2022 Universal Registration Document

Chapter 3: Risk factors and risk management

Business risks/Data Moderate
Risk identification Risk management

The data collected and processed by L’Oréal or its partners, the volume of which is increasing with the growth in digital activities, particularly personalised services for consumers, could be altered, lost, illegitimately copied or transferred or even fraudulently used.

Furthermore, personal data protection regulations are being reinforced throughout the world. In particular, the European General Data Protection Regulation (EU) 2016/679 of 27 April 2016 (GDPR), which entered into force on 25 May 2018, provides for major sanctions in Europe, as do the CCPA in California, the LGPD in Brazil, the PIPL in China and the POPI Act in South Africa. The increasing adoption of various laws aimed at limiting and controlling the transfer of data is also a growing risk factor to which L’Oréal is exposed.

Any breach of data integrity or confidentiality, notably personal data processed by L’Oréal or its partners, for exogenous or endogenous reasons (including intrusions, malicious acts, etc.) could have a significant impact on its reputation and consumer confidence and thus on the Group’s business activities.

The Group constantly and progressively deploys policies, training and data management tools as well as the associated organisational and technical measures. The Global IT Department has introduced strict rules about data security (back-up, protection of, and restrictions on access to confidential data).

The Group’s principles governing the processing of personal data have been rolled out all over the world to raise the awareness of all employees about respect for ethical principles, and legal and regulatory requirements in the matter.

An organisation has been set up based on a Global Data Privacy Office at Group level, comprising a legal unit and a programme unit. A Group Data Protection Officer was appointed in 2018 and a network of 44 Country DPOs has been created, for all countries in the European Zone and gradually in other regions of the world.

The governance set up is based on a Global Strategic Committee, a Steering Committee by region, as well as a network of Heads of Data Privacy within the Métiers and Zones, responsible for the protection of personal data. They provide support to all operational stakeholders involved.

This governance notably aims to monitor the Group’s compliance with different laws, by ensuring the mobilisation of all stakeholders and by adapting customer, supplier and business line processes to the Group’s rules and to applicable laws.

Business risks/Market and innovation Moderate
Risk identification Risk management

L’Oréal is subject to constant pressure from many competitors in all countries due to:

  • its size and the positioning of its brands in various markets in which major international groups operate;
  • local brands and new players coming from the digital economy;
  • rapid technological changes in emerging fields of research by new operators.

If the Group fails to anticipate or respond to changes in consumer expectations, especially in the areas of natural beauty, health, personalised services, connected things and environmental commitments, with innovative and adapted product offerings, its sales and growth could be affected.

The Group continually adapts its innovation model and is constantly increasing its investments in research and digital services. L’Oréal’s Research teams innovate to respond to the infinite diversity of beauty aspirations all over the world. The Consumer & Market Insights Department, within the Innovation Department, is constantly monitoring changes in consumer expectations by product category and major regions of the world.

All of these research programmes, which are part of a long-term vision, allow L’Oréal to meet the challenges of innovation (see section 1.2.8.).

The Digital and Marketing Department is responsible for accelerating the Group’s digital transformation by helping the brands create enriched spaces for expression and helping teams to establish more interactive, close-knit and bespoke relationships with consumers.

Consumer expectations with regard to sustainability are also at the heart of the L’Oréal for the Future programme (see chapter 4). These are taken into account in developing the Group’s brand and product portfolio.

The Group’s acquisition strategy always takes into account changes in the competitive environment.

Business risks/Business ethics Moderate
Risk identification Risk management

As L’Oréal is an international group of over 87,000 employees, which operates in 80 countries at more than 400 sites (excluding stores and point-of-sales outlets of distributor customers), it cannot exclude potential violations of its ethical commitments (Code of Ethics based on the four Ethical Principles – Integrity, Respect, Courage and Transparency –, its Human Rights policy, support of the United Nations Global Compact and the United Nations Sustainable Development Goals, etc.), whether directly by its employees, or indirectly because of the activities of its partners, particularly its suppliers and subcontractors. In addition, civil society is expressing higher expectations with regard to companies’ integrity and transparency and the way in which they manage scientific and technological innovations. Such non-compliance with its commitments or the lack of a response to new ethical questions could have an adverse impact on the Group’s reputation and expose it to criminal or administrative sanctions.

The Group’s policies on sustainable development, social and societal responsibility, compliance and philanthropy are based on the Ethical Principles. The role and the resources granted to the Chief Ethics Officer allow him to succeed in his mission by relying on all the teams and resources of the Group (see section 3.2.1.). Specific training of management teams, regular dialogue with stakeholders and the establishment of internal working groups facilitate the inclusion of Ethics in the Group’s new policies and strategic decisions. The ethical risks are mapped and regularly updated, including for suppliers and subcontractors (see section 3.4.5.2.). The deployment of the Code of Ethics throughout the Group, mandatory e-learning training and ongoing communication campaigns via an Ethics Day ensure that employees are aware of the ethical standards. A network of 78 Ethics Correspondents around the world and regular meetings of the Chief Ethics Officer with the Countries ensure close contact with these employees. Regular audits of the Group’s sites and those of its suppliers and subcontractors (see section 3.4. “Vigilance Plan”), the Group’s whistleblowing line (www.lorealspeakup.com), opened in 2018 and accessible to all Group stakeholders, as well as a procedure to collect and process reports, make it possible to manage potential violations.