The ISO 31030 and GDPR Article 9 Catch-22

Back to thirdrailsystems.ee
MAY 2026 · v1.1Analytical Brief
Companion essay on LinkedIn

The Shadow HR Liability.

Why every multinational with a diverse workforce is sitting on the next €35 million GDPR fine, and the architectural pattern that resolves it.

How to cite this page

Cite individual sections by their stable anchor. Claims in this brief are sourced; the consolidated library is at thirdrailsystems.ee/beyond-disclosure/sources. Verified June 2026.

Third Rail Systems OÜ · Tallinn8-minute readv1.1 · May 2026
Hamburg precedent
€35.3M · Oct 2020

Hamburg DPA fine against H&M for internal special-category accumulation. Five years of Welcome Back Talks, exposed by a five-hour configuration error.

Disclosure collapse
76% do not fully disclose

Neurodivergent employees, per the City & Guilds Neurodiversity Index 2023. HRC 2026: 47.5% of LGBTQ+ adults less out than a year ago.

Enforcement live
€355M cumulative

Employee-data category alone, across 162 EU enforcement actions through March 2025. Uber: €290M, July 2024.

Executive Summary

In October 2020, the Hamburg Data Protection Authority fined H&M €35.3 million for a violation that involved no external attack, no data breach in the conventional sense, and no malicious actor. The breach was structural. Middle managers had been quietly accumulating digital dossiers on their employees, covering health information, religious beliefs, and family circumstances, over five years, stored on an internal network drive and generated through well-intentioned manager conversations. The data became visible to the wider company only because of a configuration error.

This document argues that the H&M case is not an outlier. It is the visible instance of a structural pattern that is present in virtually every multinational employer with a marginalised-cohort workforce, that has grown larger and more concentrated since 2020, and that is now operating inside a regulatory environment actively configured to find and penalise it. The pattern is called Shadow HR. The exposure is calculated against the full marginalised population, not the disclosed subset.

The architectural pattern that resolves it, minimum-disclosure stateless synthesis, is the only approach that survives both the duty-of-care obligation and the data-protection prohibition simultaneously. Five operational diagnostic questions appear at the close. A General Counsel, Chief Privacy Officer, or Chief Security Officer who can answer all five with documented evidence is likely in compliant operating territory. One who cannot is likely sitting on undocumented exposure of the type the Hamburg DPA found at H&M.

Part 1

The H&M Precedent

The H&M Hennes & Mauritz fine, issued on 1 October 2020 by the Hamburg Commissioner for Data Protection and Freedom of Information, set the operational template that European DPAs have followed since. Understanding the case in detail matters because the violation mechanism is the violation mechanism that is operating, undetected, in most multinationals today.

What happened at the Nuremberg service centre

H&M operated a service centre in Nuremberg where, beginning in 2014, team leaders conducted what were internally called Welcome Back Talks with employees returning from sick leave or vacation. The stated purpose was to maintain personal connection and identify support needs. Over five years, the content of these conversations was systematically recorded by managers and stored on an internal network drive. The records included specific health diagnoses, family difficulties, religious beliefs, and details about employees' vacation experiences and personal circumstances. The records were used to inform employment decisions including evaluations and contract renewals.

The data was not exposed because of an external breach. The data was exposed because in October 2019, a technical configuration error made the network drive readable across the wider H&M corporate network for approximately five hours. Employees noticed. Internal complaints followed. The Hamburg DPA opened an investigation.

Hamburg's characterization

Prof. Dr. Johannes Caspar, the Hamburg Commissioner at the time, characterised the H&M conduct as constituting:

“A particularly intensive encroachment on employees' civil rights.”

— Hamburg Commissioner for Data Protection, 1 October 2020

Three elements of the Hamburg analysis matter for understanding the broader pattern:

  • The data collection was undertaken with no documented legal basis under GDPR Article 6 or Article 9. The managers were not acting maliciously, but they were also not operating under any framework that authorized the processing.
  • The accumulation pattern, not the configuration error, was the violation. The fine would have been issued even if the configuration error had never occurred. The configuration error simply made the underlying violation visible.
  • The penalty calculation was based on the population whose data had been processed, not on the subset whose data had been temporarily exposed. The exposure was incidental. The processing was the offence.
Why this precedent matters
The €35.3M figure was, at the time, the largest GDPR penalty ever issued by a German DPA. It established the principle that informal employee data accumulation, conducted by middle managers under no formal legal framework, is GDPR-actionable at penalty levels typically associated with technical security failures or deliberate misuse.
Part 2

The Shadow HR Pattern, Named

The H&M case names a pattern that exists in most multinational organisations. Once identified, the pattern becomes visible everywhere. Once made visible, it cannot be unseen by a sophisticated General Counsel.

The structural origin

Modern duty-of-care frameworks, including ISO 31030 for travel risk, the Corporate Sustainability Due Diligence Directive (CSDDD) for supply chain and workforce obligations, the Worker Protection Act 2024 in the United Kingdom, the Equality Act jurisprudence on reasonable adjustments, and parallel European employer-liability evolution, all demand that employers protect specific marginalised employees from specific identity-aware harms. Generic protection is inadequate. Tailored protection is required.

Modern data protection frameworks, including GDPR Article 9 on special category data, the EU AI Act prohibition on demographic-attribute training inputs in employment contexts, and sector-specific regulation on health and disability data, all prohibit employers from centrally recording the attributes that would let them deliver that tailored protection.

These two regimes were authored by different legislators, operating on different timescales, optimising for different harms. They are both correct, individually. They are catastrophically incompatible, together.

How the pattern manifests

Managers in multinational organisations live inside the resulting incompatibility every day. They know they have a duty-of-care obligation. They know the official systems cannot legally hold the data that would let them discharge it. So they build unofficial systems. In practice, Shadow HR manifests as:

  • Spreadsheets maintained by individual managers or HR business partners tracking employee accommodations, dietary requirements, medical conditions, family circumstances, religious observances, or identity factors relevant to travel and assignment decisions.
  • Network drives where ERG (Employee Resource Group) coordinators store membership lists for LGBTQ+ networks, disability networks, neurodiversity networks, veteran networks, and parent networks, typically without DPIA, without explicit consent for the processing purpose, and without documented retention policy.
  • HRIS custom fields that someone in middle management began populating without explicit corporate authorization, capturing accommodation needs, medical restrictions, or identity factors in free-text or structured form.
  • Email threads and chat archives where managers and HR staff have discussed individual employees' personal circumstances in detail, with the threads retained indefinitely under default corporate retention policies.
  • OHS (Occupational Health and Safety) files containing medical disclosure information that is then referenced informally by line managers for non-OHS purposes.
  • Travel-risk vendor platforms that have accumulated traveller profile data including health conditions, dietary restrictions, and emergency contact relationships, all of which constitute special-category data under Article 9.

Each of these is special-category personal data under GDPR Article 9, processed without proper legal basis, without DPIA, without documented purpose limitation, without retention controls, and typically without the data subject's specific knowledge of the processing scope. None of it was created with malicious intent. All of it was created by people trying to discharge their organizational obligations under duty-of-care frameworks that gave them no architectural alternative.

Part 3

The Disclosure-Collapse Multiplier

Shadow HR would be a static problem if voluntary employee disclosure rates were stable. They are not. Disclosure rates across every marginalised cohort with available data are collapsing, and the collapse changes the risk math materially.

The data

The Human Rights Campaign Foundation's 2026 Corporate Equality Index documented that 47.5% of LGBTQ+ adults are less out in at least one area of their lives than they were 12 months ago. The HRC characterised this as a measurable retreat from workplace identity disclosure under the current political and regulatory environment.

The City & Guilds Foundation Neurodiversity Index for 2023 found that 76% of neurodivergent employees chose not to fully disclose their condition to their employer. The 2024 CIPD Neuroinclusion at Work Report found that 31% of neurodivergent employees have not told their manager or HR anything at all. The Understood.org and Harris Poll Neurodiversity at Work Survey in May 2025 found that 64% of neurodivergent employees believe disclosure would harm them, and 77% of all adults agreed that neurodivergent employees feel pressure to mask their conditions at work.

Across LGBTQ+, neurodivergent, disability, and other marginalised cohorts, the direction of travel is consistent: fewer employees are telling their employers what they are. The regulatory rollback of DEI infrastructure in the United States, accelerating since early 2025, has made disclosure feel actively dangerous in ways it did not feel two years ago.

Why this makes the exposure worse

Most Chief Privacy Officers would assume that declining disclosure reduces Shadow HR exposure. The opposite is true. As voluntary disclosure to official channels collapses, managers operating under duty-of-care pressure do not stop tracking. They track informally instead. The spreadsheet replaces the HRIS field. The ERG private chat replaces the corporate membership list. The personal note replaces the corporate record.

The total population of employees about whom special-category data is being processed does not shrink as disclosure collapses. The population stays the same. The proportion of that processing that happens in undocumented, unsanctioned, unmonitored systems grows. And the regulatory liability is calculated on the total population, not on the proportion being tracked through official channels.

The 15 to 20 percent dimension

The most underappreciated dimension of this problem is scale. Neurodivergent individuals, those with autism, ADHD, dyslexia, dyspraxia, and related conditions, account for an estimated 15 to 20% of the global adult population. A multinational with 50,000 employees has approximately 7,500 to 10,000 neurodivergent workers. Approximately 24% have formally disclosed (per CIPD 2024). The disclosed subset is tracked somewhere, in HRIS accommodation fields, ERG membership lists, manager notes, or OHS files. Each of those tracking locations is processing special-category health data under Article 9. A configuration error of the H&M variety, exposing one of these tracking locations, would generate a penalty calculated against the entire employed neurodivergent population, not against the subset whose data was incidentally exposed. Hamburg established that principle in 2020. It has been confirmed in every subsequent enforcement action.

Part 4

The Enforcement Trajectory

The argument that the H&M case was an outlier requires ignoring everything that has happened since. The European DPA enforcement environment is not stable around employee data. It is intensifying.

The Uber precedent

In July 2024, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) fined Uber €290 million for the unlawful transfer of European driver data to the United States. The fine was not about a breach. It was about the routine processing of driver-identity data through pathways that did not satisfy GDPR transfer requirements.

The case extended the H&M principle. It is not necessary for data to be exposed for the processing itself to constitute the violation. The Uber decision specifically reaffirmed that the population whose data was processed forms the calculation basis for the penalty, regardless of how many of those individuals experienced actual harm.

The cumulative trend

The CMS GDPR Enforcement Tracker Report for 2025 documented cumulative European enforcement of €355 million across 162 enforcement actions in the employee-data category alone, through March 2025. The trajectory of monthly enforcement is accelerating, not flat. Three factors are driving the acceleration:

  • DPAs have improved their investigatory technique for finding informal data accumulation. The H&M case taught the regulatory community how to recognise the Shadow HR pattern. Subsequent cases have refined that recognition.
  • Employee complaints have become more common as workforce awareness of GDPR rights has matured. The complaint pathway from employee to DPA is now well-established across most member states.
  • DPAs have aligned on the principle that penalty severity should be calibrated to the failure to design for compliance, not just to the harm caused. This means well-intentioned violations receive penalties commensurate with their structural scope, not with their motive.

The insurance underwriting dimension

D&O (Directors and Officers) liability insurance underwriters and cyber liability underwriters have begun requiring documented compliance with ISO 31030 (Travel Risk Management) and demonstrable GDPR Article 35 DPIA coverage on employee-data processing as conditions for competitive renewal pricing. The insurance market is establishing what the regulatory market is enforcing. Organisations that cannot document their employee-data architecture against both frameworks are facing premium increases and coverage exclusions that compound the direct regulatory exposure.

Part 5

The Architectural Resolution

The Shadow HR problem cannot be solved by policy. Stronger manager training, clearer compliance documentation, more frequent DPIAs. All are useful, none are sufficient. Managers will continue to receive duty-of-care obligations they cannot legally discharge using sanctioned data infrastructure, and they will continue to build informal alternatives in response. The problem is solvable only by architectural change. Specifically, by removing the underlying need for centralised special-category data accumulation in the first place.

The minimum-disclosure principle

A minimum-disclosure architecture delivers the bespoke risk mitigation that duty-of-care frameworks demand without requiring the employer to centrally retain the demographic attributes that data-protection frameworks prohibit. The architectural pattern has three properties:

1. Edge-bound identity

Identity attributes that would constitute Article 9 special-category data are held on the employee's edge device, behind biometric authentication, never transmitted to enterprise systems.

2. Stateless synthesis

Risk assessment is performed by stateless synthesis against destination or assignment context. The demographic input is destroyed at the boundary of the synthesis enclave. No retained identity record exists to attach the output to.

3. Decoupled audit

The audit trail required for ISO 31030 and EU AI Act compliance captures the assessment outputs and decision logic, not the demographic inputs. The compliance evidence exists. The Article 9 exposure does not.

Implementation status
This pattern is implementable. Third Rail Systems OÜ has built a working implementation called the ISI Platform. The KTH Royal Institute of Technology in Stockholm has independently validated the architecture at IRL 5 (Technology Readiness Level).

Why this is the only pattern that survives

Centralised data brokerage, the architectural pattern that defines the legacy travel-risk-management industry, cannot survive the current regulatory environment. The enforcement trajectory is too steep, the disclosure-collapse multiplier is too aggressive, and the population-based penalty calculation is too punitive. Privacy-by-design architecture is not an aesthetic preference. It is the only structural pattern that satisfies both regulatory regimes simultaneously and that scales with a workforce whose disclosure rates will continue to decline through the remainder of the decade.

Part 6

Five Diagnostic Questions

A General Counsel, Chief Privacy Officer, or Chief Security Officer evaluating organizational exposure to Shadow HR liability can begin with five operational diagnostic questions. The questions are not exhaustive. They are calibrated to surface the categories of exposure most consistently present in multinational organisations. An organisation that can answer all five questions with documented evidence is likely in compliant operating territory. An organisation that cannot answer one or more is likely sitting on undocumented exposure of the type the Hamburg DPA found at H&M in 2020.

Q1

Legal basis documentation

Can you produce, within 72 hours, the documented legal basis under GDPR Article 6 and Article 9 for every employee accommodation, ERG membership, or identity-related data field currently held in any system, official or informal, within your organisation? If the answer requires consultation with multiple HR business partners, ERG coordinators, or line managers to compile, the documentation does not exist in the form GDPR requires.
Q2

Informal accumulation discovery

When was the last time your DPO or Privacy Office conducted a systematic discovery exercise to identify Shadow HR accumulation in spreadsheets, network drives, chat archives, and email threads across the organisation? If the answer is never, or if the answer is more than 18 months ago, the accumulation is likely present and growing.
Q3

Manager training content

Do your line manager training materials contain explicit, named guidance against informal tracking of employee accommodations, identity factors, or personal circumstances, with examples of what does and does not constitute Article 9 special-category data? Generic GDPR training does not satisfy this question. The guidance must be specific to the Shadow HR pattern.
Q4

DPIA coverage on ERG data

When was the last DPIA (Data Protection Impact Assessment) conducted on the data processing performed by your ERG coordinators in the course of maintaining membership lists, organising events, and supporting members in their professional development? If the answer is never, your ERG coordinators are likely processing Article 9 data without the legal infrastructure GDPR requires.
Q5

Travel risk vendor data classification

Has your Privacy Office conducted a classification audit of the data your current travel-risk-management vendor (International SOS, SAP Concur, Crisis24, Everbridge, or similar) holds about your employees, with specific attention to which fields constitute Article 9 special-category data? If the vendor holds health information, dietary requirements, emergency contact relationships, or accommodation needs, the vendor is processing Article 9 data on your behalf. Your DPA with that vendor must specifically authorize Article 9 processing under documented legal basis. Most current vendor DPAs do not.

If This Brief Maps to Your Organisation

The Shadow HR pattern is recognizable once named. Most General Counsels who read this brief in full will recognise at least two of the five diagnostic questions as ones they cannot answer with documented evidence. Some will recognise all five.

Third Rail Systems OÜ is conducting confidential architectural diagnostics with a limited number of multinational organisations through Q3 2026. The diagnostic is not a sales engagement. It is a 60-minute structured conversation between your Privacy, Security, and HR leadership and our architectural team, focused on whether your current employee-data architecture can survive a Hamburg DPA inspection. The diagnostic produces a written assessment of exposure points and architectural alternatives. There is no obligation to engage further. Organisations that determine, after the diagnostic, that their current architecture is sound have received a documented validation that may be useful for D&O insurance underwriting conversations. Organisations that determine, after the diagnostic, that architectural change is warranted have a reference framework for the change.

Evaluation criteria

Diagnostic requests are evaluated against three criteria:

  • Organizational scale: multinational with 5,000+ employees.
  • Workforce composition: substantive marginalised-cohort population, including but not limited to LGBTQ+, neurodivergent, and disability cohorts.
  • Current exposure: organisation is processing employee data through travel-risk vendors, ERG infrastructure, or accommodation-tracking systems.
Request a diagnostic
60-minute structured conversation. Confidential. No HRIS integration required.
Read companion essay
Forward
Share with your General Counsel

Copy the in-site link or share the LinkedIn companion essay with one click.

Further reading: the Exposure series

Sources & Citations

  • Hamburg Commissioner for Data Protection and Freedom of Information, press release, 1 October 2020 (H&M Hennes & Mauritz Online Shop AB & Co. KG fine).
  • Autoriteit Persoonsgegevens (Dutch Data Protection Authority), Uber fine announcement, July 2024.
  • CMS GDPR Enforcement Tracker Report 2025, Employment and Employee Data category.
  • CIPD Neuroinclusion at Work Report, February 2024.
  • City & Guilds Foundation Neurodiversity Index, 2023 edition.
  • Understood.org and Harris Poll Neurodiversity at Work Survey, May 2025.
  • Human Rights Campaign Foundation Corporate Equality Index 2026.
  • CSDDD (Corporate Sustainability Due Diligence Directive), Official Journal of the European Union, 5 July 2024; Omnibus I amendments 24 February 2026.
  • GDPR Article 9 and Article 83, Regulation (EU) 2016/679.
  • ISO 31030:2021 Travel Risk Management: Guidance for Organizations, International Organization for Standardization.
  • KTH Royal Institute of Technology, Deeptech Startup Network IRL Framework Evidence Report, Third Rail Systems OÜ, March 2026.
This document is published by Third Rail Systems OÜ. The analysis is provided for informational purposes and does not constitute legal advice. Organisations evaluating their exposure under GDPR, ISO 31030, the EU AI Act, or related frameworks should consult qualified legal counsel.

© 2026 Third Rail Systems OÜ · Tallinn, Estonia · Registry 17488655 · v1.1 · May 2026

v1.0 · Tallinn · EU-Native