Education

Natascha studied at VU Amsterdam and successfully completed the postgraduate specialisation courses in IT Law (Grotius, 2002) and Privacy and Personal Data (TILT, 2012), as well as the postgraduate specialism in Cybercrime & Cybersecurity at Leiden Law Academy. She is a member of the Netherlands Association for Computer Lawyers (VIRA), the Netherlands Association for Information Technology and Law (NVvIR), the Privacy Law Association (VPR), the Privacy Lawyers Association (VPR-A), the Association of AI Lawyers (VAI-A) and the Netherlands AI Coalition.

Career

Natascha commenced her career as an adjunct researcher at the Institute for Information Law at VU Amsterdam. In mid-1998, she joined De Clercq as an attorney, and went on to become a partner in 2005. In addition to her work as an attorney, she is co-author and editor of a series of books titled ‘Multidisciplinary aspects of…’, on topics such as blockchain, AI, COVID-19 apps and digital security. She is also a board member at Climbing the Right Tree, an NGO that works to create career opportunities for young people in Africa through IT education.

Natascha’s daily practice

Natascha’s daily practice involves advising national and international clients on outsourcing and cloud-sourcing projects, IT transactions and IT tendering processes. She is frequently involved in IT-related disputes and their resolution. In addition, she supports clients with compliance processes relating to privacy and security, including the implementation of the Network and Information Systems Directive (NIS2). She also regularly participates in an incident response team that addresses cyber incidents, and she takes the lead in handling the legal aspects and resolving the incident.

Selected cases

Lead counsel for a Dutch government organisation in a historical arbitration case concerning a failed IT project

The IT project concerned the construction of the Multi-Regulation System for the Social Insurance Bank (Sociale Verzekeringsbank). The arbitration led to the IT supplier being required to pay tens of millions of euros in damages.

Lead counsel for various semi-government organisations and commercial IT and other service providers in the wake of large-scale ransomware attacks

Member of incident response team for various large-scale cyber incidents, involving close consultation with the client’s Data Protection Officer and CISO, external forensic specialists, and supervisory authorities. In general, our support includes notifying the Dutch Data Protection Authority, and informing the affected parties and organisation about the possibility of holding external third parties liable for the cyber incident and the resulting damage.

Lead counsel for a renowned healthcare institution, in the migration of their healthcare and other applications to the Microsoft Azure Cloud and the outsourcing of managed services infrastructure

Our tasks include both the transition, migration and transformation phase, and application management in the cloud. Part of our advice concerned performing a Data Protection Impact Assessment (DPIA) and Data Transfer Impact Assessment (DTIA), and negotiating the data processing agreement.

Lead counsel in a compliance process for a Dutch fintech company

In addition to providing advice on applicable fintech and other legislation and regulations, this case involved advising on an End User Licence Agreement, privacy statement, general terms and conditions, establishing a legal structure and transferring IP rights.

Lead counsel in the European tender for a healthcare management system (and the associated implementation and consultancy services)

The healthcare management system was to be used by more than 8,000 employees and involved processing sensitive personal data relating to more than 100,000 people. In addition to the procurement law aspects and contract negotiations, the advice focused on privacy and security law matters.

Lead counsel during negotiations in a dispute with a low-code platform provider established in the United States

The dispute concerned the contract terms and conditions with respect to extending the contract. We assisted the client by designing a negotiation strategy and helping the client negotiate an acceptable extension contract that included agreements about the licence metrics used, maximum rates, service credits and exit schemes.

Lead counsel in various implementation processes relating to the Network and Information Systems Directive (NIS2)

NIS2 obliges companies and institutions that are covered by its provisions to take actions such as implementing risk management measures and establishing governance structures and reporting procedures. Our advice generally commences with a gap analysis to identify the organisation’s current position. A step-by-step plan is then drawn up to facilitate timely compliance.