The bank for a changing world

We are looking for

Data Protection Officer

Apply REF: 1903RSK2291
BNP Paribas is a leading European bank with an international reach. It has a presence in 73 countries, with more than 192,000 employees – including more than 146,000 in Europe and over 4,000 in Portugal alone.
BNP Paribas is present in Portugal since 1985, having been one of the first foreign banks to operate in the country. Today, BNP Paribas has several entities operating directly in this territory, offering a wide range of integrated financial solutions to support its clients and their businesses.
Worldwide, the Group has key positions in its three main activities: Domestic Markets and International Financial Services (whose retail-banking networks and financial services are covered by Retail Banking & Services) and Corporate & Institutional Banking, which serves two client franchises: corporate clients and institutional investors. The Group helps all its clients (individuals, community associations, entrepreneurs, SMEs, corporate and institutional clients) to realise their projects through solutions spanning financing, investment, savings and protection insurance.


BNP Paribas Personal Data Protection framework, defined to respond to the new General Regulation on Data Protection - GDPR coming into effect on 25 May 2018, relies on the accountability of teams within the Bank in their processing of Personal Data (customer, employees, UBOs, representatives of corporate and vendors, etc.)
The 1st Line of Defense (Business, Operations, IT and CDO) has the responsibility to imbed data protection regulations and Group policies and guidelines in the internal organisation and processes within its perimeter  (e.g.  privacy by design, PIA, security measures, etc).
DPO is positioned in the 2nd line of Defense (within RISK function), and will constitute his/her DPO office for the scope outlined under his/her responsibility. The DPO must supervise the compliance with data protection regulations and Group policies and guidelines, , ensure second level controls and give the necessary guidance to support the 1st Line of Defense.
In order to ensure consistency with the Group's management structure, a DPO is positioned at each  Business Line for his/her scope of responsibility in consistency with CDO approach. He/she will be in the reporting line of the Chief Risk Officer (CRO) of  Business Line and will have a functional reporting line to Group DPO.
For his/her Business-Line’s scope of responsibility, the DPO relies on Data Protection Correspondents (DPC) positioned in entities.  For some countries, if relevant, a DPO may be appointed at entity level and may exercise also a role of a country DPO.
The DPO and DPC are under the hierarchical responsibility of RISK.


1. The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
A DPO will be appointed on a full-time basis with following key direct responsibilities within his / her scope:
1. Communication with external stakeholders, Data Protection Authorities and data subjects
  • Act as the key point of contact and cooperate with relevant Data Protection Authorities (DPA) on issues relating to personal data processing;
  • Act as a point of contact for data subjects with regards to significant issues
2. Matters related to organisation and framework related to personal data protection within his / her scope: 
A. Define general policies and guidelines on personal data protection and ensure their consistence with the relevant Group policies and guidelines.
B. Contribute to the monitoring of the regulatory landscape on data protection regulations and the relevant communication performed by LEGAL.
C.Participate in committees on / in relation to personal data protection at different levels (e.g. ICC, Personal Data Protection and Privacy Committee, etc.)
D.Oversee and supervise the overall personal data protection framework on the following topics:
  • Review and advise on implementation of policies and guidelines on Personal Data Protection and monitor consistency in their implementation (Consent collection process, cross border transfers, management of retention or personal data obsolescence)
  • Review and advise on implementation of Privacy by design principles from the design stage and during the life-cycle into all projects, products, services, activities, processes and systems
  • Provide advice on Privacy Impact Assessment (PIA) (e.g. whether or not to carry out a PIA, what methodology to follow, what safeguards to apply to mitigate any risks to the rights and interests of individuals) and monitor that PIAs are performed correctly
  • Review and advise on implementation of Personal Data Security principles and management of personal data breaches
- Monitor the implementation of Group security strategy in line with Personal Data Protection regulatory requirements
- Contribute to risk evaluation in case a personal data breach occurred to ensure in a timely manner:
- Appropriate safeguards (technical and organizational) are set-up to mitigate any risks to the rights and interests of the data subjects
- Adequate communication and reporting channels are in place to notify the appropriate stakeholders (e.g. management, Data Protection Authorities, data subjects)
- Oversee the Reporting of personal data breaches to the DPA
  •  Oversee the Records of processing activities (“Register”)
- Review and advise on rules regarding record of processing activities
- Monitor record of processing activities (“Register”) is kept up to date, filed under the responsibility of the controller / processor, in line with defined rules and make it available upon Data Protection Authorities request
  • Build and implement an awareness program
- Contribute to the promotion of a data protection culture
- Ensure that trainings to the employees involved in processing activities are sufficient and provided on a periodic basis to maintain data protection awareness
E. Define and operate the second level controls and independent testing on personal data protection framework in order to monitor compliance with personal data protection legislation and internal policies and guidelines:
  • Define and perform risk-based second level of controls on processes related to personal data protection.
  • Assess effectiveness of the 1st Line of Defence (business and IT) controls on Personal Data Protection based on Generic Control Plans defined by the Group
This will involve 2LoD controls testing against GDPR requirements, for: personal data processed across the organisation; high risk activities, new products and activities which involve personal data and testing of IT systems in addition to testing of business operations
  • Provide independent reporting and alert on critical points to senior management
When DPO exercises the role of country DPO, following key direct responsibilities are also included:
  • Coordinate overall communication with Data Protection Authorities for all Entities present in the country
  • Provide independent reporting and alert on critical points to corresponding CRO and Head of country
  • Coordinate the network of DPC and DPOs within his / her scope
  • Define and chair country Personal Data Protection and Privacy Committee

Confidentiality obligation

The DPO will be bound by secrecy or confidentiality concerning the performance of his/her or her tasks, in accordance with applicable laws.



  • 10 + years’  experience with significant knowledge and experience in Data Protection/Privacy and banking sector
  • Knowledge of internal organisation and processes
  • Understanding of data processing operations, including business applications and data use
  • Experience in interacting with regulators
  • Experience in transversal management and working
  • Experience in project management and change management
  • Experience of advising on regulatory requirements, in particular the ability to explain in “plain English”
Strong knowledge and interest in Information Technology, digital and new technologies and understanding of information security principles and controls

Behaviour and soft skills

Data Protection Officer should demonstrate:
  • Independency, objectivity and integrity.
  • Excellent writing and communication skills – allowing him/her to act as a communicator across the bank
  • Ability to lead, engage and work transversally 
  • Ability to manage and develop teams’ knowledge on data protection and privacy
  • Fluent in English (mandatory), national language (language of the country where DPO exercises)
  • Demonstrating a high-level of commitment and self-motivation, combined with enthusiasm and a genuine interest in order to be a successful Data Protection Officer


  • Be a role model, supporting and fostering a culture of good conduct
  • Demonstrate proactivity, transparency and accountability for identifying and managing conduct risks
  • Consider the implications of your actions on colleagues, partners and clients before making decisions.
  • Take responsibility for your team’s conduct and conduct risks.


Qualification on Data Privacy is highly appreciated. He/she will be required to enrich his/her competencies with additional professional qualifications relevant to Data Protection, such as:
  • IAPP Information Privacy Professional/Europe (CIPP/E) or Certified Information Privacy Professional/ IT (CIPP/IT)
  • Certified Information Privacy Manager (CIPM)
  • Practitioner Certificate in Data Protection (PC.dp)
  • Fellow of Information Privacy (FIP)
  • ISEB Data Protection or equivalent data privacy qualification
BNP Paribas is an equal opportunity employer and proud to provide equal employment opportunity to all job seekers. We are actively committed to ensuring that no individual is discriminated against on the grounds of age, disability, gender reassignment, marriage or civil partnership status, pregnancy and maternity, race, religion or belief, sex or sexual orientation. Equity and diversity are at the core of our recruitment policy because we believe that they foster creativity and efficiency which in turn increase performance and productivity. We strive to reflect the society we live in, while keeping with the image of our clients.
Please note that only applications submitted in English will be considered.
In case you are selected for this role, further documentation will be requested to support your hiring process.



Primary Location: PT-11-LisbonJob Type: Standard / PermanentJob: RISKSEducation Level: Master Degree or equivalent (> 4 years)Experience Level: At least 10 yearsSchedule: Full-time Behavioural competency: Decision MakingTransversal competency: Ability to manage a project