Data Protection Manager

UniCredit

Job Location:

Warszawa - Poland

Monthly Salary: Not Disclosed
Posted on: 11 hours ago
Vacancies: 1 Vacancy

Job Summary

What we do

Aion Bank is a fully regulated European bank and credit institution combining Vodeno's cutting-edge private blockchain-based platform with its ECB banking license, strong balance sheet and deep regulatory expertise. Our mission is to provide a comprehensive suite of embedded banking solutions, enabling businesses to seamlessly integrate financial services into their offerings.

As part of the UniCredit Group, Aion Bank and Vodeno will accelerate their digital banking offer in strategic markets and will act as a sandbox for innovation for the wider UniCredit Group. Aion Bank and Vodeno's existing Banking-as-a-Service (BaaS) offering across key European markets, including Germany and Poland, will see the bank embed its services - ranging from account access and deposits to lending, payments and loyalty programs - directly into non-banking digital platforms, facilitating seamless customer experiences.

At Aion Bank, our biggest strength is our people: a team of highly intelligent, creative and ambitious professionals who thrive in a fast-paced, innovative environment. We believe in delivering results while fostering a culture of passion and collaboration.

We are currently looking for a Data Protection Manager ready to join our adventure, share our ambition and help shape the future of digital banking.
What you will be doing

We are looking for a Data Protection Manager who will act as the 1st Line of Defence (1LoD) operational manager and data protection policy owner for both UniCredit NV and Vodeno.
This is an end-to-end responsibility, working closely with Data Governance, IT teams and Product Teams, and managing our external privacy partner.
You will act as the internal project manager and enforcer, leveraging external partner support to handle the heavy lifting of standard controller tasks and documentation.

Your core responsibilities will include:

  • Operational Ownership: Operationalize our control catalogue and enforce Group Data Processing Agreements (DPAs) across our core EU markets (Poland, Spain, Portugal, Germany and Belgium).

  • GDPR Assurance & Documentation: Implement, execute and enforce business compliance with GDPR, national laws and internal policies. Own the ROPA, ensuring valid legal bases (Art. 6) and localized retention periods (Tax, HR, Criminal) are strictly defined.

  • Third-Party Risk & Advisory: Verify vendor due diligence, ensure compliant DPAs, advise internal teams (IT, Product) on privacy requirements and drive staff awareness training.

  • Current Compliance Projects:

    • Data Retention: Update and operationalize the Guidelines - Data Retention Periods, specifically ensuring alignment with local laws (e.g. tax data, employment data and criminal records).

    • Marketing Privacy: Prepare and get formal approvals for standalone Legitimate Interest Assessments (LIAs) for processing personal data for marketing purposes. Ensure marketing consent templates allow granular per-channel choices.

    • Process Finalization: Update the Data Protection Process documentation to include required elements such as Transfer Impact Assessments (TIAs) and ROPA certification.

    • Data Subject Access Requests (DSARs) Management: Oversee the end-to-end DSAR lifecycle (e.g. right to access, right to erasure). Coordinate actively with IT and business units to ensure the accurate retrieval, review and deletion of personal data across all systems within strict regulatory SLAs.

  • Incident Response & Security Operations: Execute Data Protection Impact Assessments (DPIAs), advise on cross-border data transfers and coordinate data breach incident management. Implement 1LoD controls to prevent sensitive personal data from being stored in unauthorized locations and oversee clean-up efforts.

  • AI & New Technologies: Ensure that all Artificial Intelligence (AI) tools used within business processes are identified, assessed through a DPIA and properly documented in the ROPA.

  • Strategic Collaboration:

    • Work closely with the Data Architect Lead and Data Management Team to build out global data lifecycle and retention plans.

    • Collaborate with IT teams to activate and operationalize data privacy controls within the IT Service Management (ITSM) control matrix.

    • Collaborate with Product Teams to operationalize data privacy within business products.

    • Champion and embed Privacy by Design principles directly into the Software Development Life Cycle (SDLC) and Agile workflows.

    • Act as the primary First Line of Defence (1LoD) liaison to the official Data Protection Officer (2LoD).

    • Direct and manage our external privacy agency to ensure they deliver high-quality controller documentation.

Skills you should have
  • Minimum 5 years' experience required in Data Protection Compliance or Risk Management within the Financial Sector (banking/fintech).

  • Deep practical expertise in GDPR, EU data protection law and data subject laws. Specific knowledge of Polish data protection nuances (e.g. Electronic Communications Law, Criminal Record Act and local retention limits) is highly preferred.

  • Hands-on Assessment Experience: Proven experience in a First Line of Defence (1LoD) or senior privacy/DPM role. Proven capability in conducting specialized assessments, including Data Protection Impact Assessments (DPIAs), Legitimate Interest Assessments (LIAs) and Transfer Impact Assessments (TIAs).

  • Technology & AI Privacy Risk: Experience evaluating new technologies, specifically AI tools within business processes, and establishing compensating controls within a Risk and Control Self-Assessment (RCSA) framework.

  • Data Governance & IT Operations Integration: Practical understanding of metadata unstructured data cataloging and implementing privacy controls directly into ticketing/ITSM systems.

  • Bachelor's Degree (Law, Compliance, Risk, etc.).

  • Excellent communication skills. English fluency is mandatory.

  • Data privacy certifications (e.g. CIPP/E, CIPM) are a significant advantage.

  • Ability to leverage strong organizational and problem-solving skills to efficiently juggle complex tasks, meet critical deadlines and anticipate challenges before they arise.

What we offer
You will get an opportunity to work in an innovative digital bank applying state-of-the-art approaches and technologies.
Unless limited by banking regulations, we offer a flexible form of contract.
You will be provided an Individual Development Budget dedicated to enhancing your professional skills.
If your role permits, we also offer flexible work location: home/office according to your preference.
You and your closest family will be covered with VIP-level private medical care, which includes dental treatment and a hospitalisation package.
We care for our colleagues' well-being, therefore we cover psychological consultations if you ever feel you need such support.
Aion bank account without fee.
We co-sponsor your Multisport card and cover 50% of its cost.
You will work on computer equipment that delivers the best user experience: Apple MacBook.
If you feel like working from the office, we have beautiful space available for you in Brussels and Warsaw. Each office is very nicely located with convenient commute options by public transport and by bike. Our office in Warsaw offers healthy snacks throughout the day.
Our process
We keep our recruiting process simple.
Step 1: Talk with one of our Recruiters about your to-date experiences and ambitions.
Step 2: Meet with your future Team Manager to deep dive on the role specifics and our work environment.
Our note to you

Diverse teams really are the best teams. Research shows that some candidates may hesitate to apply for a job unless they meet every requirement. If you are excited about working with us, we encourage you to apply - even if you're not 100% sure. We are interested in getting to know you and learning about what you bring to the table.

Please note that we may close a job posting early if we receive a large number of exceptional applications.

Good luck!

About us
Read more about what we do on our LinkedIn profile.

Required Experience:

Manager

Key Skills

  • Customer Service
  • Facilities Management
  • Accountancy
  • Administration Support
  • Back Office Support
  • Arabic English Translation
