Data Protection Specialist, Vienna At Organization for Security and Co-operation in Europe (OSCE)

Closing date: Sunday, 21 May 2023


This position is open for secondment only and participating States are kindly reminded that all costs in relation to an assignment at the Secretariat must be borne by their authorities.

Candidates should, prior to applying, verify with their respective nominating authority to which extent financial remuneration and/or benefit packages will be offered. Seconded staff members in the OSCE Secretariat and Institutions are not entitled to a Board and Lodging Allowance payable by the Organization.

The OSCE has a comprehensive approach to security that encompasses politico-military, economic and environmental, and human aspects. It therefore addresses a wide range of security-related concerns, including arms control, confidence and security-building measures, human rights, combating human trafficking, national minorities, democratization, policing strategies, counter-terrorism and economic and environmental activities. All 57 participating States enjoy equal status, and decisions are taken by consensus on a politically, but not legally binding basis.

The OSCE Secretariat in Vienna assists the Chairmanship in its activities, and provides operational and administrative support to the field operations, and, as appropriate, to other institutions. The Department of Management and Finance (DMF) is responsible for managing the material and financial resources of the Organization. The objective of DMF is to provide efficient and effective management of non-staff resources in support of OSCE programmatic activities. It provides policy guidance on the management of OSCE financial and material resources and develops and maintains OSCE Financial Regulations and Rules and Financial Administrative Instructions. DMF consists of Budget and Finance Services, General Services Section, Information and Communication Technology Section and the Information Security and Co-ordination Unit.

Tasks and Responsibilities:

Under the direct supervision of Senior Information Security and Risk Management Officer and in close co-ordination with relevant Units at the OSCE Secretariat, Data Protection Specialist should advance data protection and privacy processes based on the OSCE Personal Data Protection Administrative Instruction No. 2/2022 as well as other relevant policies. To oversee and co-ordinate effective and consistent implementation of data protection and privacy processes including establishing as well as steering an effective Focal Point network in all Executive Structures, providing technical advice, designing training for the Focal Points and conducting regular monitoring of data subjects‘ information to ensure compliance with the established standards and rules. The incumbent will be asked to do the following:

  •  Acting as the OSCE Data Protection Specialist to co-ordinate effective and consistent implementation of the OSCE Personal Data Protection Administrative Instruction No.2/2022 (AI) according to international requirements, best practices and in compliance with the recent EU pillar assessment results on data privacy in consultation with key stakeholders;
  •  Steering the implementation of the OSCE data protection policy in co-ordination with all relevant stakeholders and conducting the relevant consultation processes, so that an effective implementation policy or guidelines, business processes/SOP’s are drafted and promulgated;
  •  Establishing and steering an effective Focal Point network in all OSCE Executive Structures;
  •  Assessing data protection risks within the Organization, especially in the area of Human Resources and Procurement, in close co-operation with the Information Security and Risk Management Unit;
  •  Benchmarking against best data protection practices in other International Organizations in order to develop business processes and SOPs including templates and co-ordinate the consultation process;
  •  Developing a methodology to follow when carrying out a Data Privacy Impact Assessment (DPIA), assessing and defining risk mitigation measures, reviewing DPIA conclusions and making recommendations; requesting and commissioning DPIA independently, when required and providing advice to the data controllers and processors on the methodology;
  •  Developing and implementing consent management processes throughout relevant areas. In situations where data is processed based on consent, a clear consent form/clause should be drafted;
  •  Reviewing and completing the existing Personal Data Inventory on the basis of a data mapping exercise;
  •  Supplementing Personal Data Inventory by the categories of data recipients, Data Processing Agreements (DPAs) concluded with them and references to international data transfers;
  •  Developing procedures to react to possible personal data breaches, including a procedure for complaints by data subjects, establishing a record of complaints in close co-operation with the Office of Legal Affairs;
  •  Making proposals for adequate provision of information that information on processing personal data is made available on the OSCE website as appropriate;
  •  Providing strategic policy and/or technical advice to OSCE Executive Structures on personal data protection matters;
  •  Co-ordinating a review of an appropriate OSCE Retention Schedule for personal sensitive data with benchmarking against other International Organizations’ best practices and other relevant stakeholders in close co-operation with OSCE Records Management;
  •  In collaboration with key stakeholders, initiating, designing and delivering training modules with the ultimate objective of building corporate technical knowledge and expertise on data protection;
  •  Providing any additional services upon request related to overseeing and co-ordinating effective and consistent implementation of the OSCE Personal Data Protection Administrative Instruction No.2/2022
  •  Performing other related tasks as assigned.

For more detailed information on the structure and work of the OSCE Secretariat, please see:

Necessary Qualifications:

  •  First-level university degree in political science, business administration, law or international law or similar related fields;
  •  A minimum of six years of experience in privacy and data protection disciplines;
  •  Working knowledge of how to design and establish business processes, SOPs preferably related to data protection and privacy programmes including how to achieve business alignment, data governance, managing of data subject issues and data breaches;
  •  Familiarity with privacy and security risk assessment and best practices, privacy certifications/seals and information security standards certifications;
  •  Good drafting, reporting and presentation skills;
  •  Professional fluency in English; knowledge of other OSCE languages is an asset;
  •  Ability to integrate a gender perspective in data privacy policies and procedures.
  •  Demonstrated gender awareness and sensitivity, and an ability to integrate a gender perspective into tasks and activities;
  •  Ability and willingness to work as a member of team, with people of different cultural, and religious backgrounds, different gender, and diverse political views, while maintaining impartiality and objectivity;
  •  Computer literate with practical experience using Microsoft applications;
  •  Certifications such as CIPP/E/U, and/or CIPM, CIPT is desirable;
  •  Knowledge on the most relevant risk management industry standards (ISO 31000, ISO 27001, NIST, CREST) is an asset.

If you wish to apply for this position, please use the OSCE’s online application link found under

The OSCE retains the discretion to re-advertise/re-post the vacancy, to cancel the recruitment, to offer an appointment with a modified job description or for a different duration.

Only those candidates who are selected to participate in the subsequent stages of recruitment will be contacted.

Please note that vacancies in the OSCE are open for competition only amongst nationals of participating States, please see

The OSCE is committed to diversity and inclusion within its workforce, and encourages the nomination of qualified female and male candidates from all religious, ethnic and social backgrounds.

Candidates should be aware that OSCE officials shall conduct themselves at all times in a manner befitting the status of an international civil servant. This includes avoiding any action which may adversely reflect on the integrity, independence and impartiality of their position and function as officials of the OSCE. The OSCE is committed to applying the highest ethical standards in carrying out its mandate. For more information on the values set out in OSCE Competency Model, please see

Please be aware that the OSCE does not request payment at any stage of the application and review process.

Please apply to your relevant authorities well in advance of the deadline expiration to ensure timely processing of your application. Delayed nominations will not be considered. The OSCE can only process Secondment applications that have been nominated by participating States. For queries relating to your application, please refer to the respective delegation as listed here:

Additional Information

  •  Issued by: OSCE Secretariat
  •  Requisition ID: SEC000096
  •  Contract Type: International Secondment
  •  Grade: S
  •  Job Type: Seconded
  •  Number of posts: 1
  •  Location: SEC – OSCE Secretariat, Vienna
  •  Issue Date: Dec 14, 2022
  •  Closing Date: May 22, 2023
  •  Employee Status: Short-Term
  •  Schedule: Full-time
  •  Education Level: Bachelor’s Degree (First-level university degree or equivalent)
  •  Job Field: Information Technology and Information Management
  •  Target Start Date: As soon as possible


June 2024