Under the Data Protection Acts employers who force subject access requests now commit a criminal offence and there are increased notification obligations on data controllers.
Ministerial Regulations signed on 18 July 2014 commenced sections 4(13), 6(2) (b) and 10 (7) (b) of the Data Protection Acts. All sections of the Acts are now fully in force in Ireland.
Section 4(13) is an important change because it creates an offence of enforced subject access. An employer or prospective employer commits a criminal offence where he or she requires an employee, prospective employee, or independent contractor, to submit a personal data access request under the Acts, in order to have data available to him or her. A person who is guilty of an offence under this section may be liable to a maximum penalty of €100,000.
Section 6(2) (b) now requires a data controller, who has rectified, blocked or erased personal data in accordance with this section, to notify any person to whom personal data were disclosed during the preceding 12 months, unless such notification proves impossible or involves disproportionate effort.
Section 10 now requires a data controller, who has rectified, blocked or erased personal data in accordance with an enforcement notice issued by the Data Protection Commissioner, to also notify any person to whom the personal data were disclosed during the preceding 12 months, unless such notification provides impossible or involves a disproportionate effort.
If you would like more information, please contact Jennifer O'Neillat firstname.lastname@example.org.