Data Protection in Malta

Electronic marketing in Malta

EU regulation

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.


Malta regulation

The Act applies also to most electronic marketing activities since in the course of such activities, it is likely that ‘personal data’ as defined above (including email) will be ‘processed’ as understood by the Act. In relation to direct marketing (even electronic), consent may be revoked at will by the data subject(s).

The controller is legally bound to inform the data subject that he or she may oppose such processing at no cost.

Apart from the Act, the ‘Processing of Personal Data (Electronic Communications Sector) Regulations’ (Subsidiary Legislation 586.01 issued under the Data Protection Act 2018) (the Electronic Communications Regulations) address a number of activities relating specifically to electronic marketing.

In the case of subscriber directories, the producer of such directories shall ensure (without charge to the subscriber) that before any personal data relating to the subscriber (who must be a natural person) is inserted in the directory, the subscriber is informed about the purposes of such a directory of subscribers and its intended uses (including information regarding search functions embedded in the electronic version of the directories). No personal data shall be included without the consent of the subscriber. In furnishing his consent the subscriber shall determine which data is to be included in the directory and is free to change, alter or withdraw such data at a later date. The personal data used in the directory must be limited to what is necessary to identify the subscriber and the number allocated to him, unless the subscriber has given additional consent authorizing the inclusion of additional personal data.

The Electronic Communications Regulations also deal with the issue of unsolicited communications. A person is prohibited from using any publicly available electronic communications service to engage in unsolicited communications for the purpose of direct marketing by means of:

  • An automatic calling machine
  • A facsimile machine
  • Email

to a subscriber, irrespective of whether such subscriber is a natural person or a legal person, unless the subscriber has given his prior explicit consent in writing to the receipt of such a communication.

By way of exception to the above (informally known as the ‘soft opt-in’ rule), where a person has obtained from his customers their contact details for email in relation to the sale of a product or a service, in accordance with the Act that same person may use such details for direct marketing of its own similar products or services. However, the customers must be given the opportunity to object, free of charge and in an easy and simple manner, to such use of electronic contact details when they are collected and on the occasion of each message where the customer has not initially refused such use.

In all cases the practice of, inter alia, sending email for the purposes of direct marketing, disguising or concealing the identity of the sender or without providing a valid address to which the recipient may send a request that such communications cease, shall be prohibited.

The Act does not change the position under the previous Data Protection Act (Chapter 440) and does not introduce derogations from the provisions of the GDPR in this regard. The proposed ePrivacy Regulation would need to be analyzed separately.

Continue reading

  • no results

Previous topic
Back to top