|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Mar. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cyber risk management is an integral part of Global Blue’s IT risk management system. Cybersecurity risks such as data loss, intellectual property theft, third-party data transfer or other types of cyber-criminal activities such as ransomware attacks or business email compromise related to Global Blue’s business are identified and addressed through a multi-faceted approach including, but not limited to, standardized Information Security operations, risk and compliance reviews and IT audits. Our IT risk management program also includes third-party cyber risk assessments to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners.
Global Blue also has and maintains an IT risk register which is regularly reviewed and assessed by the Global Blue Chief Technology Officer (“CTO”) and Chief Information Security Officer (“CISO”) to evaluate and assess the mitigation controls implemented.
To defend against, detect and respond to cybersecurity incidents, we, among other things: conduct cybersecurity reviews of systems and applications, audit corporate security policies, perform penetration testing using external third-party tools and techniques to test security controls, conduct employee trainings, monitor emerging laws and regulations related to data protection and information security (including our consumer products), and design and implement tailored changes.
In addition, Global Blue has implemented robust technical and organizational security controls to ensure that the confidentiality, integrity and availability (“CIA”) of its customers’ data is guaranteed at all times. Those CIA principles are supported by industry-recognized Information Security Standards such as PCI DSS.
Finally, all the aforementioned activities are supported by group-wide IT Risk Management processes following ISO27005 principles so that the identified cyber-risks are adequately assessed and addressed in accordance with Global Blue’s corporate risk acceptance criteria.
Incident Response management
Global Blue has implemented a security incident response process to ensure the adherence to effective security procedures. Ongoing enhancements and regular testing serve to fortify the foundations of Global Blue’s security incident response principles.
Based on the information it has as of the date of this Annual Report on Form 20-F, Global Blue does not believe any cybersecurity threats have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. However, despite its efforts to identify and respond to cybersecurity threats, Global Blue cannot eliminate all risks from cybersecurity threats, or provide assurances that it has not experienced an undetected cybersecurity incident. For more information about these risks, see “Item 3. Key Information—D. Risk Factors—Global Blue’s business is subject to risks associated with data breaches, cybersecurity incidents and other failures or incidents involving Global Blue’s information technology systems or data (or information technology systems or data upon which Global Blue relies).”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Cyber risk management is an integral part of Global Blue’s IT risk management system. Cybersecurity risks such as data loss, intellectual property theft, third-party data transfer or other types of cyber-criminal activities such as ransomware attacks or business email compromise related to Global Blue’s business are identified and addressed through a multi-faceted approach including, but not limited to, standardized Information Security operations, risk and compliance reviews and IT audits. Our IT risk management program also includes third-party cyber risk assessments to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Finance & Audit Committee of the Board of Directors is responsible for the primary oversight of our information security programs, including those relating to cybersecurity. The Finance & Audit Committee receives, on an occurrence basis, reports from our CTO on, among other things, our cyber risks and threats, the status of projects to strengthen our information security systems, assessments of our security program, and our views of the emerging cybersecurity threat landscape. Our Head of Internal Audit reports directly to the Finance & Audit Committee and is responsible for reporting to the Finance & Audit Committee on our company-wide enterprise risk assessment, and that assessment also includes an evaluation of cyber risks and threats. The Chair of the Audit Committee regularly reports to the Board of Directors on matters reviewed by the Finance & Audit Committee, including cybersecurity, and all Board members have access to the materials for each Finance & Audit Committee meeting.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Finance & Audit Committee of the Board of Directors is responsible for the primary oversight of our information security programs, including those relating to cybersecurity.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Finance & Audit Committee receives, on an occurrence basis, reports from our CTO on, among other things, our cyber risks and threats, the status of projects to strengthen our information security systems, assessments of our security program, and our views of the emerging cybersecurity threat landscape. Our Head of Internal Audit reports directly to the Finance & Audit Committee and is responsible for reporting to the Finance & Audit Committee on our company-wide enterprise risk assessment, and that assessment also includes an evaluation of cyber risks and threats. The Chair of the Audit Committee regularly reports to the Board of Directors on matters reviewed by the Finance & Audit Committee, including cybersecurity, and all Board members have access to the materials for each Finance & Audit Committee meeting.
|Cybersecurity Risk Role of Management [Text Block]
|
Given the quantity of traveler and shopper data Global Blue processes, the protection of personal data is one of Global Blue’s top priorities. We have therefore established a Data Governance & Security Council, one of the responsibilities of which is to regularly monitor and manage data-driven cybersecurity risks.
The Data Governance & Security Council is headed by the General Counsel & Company Secretary, and includes executive members such as the CTO, CISO, the SVP Strategy and Chief Product Officer and VP representatives from Operations.
The Data Protection Officer is supported by the members of the Global Blue Data Governance & Security Council and, as a group, they are deemed to have sufficient qualifications and expertise in the areas of data protection and practices, well-founded IT knowledge, and knowledge of Global Blue’s products, technologies, processes and culture.
Global Blue’s CTO has served in several leadership positions as Chief Information Officer or IT Director with more than 25 years of experience within IT operations and development and extensive knowledge of day-to-day delivery. Global Blue’s CISO also has more than 25 years of experience within IT and Information Security, having held several leadership positions in IT and Information Security.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Given the quantity of traveler and shopper data Global Blue processes, the protection of personal data is one of Global Blue’s top priorities. We have therefore established a Data Governance & Security Council, one of the responsibilities of which is to regularly monitor and manage data-driven cybersecurity risks.
The Data Governance & Security Council is headed by the General Counsel & Company Secretary, and includes executive members such as the CTO, CISO, the SVP Strategy and Chief Product Officer and VP representatives from Operations.
The Data Protection Officer is supported by the members of the Global Blue Data Governance & Security Council and, as a group, they are deemed to have sufficient qualifications and expertise in the areas of data protection and practices, well-founded IT knowledge, and knowledge of Global Blue’s products, technologies, processes and culture.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The Data Protection Officer is supported by the members of the Global Blue Data Governance & Security Council and, as a group, they are deemed to have sufficient qualifications and expertise in the areas of data protection and practices, well-founded IT knowledge, and knowledge of Global Blue’s products, technologies, processes and culture.
Global Blue’s CTO has served in several leadership positions as Chief Information Officer or IT Director with more than 25 years of experience within IT operations and development and extensive knowledge of day-to-day delivery. Global Blue’s CISO also has more than 25 years of experience within IT and Information Security, having held several leadership positions in IT and Information Security.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our Head of Internal Audit reports directly to the Finance & Audit Committee and is responsible for reporting to the Finance & Audit Committee on our company-wide enterprise risk assessment, and that assessment also includes an evaluation of cyber risks and threats.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true