By way of illustration, the policies put in place by Epsilon describe how consumers or end-users can exercise their rights simply and directly on the website: https:// legal.epsilon.com/dsr. These policies are reviewed annually to ensure that they comply with the local regulatory context and incorporate best practices. [S4-1-AR 13]
The example of Free Thinking in France: a pioneer and pure player in collaborative work, FreeThinking is dedicated to the detection of trends and insights in France and internationally – studies conducted in 26 countries. For nearly 20 years, they have been developing their investigative tools in the service of social and societal listening. The FreeThinking conversational platform is a 100% responsive agora for an “ATAWAD(1)” reflection as close as possible to new consumer uses, and the FreeThinking Gallery is a space for illustrations/photos. Tools designed to work iteratively and push reflection as far as possible, as well as to work in projection or observation.
The GDPO (Global Data Privacy Office) is an experienced team of specialists, lawyers and certified professionals, working under the supervision of the Chief Data Protection Officer (CDPO). The GDPO is part of the Groupe’s Legal Department, which reports to the Secretary General. Its role is to oversee the data protection program, advise agencies on protection issues and help them with risk management. It also participates in various professional bodies or joint initiatives such as IAB EU’s Transparency & Consent Framework and the IAB, US’ CCPA Framework. The deployment of the global data protection program is managed by a central team, in charge of the implementation and support to the local Country/Regional Privacy Operational Leads. They work closely with the Data Privacy Stewards appointed in each agency to implement the action plan, worldwide. This hybrid operation, with centralized and local governance, ensures that all entities are aligned behind the same principles and rules, while enabling agencies to respond to more specific issues linked to their country or region.
The GDPO and GDPOps teams work closely with the GSO (Global Security Office) on technical or organizational aspects to ensure the protection of personal data and their encryption, transfer and storage, as well as destruction. A Groupe process is dedicated to incident response (Incident Response Process) to manage cybersecurity incidents and data breaches. [S4-3-25 (b)]
The Groupe’s data protection policy is based on key principles such as transparency and respect for individual rights. The Privacy-by-Design policy and the Default policy provide teams with guidance on how to take data protection issues into account in their day-to-day activities and comply with current legislation and best practices. This very early stage approach facilitates cooperation with all teams from the earliest stages of a project, so that data protection is well integrated into systems and solutions, and in close contact with client-side teams and their partners. [S4-1-15]
These compliance issues are handled with vigilance, in order to ensure that the teams are well trained and supported to maintain a high standard of compliance. Training is mandatory for all employees on data protection principles as well as security issues. More specific and in-depth training is given when there are specific regional issues such as on the European/United Kingdom GDPR (General Data Protection Regulation) or for the regulations of the various states in the United States, or those industry-related, such as digital advertising.
As required by law, the Groupe offers consumers access to their privacy rights. For example, with Epsilon, certain rights can be exercised using an automated tool: https:// legal.epsilon.com/dsr. In addition, in the United States, Epsilon indicates in its privacy policy the number of requests received by consumers during the previous year: https:// legal.epsilon.com/us/NA-products-privacy-policy. [S4-3-25 (b)]
In 2024, Publicis Groupe, as Data Controller, did not notify a regulator of any data breach.
