Sanne is the privacy and compliance counsel at Blue Spirit Hosting. She qualified as a Dutch lawyer at the Hoge Raad (Supreme Court) bar in 2014, practised privacy law for six years at a mid-size Utrecht firm where she advised insurers, healthcare providers and a handful of fintechs through their initial GDPR readiness in 2017–2018, then moved fully into privacy engineering as she found herself spending more time reading server logs than legal pleadings.
At Blue Spirit she owns the GDPR Article 28 processor terms with all client contracts, the Standard Contractual Clauses framework that covers the (occasional, narrow) cross-border data flows required by the LATAM client practice, the DORA operational resilience framework documentation that affects financial-services clients, and the NIS2 incident notification procedures that apply to the Dutch and Bulgarian nodes from October 2024.
Her current focus is the operational impact of the EU AI Act on email content scanning — specifically whether automated content classification by Blue Spirit's anti-spam infrastructure constitutes "automated decision-making" within the meaning of Article 22 GDPR when it influences mail routing decisions. Her current operational guidance (which is the basis for client onboarding paperwork) is conservative: she treats it as if it were, and ensures human review is documented as available on request for any classification with material impact on a client's sending operation.
Sanne writes and reviews the legal/compliance pieces published on the Blue Spirit blog, and is the company's data protection officer in name and in fact. She maintains active membership in the IAPP (CIPP/E, CIPM, CIPT all current), reads case law for entertainment, and competes in dressage at regional level.