Attorney at law
IT, Privacy & Cybersecurity
Michelle provides advice to a variety of organisations in the fields of IT, privacy and cybersecurity, and supports entrepreneurs in trademark law matters. She specialises in compliance and compliance processes, and acts as a regular sounding board and advisor for several DPOs and CISOs.
A reliable, client-oriented professional, Michelle has a unique capacity for handling the most complex legal matters with patience and a dash of humour. She readily adapts her work and communication style to suit her clients and their target audience.
Michelle completed her Bachelor of Laws (LLB) at Radboud University Nijmegen. She went on to successfully complete the English-language Master’s in Law and Technology at Tilburg University in 2016, specialising in privacy legislation and regulation. During her career, Michelle has continued to specialise in privacy and cybersecurity, completing the specialist training for senior IT lawyers in 2018 and obtaining a number of privacy and cybersecurity certificates (specifically, CISM, CIPP/E, CIPM and CIPT).
Michelle commenced her legal career in 2016 as a legal advisor at a legal consultancy specialising in IT law. The experience she accrued in this role enabled her development to become a senior legal advisor and trainer/course leader. She then went on to work as a privacy and information security coordinator for two government ministries. Michelle joined De Clercq as an attorney in June 2021.
On a daily basis, Michelle provides advice and support to administrators, directors, DPOs and CISOs on matters relating to privacy and cybersecurity. Her work includes tasks such as setting up the necessary organisation and documentation, conducting negotiations, providing training, advising on complex matters, and performing risk analyses. Michelle also supports and advises a variety of entrepreneurs in matters such as applying for trademark registrations and monitoring these, and any procedures necessary. She works for both public/semi-public organisations and national and international commercial organisations.
Performing risk assessments and written safeguards relating to IT migration
A client’s IT environment was to be migrated to the Cloud environment of a Cloud provider with a U.S. parent company. To this end, the necessary risk analyses (DPIA and DTIA) were performed, the required contracts were negotiated, and the following-up of the improvement measures was monitored.
Negotiation and documentation for a partnership
The client was to participate in a partnership between public and non-public organisations for which the necessary documentation was drafted (contracts, privacy and cookie statements and consent declarations). All of the parties were able to agree with these, and the client’s interests were effectively represented.
Conducting DPIA for healthcare systems
The client’s healthcare system was to undergo further development. To this end, advice was provided from the Privacy and Security by Design perspective, and a DPIA was performed. The development and follow-up of the advice and the necessary improvement measures were monitored, and adjusted where necessary.
Development of a national privacy strategy
The client’s privacy organisation needed to be further professionalised and expanded. Advice was provided with respect to this, functions were proposed and the necessary policies, procedures and documents were drafted and put in place.
Preparation for certification
The client’s organisation needed to be prepared for NEN certification. Support was provided in identifying the organisation’s current status, drafting a gap analysis, and implementing necessary improvement measures.
IT, Privacy & Cybersecurity
30 June 2025
In December 2023, 'Bumble for Friends'—a feature of the dating app Bumble—used AI to generate 'AI icebreakers.' These are messages that users can use to 'break the ice' with their matches. To generate these AI icebreakers, AI technology (powered by OpenAI’s ChatGPT) is employed. In doing so, Bumble uses users’ personal profile information as input and shares (sensitive) personal data with OpenAI.
IT, Privacy & Cybersecurity
5 June 2025
In recent years, we’ve seen that new laws and regulations are placing increasingly specific requirements on ICT service providers. Consider, for example, the GDPR (which outlines tasks and responsibilities for the “processor”), the Cybersecurity Act (which mandates supply chain security and directly applies to “business-to-business ICT service providers”), and the AI Regulation (which imposes specific obligations and responsibilities on the “provider”). It’s no surprise, then, that this trend is also reflected in more and more guidelines and codes of conduct, including the Notarial Information Security Code of Conduct (hereinafter: “KNB Code of Conduct”). Given that the Royal Dutch Notarial Association (KNB) had 3.497 members at the beginning of 2025, there’s a good chance that, as an ICT service provider, you count at least one affiliated notary among your clients. This blog outlines what the Code of Conduct means for you as an ICT service provider.
IT, Privacy & Cybersecurity
27 May 2025
When the municipality of Amersfoort intended to award a contract for a management system to the winning bidder, a losing bidder initiated preliminary relief proceedings. The bidder questioned the expertise and independence of the review committee. In his ruling, the preliminary relief judge provides a clear overview of the legal framework applicable to such a situation.