Education

Natascha studied at VU University Amsterdam and completed postgraduate specialization courses in IT Law (Grotius, 2002), Privacy and Personal Data (TILT, 2012), and Cybercrime & Cybersecurity at the Leiden Law Academy. She is a member of VIRA (Vereniging Informaticarecht Advocaten), NVvIR (Nederlandse Vereniging voor Informatietechnologie en Recht), VPR (Vereniging Privacyrecht), VPR-A (Vereniging Privacyrecht Advocaten), VAI-A (Vereniging AI Advocaten), and the Dutch AI Coalition.

Career

Natascha started her career as an adjunct researcher at the Institute of Computer Science and Law at the Free University of Amsterdam. In mid-1998, she transferred to De Clercq as a lawyer, where she became a partner in 2005. In addition to her work as a lawyer, she is a co-author and editor of a series of books entitled ‘Multidisciplinary Aspects of…’ covering topics such as blockchain, AI, COVID-19 apps, and digital security. She also serves as a board member of the NGO Climbing the Right Tree, which aims to create career opportunities for young people in Africa through IT education.

Natascha’s daily practice

In her daily practice, Natascha advises national and international clients on outsourcing and cloud sourcing projects, IT transactions, and IT tenders. She is often involved in IT-related disputes and their resolution. She assists clients with compliance processes in the field of privacy and security, including the implementation of the Network and Information Systems Directive (NIS2 Directive). Additionally, she is regularly part of an incident response team in the event of a cyber-incident, where she takes the lead in handling the legal aspects and settlement of a cyber-incident.

Selected cases

Lead counsel for a Dutch government organization in a historic NAI arbitration case on a failed government IT project

The IT project involved the construction of the Sociale Verzekeringsbank’s so-called Multi Regulations System. The arbitration resulted in the IT supplier being ordered to pay tens of millions of euros in damages.

Lead counsel for various semi-governmental organizations and commercial (IT) service providers in the aftermath of large-scale ransomware attacks

Team member of the incident response team in various large-scale cyber incidents, always working closely with the client’s Data Protection Officer and CISO, external forensic specialists and regulatory agencies. Our assistance typically includes notification to the Personal Data Authority, informing those affected and advising the affected organization on the possibility of holding external third parties liable for the cyber incident and resulting damages.

Lead counsel for a reputable healthcare institution in the migration of (healthcare) applications to the Microsoft Azure cloud and the outsourcing of managed services infrastructure

Our work included the transition, migration and transformation phase as well as application management in the cloud. Part of our advice also included conducting a Data Protection Impact Assessment (DPIA) and a Data Transfer Impact Assessment (DTIA), and negotiating the data processing agreement.

Lead counsel in a compliance project of a Dutch fintech company

Besides advising on applicable (fintech) laws and regulations, the advice related to an End User License Agreement, privacy statement, general terms and conditions, setting up a legal structure and the transfer of IP rights.

Lead counsel on the European tender for a healthcare management system (and related implementation and consulting services)

The care management system concerned a system used by more than 8,000 employees and processing sensitive personal data of more than 100,000 individuals. In addition to procurement law aspects and contract negotiations, the focus of the consulting was on privacy and security law aspects.

Lead counsel during negotiations in a dispute with an established low-code platform provider in the United States

Dispute over renewal contract terms. We assisted the client in negotiations by designing a strategy for negotiations and helping the client negotiate an acceptable renewal agreement, including agreements on license metrics used, maximum rates, service credits and exit arrangements.

Lead counsel on various Network and Information Systems Directive (NIS2 Directive) implementation processes

The NIS2 Directive requires companies and institutions falling within the scope of NIS2 to, among other things, implement risk management measures and establish governance structures and notification procedures. Our consulting usually begins with a gap analysis to identify where the organization stands. A roadmap is then developed to ensure timely compliance.