2025 Universal Registration Document

4. Sustainability Report

Implementation of this policy is based on the following governance structure:

This diagram presents the dedicated governance structure for respecting privacy and protecting personal data at L'Oréal, organised across three hierarchical levels.

Global Strategy Committee — Internationally: define the personal data protection strategy, inform and advise General Management.

Region Steering Committee — At Region level: ensure deployment of the personal data protection programme.

Country Personal Data Protection Committee — Within each country: implement the roadmap.

L'Oréal has developed a strong, multilayered governance structure to ensure consistent and effective personal data protection around the world. This governance structure plays an important role in implementing the Group's policy and programme:

  • the Group Strategy Committee, which includes the Ethics, Risks and Internal Control Department, the Legal and Compliance Department, the Internal Audit Department and the Purchasing, IT, Cybersecurity, Digital and Marketing, Human Relations, Data Governance and Research & Innovation Departments. The Committee meets twice a year or as required to analyse risks, provide strategic recommendations to General Management and define the overall data protection strategy;
  • the Steering Committee at Region level, which coordinates the implementation of the programme in the Group's different countries and ensures compliance with local legislation, such as the GDPR in Europe, the CCPA in California, the PIPL in China, and the LGPD in Brazil. The Committee ensures that the programme is implemented consistently and assesses the impact of regulatory developments in each Region; and
  • the personal data protection committee at country level, which, under the supervision of the country chief executive officer, brings together all stakeholders involved in personal data processing. The Committee ensures that projects comply with personal data protection programme guidelines and plays a key role in raising awareness of the issue.

These governance bodies are supported by a wider community of personal data protection officers and experts who encourage collaboration, share knowledge and ensure consistent application of personal data protection principles worldwide.

4.8.3 Action plans in place

In order to embed privacy and personal data protection ever more deeply in the Group's culture, L'Oréal is rolling out various initiatives:

  • adhering to a common framework: L'Oréal has drawn up the 10 Key Points on Personal Data Protection charter and a Group-wide GDPR-inspired policy – Data Privacy at L'Oréal – which employees in all countries must adhere to;
  • maintaining a network of personal data protection professionals: at every level of the organisation (Group, business, Region, Country), a dedicated network coordinates and monitors personal data protection compliance;
  • rolling out a global programme: L'Oréal has set up a Group-wide programme to support employees in the application of personal data protection regulations, including tools and user guides that integrate personal data protection into projects by design;
  • regularly reviewing procedures: privacy policies and personal data protection procedures are regularly updated to ensure that they comply with local laws and regulations;
  • encouraging supplier compliance: L'Oréal requires its suppliers to comply with personal data protection and cybersecurity standards, supported by certifications and maturity assessments;
  • providing training on personal data protection: the Group runs training programmes to inform internal teams of their personal data protection responsibilities, holding regular sessions, workshops, online courses and events;
  • conducting controls and audits: L'Oréal conducts internal audits to assess compliance with personal data protection laws and internal policies, and tracks action plans using dashboards. These audits are included in its annual audit plan submitted to General Management and the Audit Committee for approval. The audit plan takes into account the findings of earlier audits and local risk assessments by Region managers and Data Privacy experts; and
  • setting up an easily accessible point of contact: L'Oréal has set up a dedicated email address that consumers and employees can use to ask questions of Data Privacy Officers regarding the protection of their personal data.