Universal Registration Document 2025

Board of directors

The Groupe’s data protection policy is based on key principles such as transparency and respect for individual rights. The Privacy-by-Design and Default policy provides teams with guidance on how to take data protection issues into account in their day-to-day activities and comply with current legislation and best practices. This approach facilitates cooperation with all teams from the earliest stages of a project, in close contact with client-side teams and their partners, so that data protection is well integrated into systems and solutions. [ESRS 2 MDR-P]

These compliance issues are handled with vigilance, in order to ensure that the teams are well trained and supported to maintain a high standard of compliance. Training on data protection principles and on security issues is mandatory for all employees. More specific and in-depth training is given where there are specific regional issues, such as the European/United Kingdom GDPR (General Data Protection Regulation) or the regulations of the various states in the United States, or industry-related issues, such as digital advertising.

As required by law, the Groupe offers consumers access to their privacy rights. For example, with Epsilon, certain rights can be exercised using an automated tool: https://legal.epsilon.com/dsr. In addition, in the United States, Epsilon indicates in its privacy policy the number of requests received from consumers during the previous year: https://legal.epsilon.com/us/NAproducts-privacy-policy. [ESRS 2 MDR-A]

2) Certifications and compliance

In 2025, Publicis Groupe was assessed by CyberVadis and remains in the top 1% of best-performing companies in terms of security and data protection (score for 2025: 980/1000), thanks to the joint work between the GDPO and the GSO.

A summary of data protection policies can be found in Janus and is publicly available on the Groupe’s website, in the CSR library. Employees can directly contact the GDPO and its teams: privacyofficer@publicisgroupe.com. [ESRS 2 MDR-P]

3) With suppliers and partners

Suppliers are subject to an initial due diligence whose purpose is to assess their processes and policies in terms of data protection and security, to verify their compliance and to understand their practices. The various GDPO, GDPOps and GSO teams work together for these initial reviews. Suppliers and partners must also complete a self-assessment of compliance with laws and best practices. The contracts contain strict contractual obligations, in particular data protection declarations and guarantees. A Data Processing Addendum (DPA) is systematically distributed to suppliers, partners and publishers. This work is carried out in cooperation with the Procurement Department (see Section 4.3.10). [ESRS 2 MDR-A]

4) Artificial intelligence

The Privacy-by-Design policy incorporates issues related to the use of artificial intelligence (AI) in processes and various systems, so that responsibilities are clear, with rigorous oversight and strong governance. The regulatory environment around AI is constantly evolving, with many countries having introduced specific laws for AI, as has Europe with the AI Act. The Groupe has taken a number of measures to ensure that employees are trained in these new uses and the resulting challenges. The legal teams pay particular attention to the terms contained in contracts with both clients and suppliers.

4.3.11.8 Data security system and role of the Global Security Office (GSO)
1) Governance, role and mission

At Publicis Groupe, information security is everybody’s responsibility. The security program is led by a dedicated team from the Global Security Office (GSO), which brings together highly experienced professionals whose expertise is certified, for example: CISSP, CISA, CISM and CRISC.

The GSO is responsible for data security policies, guidelines and standards applied throughout the Groupe. The security program is based on a logic of continuous improvement, with ongoing assessment of security risks and monitoring of the application of security policies. The work of the GSO is managed and monitored by the Groupe’s Top Management.

The GSO oversees several programs such as security compliance, risk management, vulnerability testing, technical reviews, continuity plans and educating employees about these security risks. Particular attention is paid to training all teams using different communication methods (blogs, articles, videos, tests, graphics, etc.) with content available in six languages (French, English, Spanish, Chinese, Portuguese, German) to build a culture of security across the entire Groupe.

All employees must complete mandatory training on data security upon joining the Groupe, followed by annual updates. In addition, other training courses are available on request, depending on responsibilities. The GSO coordinates regular communication to reinforce best practices and highlight emerging threats. [ESRS 2 MDR-A]