The remaining provisions of the Data Protection Acts 1988 and 2003 (the Acts), including sections 4(13), 6(2) (b), and 10(7) (b) were commenced on 18 July 2014, by Statutory Instruments 337 and 338 of 2014.

Statutory Instrument 337 of 2014

This Regulation commences sections 6(2) (b) and 10(7)(b) of the Acts. These provisions provide data controllers with an obligation to notify third parties when personal data has been rectified or erased.

Section 6 already provides that a data controller must notify a data subject when the controller rectifies, blocks or erases personal data that are collected, processed or otherwise dealt with in contravention of the Data Protection Acts. Section 6(2) (b) now requires the data controller to also notify any person to whom personal data were disclosed during the preceding 12 months, unless such notification proves impossible or involves disproportionate effort.

Section 10 already provides that a data controller must notify the data subject, where the controller rectifies, blocks, erases, destroys, or adds a statement to personal data, in compliance with an enforcement notice issued by the DPC. Section 10(7)(b) now requires the data controller to also notify any person to whom the personal data were disclosed during the preceding 12 months, unless such notification provides impossible or involves a disproportionate effort.

Statutory Instrument 338 of 2014

This Regulation commences section 4(13) of the Acts, concerning enforced subject access. It makes it a criminal offence for an employer to attempt to require an employee, prospective employee, or independent contractor, to make an access request or to reveal the result of such an access request.