Skip to content

Editorial team

Portrait of Sanne de Vries
Years at Blue Spirit
4
Industry years
12
Posts on this blog
1
Languages
4

Sanne de Vries

Senior Compliance & Privacy Counsel · GDPR Lead

📍 Utrecht, Netherlands

Senior compliance and privacy counsel covering GDPR, the EU AI Act, ePrivacy, NIS2, DORA and the cross-border data transfer mechanics that govern how Blue Spirit handles client data and how clients handle their own subscriber data. Trained as a Dutch lawyer, then moved into privacy engineering as the discipline matured.

Background

Sanne is the privacy and compliance counsel at Blue Spirit Hosting. She qualified as a Dutch lawyer at the Hoge Raad (Supreme Court) bar in 2014, practised privacy law for six years at a mid-size Utrecht firm where she advised insurers, healthcare providers and a handful of fintechs through their initial GDPR readiness in 2017–2018, then moved fully into privacy engineering as she found herself spending more time reading server logs than legal pleadings.

At Blue Spirit she owns the GDPR Article 28 processor terms with all client contracts, the Standard Contractual Clauses framework that covers the (occasional, narrow) cross-border data flows required by the LATAM client practice, the DORA operational resilience framework documentation that affects financial-services clients, and the NIS2 incident notification procedures that apply to the Dutch and Bulgarian nodes from October 2024.

Her current focus is the operational impact of the EU AI Act on email content scanning — specifically whether automated content classification by Blue Spirit's anti-spam infrastructure constitutes "automated decision-making" within the meaning of Article 22 GDPR when it influences mail routing decisions. Her current operational guidance (which is the basis for client onboarding paperwork) is conservative: she treats it as if it were, and ensures human review is documented as available on request for any classification with material impact on a client's sending operation.

Sanne writes and reviews the legal/compliance pieces published on the Blue Spirit blog, and is the company's data protection officer in name and in fact. She maintains active membership in the IAPP (CIPP/E, CIPM, CIPT all current), reads case law for entertainment, and competes in dressage at regional level.

Areas of expertise

Click any area to filter the post list below to Sanne's writing on that topic.

Education

  • Universiteit Utrecht

    LLM Privacy Law (with distinction)

    2013–2014 · Netherlands

  • Universiteit Utrecht

    LLB Dutch Law

    2009–2013 · Netherlands

Certifications

  • CIPP/E — Certified Information Privacy Professional, Europe

    IAPP · 2017

  • CIPM — Certified Information Privacy Manager

    IAPP · 2018

  • CIPT — Certified Information Privacy Technologist

    IAPP · 2020

  • Dutch Bar Admission (Hoge Raad)

    Nederlandse Orde van Advocaten · 2014

Languages

  • Dutch (native)
  • English (C2)
  • German (B2)
  • French (B1)

Selected projects at Blue Spirit

A non-exhaustive list of work Sanne has led or contributed to, with the operational metrics that came out of each.

EU AI Act readiness assessment for content classification

2025 Q3–2026 Q1

Led the Article 22 GDPR + EU AI Act analysis covering Blue Spirit's automated content classification systems (anti-spam scoring, DKIM-failure-driven routing, blacklist auto-response). Produced the operational documentation that became the basis for Blue Spirit's standard onboarding privacy disclosure for new client tenants.

  • Operational classification systems documented: 7
  • New client onboarding template length: 14 pages
  • Client questions resolved at template stage (no escalation): 96%

NIS2 incident notification framework

2024 Q4–2025 Q1

Wrote and operationalised the NIS2-compliant incident notification framework covering the Dutch and Bulgarian nodes (both subject to NIS2 since October 2024 transposition). Includes the 24-hour early warning, 72-hour incident notification, and final report timeline coordination across operations and legal.

  • NIS2-reportable incidents in 2025: 0
  • Internal NIS2 readiness drills run: 4
  • Average drill-to-final-report cycle time: 71 hours

Standard contractual clauses for LATAM data flows

2023 Q1–Q2

Designed the SCC framework (using the EU 2021 modules) covering the narrow cases where Blue Spirit acts as data importer for personal data flowing from EU client controllers to Mexican-resident operational staff. Includes the Data Privacy Framework cross-check for any future US-resident contractor scenarios.

  • Clients covered by SCC framework: 47
  • Schrems II adequacy assessment depth: 14 pages per importing country
  • Time from new client signature to SCC operational: 48 hours

Want Sanne on your engagement?

Senior engineers handle every Blue Spirit account directly. If you have a deliverability or compliance question that fits Sanne's background, we'll route the conversation to them.

Chat with us on WhatsApp