Data Protection and Security Manager

N26 Berlin

Stellenbeschreibung:

About the opportunity

Are you ready for your next career step? We are looking for an experienced Data Protection & Security Manager to join the Data Protection & Governance team within the CISO Office. In this pivotal role, you will help ensure N26 meets its data protection obligations. You will play a key role in ensuring continuity of privacy risk coverage, supporting regulatory readiness, and strengthening how data protection requirements are embedded in day-to-day operations.

In this role, you will:

Design, maintain and continuously improve the data protection risk management framework (e.g. methodologies, risk taxonomy and scoring models), ensuring alignment with the wider NFR and operational risk framework as well as applicable regulatory requirements on the protection of personal data and data subjects’ rights.
Maintain the Data Protection Controls Effectiveness Testing and Evaluation Procedure, coordinate the implementation and maintenance of those controls with first-line owners, and report on identified deviations, weaknesses and remediation progress.
Maintain and further develop the data protection risk register and key metrics, ensuring consistent methodologies, high-quality input from first-line stakeholders and clear visibility of inherent and residual risks.
Act as a 2LoD point of contact for internal data protection–related topics, supporting the DPO and CISO Office on data privacy practices in the EU (e.g. GDPR and applicable local privacy laws) and related information security and resilience risks, with awareness of relevant banking and technology regulations such as DORA, MaRisk.
Ensure the proper and timely involvement of the DPO in all relevant personal data protection matters, including coordination, follow-up and the administrative support needed to involve the DPO effectively.
Manage the DPO mailbox / dedicated data protection mailbox, including triage and prioritisation of incoming requests, initial assessment, and coordination of responses to internal and external queries.
Develop and prepare regular privacy and data protection risk reports and global “health check” overviews that provide management and governance forums with a consolidated view of key risks, trends and remediation progress.
Manage or support the Data Protection General Training & Awareness program and required privacy-related trainings, and contribute to the broader data protection & privacy program at N26 (e.g. roadmap, key initiatives, maturity improvements and regular reporting to governance bodies).
Work cross-functionally and build strong relationships to strengthen and enhance data privacy compliance, embed data protection and governance requirements into day-to-day operations, and close identified gaps, findings and audit actions.
Monitor regulatory developments (e.g. EU AI Act) and emerging privacy and cyber/ Information security risks, translating them into practical guidance and continuous improvements to N26’s overall data protection and governance framework.
Support audit and regulatory readiness by managing privacy-related findings and action plans, ensuring clear ownership, evidence quality, and timely closure.

What you need to be successful:

Background:

Bachelor's degree in Law, Information Security, Information Technology, Risk Management, or a related field would be preferable but not mandatory.
Professional privacy certifications such as IAPP CIPP/E / CIPM.
Professional security management certifications such as CISA / CISM / CRISC, or equivalent are preferable.
Minimum of 3–5 years of experience in data protection / privacy risk management, ideally within the banking or financial services industry.
Experience working with risk and control frameworks, audits, regulatory readiness, and remediation tracking is highly advantageous.
An understanding of information security concepts (e.g., access control, logging, encryption, incident management) and how they intersect with privacy requirements.
Experience with third‑party / outsourcing privacy topics (e.g., DPAs, sub‑processors, PIAs/TIAs, vendor risk inputs).
Should be able to leverage modern tooling (including AI where appropriate) to improve risk reporting.

Skills:

Strong stakeholder management skills, with the ability to influence, challenge constructively, and align cross‑functional teams.
Strong project and prioritisation skills, with the ability to manage multiple workstreams and drive actions to closure.
Strong analytical skills with the ability to assess privacy risk, identify gaps, and propose pragmatic, risk‑based recommendations.
Effective communication and interpersonal skills, with the ability to explain privacy and security concepts to non‑technical stakeholders.
Strong report‑writing and documentation skills (e.g., risk rationales, oversight notes, evidence tracking, management‑level summaries).
Good understanding of information security fundamentals and how they intersect with data protection requirements.
Fluency in English (verbal and written) is mandatory. German is a plus.