GGNet – Court Ruling (Netherlands, 2025)

The controller is GGNET, a mental health care institution operating in the Netherlands. The data subject sought medical treatment there after a reference by her general practitioner. The practitioner also forwarded to the controller the data subject’s medical records. After her first session with the social psychiatric nurse of the controller, the data subject decided she didn’t want to continue with the treatment and asked for her medical record to be deleted. The controller informed her that it deleted her medical records but retained a record regarding the erasure request. The data subject filed a complaint before the DPA (Autoriteit Persoonsgegevens-AP) requesting that the controller was ordered to delete the record regarding the erasure request. The DPA rejected her complaint, ruling that the controller could retain this record for the management of its health care services and under the medical treatment contract with the data subject, as referred to in Article 9(h) GDPR. The data subject challenged the decision of the DPA before the court of first instance (Gelderland District Court). The court dismissed the appeal as unfounded, affirming the DPA’s decision. Then, the data subject appealed against this ruling before the Highest Administrative Court (Council of State), claiming that the court of first instance misjudged the case. She claimed that the court did not recognise that the DPA should have taken enforcement action against the controller. According to the data subject, the record of the deletion request was not necessary for the management of the controller's health services nor there was a treatment agreement between the parties since she did not receive any treatment. The court held that the data subject’s right to erasure referred to in Article 17 GDPR could not be satisfied. First, it stated that the retention of the deletion request was necessary for the controller to manage its service, and in particular in order to justify why it no long