Apply now »







Title:  Data Privacy Operations Manager

Job ID:  86130
Country:  Poland
City:  Warsaw
Professional area:  Legal
Contract type:  Permanent
Professional level:  Experienced

Warsaw, MZ, PL, 00-841


We’re JTI, Japan Tobacco International and we believe in freedom. We think that the possibilities are limitless when you’re free to choose. In fact, we’ve spent the last 20 years innovating, creating new and better products for our consumers to choose from. It’s how we’ve grown to be present in 130 countries.


But our business isn’t just business. Our business is our people. Their talent. Their potential. We believe when they’re free to be themselves, grow, travel and develop, amazing things can happen for our business. That’s why our employees, from around the world, choose to be a part of JTI. It is why 9 out of 10 would recommend us to a friend. And it is why JTI is recognized with various Employer of Choice certifications across different countries and regions for our top class HR practices and creating thriving conditions for our employees to develop. To find out more please visit Globally Recognized section.


So when you’re ready to choose a career you’ll love, in a company you’ll love, feel free to #JoinTheIdea. Learn more:




 Data Privacy Operations Manager 




What this position is about - Purpose:

An exciting opportunity has arisen to join the Data Privacy Office within the Corporate Governance team. This team brings together under one roof core governance experience and related legal skills and expertise, including in Sanctions, Data Privacy, IT, Contract Management, Corporate Secretary & Holding Legal.


Facing substantial increase in personal data processing and growing risk and complexity of data protection regulations, JTI is investing in a fit-for-JTI governance structure (a “Data Privacy Office”), in order to:


  • support JTI’s consumer-centric and data-driven ambitions
  • enhance governance and reporting
  • manage robustly the privacy and reputational requirements

The Data Privacy Operations Manager is responsible for developing a data privacy control framework, implementing data privacy controls, monitoring, and reporting on their effectiveness to support JTI's global data privacy compliance efforts, as part of the data privacy program. This role reports to the Data Privacy Delivery Director and works closely with the Group Data Protection Director to provide guidance on data privacy risks and related mitigation on group-wide processing activities, for example, by advising relevant stakeholders on control implementation prior to data processing (privacy-by-design) and following up on them to ensure adequate risk mitigation. The role also provides support and practical guidance to our markets and functions on data privacy matters.

What will be the responsibilities:


  • Privacy Management and Controls


Deliver the privacy control framework by crafting controls to adequately mitigate privacy risks at a Group-level. Liaise regularly and consistently with business teams, IT and verticalized Legal function, ensuring that these controls will be seamlessly integrated with business processes. Partner closely with data privacy delivery managers and data privacy champions to drive privacy requirements, for example by supporting stakeholders with guidance, templates and advice when implementing new tools and processes.


  • Reporting & Monitoring


Monitor and report on the privacy control design and its operating effectiveness to support governance requirements. Collaborate closely with privacy delivery team (stakeholders with support from data privacy delivery managers) to continuously improve the control environment. Monitor and follow-up mitigation action plans with risk owners.


  • Data Privacy Culture & Mindset


Create and embed a data privacy culture and mindset, by supporting the upskilling of data privacy champions and training (structural) data controllers to ensure that data protection is fully understood across the business (everyone is accountable).


  • Collaborate with Key Stakeholders


Ensure that Data Privacy controls (identified through various risk and impact assessments) are embedded within business processes by teamwork and alignment with other key stakeholders. Establish a good working relationship and collaborate efficiently with the functions that structurally interact with the Data Privacy Office.


  • People/Talent


Facilitate knowledge sharing about data privacy and risks within the Legal community, leveraging where necessary on the Legal talent pool. Develop solid and mutually beneficial relationships with data privacy champions throughout the company.

Who are we looking for - Requirements:


  • Degree with proven experience in Law, Data Protection or Information Technology, or demonstrable similar relevant experience
  • 1-3+ years of experience within a legal, compliance or audit role advising on privacy and data protection
  • Experience in managing projects, preferably in privacy programs a plus
  • Fluent spoken and written English, other language skills a plus


Functional Skills


  • Good knowledge of data privacy and data protection regulations, any privacy certifications a plus
  • Insight and knowledge of business and related processes in areas such as Digital & IT, Human Resources (P&C), Legal, Finance, and Marketing & Sales
  • Familiarity with OneTrust suite of privacy products a plus


Soft skills


  • Capable of building and maintaining strong relationships with all relevant stakeholders
  • Results-oriented and detail-oriented, able to prioritize, continuous improvement mindset
  • Ability to communicate clearly and concisely the risks and mitigation strategies to stakeholders
  • Ability to leverage technology to coordinate with diverse and high-performing teams across a hybrid working environment
  • Accountable and responsible for achieving objectives, including influencing others outside direct-reporting lines


What are the next steps - Recruitment process


Thank you very much for your interest in the role. You are welcome to apply. We will make sure every candidate will receive a reply within 2 weeks after the application deadline; however, not all candidates will be interviewed.



If you decide to participate in this recruitment, the administrator of your data will be JTI GBS Poland sp. z o.o. with headquarters in Warsaw. Your data will be processed only to support the recruitment process in which you participate. Detailed information on the processing of your data:

How we process your personal data:




Basic information on the processing of personal data


Data Controller:


The data controller is JTI GBS Poland sp. z o.o. with its registered office in Warsaw, ul. Żelazna 51/53, 00-841 Warsaw (‘JTI GBS’).




Purposes of processing:

  1. participation in the recruitment process announced by JTI GBS., in which you are applying;
  2. in case of receiving your consent – enabling participation in recruitment processes conducted by JTI GBS in the future;
  3. if your application is submitted under the employee referral program conducted at JTI GBS - handling your application and implementing the objectives of the program.


In specific situations, JTI GBS may also process your personal data to the extent necessary to establish, assert or defend against claims.


Legal basis for processing:

Ad. 1. Depending on the data scope :


- name, surname, date of birth, contact details, education, course of employment, professional qualifications: necessity for compliance with a legal obligation to which the controller is subject; – Art. 6(1)(c) of the GDPR in connection with Art. 22(1) § 1 of the Labour Code (however education, course of employment and qualifications are required only when it is necessary for the given position);

- other data provided by the candidate: consent – Art. 6(1)(a) of the GDPR


Re. 2. - Future recruitments – consent – Art. 6(1)(a) of the GDPR


Re. 3. - Employee Referral Program - the controller's legitimate interest consisting in conducting effective recruitment - Article 6(1)(f) of the GDPR.


In case your personal data are be processed for the purpose of establishing, investigating or defending against claims, the legal basis of the processing is the legitimate interest of the controller consisting in protecting JTI GBS rights.


GDPR – Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).



Rights related to the processing of personal data:

right to object to the processing of personal data;

right to erasure of data;

right of access to data;

right to restrict the processing of data;

right to rectify data or  complete incomplete data;

right to transfer data;

right to withdraw consent to the processing, at any time;

right to lodge a complaint with the President of the Personal Data Protection Office.



Detailed information on processing: see the questions and answers below.




Detailed information on the processing of your personal data:


  1. Who is the controller of your personal data?

Name and registered office: JTI GBS Poland sp. z o.o., ul. Żelazna 51/53, 00-841 Warsaw

Contact mailbox regarding data processing:

Data Protection Officer: The data controller has appointed a Data Protection Officer who can be contacted directly at the following address: The Data Protection Officer can be contacted in all matters related to the processing of personal data and the exercise of rights related to the processing of such data.

  1. For what purposes is your personal data processed?

Your personal data will be processed for the purpose of enabling you to take part in the recruitment process for the position in JTI GBS to which your application relates. If you have provided your consent to participate in the recruitment processes conducted by JTI GBS in the future, your data will also be processed for this purpose. If your application is considered under the employee referral program, your data will also be processed to accomplish the objectives of the program. In specific situations, JTI GBS may also process your personal data to the extent necessary to establish, assert or defend against claims. Detailed information on the basis of data processing is provided in the table.

  1. What is the data retention period?

The data provided in order to take part in a specific recruitment project will be retained for the period until the end of the recruitment process, up to a maximum of 3 months from the selection of the employee in case no contract has been concluded. If you have given your consent to the processing of your personal data for future recruitments, then your data will be processed until your consent is withdrawn, but for no longer than for 12 months. In case of processing your application under the employee referral program, your personal data will be processed until the objectives of the program have been met. The duration of the processing of your personal data may be extended each time by the period of the statute of limitations for claims, if the processing is necessary to establish, assert or defend against claims.

  1. Who will be the recipients of your personal data?

The data may be transferred to entities processing personal data on behalf of the controller, e.g. IT service providers, entities operating the database, entities handling application requests – however, these entities process data on the basis of an agreement with the controller and only in accordance with the controller's instructions and within the scope of the granted consent. Personal data may also be transferred to other JTI Group companies in connection with intra-group purposes.

  1. Will your personal data be subject to profiling?

During the recruitment process, you may be asked to complete tests (e.g. analytical test, behavioural test, cognitive test) or to participate in an Assessment Center session. In the case of behavioural test, you will be subject to profiling. The system will evaluate the answers you give in the survey and create a profile of your behaviour and preferred working conditions based on these answers. The test is only a support material for the recruiter conducting your recruitment process and no automated decisions are made based thereon.

  1. What are your rights in relation to the processing of your personal data?

You have the right to withdraw your consent for processing of data at any time. The withdrawal of consent shall not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal. You have the right to obtain information about the processing of your personal data concerned in accordance with Art. 15 of the GDPR, including to obtain copies of your personal data. In addition, you may request the rectification of inaccurate personal data, as well as the completion of incomplete personal data. You may also request restriction of the processing in the cases referred to in Art. 18 of the GDPR, as well as the data portability. You have the right to object to the processing of your personal data. You have also the right to erasure your personal data. . When profiling is used (it may take place when using behavioural tests in the recruitment process), you have the right to object to the profiling of your personal data. In order to exercise the above rights, please contact the data controller, e.g. by sending an appropriate request via e-mail. You also have the right to lodge a complaint with the supervisory authority (Poland: President of the Personal Data Protection Office).

  1. Is personal data transferred outside the European Economic Area?

Your personal data may be entrusted for processing to JT International S.A. with its registered office in Switzerland, i.e. outside the European Economic Area (EEA). The European Commission has stated that this country offers an adequate level of personal data protection (Commission Decision of 26 July 2000). The recipient has implemented adequate and appropriate safeguards for your personal data. You have the right to receive a copy of the transferred personal data. Your personal data may also be transferred to other JTI Group companies that are based outside the EEA. Whenever the country to which the transfer of personal data will take place does not provide an adequate level of protection for personal data, JTI GBS will ensure the protection of your personal data in accordance with applicable legislation.

  1. Is provision of the personal data mandatory?

Responding to the Company's advertisement and providing your data is voluntary. However providing the mandatory data is necessary for your application to be considered during the recruitment process. Failure to provide this data will prevent your application from being considered. The provision of other data is voluntary and constitutes the candidate's consent to their processing in the recruitment process. If you raise an objection to the processing of your personal data during the recruitment process, further participation will not be possible.


Job Segment: Compliance, Operations Manager, Data Management, Outside Sales, Marketing Manager, Legal, Operations, Data, Sales, Marketing

Apply now »