PRIVACY COUNSEL

We are seeking an engaged, business-oriented Privacy Counsel to lead and evolve ESTO’s privacy program across the Baltics. You will own our annual GDPR roadmap, provide practical, risk-based advice to cross-functional teams, and help embed compliant, scalable ways of working across products, technology, operations, risk, and commercial teams. You will be a visible partner to leadership and help ESTO deliver innovative financial services while protecting customer trust.

WHAT YOU WILL DO:

• Own and deliver ESTO’s annual privacy plan, aligning priorities with business goals and regulatory expectations across Estonia, Latvia, and Lithuania.
  
• Act as a key member of ESTO’s privacy network, working closely with the Chief Legal Officer, the Data Protection Officer and internal business stakeholders.
• Provide day-to-day counsel on data protection issues, including:
  
  1) Records of Processing Activities (RoPA) maintenance and reviews.
  2) Data Protection Impact Assessments (DPIAs) and Legitimate Interest Assessments (LIAs).
  3) Transfer Impact Assessments (TIAs) and cross-border data transfer mechanisms (e.g., SCCs).
  4) Vendor and data processing agreements, including vendor due diligence and ongoing oversight.
  5) Cookie/consent management and ePrivacy requirements for web and mobile.
  6) Automated decision-making and profiling.
  
• Partner with product and engineering to embed data protection by design and by default into new products, features, scoring models, analytics, fraud prevention, and merchant/partner integrations.
  
• Support the handling of data subject requests, as well as incident and breach response, including investigations, notifications, corrective actions, and lessons learned.
  
• Monitor regulatory developments and translate them into clear, actionable guidance and processes.
  
• Prepare materials and deliver training to increase privacy awareness and accountability across teams.
  
• Contribute to internal audits, controls testing, and readiness for regulator inquiries; coordinate with local data protection authorities as needed.
  
• Track metrics and KPIs to measure program effectiveness and drive continuous improvement.
  

WHO YOU ARE:

• EU-qualified lawyer with minimum 3+ years of post-qualification experience.
  
• Experience advising on GDPR and related regulatory requirements in a fast-paced environment, ideally within fintech, payments, BNPL, lending, or broader financial services.
  
• Proven ability to implement privacy projects end-to-end: mapping data, conducting DPIAs/LIAs/TIAs, managing data subject requests and incidents, remediating risks, and operationalizing controls.
  
• Strong commercial acumen with the ability to give pragmatic, outcome-focused advice that balances risk and growth.
  
• Comfortable working independently and taking ownership, while being a collaborative team player who builds trust across functions.
  
• Excellent communication skills in English and Estonian, both spoken and written;
• Nice to have skills: Experience with consumer credit and marketing privacy issues, credit bureau data, AML/KYC data processing, and retention strategies. Understanding of information security related regulations and standards. Track record engaging with Baltic DPAs and/or other regulators.

WE OFFER

🌟 Be Part of Something BIG: Gain hands-on experience in a fast-growing fintech   company.

🤝 Work with the Best: Join a tight-knit, highly skilled team where open communication and collaboration drive success.

🏡 Work Your Way: Enjoy a hybrid setup, balancing office time and remote work to suit your lifestyle.

🛡️ We’ve Got You Covered: Benefit from sick leave compensation, Stebby, additional health days, and a flexible work environment that prioritizes your well-being.

🎉 Stay Active and Connected: Take birthday leave, join fun team events, and enjoy plenty of opportunities to unwind.