Universal Registration Document 2023

4. Corporate Social Responsibility Non-Financial Performance - AFR

4.3.3 Data protection: Role of the Global Data Privacy Office (GDPO)

1) Governance, organization and mission

The GDPO (Global Data Privacy Office) is an experienced team of specialists, lawyers and certified professionals, working under the supervision of the Chief Data Protection Officer (CDPO). The GDPO is part of the Groupe’s Legal Department, which reports to the Secretary General. Its role is to oversee the data protection program, advise agencies on data protection issues and help them with risk management. It also participates in various professional bodies and joint initiatives, such as IAB Europe’s Transparency & Consent Framework and IAB US’s CCPA Framework. The deployment of the global data protection program is managed by a central team, in charge of implementation and of supporting the local Country/Regional Privacy Operational Leads. They work closely with the Data Privacy Stewards appointed in each agency to implement the action plan worldwide. This hybrid operation, with centralized and local governance, ensures that all entities are aligned behind the same principles and rules, while enabling agencies to respond to more specific issues linked to their country or region.

The GDPO and GDPOps teams work closely with the GSO (Global Security Office) on technical or organizational aspects to ensure the protection of personal data and their encryption, transfer and storage, as well as destruction. A Groupe process is dedicated to incident response (Incident Response Process) to manage cybersecurity incidents and data breaches.

The Groupe’s data protection policy is based on key principles such as transparency and respect for individual rights. The Privacy by Design and by Default policy provides teams with guidance on how to take data protection issues into account in their day-to-day activities and comply with current legislation and best practices. This early-stage approach facilitates cooperation with all teams from the start of a project, so that data protection is well integrated into systems and solutions, in close contact with client-side teams and their partners. The Privacy-by-Design policy also covers issues related to the use of artificial intelligence (AI) in processes and systems, so that responsibilities are clear, with rigorous oversight and strong governance.

These compliance issues are handled with vigilance, in order to ensure that teams are well trained and supported to maintain a high standard of compliance. Training on data protection principles and security issues is mandatory for all employees. More specific and in-depth training is given where there are regional requirements, such as the European GDPR (General Data Protection Regulation) or the CCPA (California Consumer Privacy Act), or industry-specific requirements such as those of digital advertising.

As required by law, the Groupe offers consumers the means to exercise their privacy rights. For example, with Epsilon, certain rights can be exercised using an automated tool: https://legal.epsilon.com/dsr. In addition, in the United States, Epsilon indicates in its privacy policy the number of requests received from consumers during the previous year: https://legal.epsilon.com/us/NA-products-privacy-policy.

In 2023, Publicis Groupe, as Data Controller, did not notify a regulator of any data breach.

2) Certification

In 2023, Publicis Groupe was assessed by CyberVadis and remains in the top 1% of companies in terms of security and data protection (score for 2023: 958/1000), thanks to the joint work between the GDPO and the GSO.

A summary of data protection policies can be found in Janus and is publicly available on the Groupe’s website, in the CSR library. Data protection issues are centralized and each employee can directly contact the GDPO and its teams: privacyofficer@publicisgroupe.com.

3) With suppliers and partners

Suppliers are subject to an initial due diligence whose purpose is to assess their data protection and security processes and policies, to verify their compliance and to understand their practices. The GDPO, GDPOps and GSO teams work together on these initial reviews. Suppliers and partners must also complete a self-assessment of compliance with laws and best practices. The contracts contain strict contractual obligations, in particular data protection representations and warranties. A Data Processing Addendum (DPA) is systematically distributed to suppliers, partners and publishers. This work is carried out in cooperation with the Procurement Department (see Section 4.3.9 of this document).