GGNet – Court Ruling (Netherlands, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court ruled that GGNet, a mental health care provider, could keep a record of a patient's request to delete her medical records. The court decided this was necessary for managing healthcare services. This case highlights the balance between a person's right to erase their data and a company's need to maintain records for service management.
What happened
GGNet retained a record of a patient's request to delete her medical records despite her wishes.
Who was affected
The patient who sought treatment from GGNet and requested the deletion of her medical records.
What the authority found
The court held that GGNet could keep the record of the deletion request to manage its healthcare services, which was allowed under GDPR rules.
Why this matters
This ruling shows that companies can retain certain records even when a user requests deletion, as long as it's necessary for service management. It reminds healthcare providers to carefully consider their data retention policies.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller is GGNET, a mental health care institution operating in the Netherlands. The data subject sought medical treatment there after a reference by her general practitioner. The practitioner also forwarded to the controller the data subject’s medical records. After her first session with the social psychiatric nurse of the controller, the data subject decided she didn’t want to continue with the treatment and asked for her medical record to be deleted. The controller informed her that it deleted her medical records but retained a record regarding the erasure request. The data subject filed a complaint before the DPA (Autoriteit Persoonsgegevens-AP) requesting that the controller was ordered to delete the record regarding the erasure request. The DPA rejected her complaint, ruling that the controller could retain this record for the management of its health care services and under the medical treatment contract with the data subject, as referred to in Article 9(h) GDPR. The data subject challenged the decision of the DPA before the court of first instance (Gelderland District Court). The court dismissed the appeal as unfounded, affirming the DPA’s decision. Then, the data subject appealed against this ruling before the Highest Administrative Court (Council of State), claiming that the court of first instance misjudged the case. She claimed that the court did not recognise that the DPA should have taken enforcement action against the controller. According to the data subject, the record of the deletion request was not necessary for the management of the controller's health services nor there was a treatment agreement between the parties since she did not receive any treatment. The court held that the data subject’s right to erasure referred to in Article 17 GDPR could not be satisfied. First, it stated that the retention of the deletion request was necessary for the controller to manage its service, and in particular in order to justify why it no long
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for GGNet in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. GGNet - Netherlands (2025). Retrieved from cookiefines.eu
Last updated: