There are a few interesting developments in the area of data protection that you may have missed and we can recap for you:

• CONDITIONS TO PROCESS CERTAIN DATA ISSUED BY THE ITALIAN DATA PROTECTION AUTHORITY. According to section 9 paragraph 4 of the GDPR, Member States are entitled to introduce additional conditions for the processing of genetic, biometric or health data. On July 29, 2019 the final version of such conditions issued by the Italian Data Protection Authority has been published on the Official Journal. Such conditions apply to processing of data (i) in employment relationships, (ii) by associations, (iii) by private investigators, (iv) that are genetic or (v) for purposes of scientific research.
• RIGHT TO BE FORGOTTEN. On September 24, 2019 the European Court of Justice has issued a judgment on the right to be forgotten in case C‑507/17 against Google Inc. The Court has ruled that “there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.” While the right to be forgotten must be enforced in all Member States, there is no obligation to do that in all national search engines. The Court, however, added that a supervisory or judicial authority, after balancing all rights concerned, would be able to order de-referencing on all search engines in the world since “EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice.” Given the reaction to the judgment by the Chairperson of the Italian Garante (the data protection authority) Mr. Antonello Soro, it cannot be excluded that that the Garante may issue a universal, rather than EU-wide, dereferencing order.
• PROCESSING FOR “OWN PURPOSES”. A med-tech company has been sanctioned for having used patient data (medical scans) in a public tender process and in a subsequent litigation in an anonymized form. The company had been appointed by the hospital as a data processor but, the Garante ruled, had further processed such patient data for an own purpose rather than for the purposes mandated by the data controller (i.e., maintenance of equipment generating scans for patients).
• AGAIN ON THE RIGHT TO BE FORGOTTEN. In a decision by the Italian Garante dated July 24, 2019 Google LLC has been ordered to de-reference from its search engine news about criminal facts occurred in 2007 for which an individual, without any public role, had been condemned, but who had been fully rehabilitated.
• CONSUMER CREDIT CODE OF CONDUCT. On September 19, 2019 the Italian Garante approved a new code of conduct for companies operating in the areas of consumer credit, credit worthiness analysis and payment punctuality.