Digital Affairs & DPO Senior Specialist
Job Summary
About Us
Nu is one of the largest digital financial platforms in the world, with more than 127 million customers across Brazil, Mexico, and Colombia. Guided by our mission to fight complexity and empower people, we are redefining financial services in Latin America, and this is still just the beginning of the purple future we're building.
Listed on the New York Stock Exchange (NYSE: NU), we combine proprietary technology, data intelligence, and an efficient operating model to deliver financial products that are simple, accessible, and human.
Our impact has been recognized by global rankings such as Time 100 Companies, Fast Company's Most Innovative Companies, and Forbes World's Best Bank. Visit our institutional page
About the role
- As a Digital Affairs & DPO Senior Specialist based in the United States, you will play a senior role in Nubank's global privacy function, acting as a key point of contact for complex privacy, data protection, and AI topics in the US while supporting our global privacy governance program.
- You will bridge high-level legal strategy and day-to-day program execution, combining hands-on product counseling with ownership of core privacy governance workflows (RoPA, DPIAs/PIAs, DSRs, incident response, third-party risk, metrics) across multiple jurisdictions.
- Protecting personal data is fundamental to maintaining the fanatical trust our customers place in us. This role ensures that, as Nubank expands its footprint and launches data-intensive products (including in the US), our privacy and AI governance remain compliant, scalable, business-enabling, and deeply embedded into our technology and product lifecycle.
- You will respond to the Global DPO and work closely with Legal, Compliance, IT Security, Data, Risk, and Products teams to identify and close privacy and AI-related gaps, design pragmatic controls, and translate complex regulatory expectations (e.g., US federal and state privacy laws, LGPD, GDPR) into simple, repeatable mechanisms that enable innovation.
You'll be responsible for:
Product Legal Counseling (Privacy, Data Protection & AI)
- Provide clear, fast, and actionable legal guidance to product, engineering, data, and business teams on US and global privacy, data protection, AI, and cybersecurity questions, with focus on data-intensive products and internal tools.
- Conduct legal risk assessments for new and existing products, features, and AI/ML use cases (including automated decision-making, profiling, biometrics, fraud/credit models), aligning recommendations with Nubank's risk appetite and product strategy.
- Draft, review, and negotiate privacy-relevant documentation (e.g., DPAs, data sharing agreements, vendor addenda, privacy and AI notices, in-product disclosures, terms of service, and consent flows), including cross-border data transfer mechanisms.
- Translate complex and evolving US and international privacy/AI requirements into simple operational guidance and design patterns for squads, avoiding legal black boxes and enabling self-service where possible.
Privacy Governance & Program Management
- Work closely with the Global DPO to co-lead the execution of the global privacy governance roadmap, ensuring clear ownership, milestones, and visibility to leadership.
- Own or co-own key pillars of the Privacy Governance Program as they relate to the US and global scope, including:
  - Record of Processing Activities (RoPA) and personal data mapping;
  - Privacy and data protection risk management and controls;
  - DPIAs/PIAs and other privacy risk assessments at scale;
  - Global data subject rights (DSR) strategy and processes;
  - Training, awareness, and privacy metrics.
- Design and implement projects to simplify and automate privacy governance wherever possible (e.g., templates, workflows, playbooks, self-service tools), balancing regulatory expectations with business velocity.
Data Subject Rights, Transparency & US-Focused Governance
- Maintain and enhance how Nubank handles data subject rights requests across geographies, with particular focus on US privacy rights (e.g., access, deletion, correction, portability, opt-out mechanisms, sensitive data rules under state laws).
- Partner with CS/Ops and engineering teams to scale DSR handling, ensuring consistent identity verification, response quality, and SLA adherence without increasing operational headcount.
- Support the design and continuous improvement of privacy notices, in-product privacy UX, and choice mechanisms for US users, ensuring alignment with global standards and local requirements.
Third-Party & Data Sharing Governance
- Assess third parties and new data-sharing arrangements (including US vendors and cross-border engagements) from a privacy and AI-governance perspective, recommending proportionate controls and contractual protections.
- Enhance end-to-end third-party due diligence and oversight flows together with Procurement, Security, Risk, and Data, ensuring that privacy controls are embedded in onboarding, monitoring, and offboarding.
Privacy Incident Response & Regulatory Readiness
- Coordinate and continuously improve the global privacy incident response process, focusing on impact assessments, escalation, remediation, and documentation that stand up to regulatory scrutiny in the US and abroad.
- Lead or co-lead privacy/legal workstreams in complex incidents (including those involving US data subjects or US regulators), advising on notification strategy to individuals, DPAs, and other authorities.
- Contribute to regulatory-readiness initiatives (audits, supervisory processes, evidence frameworks) that demonstrate maturity of Nubank's privacy and AI governance program.
Digital Public Policy & Institutional Positioning (Privacy, Data & AI)
- Support Digital Affairs and Public Policy teams in monitoring, interpreting, and prioritizing US and international privacy, data, and AI regulatory developments, connecting them with concrete risks and opportunities for Nubank's products.
- Help craft clear, well-reasoned positions for Nubank in consultations, hearings, industry forums, and regulatory dialogues, ensuring consistency between our public narrative and our internal governance.
- Identify where product governance and advocacy work should reinforce each other (e.g. aligning DPIA/AI risk frameworks with emerging US and EU AI rules).
Cross-Functional Leadership & Ways of Working
- Act as a senior, trusted counterpart for leaders in Product, Tech, Data, Security, Risk, Compliance, and Operations on privacy and digital governance topics.
- Mentor and upskill peers and more junior team members (in Digital Legal and DPO) on US privacy/AI topics, complex governance problems, and stakeholder management, while operating as an individual contributor (IC).
- Use Nubank's hybrid work model to collaborate effectively across time zones and locations, making extensive use of asynchronous tools (Docs, Slides, Slack, Jira, Confluence, AI tools).
We are looking for a person who has:
Skills and Knowledge (What)
- Outstanding organizational, communication, and relationship-building skills, with the ability to explain complex legal and governance concepts to non-lawyers in a clear, actionable way.
- Deep hands-on knowledge of US privacy and data protection laws (e.g., CCPA/CPRA, sectoral and state privacy laws) and practical familiarity with international data protection regulation, particularly GDPR.
- Strong understanding of AI, data, and cyber topics, including automated decision-making, profiling, model governance, and AI-driven products, and how they intersect with privacy and consumer protection.
- Proven ability to act as an enabler, not a blocker, designing solutions and trade-offs that let privacy, AI governance, and innovation coexist in practice.
- Solid experience with privacy governance frameworks (e.g., privacy management frameworks, DPIAs/PIAs, RoPA, controls and metrics) and corporate risk management methodologies.
- Comfort operating in a lean, global environment, navigating ambiguity and balancing short-term risk decisions with long-term governance maturity.
- Strong experience with productivity and collaboration tools (e.g., Jira, Confluence, Slack, Google Workspace) and openness to using AI tools to enhance efficiency (drafting, analysis, documentation).
- Excellent written and verbal communication skills in English; Portuguese or Spanish is a plus.
Achievements and Experience (What, How, Where)
- 8 years of post-qualification experience in privacy, data protection, and/or technology law, with a significant portion dedicated to digital products and/or fintech/financial services, or equivalent experience in-house or in top law firms / consultancies.
- Demonstrated track record of leading complex privacy and/or AI matters end-to-end, such as:
  - Launching or significantly redesigning data-intensive products under US and international privacy rules;
  - Implementing or maturing a privacy governance or AI governance framework;
  - Leading or advising on complex data or AI incidents and regulatory interactions.
- Experience working closely with engineering and data teams, ideally in a product-counsel or privacy-by-design capacity.
- Experience interfacing with, or supporting interactions with, regulators, DPAs, or supervisory authorities (US or international) is strongly preferred.
- Law degree (JD or equivalent) and active license in at least one US jurisdiction, or equivalent senior in-house/regulatory experience; relevant privacy certifications (e.g., CIPP/US, CIPP/E, CIPM, EXIN DPO) are a plus.
Our Benefits
- Opportunity of earning equity at Nu
- Medical Insurance
- Dental and Vision Insurance
- Life Insurance and AD&D
- Extended maternity and paternity leaves
- Nucleo - Our learning platform of courses
- NuLanguage - Our language learning program
- NuCare - Our mental health and wellness assistance program
- 401K
- Saving Plans - Health Saving Account and Flexible Spending Account
- Work-from-home Allowance
- Relocation Assistance Package if applicable.
Work Model for this Role
- Option 1: Hybrid 2-3 times/week: Our hybrid work model brings us to the office at least twice a week on strategic days designed to maximize team connection and collaboration. For more details visit Experience:
Senior IC
About Company
You, finally in control of your money. Full control of your credit card and your 100% digital account.