Data Protection Policy

  1. OVERVIEW

    Havas is committed to protecting its information assets from illegal or damaging actions by individuals, either knowingly or unknowingly.

    This Data Protection Policy defines, for Havas employees, the proper labelling and handling of information, and helps Havas manage and minimize the risk of such actions occurring.

  2. PURPOSE

    The purpose of this policy is to describe the classification of data at Havas and explain access controls and procedures which protect information based on these classifications. All employees should familiarize themselves with the classifications in this policy.

  3. SCOPE

    This policy applies to all information, both physical and digital, under control of Havas. This policy applies to all Havas employees, contractors, vendors and representatives with access to Havas systems. Confidential and sensitive information entrusted to business partners, suppliers and any other third party entities must be protected by the classifications set forth within this policy. All employees are responsible for taking the appropriate steps, as defined below, to comply with this policy and ensure the protection of all data assets.

  4. POLICY STATEMENT

    The Havas data classification system, as defined in this document, is based upon the concept of ‘need to know’. As such, information is not disclosed to any person who does not have a legitimate and demonstrable business need to receive it. Enforcement of this policy, by technical or procedural means, protects company information from unauthorized disclosure, use, modification and deletion.

    Consistent use of this data classification system is essential if confidential and sensitive information is to be protected. Without it, Havas risks loss of customer relationships, loss of public confidence, disruption of internal operations, excessive costs and other competitive disadvantages. This policy protects confidential information in any form, regardless of the technology used to process it, the party or individual handling it, the location where the information resides, or the stage in the information’s life cycle.

  5. DATA CLASSIFICATION

    5.1. Classification Labels

    Havas has categorized its data into four distinct classification labels, as follows:

    HIGHLY CONFIDENTIAL: This classification label applies to private information that is intended for use strictly within Havas by agents of Havas. Its unauthorized disclosure could seriously and adversely impact the company, its customers, its business partners and its suppliers. Examples include human resources data, corporate-level strategic plans, litigation strategy memos, financial data and personally identifiable information (PII). This information is intended only for those who need to work with it to fulfil business requirements for the company and/or a client.

    SENSITIVE: This classification label applies to data that is received from Havas customers. The intent of this classification is to safeguard information critical to Havas business relationships and to comply with industry regulations. Access to this information is restricted at Havas to those with an immediate need to know. Other Havas employees with no requirement to access such data must not be granted privileges to it. Hard copies of such data must be shredded when no longer needed.

    HAVAS INTERNAL ONLY: This classification label applies to all other information that does not clearly fit into the previous two classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact Havas or its employees, suppliers, business partners, or its customers. Examples include the Havas employee telephone directory, procedural documents, new employee training materials, and internal rule manuals and policies.

    PUBLIC: This classification applies to information that has been approved by Havas or its customers for release to the public. There is no such thing as unauthorized disclosure of this information, as it may be disseminated without potential harm. Examples include product and service brochures, advertisements and press releases.

    Default Classification: Information without a label is treated by default as Havas Internal Only or Confidential.

    Users must use electronic labelling when available, for instance in Microsoft Office 365 applications, so that documents and emails are classified correctly and handled appropriately by Havas security systems. To learn more about Office 365 labelling, search for “sensitivity labels” on the Microsoft Office 365 support site.

    5.2. Data owners

    The data owner is the creator of the data or, for data received into Havas, its first recipient. Where there are several recipients, one of them must be appointed data owner and made responsible for labelling the data. Owners do not legally own the information entrusted to their care: they act as stewards and supervise the ways in which confidential and sensitive information is used and protected. Data owners are explicitly appointed or implicitly vested by their business role. Data can be acquired from a supplier, created internally, acquired from the public or other sources, or aggregated from other data, but in all cases a data owner exists, either formally or implicitly.

    Three examples of data ownership follow:

      – A client provides a database with the names and email addresses of some of its customers. In this case, the client account manager is the data owner.

      – A financial application is used at an agency to handle the financial operations. The CFO is the data owner of the information stored and processed in the application.

      – A creative department member produces a set of banners for a campaign. The Creative Manager of the agency is the owner of the data.

    The data owner decides the classification under which the data falls. IT can provide guidance, but the final determination of the classification is the data owner’s responsibility. The legal department must always be involved in the handling of personally identifiable information, to ensure adherence to the applicable local regulations.

    The data owner is responsible for granting specific people (or roles) the right to access, modify and delete the data, always to accomplish business needs and based on the concept of ‘need to know’. The data owner is also responsible for ensuring that the information is labelled correctly.

    Data owners should review their data’s classification at least annually to ensure that data remains properly classified.

    5.3. Data custodians

    Data Custodians are responsible for the safe custody, transport and storage of the data, and for implementing the business rules when the Data Owner is unable to do so for technical reasons. The Custodian, by definition, does not know the importance of the data to the business, how it will be used, or which roles should access it. When the Data Owner cannot implement these rules directly, the Data Owner communicates these parameters to the Custodian, and the Custodian then implements security on the data to match the criteria set by the Data Owner.

    Traditionally, IT acted as Data Custodian. However, now that users can label data and grant rights over data and systems outside the scope of IT (for example, Pulse, Concur, TalentSpace, …), the custodian is generally no longer the IT department.

    5.4. Labelling

    Confidential or sensitive information must carry an appropriate data classification label from the time it is created until the time it is destroyed or declassified. Confidential digital information should not be transferred to hard copy unless necessary. Markings must appear on all manifestations of the information, such as hard copies and optical media. All printed, handwritten or other paper manifestations of confidential or sensitive information must have a clearly evident label on each page. If bound, all paper manifestations of such information must have an appropriate sensitivity label on the front cover. The cover sheet of faxes containing such information must also carry the appropriate classification label.

    5.5. Shipping and Handling

    The following measures must be adhered to when safeguarding data labelled confidential or sensitive:

    • Making additional photocopies or printing extra copies is forbidden without the permission of management.
    • Printers must not be left unattended while confidential or sensitive information is being printed. The persons attending the printer must be authorized to examine the printed information.
    • Prior to sending any confidential or sensitive information to a third party for copying, printing, formatting or other handling, the third party must sign a non-disclosure agreement (NDA).
    • All confidential or sensitive information in paper form must be page-numbered so that each page shows both its own number and the total number of pages (for example, “page 3 of 10”).
    • All confidential or sensitive information stored for backup purposes outside company offices must be in encrypted form.
    • Confidential computer system output must be personally delivered to the designated recipients. Such output must not be delivered to an unattended desk or left out in the open in an unoccupied office.
    • Confidential company information must not be removed from office premises and data centers without prior approval from management. This requirement covers unencrypted portable computers, iPhones, Android devices, external drives, CD/DVDs, hard-copy output and paper memos.
    • Confidential information in hard-copy form must be stored in a secured area (locked drawer, cabinet or office). If, for technical reasons, information cannot be encrypted, all confidential information must be locked in a safe or other container approved by the Information Security department.
    • Whenever a hard-copy version of confidential information is removed from company premises, it must be carried in a locked case or container when not in use. Such information must not be left in an unattended vehicle, hotel room, office or other location, even if the vehicle or room is locked.
    • Network connections established over cellular or other wireless broadcast systems must not be used to transfer confidential information unless the link is encrypted.

    5.6. Destruction and Disposal

    All Havas confidential and sensitive information must be destroyed when the Data Owner deems it no longer needed, or when the client or data subject instructs Havas to destroy it. To support this policy, Data Owners must periodically review the continued value and usefulness of information. Owners must also review the data retention schedule, in line with local and international laws and contractual obligations as advised by General Counsel, to determine the minimum and maximum periods for which information must be retained.

    Data Custodians are responsible for the proper disposal of confidential or sensitive data no longer needed for business activities.

    Simple file erasure or formatting does not qualify as proper deletion of digital material. Mechanical drives must be wiped using approved software before leaving the premises. If a software wipe is not available, the drives must be physically destroyed. Proof of destruction should be kept on file.

    Hard copy output such as received faxes or printouts that contain confidential data must be shredded.

    5.7. Physical Security

    Every office, computer room and work area containing confidential information must be treated as a Restricted access zone or Highly Restricted access zone, as described in “IS-POL-2103P – Physical and Environmental Security”. Every office, computer room and work area containing sensitive information must be at least an Office access zone, as described in the same document. When left in an unattended room, confidential and sensitive information must be locked in appropriate containers and not left easily accessible.

  6. SECURITY CONTROLS

    The following table defines required safeguards for protecting data and data collections based on their classification. Data security requirements for Proprietary Data are determined by the contracting agency and are therefore not included in the table below.

    Each control category below lists the requirement for each of the four classifications (Public, Havas Internal Only, Sensitive, Confidential).

    Access Controls
      – Public: No restriction for viewing.
      – Havas Internal Only: Viewing and modification restricted to Havas employees or authorized parties acting on behalf of Havas.
      – Sensitive: Viewing and modification restricted to authorized individuals as needed for business-related roles. Authentication and authorization required for access.
      – Confidential: Viewing and modification restricted to authorized individuals as needed for business-related roles. Authentication and authorization required for access. Confidentiality agreement required.

    Copying/Printing (applies to both paper and electronic forms)
      – Public: No restrictions.
      – Havas Internal Only: Printed copies must be limited to Havas employees or authorized parties acting on behalf of Havas. Data should not be left unattended on a printer. Data should only be printed when there is a legitimate need.
      – Sensitive: Copies must be limited to individuals with a need to know. Data should not be left unattended on a printer. Data should only be printed when there is a legitimate need.
      – Confidential: Copies must be limited to individuals who are authorized to access the data and have signed a confidentiality agreement. Data should not be left unattended on a printer. Copies must be labelled “Confidential”.

    Network Security
      – Public: May reside on a public network. Protection with a firewall recommended. IDS/IPS protection recommended.
      – Havas Internal Only: Protection with a network firewall required. IDS/IPS protection required. Servers hosting the data should not be visible to the entire Internet.
      – Sensitive: Protection with a network firewall required. IDS/IPS protection required. Servers hosting the data should not be visible to the entire Internet.
      – Confidential: Protection with a network firewall using a “default deny” ruleset required. IDS/IPS protection required. Servers hosting the data must not be visible to the entire Internet, nor to unprotected subnets such as the guest wireless networks.

    System Security
      – Public: Must follow general best practices for system management and security. Host-based software firewall recommended.
      – Havas Internal Only: Must follow general best practices for system management and security. Host-based software firewall required.
      – Sensitive: Must follow general best practices for system management and security. Host-based software firewall required.
      – Confidential: Must follow general best practices for system management and security. Host-based software firewall required. Host-based software IDS/IPS recommended.

    Physical Security
      – Public: System must be locked or logged out when unattended.
      – Havas Internal Only: System must be locked or logged out when unattended. Hosting in a secure location required; a Secure Data Center is recommended.
      – Sensitive: System must be locked or logged out when unattended. Hosting in a secure location required; a Secure Data Center is recommended.
      – Confidential: System must be locked or logged out when unattended. Hosting in a Secure Data Center required.

    Remote Access to systems hosting the data
      – Public: No restrictions.
      – Havas Internal Only: Access restricted to the local network or the general Havas Virtual Private Network (VPN) service. Remote access by a third party for technical support limited to authenticated, temporary access via secure protocols over the Internet.
      – Sensitive: Access restricted to the local network or the general Havas Virtual Private Network (VPN) service. Remote access by a third party for technical support limited to authenticated, temporary access via secure protocols over the Internet.
      – Confidential: Restricted to the local network or a secure VPN group. Unsupervised remote access by a third party for technical support not allowed. Two-factor authentication recommended.

    Data Storage
      – Public: Storage on a secure server recommended. Storage in a secure Data Center recommended.
      – Havas Internal Only: Storage on a secure server recommended. Storage in a secure Data Center recommended. Storage media must be encrypted.
      – Sensitive: Storage on a secure server recommended. Storage in a secure Data Center recommended. Should not be stored on an individual’s workstation or a mobile device. Storage media must be encrypted.
      – Confidential: Storage on a secure server required. Storage in a Secure Data Center required. Paper/hard copy: do not leave unattended where others may see it; store in a secure location. Storage media must be encrypted.

    Transmission
      – Public: No restrictions.
      – Havas Internal Only: No requirements.
      – Sensitive: No requirements.
      – Confidential: Encryption required (e.g., via TLS or secure file transfer protocols). Must not be transmitted via e-mail unless encrypted and secured with a digital signature.

    Backup/Disaster Recovery
      – Public: Backups required; daily backups recommended.
      – Havas Internal Only: Daily backups/secure copy required. Off-site storage recommended.
      – Sensitive: Daily backups/secure copy required. Off-site storage recommended.
      – Confidential: Daily backups/secure copy required. Off-site storage in a secure location required.
  8. ROLES AND RESPONSIBILITIES

    User: all Havas employees, including all personnel affiliated with third parties.

    Responsibilities: Be compliant with the policy. Inform HR of any significant noncompliance.

    IT: staff of Havas IT.

    Responsibilities: Be compliant with the policy. Inform users about their responsibilities. Implement, wherever possible, mechanisms that enforce the policy. Inform HR of any significant noncompliance.

  9. EFFECTIVE DATES

    This policy will be effective for the defined scope starting on 07/09/2020. This policy is due to be reviewed on 20/08/2021.

  10. INFORMATION AND ASSISTANCE

    For further information on the policy, its implementation, compliance and control, please contact: havas.ciso@havasit.com

  11. APPROVAL

    This policy was approved by the Havas Information Security Committee on 04/09/2020.

  12. AUDIT AND CONTROL

    The compliance policy controls for the statements of this document are defined in the document “IS-DAC-4001C – Data Protection Policy Controls”. This is complemented by the spreadsheet “IS-POL-2001C – Acceptable Use Policy Controls template” to help in the evaluation of controls.