Data Protection Officer
Roboyo is a category shaper in Agentic Automation. We help leading brands embed autonomous, AI‑powered agents into their workflows, processes, products and services so they can scale faster and operate smarter.
Built on a strong automation heritage, we focus on the seamless integration of AI into enterprise-level organizations: not just proving concepts, but owning outcomes and driving value in every industry in which we are present. At Roboyo, you’ll join a global team of builders, consultants and engineers who are top practitioners in taking solutions to the next level for clients in pursuit of excellence.
About the Role
The Data Protection Officer (DPO) is responsible for ensuring compliance with the General Data Protection Regulation (GDPR) and Portuguese Data Protection Law (Law No. 58/2019 of 8 August), both:
- Internally, within the organization, and
- Externally, as an outsourced DPO, providing specialized data protection services to the organization’s clients.
The DPO performs an independent advisory and monitoring function, supporting data protection risk management, promoting best practices, and acting as the primary point of contact with the Portuguese Data Protection Authority (CNPD) and with data subjects.
Reporting Line
Reports directly to Top Management (managing director), acting with full functional independence, in accordance with Article 38 of the GDPR.
In the context of outsourced services, the DPO acts independently in relation to each client entity, in accordance with the applicable service agreement.
Scope of Activities
The DPO performs their duties in relation to:
- The organization itself (as controller and/or processor), and
- Client organizations that formally designate the DPO as their external DPO under a services agreement.
In all contexts, the DPO ensures:
- Functional independence
- Professional secrecy and confidentiality
- Absence of conflicts of interest
- Clear segregation of responsibilities between clients and internal activities
Key Responsibilities
1. Advisory and Compliance
- Inform and advise the organization and its clients, including their management bodies and employees, on obligations arising from the GDPR and applicable national data protection legislation.
- Monitor compliance with data protection laws, internal policies, procedures, and governance frameworks.
- Promote the implementation of privacy by design and privacy by default principles across processes, systems, and services.
2. Risk Management and Impact Assessments
- Advise on and monitor the performance of Data Protection Impact Assessments (DPIAs), both internally and for clients.
- Identify, assess, and support the mitigation of risks related to personal data processing, including technical, organizational, and contractual risks.
3. Audits and Controls
- Ensure the performance of periodic and ad‑hoc data protection audits.
- Assess the data protection maturity of the organization and its clients, proposing improvement plans where appropriate.
- Promote awareness regarding early detection of security incidents and compliance with incident reporting procedures.
4. Personal Data Breach Management
- Support the management of personal data breaches, including:
  - Risk assessment,
  - Support in decision‑making regarding notification obligations,
  - Communication with the CNPD,
  - Assistance with communication to data subjects, where applicable.
5. Training and Awareness
- Design and deliver data protection training and awareness programs for internal staff and clients.
- Promote a culture of accountability and compliance in relation to privacy and personal data protection.
6. Relationship with Authorities and Data Subjects
- Act as the main point of contact with the Portuguese Data Protection Authority (CNPD), both for the organization and for clients that have appointed the DPO.
- Serve as a contact point for data subjects in relation to the exercise of their rights.
- Cooperate with the supervisory authority whenever required.
7. Records, Contracts, and Documentation
- Oversee and maintain Records of Processing Activities (RoPA).
- Review and issue opinions on contracts, particularly those involving processors, sub‑processors, and suppliers, ensuring GDPR compliance.
- Support clients in the preparation of privacy policies, notices, and mandatory GDPR documentation.
Qualifications and Experience
Mandatory
- Proven expert knowledge of personal data protection, GDPR, and Portuguese Law No. 58/2019.
- Relevant professional experience in data protection, privacy, compliance, legal, IT governance, or information security roles.
- Ability to perform the role with independence, impartiality, and absence of conflicts of interest, including in a multi‑client environment.
- Excellent communication skills in Portuguese; strong command of English for international and client‑facing contexts.
Desirable
- University degree in Law, Information Systems, Computer Science, Information Security, or a related field.
- Demonstrated experience as an external / outsourced DPO.
- Experience in regulated sectors and multi‑client service models.
- Professional certifications in data protection or information security (valued but not legally required).
Model for Performing the Role
- The DPO performs both internal and external functions with clear segregation of contexts, clients, and responsibilities.
- For each client:
  - A formal DPO appointment is in place,
  - The scope and limits of the services are contractually defined,
  - Direct access to the client’s top management is ensured.
- The DPO does not receive instructions regarding the performance of their statutory tasks and must not be penalized for exercising their duties.
We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.
Privacy Notice: By applying, you consent to the processing of your personal data for recruitment purposes in line with our Privacy Policy: https://roboyo.global/data-privacy/

