirement also apply to SMS?
Yes — Cap. 586 and S.L. 586.01 cover every commercial communication processing personal data: SMS, email, push, in-app messaging. A valid lawful basis is required for each channel.
What if the controller has not registered with the IDPC?
4notify blocks commercial deliveries at the API edge until a valid controller / DPO contact is in place; transactional deliveries on a contract basis remain available so the operational service does not stop.