Warta
4notify Malaysia · Federal Gazette
OFFICIAL · JPDP · PDPA Malaysia
Warta No
WTA-MY-005
Date
2026-05-27
Status
In force
Section
Privacy

PDPA Malaysia, the JPDP Consent Registry and the Do-Not-Disturb regime: a permission framework for transactional and commercial delivery

The Jabatan Perlindungan Data Peribadi (JPDP) — the Department of Personal Data Protection — applies the Personal Data Protection Act 2010 (Act 709) under the Ministry of Communications. Commercial communication requires consent, sensitive personal data has reinforced protection, and the do-not-disturb regime layers on top. 4notify pins the lawful basis on every envelope and verifies consent at the API edge on every delivery.

E-mailSMSWebhook
Preamble

Whereas, in exercise of the powers conferred by the Personal Data Protection Act 2010 (Act 709) and its subsidiary legislation, this Warta is issued concerning the management of consent for electronic delivery in Malaysia.

Statutory basis
Personal Data Protection Act 2010 (Act 709)

Lawful basis (consent, contract, legal obligation, vital interest), data-subject rights and competence of the JPDP.

PDPA subsidiary regulations

Registration of data users, security standards, retention standards and the data-protection notice.

JPDP guidance on consent + DND

Affirmative, informed and revocable consent; opt-out keyword processing; do-not-disturb list maintenance.

Implementation
01

Lawful-basis registration per delivery

Every envelope carries one of the Act 709 lawful bases (consent, contract, legal obligation, vital interest); the basis is fixed at the template registration step.

02

Commercial-consent verification

On commercial messages, consent is verified at envelope level; deliveries without permission are blocked at the API edge before any leg of the cascade.

03

30-day suppression right

Withdrawal requests propagate within 24h through 4notify; the suppression list updates across all four carriers and the e-mail gateway.

04

Breach-notification webhook

Any envelope-level incident raises a webhook to the data controller inside 1h and primes the JPDP notification track-and-trace.

Delivery envelope
json
{
  "event": "delivery.envelope_consent",
  "controller_id": "MY-CTRL-12345",
  "lawful_basis": "consent",
  "consent": {
    "registry": "JPDP-2026-001234",
    "consent_date": "2025-09-14",
    "opt_out_link_present": true
  },
  "delivery": { "channel": "email", "template": "promo_v2" },
  "suppression_check": "passed"
}
Sample message
E-mailSubject: Your marketing preference has been updated

Dear customer, With effect from today, your marketing consent has been withdrawn. You will no longer receive promotional e-mails, but transactional notices (order confirmations, delivery alerts) will continue. To exercise your other rights under PDPA 2010: [email protected]

Compliance checklist
  • Data-user registration with JPDP current
  • Data controller configured at the workspace
  • Consent record retained for every commercial delivery
  • Breach-notification webhook reachable for the controller
The 4notify difference

4notify is the only A2P provider that pins the Act 709 lawful basis on every envelope, propagates suppression within 24h across all four Malaysian carriers, and raises a JPDP-ready incident webhook on every event.

Frequently asked
Does PDPA Malaysia consent apply to SMS too?

Yes — Act 709 covers any commercial communication that processes personal data: SMS, e-mail and instant-messaging channels. All of them require a valid lawful basis.

What if the controller did not register with JPDP?

4notify blocks commercial delivery at the API edge until a valid registration is on file; transactional delivery on a contractual basis remains available.

Published
4notify Operations Department
2026-05-27 · WTA-MY-005

Start free

14 days, no card required. English support across ASEAN business hours.

Other entries in this edition