Data Protection Officer

The Data Protection Officer (DPO) is responsible for ensuring compliance with the General Data Protection Regulation (GDPR) and Portuguese Data Protection Law (Law No. 58/2019 of 8 August), both:

Reports directly to Top Management (managing director), acting with full functional independence, in accordance with Article 38 of the GDPR.

In the context of outsourced services, the DPO acts independently in relation to each client entity, in accordance with the applicable service agreement.

The DPO performs their duties in relation to:

• The organization itself (as controller and/or processor), and

• Client organizations that formally designate the DPO as their external DPO under a services agreement.

In all contexts, the DPO ensures:

• Functional independence

• Professional secrecy and confidentiality

• Absence of conflicts of interest

• Clear segregation of responsibilities between clients and internal activities

• Inform and advise the organization and its clients, including their management bodies and employees, on obligations arising from the GDPR and applicable national data protection legislation.

• Monitor compliance with data protection laws, internal policies, procedures, and governance frameworks.

• Promote the implementation of privacy by design and privacy by default principles across processes, systems, and services.

• Advise on and monitor the performance of Data Protection Impact Assessments (DPIAs), both internally and for clients.

• Identify, assess, and support the mitigation of risks related to personal data processing, including technical, organizational, and contractual risks.

• Ensure the performance of periodic and ad‑hoc data protection audits.

• Assess the data protection maturity of the organization and its clients, proposing improvement plans where appropriate.

• Promote awareness regarding early detection of security incidents and compliance with incident reporting procedures.

• Support the management of personal data breaches, including:

• Risk assessment,

• Support in decision‑making regarding notification obligations,

• Communication with the CNPD,

• Assistance with communication to data subjects, where applicable.

• Design and deliver data protection training and awareness programs for internal staff and clients.

• Promote a culture of accountability and compliance in relation to privacy and personal data protection.

• Act as the main point of contact with the Portuguese Data Protection Authority (CNPD), both for the organization and for clients that have appointed the DPO.

• Serve as a contact point for data subjects in relation to the exercise of their rights.

• Cooperate with the supervisory authority whenever required.

• Oversee and maintain Records of Processing Activities (RoPA).

• Review and issue opinions on contracts, particularly those involving processors, sub‑processors, and suppliers, ensuring GDPR compliance.

• Support clients in the preparation of privacy policies, notices, and mandatory GDPR documentation.

• Proven expert knowledge of personal data protection, GDPR, and Portuguese Law No. 58/2019.

• Relevant professional experience in data protection, privacy, compliance, legal, IT governance, or information security roles.

• Ability to perform the role with independence, impartiality, and absence of conflicts of interest, including in a multi‑client environment.

• Excellent communication skills in Portuguese; strong command of English for international and client‑facing contexts.

• University degree in Law, Information Systems, Computer Science, Information Security, or a related field.

• Demonstrated experience as an external / outsourced DPO.

• Experience in regulated sectors and multi‑client service models.

• Professional certifications in data protection or information security (valued but not legally required).

• The DPO performs both internal and external functions with clear segregation of contexts, clients, and responsibilities.

• For each client:

• A formal DPO appointment is in place,

• The scope and limits of the services are contractually defined,

• Direct access to the client’s top management is ensured.

• The DPO does not receive instructions regarding the performance of their statutory tasks and must not be penalized for exercising their duties.