Annual Report 2025

In an increasingly digital environment, safeguarding consumer privacy and ensuring the ethical use of data are critical to maintaining trust and long-term customer relationships. Data protection upholds the individual’s right to their personal information and is therefore a central requirement for our digital business model, especially as customer data grows in importance. Any breach of data protection laws or data privacy violations can directly affect the data subjects, and may pose significant compliance, financial, and reputational risks for HUGO BOSS.

In line with the EU “quick-fix” relief for fiscal year 2025, the Company applies selected reporting reliefs under ESRS S4. Accordingly, although S4 has been assessed as material, this chapter presents summarized disclosures focusing on key policies, actions, targets and metrics.

Policies related to consumers and end-users

HUGO BOSS is committed to protecting personal data in compliance with the EU General Data Protection Regulation (GDPR) and other applicable legal standards through dedicated privacy policies, including the group-wide Data Protection Policy and the Data Breach Compliant Policy. These policies inform consumers and end-users about the collection and processing of personal data via our own online store hugoboss.com, our customer loyalty program, mobile applications, and our Group website, and outline GDPR rights such as access, rectification, erasure, restriction of processing, data portability, and the right to object. The policies, accessible in our online store and on the Group website, apply to all personal data processed across our Company. Consumers and end-users can report potential data breaches through secure channels, including contacting our Data Protection Officer directly, submitting concerns via email, or contacting an external ombudsperson, with the option of anonymous reporting. Our Data Protection Officer reports to the Chief Compliance Officer, who reports directly to the CFO/COO. He monitors compliance with these policies and serves as the primary contact for all related matters.

Targets related to consumers and end-users

HUGO BOSS aims to rule out any contraventions of applicable data protection laws as far as possible. In fiscal year 2025, one data protection-related matter in Germany was confirmed by the competent authorities or courts, without resulting in any sanctions. This review was initiated by the responsible German supervisory authority in 2024 following a customer complaint relating to the receipt of marketing content and was concluded in 2025 without further action. No other data protection-related matters were identified by courts or authorities.

Actions related to consumers and end-users

To strengthen information security, HUGO BOSS uses an information security and analysis system that enables real-time monitoring of potential incidents and data breaches. The Company maintains an ISO/IEC 27001-certified information security management system and operates a Security Operation Center (SOC) to ensure continuous monitoring of its IT landscape. HUGO BOSS also regularly reviews applicable data protection laws across all relevant jurisdictions. A tailored risk assessment matrix, aligned with the Company’s business structures in each country, is intended to support a targeted and efficient approach to managing regulatory risks.

Internal processes and systems for handling personal data are continuously monitored and refined to ensure compliance with legal data protection requirements. These ongoing improvements aim to prevent data misuse and theft. Contingency plans are in place to enable the prompt implementation of technical and organizational countermeasures in the event of legal violations. Employees handling personal data receive regular training, including a mandatory GDPR e-learning program for those processing the personal data of EU data subjects, ensuring continued awareness of data protection responsibilities.