- Data Protection Policy
Click here to read the Havas N.A. Data Protection Policy.
1. Havas is committed to protecting your privacy and personal data
Havas is committed to protecting your privacy and personal data. This Group Policy informs you of our data processing practices and how your personal data is collected and used by Havas. Please read it all the way through. This policy is available on our homepage and at the bottom of each page of the www.havasgroup.fr website. Havas is committed to protecting the right to privacy and data protection, as well as complying with national and international data protection laws. Havas is committed to maintaining the confidentiality of any personal data and to strictly limiting its disclosure in accordance with national laws and current regulations.
This policy is applicable to Havas Group subsidiaries acting in their capacity as data controller.
The terms below have the following meaning, in both the singular and plural:
• “personal data” means any information relating to an identified or identifiable natural person, directly or indirectly, within the meaning of the regulations
• “data subject” means a natural person whose personal data is processed by Havas
• “regulations” means the regulations in force in France, applicable to the processing of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”) and Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties as amended
• “data controller” means a natural or legal person who determines the means and purposes of the processing of personal data within the meaning of the Regulations
• “processor” means a natural or legal person who processes data on behalf of the data controller in connection with a service
• Website means the Havas Group website accessible at the URL: www.havasgroup.com (the “Website”)
• “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. How do we process your personal data?
This policy is applicable in all Havas Group subsidiaries in their capacity as data controller, unless national legislation provides for specific rules.
When you browse and interact with the Website and in general during your interactions or exchanges with the Havas Group, Havas may collect and process your data in order to manage activities conducted on its own account, as data controller.
Havas respects the right of each individual, employee, applicant, customer, supplier, partner, administrator, subscriber, prospect or internet user to have their personal data protected. Havas observes the principles defined by the regulations:
1. Processing your personal data fairly, lawfully and in a transparent manner.
2. Collecting your personal data for explicit, specified and legitimate purposes, and not processing them further in ways incompatible with those purposes.
3. Ensuring that the personal data collected is relevant, proportionate and not excessive with regard to the purposes for which they are collected and processed. Personal data may be anonymised when feasible and appropriate, depending on the nature of the data and the risks associated with the intended uses.
4. Keeping your personal data accurate and up-to-date if necessary. We will take reasonable steps to rectify or delete inaccurate or incomplete data.
5. Personal data will be kept for the time necessary for the purposes for which they are collected and processed.
6. Personal data will be processed in accordance with the rights of individuals.
7. Technical, physical and organisational measures are taken to secure your data and prevent unauthorised access, unlawful processing and unauthorised or accidental loss, destruction or damage of personal data.
8. Processing your personal data in accordance with the legal bases for processing, including the collection of consent when required.
4. What types of personal data are collected?
In its capacity as data controller, Havas collects and processes your personal data after informing you accordingly. Personal data is any information relating to an identified or identifiable natural person. An identifiable person is a person who can be identified, directly or indirectly, in particular by reference to an identifier or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity. This Policy does not cover data rendered anonymous, i.e. when individuals are no longer identifiable or are identifiable only with a disproportionately large expense in time, cost and labour. If anonymous data becomes identifiable, or if pseudonyms are used and allow individuals to be identified, then this Policy will apply. It is up to you whether or not to disclose personal data to us. However, if you choose not to do so, we reserve the right not to register you as a user or not to provide you with the requested service.
In general, your personal data is collected directly from you, but they may also be collected from third parties.
The types of personal data we process include:
• your identification data (your first name, last name, pseudonym, gender, email address, postal address, telephone number, if applicable photograph, social media profile)
• your professional data (your educational and professional background for job applicants, your job title, home company)
• your login data: your IP address, if applicable, your online ID, your Havas online user password
• your browsing data and expressed preference: traffic and browsing history on Havas websites, data from cookies and trackers on Havas websites
Except for specific legal obligations, we do not collect so-called “sensitive” personal data or special categories of personal data.
In general, and with some exceptions, the use of Havas websites and Havas pages on social networks is reserved for adults.
5. What is the purpose, the legal basis for the collection of your data and the retention period?
In accordance with the regulations, the personal data we collect is used for the purposes for which they have been collected for the period of time indicated in the table below.
The processing operations carried out by Havas have the following purposes, legal bases and retention periods:
|Purposes||Legal basis||Retention period|
|Customer relationship management||Performance of the contract|
Legal obligation (accounting/tax
|Term of the contract plus applicable limitation periods|
|Partner and supplier relationship management||Performance of the contract|
Legal obligation (accounting/tax
|Term of the contract plus applicable limitation periods|
|Application management||Legitimate interest of Havas||2 years|
|Product and institutional communication management (website and social networks)||Legitimate interest of Havas||Duration of the communication plus applicable limitation periods|
|Administrative and legal formalities and the fight against fraud||Legal and regulatory obligation||Duration of applicable legal requirements|
|Subscription to newsletters||Consent||Duration of subscription to the newsletter|
|Management of cookies and other website trackers||Consent|
Legitimate interest of Havas (technical cookies)
|Periods specified in the website cookies policy|
|Management and follow-up of contact requests||Legitimate interest of Havas||Time required to process the request|
|Reporting and securing access to websites||Legitimate interest of Havas||6 months to 1 year maximum|
|Exercising your personal data rights||Legal and regulatory obligation||1 year or 6 years from the request to exercise the right, according to the right exercised|
In the event of litigation/proceedings, particularly legal proceedings, initiated before the end of the above periods and which require the retention of personal data, particularly with a view to the establishment, exercise or defence of rights, such personal data shall be retained for the duration of said proceedings and until the exhaustion of the legal remedies.
6. Who are the recipients of your data?
Your personal data may be disclosed to staff in the following departments, according to their powers and authorisations and only if necessary for their activity, according to the purposes strictly pursued:
Internal recipients: General Secretariat, Communication, Legal, Finance and Accounting, Purchasing, Business Development, Digital, IT, General Services and Human Resources departments.
External recipients: The hosting providers of our websites, our auditors and statutory auditors, our legal advisers, our insurers, our duly authorised partners, service providers and subcontractors which we may use to carry out our activities, tax and social security bodies, public authorities, court officers and ministerial officers where applicable.
Please browse the Havas Group website www.havasgroup.fr for further information on the Havas Group.
7. Data transfer
Havas prioritises the transfer of personal data within Europe. However, your personal data collected and processed for the purposes described above may in certain cases be transmitted to companies outside the European Union.
Some of these countries have an adequate level of data protection.
In other cases, please note that the transfers of your personal data to other entities outside the European Union are governed by the implementation of appropriate safeguards to ensure the confidentiality and security of the transferred data.
Havas may, in this regard, conclude contractual clauses with the recipients of such data in accordance with the recommendations of the European Commission to ensure that appropriate safeguards are taken regarding the protection of said data. In addition, and where the legislation of the third country does not provide protection equivalent to that offered by the regulations, we shall ensure that additional measures are implemented to guarantee a level of protection of your personal data essentially equivalent to that provided for in the European Union and to ensure that this protection is effective.
You are also advised that transfers of personal data outside the European Union are lawful if in particular (i) the transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the request of the data subject, if (ii) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person, or if (iii) the data subject has given explicit consent to the proposed transfer, after having been informed of the risks that the transfer could entail for him or her due to the absence of an adequacy decision and appropriate safeguards.
8. Security and subcontracting
Havas places particular importance on the security of your personal data.
Therefore, Havas has implemented technical and organisational measures tailored to the nature of the personal data, in order to ensure the integrity and confidentiality of such personal data and to protect them against malicious intrusion, loss, alteration or disclosure to unauthorised third parties.
Nevertheless, the security and confidentiality of personal data depend on everyone’s best practices and you are encouraged to remain vigilant regarding this issue.
When Havas uses a processor, we only disclose personal data to it after having obtained a commitment and guarantees from said processor regarding its ability to meet the security and confidentiality requirements and entered into a written contractual commitment with it.
9. Third-party websites and social networks
10. Cookie management
11. What are your personal data rights?
HAVAS is particularly concerned about respecting the rights granted to you in connection with the data processing it implements, to guarantee fair and transparent processing with regard to the particular circumstances and context in which your personal data are processed.
Your right of access
In this respect, you have the right to obtain confirmation as to whether or not your personal data is being processed and when it is being processed. You have the right to request a copy of your data and information concerning:
• the purposes of the processing
• the categories of personal data concerned
• the recipients or categories of recipients and, where applicable, if such disclosure were to be made, the international organisations to which the personal data have been or will be disclosed, in particular recipients established in third countries
• where possible, the envisaged retention period of the Personal Data or, where this is not possible, the criteria used to determine that period
• the existence of the right to request from the data controller rectification or erasure of your Personal Data, the right to request a restriction of the Processing of your personal data and the right to object to such Processing
• the right to lodge a complaint with a supervisory authority
• information relating to the source of the Data when they are not collected directly from you
• the existence, where appropriate, of automated decision-making, including profiling, and, in the latter case, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.
Your right to have your data rectified
You can ask us for your personal data to be corrected or completed if they are inaccurate, incomplete, ambiguous and/or outdated, as the case may be.
Your right to have your data erased
You can ask us to erase your personal data in the cases provided for by the regulations.
Please note that the right to erasure of data is not a general right and that it can only be granted if one of the reasons provided for in the applicable regulations is present.
Your right to restrict data processing
You may request the processing of your personal data to be restricted in the cases provided for by the regulations.
Your right to object to data processing
You have the right to object at any time, on grounds relating to your particular situation, to a processing operation concerning your personal data whose legal basis is the legitimate interest pursued by the data controller.
If you exercise such a right to object, we will ensure that we no longer process your personal data in relation to the processing operation concerned unless we can demonstrate that we can have compelling legitimate grounds for maintaining such processing operation. These grounds must override your interests and rights and freedoms, or the processing must be justified for the establishment, exercise or defence of legal claims.
Your right to data portability
You have the right to data portability with regard to your personal data. Please note that this is not a general right. Indeed, all the data of all processing operations are not portable and this right only concerns automated processing, excluding manual or paper processing operations.
This right is limited to processing operations whose legal basis is your consent or the performance of pre-contractual measures or a contract.
Your right to withdraw consent
When the data processing operations we implement are based on your consent, you can withdraw it at any time. We then stop processing your personal data without the previous operations to which you had given your consent being called into question.
Your right to lodge a complaint
You have the right to lodge a complaint with the supervisory data protection authority in your country of residence, without prejudice to any other administrative or judicial remedy.
Your right to define post-mortem instructions (France)
In accordance with the French Data Protection Act of 6 January 1978, as amended, you have the right to define instructions relating to the retention, erasure and disclosure of your personal data after your death in accordance with the procedures set out below.
How to exercise your rights
You can exercise your rights with the Havas Group DPO:
at the email address: email@example.com
or by post to: Havas Group Data Protection Officer, 29/30, quai de Dion Bouton, Puteaux Cedex 92800 France.
We will reply as soon as possible and in any event within one month of receipt of the request. We may, as necessary, extend this period by two months, taking into account the complexity and number of requests, and we will specifically inform you of this.
Havas reserves the right to amend this policy if necessary, for example, to comply with a change in law, regulations, Havas practices and procedures or requirements imposed by data protection authorities. The new policy will be published on the Website.
Please check it regularly.
If you have any questions or comments about this policy, please contact our Group DPO whose contact details can be found in Article 11 above.
Last updated: October 2022.