Advertising and communication activities involve the processing of a significant volume of personal data. Laws and regulations governing personal data protection are complex, constantly evolving, differ from one country to another and entail significant and increasing compliance costs. Supervisory authorities are showing heightened scrutiny and are imposing increasingly substantial financial sanctions. Enforcement policies, regulators’ interpretations of applicable regulations, as well as constraints relating to cross-border data transfers, are becoming more stringent. As part of its digital strategy, the European Union has introduced regulations affecting the advertising and marketing industry, with the objective of steering the European Union toward a single digital market and “creating a safer digital space where the fundamental rights of users are protected and to establish a level playing field for businesses”. These include the Digital Services Act, the Digital Markets Act and the Data Governance Act.
Following the General Data Protection Regulation (EU) 2016/679 (GDPR), a growing number of countries have adopted personal data protection regulations. In the United States, in the absence of federal regulations, many states, such as California, Virginia, Colorado, Connecticut, Iowa, Montana and Utah, have enacted data protection laws. Other states such as Indiana, Kentucky, and Rhode Island will follow in 2026. These laws strengthen the requirements in connection with how companies are authorized to use consumers’ personal data. Other U.S. states have adopted or are in the process of proposing their own data protection bills which, if enacted, would increase complexity by further fragmenting the legislative landscape. In addition, some U.S. states have introduced new laws governing the processing of sensitive data. It is likely that other U.S. states will follow this approach in the near future.
Many other countries have enacted data protection laws, including Brazil, the People’s Republic of China, India, Australia, the United Arab Emirates and Saudi Arabia.
The supervisory authorities of these jurisdictions may adopt a broad interpretation of the applicable legislation.
As the Groupe processes an increasing volume of personal data, it may be subject to heightened scrutiny by supervisory authorities. In addition, the inappropriate use of personal data by AI systems may generate risks of bias or unauthorized use of personal data. Any breach of applicable laws and regulations could, in addition to liability claims and sanctions imposed on the Groupe, including financial penalties, result in a loss of client trust and have an adverse impact on the Groupe’s reputation and business. Furthermore, any loss or unauthorized disclosure of personal data may cause significant harm to the persons concerned and expose the Groupe to liability.
The Groupe has implemented a structured governance framework to ensure compliance and strengthen data protection. The GDPO (Global Data Privacy Office) is part of the Groupe’s Legal Department, which reports to the Groupe Secretary General. Its role is to oversee the data protection program, advise agencies on data protection matters and support them in risk management. From an operational standpoint, the GDPO relies on its Global Data Privacy Operations Team (GDPOps), including Privacy Leads and Data Privacy Stewards in the various countries, in charge of implementing and monitoring the data protection compliance program. The GDPO and GDPOps teams work closely with the GSO (Global Security Office) whenever data security matters are involved.
Data protection policies are based on various privacy principles, including the principle of "Privacy-by-Design", and are intended to ensure compliance with applicable laws and best practices. The internal procedures and guidelines governing these aspects are available on the Groupe’s website. This Privacy-by-Design policy provides guidelines on the use of artificial intelligence (AI) in processes and systems, ensuring clear accountability, rigorous oversight and strong governance.
Suppliers are subject to an initial review aimed at assessing their processes and policies in terms of both data protection and data security, verifying their compliance and understanding their practices. The GDPO, GDPOps and GSO teams work together on these initial reviews.
A Groupe-wide Incident Response Process is in place to manage cybersecurity incidents and data breaches.
All employees receive annual training, including reminders on data protection laws such as the GDPR and the California Consumer Privacy Act (CCPA), as well as on data security. Additional ad hoc training sessions are provided as needed.