What is special category data?
Article 9(1) of the GDPR lists the categories of personal data whose processing is prohibited by default: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data used for identification, health data, and data concerning a person's sex life or sexual orientation. The structure of the article matters as much as the list. Processing of these categories "shall be prohibited" unless one of a small set of exceptions applies, each construed narrowly. The compliant default is not careful collection. It is non-collection.
Which traveller attributes fall under Article 9?
More than most programmes assume. Sexual orientation and health data are named directly. Disability and neurodivergence are health data. So is the medication a traveller carries: a prescription is a diagnosis in physical form, and Article 9 covers data revealing a category, not only the category stated outright. A dietary requirement can reveal a religion. An assistance request transmitted through a booking system reveals a disability to every node that handles it. The attribute does not need to be written in a field called "orientation" or "condition" to be special category data; it needs only to be derivable from what was recorded.
Does ISO 31030 require collecting it?
ISO 31030, the international travel risk management standard, directs organisations to consider "the specific needs of individual travellers" and threats that vary with personal risk factors. For an employee whose characteristics are criminalised or surveilled at the destination, an assessment that ignores those characteristics is not an assessment; it is an average. So the standard creates an obligation of individualised assessment. What it does not create is any requirement to collect and retain the attributes centrally. The obligation is to assess. The habit is to collect. The distance between those two words is where most programmes are exposed.
Can consent close the gap?
Article 9(2)(a) permits processing with the data subject's explicit consent, and it is the exception most travel programmes reach for. It is weaker than it looks. Consent under the GDPR must be freely given, and European regulators treat consent in the employment relationship with scepticism precisely because the power imbalance makes free refusal doubtful. It must also be as easy to withdraw as to give, which means an architecture built on consent is built on a foundation any employee can remove at any time. Consent can be a lawful basis. It is a poor load-bearing wall.
What happens when organisations collect it anyway?
Two documented failure modes. The first is structural breach: in 2020 the Hamburg data protection authority fined H&M €35.3 million after managers accumulated informal records of employees' health, beliefs, and family circumstances over five years, exposed not by an attacker but by a configuration error. The pattern, well-intentioned records accumulating outside any lawful basis, is what we call the Shadow HR liability, and it is present in most multinationals with a diverse workforce. The second failure mode is quieter: the people the register exists to protect decline to be in it. A majority of neurodivergent employees do not disclose to their employer, with fear of career harm among the leading reasons. A protection system premised on disclosure misses most of the population it was built for, and retains a liability about the rest.
Is individualised assessment possible without the attribute?
Yes, because the two halves of a travel risk assessment live on opposite sides of a line. The risk layer is public: which jurisdictions criminalise which characteristics, which medications are controlled where, which carriers damage mobility equipment at which rates, which environments impose which sensory loads. None of that is personal data. The attribute layer is personal, and it is only needed at the moment of assessment, not afterwards. An architecture that holds the risk layer, lets the attribute meet it transiently, and retains only proof that assessment occurred gives the organisation its ISO 31030 evidence while the attribute never enters its systems. The employer keeps the audit trail. The person keeps themselves. The full argument, with forty sourced claims behind it, is in the Beyond Disclosure whitepaper.
The question to ask your own programme
Where, today, is the list of your travellers who would be endangered by their own personnel file, and who can read it? If the answer is a named system with a lawful basis, documented purpose limitation, and retention controls, you are ahead of the H&M pattern. If the answer is a spreadsheet, an inbox, or a well-meaning manager's memory, the exposure is already on foot.