Annual Report 2024


In today’s digital landscape, safeguarding consumer privacy and ensuring the ethical use of data are fundamental to sustaining trust and building long-term relationships. The aim of data protection is to guarantee the individual’s right to self-determination in terms of information. With HUGO BOSS placing a strong emphasis on further digitalizing its business model, the importance of data protection continues to grow. Leveraging customer data, particularly from our own online business and our customer loyalty program, is essential for the future success of HUGO BOSS. Any breach of data protection laws or data privacy violations poses a risk to the data subjects affected, while also representing considerable compliance, financial, and reputational risks for HUGO BOSS.

Policies related to consumers and end-users

HUGO BOSS is committed to protecting personal data in compliance with the EU General Data Protection Regulation (GDPR) and other applicable legal standards. The Company’s privacy policies inform consumers and end-users about the collection and processing of personal data from our own online store hugoboss.com, our customer loyalty program, mobile applications, and our Group website. This includes data such as contact details, purchase history, and browsing behavior, which are used to process orders, enhance customer service, and support marketing communications. The policies also outline the use of cookies and tracking technologies to enhance user experience and analyze website activities, provided that consumers and end-users have given their consent to such data processing. To safeguard personal data against unauthorized access, loss, or alteration, HUGO BOSS fosters the implementation of technical and organizational measures. Customers are informed of their rights under the GDPR, including the rights to access, rectification, erasure, restriction of processing, data portability, and the right to object. Procedures for handling data breaches and complaints are clearly defined, with our Data Protection Officer acting as the primary point of contact. Our privacy policies reflect the latest legal and organizational standards and are regularly reviewed to ensure compliance, with the most recent update completed in 2024.

Our Data Protection Policy, binding across all Group entities, provides a framework to ensure the secure and lawful processing of personal data, addressing identified risks through clear guidance. It adheres to key principles such as transparency, purpose limitation, data minimization, accuracy, and confidentiality, while establishing strict guidelines, in line with the GDPR and the German Federal Data Protection Act (BDSG). The policy applies to all personal data processed across the Group, including that of employees, customers, suppliers, and partners, ensuring secure and compliant data processing across the value chain. While anonymized data is excluded, the policy places a strong emphasis on protecting data subjects’ rights in a timely manner, including access, rectification, erasure, restriction of processing, data portability, and the right to object.

Our Data Breach Complaint Policy provides a structured framework for managing personal data breaches in compliance with the GDPR and other legal requirements. The policy outlines processes to detect, report, and respond to data breaches promptly, minimizing potential harm to affected individuals and entities. Complaints are handled with clearly defined procedures, reinforcing trust and accountability.

Our privacy policies, the Data Protection Policy, and the Data Breach Complaint Policy are accessible in our online store and on the Group website, respectively. Our Data Protection Officer, reporting directly to the CFO/COO, is responsible for monitoring compliance with these policies and serves as the primary contact for all data protection matters.

Engaging with consumers and end-users

HUGO BOSS addresses data protection risks through structured risk assessments and transparent communication. Threshold analyses are conducted for each instance of customer data processing to determine the potential risk level. If a high risk is identified, a detailed data protection impact assessment (DPIA) is carried out. To document and streamline this process, HUGO BOSS has implemented a dedicated tool that tracks risk assessments and related measures. By prioritizing structured risk management, we aim to promote trust and maintain good corporate governance while adhering to regulatory requirements.

Particular attention is given to high-risk processes, such as our customer loyalty program “HUGO BOSS XP,” which involves particularly sensitive data. Prior to the introduction of new processes, a comprehensive risk assessment is completed, and necessary technical or organizational measures are implemented. Supported by an interdisciplinary team that includes both IT specialists and the data protection department, this process shall ensure full compliance with data protection regulations. HUGO BOSS relies on internal analyses and indirect insights to align its data protection practices with customer expectations. The effectiveness of these measures is evaluated through a combination of structured monitoring processes, incident analyses, and the handling of data breach complaints. To drive continuous improvement, identified incidents are thoroughly analyzed, and corrective actions are implemented to prevent recurrence. These actions are overseen by the Data Protection Officer through structured monitoring processes. In the event of an incident, HUGO BOSS ensures timely complaint resolution and conducts detailed incident analysis to mitigate further risks.

Grievance mechanisms and remediation processes

Consumers and end-users can report data breaches or suspected incidents through multiple secure channels, including contacting the Data Protection Officer directly, submitting concerns via email, or contacting an external ombudsperson, with the option of anonymous reporting. These mechanisms are accessible via a dedicated data privacy section in our online store as well as via the Speak Up Channel on our Group website. Complaints are processed by the Compliance department, which evaluates incidents to determine the risk to the rights of individuals. If a material negative impact is identified, remedial action is taken, thoroughly documented, and communicated within a specified time frame.

The effectiveness of these channels is assessed by monitoring how complaints are handled and resolved. Each case is tracked, analyzed, and reviewed to evaluate its resolution and identify areas for improvement. HUGO BOSS aims to build stakeholder trust in its grievance mechanisms through transparent communication across its platforms. In addition, policies are in place to protect individuals from retaliation when raising concerns, further reinforcing confidence in the system. Further details on our grievance mechanisms and remediation processes can be found in the “Governance” section.

Targets related to consumers and end-users

HUGO BOSS aims to rule out any contraventions of applicable data protection laws as far as possible.

In fiscal year 2024, as in the prior year, the Company was not aware of any data protection violations established by authorities or courts. Toward the end of 2024, the German competent supervisory authority initiated an investigation following a customer complaint alleging the receipt of marketing content without sufficient legal basis. The investigation is expected to conclude in 2025.

Actions related to consumers and end-users

HUGO BOSS uses an information security and analysis system to collect and analyze relevant data in real time. This approach shall enable the Company to anticipate potential incidents, data breaches, and cyberattacks, thereby enhancing information security across the Company. HUGO BOSS has established specific criteria for establishing, maintaining, and continuously improving its information security management system, in line with its ISO/IEC 27001 certification. This certification confirms that HUGO BOSS has implemented robust measures to safeguard the confidentiality, integrity, and availability of information assets, including sensitive customer and employee data. Additionally, our Security Operations Center (SOC) ensures permanent monitoring of the respective IT systems, aimed at guaranteeing continuous system security.

In 2023, HUGO BOSS further advanced its software systems for monitoring international data protection and cybersecurity regulations, aimed at minimizing the risk of non-compliance. Building on these efforts, in 2024, the Company conducted a comprehensive review of applicable data protection laws across all its jurisdictions. A tailored risk assessment matrix, aligned with the Company’s specific business structures in each country, shall support a focused and effective approach to managing regulatory risks.

All internal processes and systems for handling personal data are continuously monitored and refined to ensure compliance with legal data protection guidelines. These ongoing improvements aim to prevent data misuse and theft. We have also implemented contingency plans to enable the prompt implementation of both technical and organizational countermeasures in the event of legal violations.

Our employees are educated on data protection by means of general and role-specific training, complemented by regular documentation of digital confidentiality obligations. Employees handling the personal data of EU data subjects are required to complete a comprehensive e-learning program on data protection. This program, designed to enhance awareness of handling personal data in compliance with the GDPR, must be completed every two years.