Tilburg Institute for Law, Technology, and Society (TILT)

TILT studies emerging technologies and their impact on the individual and society, recognizing the interplay between technology, regulation and fundamental values & human rights.

Alumni track

General information

The Alumni track which will be held on 19 May 2017 is designed for TILT MA alumni and TILT PAO alumni (practitioners). This track comprises refresh courses on the General Data Protection Regulation, by and for alumni. The track offers a form of post academic education as well as a possibility to meet other TILT alumni.

The day is organized around implications of the General Data Protection Regulation. In the first session prof. Lokke Moerel and prof. Paul de Hert will share their insights on the impact of the GDPR, both from an academic and a practical perspective. After these introductions, four TILT alumni will shed light on the practical impact of specific provisions of the GDPR. Rachel Marbus, privacy officer at KPN, will discuss privacy governance. Mark Wijnhoven, Global Legal and Privacy lead at Philips, will address Data Protection Impact Assessments. Simone Fennell, consultant at Privacy Company, will address the ins and outs of data breach notification. And Aleksandrina Banusheva, expert at the Commission for Personal Data Protection in Bulgaria, will discuss the role of Data Protection Authorities under the GDPR.

NOvA credit points

Alumni participating in this track will be entitled to NOvA credit points (Certificate and Maintaining Professional Competence of the Dutch Order of Lawyers (Nederlandse Orde van Advocaten) for providers of courses to lawyers in the context of the policy of maintaining professional competence. You are responsible for applying the relevant credit points yourself.


Alumni can also register for this day only.

Registration fee: Euro 150 (one day)

Program 19 May 2017

Location: Dante building (DZ 1)

Time Session Speaker
9:00 - 9:30 Coffee and registration
9:30 - 9:45 Introduction Alumni Track Colette Cuijpers
9:45 - 11:15 Session 9
The GDPR principles and solutions as a framework for gatekeeping in the Big Data Economy Paul de Hert
Big data analytics under the GDPR: what has changed and how to implement the rules in practice Lokke Moerel
11:15 - 11:35 Coffee break
11:35 - 13:05 Session 10
Data Protection Impact Assessment: reflections on how to execute the DPIA in a global environment Mark Wijnhoven
Privacy governance in practice: how does it actually work? Rachel Marbus
13:05 - 14:05 Lunch
14:05 - 15:35 Session 11
The ins and outs of Data Breach Notification Simone Fennell
DPAs at the dawn of the GDPR Aleksandrina Banusheva
15:35 Drinks

Information about the speakers (bio and abstract)

Paul de Hert


Paul de Hert is full professor at the Vrije Universiteit Brussel (VUB) and associated professor at Tilburg University. His main area of expertise is data protection law. With a background in criminal law he concentrates on topics such as enforcement and sanctioning within this area of law. De Hert has written several reports on behalf of the European Parliament and the Commission and often delivers talks at various gatherings, such as the International Working Group on Data Protection in Telecommunications, and the Council of Europe Committee on Data Protection, among others. He has published in European Journal of International Law, International Journal of Law and Information Technology, Computer Law & Security Review and International Data Privacy Law. 


‘The GDPR principles and solutions as a framework for gatekeeping in the Big Data Economy’

This presentation looks at the impact of big data and draws conclusions on how legal frameworks can be adapted, using data protection as a case study. Big data practices affect interactions between different actors and can thereby also unsettle the legal frameworks regulating these interactions. The capacity to link and analyze data on a large scale has turned data into a network good. Positive network effects are an incentive for data-intensive business models. Data-driven business processes further involve a shift from limited, time-bound transactions to continuous services. These larger data flows penetrate an actor's boundaries and affects its gatekeeping functions. They result in an enlarged, fine-grained visibility of actors, which can be subjected to faster and targeted actions.

Lokke Moerel


Lokke Moerel is senior counsel with Morrison & Foerster (Berlin), and professor of global ICT law at Tilburg University. Lokke is an expert on Big Data and Internet of Things. In February 2014, she accepted her professorship with the inaugural speech: “Big Data Protection. How to make the draft EU Regulation on Data Protection Future Proof”. She was further appointed to author (together with Prof. Corien Prins) the 2016 report for the Netherlands Lawyers Association on the impact of the digital age on society and how to regulate information technology on society and how to regulate the relationship between IT and society: “Privacy for the Homo Digitalis: Proposal for a New Regulatory Framework for Data Protection in the Light of Big Data and the Internet of Things”. Lokke has further written Binding Corporate Rules (Oxford University Press, 2012), which is considered the leading textbook on BCR and numerous international publications on global privacy, cybercrime, e-commerce, online advertising and outsourcing. Lokke is a member of the Dutch Cyber Security Council, the advisory body of the Dutch cabinet on cybersecurity. She is consistently ranked as a leader in data protection law in Chambers Global and Legal 500. "She has a formidable reputation in the field of data protection, advising numerous blue-chip clients. She is doing market-leading work." (Chambers Global 2015).


‘Big data analytics under the GDPR: what has changed and how to implement the rules in practice’

The GDPR does not provide for a specific regime on profiling. Profiling has now been defined under the GDPR and is mentioned in various provisions, including in the provision on the right to object, on automatic decision-making and when to perform a Data Protection Impact Assessment. How do these rules fit together into one comprehensive regime? The various rules are discussed and practical guidelines are given how to implement these in practice.  

Rachel Marbus


Rachel Marbus is a civil rights fundamentalist obsessed with the fundamental right to privacy. If someone tells her "Privacy is dead," she usually ignites a flaming speech beginning with "I have nothing to hide, but they don’t have to know."

Marbus is the Privacy Officer of KPN, did scientific research on privacy and identity in the online world, is a board member of the PvIB (Platform for Information Security), often speaks about privacy & security, and has a regular column in IB Magazine.


‘Privacy governance in practice: how does it actually work?

Many years ago I left the academia to pursue a career in business and privacy governance. I thought I knew a lot about privacy – which was basically true of course since I was taught by the best at TILT. But, knowing about privacy and putting all that knowledge through the test by implementing it in businesses was a whole other thing, I can assure you. I’ll take you through some of the trials and tribulations and show you that some of them are still and always will be current.

Mark Wijnhoven


Mark Wijnhoven works as global legal and privacy lead for Philips Information Security Office (CISO). As part of this role, Mark is leading in safeguarding privacy compliance for the (global) initiatives that are deployed to protect the organization against cyber related threats, as well as the integrity and confidentiality of the valuable (personal) data that Philips processes. For the initiatives that are deployed by the CISO, Mark is engaged in ensuring that consultation with works councils and national regulatory bodies takes place. Mark is also the CISO privacy officer.  


‘Data Protection Impact Assessment: reflections on how to execute the DPIA in a global environment’

Before addressing the DPIA in the vibrant Philips environment, first a brief overview is given of some key features of the DPIA. After addressing the underlying principles, a closer look is given at the operational side of Data Protection Impact Assessment. A very important aspect in the impact assessment is data security. This topic will be highlighted, also in view of the close connection between DPIA and Privacy by Design; requiring the implementation of security standards and safeguards to mitigate risks. In providing some insight into how a business environment like that of Philips has implemented DPIA strategies, some best practices will be addressed at different levels: Process; Execution; and Learning. The presentation is concluded by an interactive discussion where the public can engage by commenting and asking questions. 

Simone Fennell


Simone Fennell is senior privacy consultant at Privacy Company and provides privacy services to companies and organizations in both the commercial and public sector. As a part of Privacy Company’s team, Simone takes care of Privacy Impact Assessments, quick scans, onboarding processes for new products and services, acting as a privacy officer, assessing and implementing privacy frameworks and data breach compliance. She develops a wide variety of in-company and public training sessions. As a senior advisor, she is responsible for permanent education within Privacy Company. Simone teaches at various universities in The Netherlands, and is a faculty member of the International Association of Privacy Professionals (IAPP). As an accredited IAPP trainer, she teaches Privacy and European Law (CIPP/E) and Privacy Management (CIPM) in both Veenendaal (NL) and Brussels (BE). Prior to working for Privacy Company, Simone worked for Fennell Roosendaal and at the Tilburg Institute for Law, Technology, and Society (TILT) at Tilburg University, where she also obtained her degree in Law and Technology.


‘The ins and outs of Data Breach Notifications’

Two data breach acts have been effective in The Netherlands; the notification obligation from the Telecommunications act (2012) and from the Data Protection Act (2016). With the General Data Protection Regulation coming into effect in 2018, all European countries will have a data breach notification duty. But how do these data breach notification duties play out in practice?

What can be your game-plan? And how do you implement and manage this?

Aleksandrina Banusheva


Aleksandrina Banusheva is an expert at the Bulgarian Data Protection Authority. As a member of the Legal Affairs, International Cooperation, Planning and Training Directorate she performs legal consultations and gives opinions on the implementation of the legislation, participates in the drafting of legal acts, prepares positions of the DPA and handles individuals’ requests concerning their rights. Aleksandrina has previous practical experience in the data protection sphere in different fields including the non-profit (International Cyber Investigation Training Academy), academic (Tilburg Institute for Law, Technology and Society), business (Philips B.V.) and public field (Europol). 


‘DPAs at the dawn of the GDPR’

The data protection reform will require substantial amendments in the structure and functions of the DPAs. Many DPAs will have to increase their budget and staff (both in number and qualifications) in order to meet the new requirements.

How will the day-to-day work of the DPAs change after 25 May 2018? What will be the new tasks and what tasks will have to be abandoned? What are the new DPA’s powers to ensure lawful data processing across Europe? And what is the role of the Data Protection Officer amongst the DPAs, controllers and processors?