{{ toastMessage }}
ARETE
Connecting…

ARETE — European Data Protection Supervisor Personal Data Breach · Risk Assessment

Training {{ COURSE_META.venue }} {{ COURSE_META.date }}
Some course content could not be loaded. Please reload the page in a moment — if this message keeps appearing, contact the facilitation team (Contact page in the sidebar). (technical detail: {{ arete_content_error }})
Programme overview

{{ training_trainee_name ? 'Welcome, ' + training_trainee_name + '.' : 'Welcome to ARETE' }}

ARETE will help you to carry out a robust personal data breach risk assessment in line with Articles 34 and 35 EUDPR. This page is your home for everything related to the programme — pre-work, agenda, scenarios, reference library, and follow-up.

{{ pf_primaryCtaSub }}

1 Before the workshop

Get the foundations on your own, at your own pace (~35 min): short readings and a first breach scenario to work through.

  • Readings {{ pf_prework_done_count }}/{{ pf_prework_total }}
  • Scenario 1 — case study
You are here
2 Workshop day

In person on {{ COURSE_META.date }}: group-based work on a live scenario with your facilitator — you apply everything from the pre-work.

  • Scenario 2 — team exercise
🔒 Opens on the workshop day
You are here
3 After the workshop

Close the loop: test yourself on the risk classification quiz, dig into the further reading, and keep practising with real EDPB cases.

  • Risk classification quiz
  • Further reading — papers & practitioners' insights
  • Additional practice — 7 EDPB cases
🔒 Opens at the close of the workshop
You are here
Chatham House rule The session is non-attribution. Mistakes raised during exercises are framed as learning opportunities, not compliance failures.

Practical details — date, venue, agenda, what to bring, the facilitation team — are on the Logistics page.

Programme overview

Logistics

Everything practical for the workshop day — when, where, what to bring, and who is running it.

Logistics

📅 Date
{{ COURSE_META.date }}
📍 Venue
{{ COURSE_META.venue }}
⏱ Duration
Half-day · 08:00 – 13:15 · ~4 h of active content time
👥 Format
In-person
📋 What to bring
Your printed pre-work paper template, a pen, and your name card, and some good humour
🌐 Language
English, plain language. No idioms; pace accommodates non-native speakers

Agenda

TimeBlock
{{ row.time }} {{ row.block }}

Facilitation team

  • {{ f.name }} {{ f.role }}

Privacy Notice

How your personal data is processed for this training. Please read it before the workshop.

📄 Open the Privacy Notice (PDF) ↗

Contact the facilitation team at {{ COURSE_META.contactEmail }}.

Programme overview

Why ARETE exists

ARETE originates from a clearly identified problem, supported by evidence from the EDPS analysis of breach notifications and the 2024 Data Breach Management Awareness project, and the yearly delivered PATRICIA Exercise on Personal Data Breach Awareness in Cybersecurity Incident Handling. Three recurring patterns surfaced in how EUIBAs perform breach risk assessment:

1

Incomplete risk analysis

Risk assessments submitted in breach notifications regularly fall below the expected standard — the surface of attack is under-defined, highly data-centric adverse effects are vague, and the rationale for the risk score is missing or not sufficiently granular.

2

Risk centred on the organisation, not on data subjects

Organisational risk concerns crowd out the risk to data subjects — which is what Article 34 EUDPR actually requires controllers to assess.

3

High tolerance to risk

Controllers consistently lean toward under-evaluating risk, often to avoid the obligation to notify or to communicate. Some EUIBAs even use risk matrices that split "high risk" into notify / don't-notify paths — contradicting the three-tier framework in the law.

Programme overview

What you'll learn

By the end of ARETE, you will be able to:

LO1

Differentiate organisational risk from data subject risk

You will distinguish between organisational impacts and adverse effects on data subjects, correctly identifying at least three specific data subject risks (identity theft, loss of control over personal data, reputational harm, …) that must be prioritised in an EUDPR-compliant assessment.

Addresses Finding 2.

LO2

Apply the EDPS risk assessment body of knowledge with reasoned rationale

Following the pre-work and the guided scenario, you will apply the body of knowledge to a breach scenario — identifying the key risks to data subjects, assigning correctly Unlikely / Risk / High Risk score, and writing a rationale that maps the surface of attack to specific increasing or decreasing risk factors.

Addresses Findings 1 and 2.

LO3

Determine notification obligations

Given a complex breach use case, you will decide whether the breach requires notification to the EDPS under Article 34 and/or communication to data subjects under Article 35, justifying the decision with reference to the three-tier risk framework and the 72-hour deadline.

Addresses Finding 3.

Stage 1 of 3 · Before the workshop

Before the workshop readings {{ pf_prework_done_count }}/{{ pf_prework_total }}

Get the foundations on your own, online and at your own pace — two steps, ~35 minutes in total. Please complete them before the workshop day: the first 30 minutes of the session activate this material rather than re-deliver it.

1 Read the essentials ~15 min

Five short readings — the assessment method first, then the legal framework. Tick each one as you finish. (The scientific papers and practitioners' insights move to After the workshop.)

{{ pf_prework_done_count }}/{{ pf_prework_total }} read
2 Scenario 1 — The Encrypted Gateway ~30 min

Your first realistic breach case, worked offline. You read the case file, score it on the paper template, then record your risk decision online — it locks once recorded.

✓ completedcase file + paper template
Stage 1 of 3 · Before the workshop · Step 1
1

Read the essentials

~15 min

Five short readings curated from the reference library, in the same subsections you will find there. Tick each as you finish. Start with the method — everything else hangs off it. (The scientific papers and practitioners' insights are now further reading for after the workshop.)

The method
  • 📄 Open the Introduction Reading (PDF) ↗
Legal framework
  • {{ a.num }} — {{ a.title }}
  • No terms match “{{ ref_glossary_filter }}”.
    {{ e.term }} · {{ e.ref }} {{ e.def }}
Stage 3 of 3 · After the workshop
🧪

Risk classification quiz ✓ {{ prework_diagnostic.score }}/{{ ARETE_DIAGNOSTIC.length }} correct🔒 locked

~7 min · {{ ARETE_DIAGNOSTIC.length }} cases

Seven short breach cases. For each one, commit to a risk classification for the data subjects — then submit to reveal the reference answer and the reasoning behind it. Use it to test the judgement you built during the workshop. The cases are deliberately varied, and a couple are genuinely debatable.

🔒 Your facilitator opens this at the close of the workshop — it unlocks here automatically, nothing to type or refresh. If it stays locked once the day is over, email the facilitation team.

Commit to a classification for each case. After you submit, you'll see the reference answer and a short explanation for every case — and your score.

  1. Q{{ i + 1 }}. {{ q.stem }}
    {{ diagIsCorrect(q.id) ? '✓ Correct.' : '✗ Reference answer: ' + diagAnswerLabel(q) + '.' }} {{ q.rationale }}
Stage 1 of 3 · Before the workshop · Step 2
2

Scenario 1 — The Encrypted Gateway

~30 min

You work this first scenario on your own, offline: read the case file, score it on the paper template, then record your pre-work risk decision here. Follow the three steps below — your committed risk decision is the pre-work deliverable. Bring the completed paper template to the workshop.

  1. Read the case file. Open the Case file above — it holds everything you work from: the institution and the data involved, the record of processing (RoPA), the data-processing agreement (DPA), the incident-response procedure and the incident timeline. Read it through before you score anything.
  2. Fill in the paper template. Work through the Paper template step by step, recording your scoring from the case file as you go — whose data was affected, the CIA dimensions, the root cause, the data sensitivity and volume, the likely consequences and harms, and the containment measures.
  3. Record your pre-work risk decision. When the template is complete, commit your own call in the panel below (button ): likelihood and severity in words, a risk score, a one-paragraph rationale, and your Art. 34 / Art. 35 decisions. It locks once recorded — that is your deliverable.
Record your risk decision

Both decisions are recorded. Bring your paper template to the workshop. is your pre-work deliverable — record it before the workshop. unlocks in the room, after your facilitator presents Inject 1. Inject 1 is live — weigh it against your pre-work call and record your revised decision in .

{{ section_locks.s1_reassessment ? 'LOCKED' : 'OPEN' }} Button ② — “In-class risk (Inject 1)”
Stage 2 of 3 · Workshop day

Workshop day

In person on {{ COURSE_META.date }}: team-based work on a live breach scenario with your facilitator — you apply everything from the pre-work and debate your judgement. Practical details are on the Logistics page.

1 Scenario 2 — HR Recruiter Workstation Compromise

The main team exercise: a live, evolving breach. Your team gathers the facts, weighs likelihood and severity, commits to a judgement and defends it.

🔒 Locked for students · click to preview🔒 Opens on the workshop dayopen
Facilitator — open for students: Assessment tool Prep downloads Inject 1 tool
Stage 2 of 3 · Workshop day

Scenario 2 — HR Recruiter Workstation Compromise

The in-room scenario for the workshop. Your pre-work (Scenario 1) is the preparation. Materials below unlock when your facilitator shares the code.

S2

Scenario 2 — HR Recruiter Workstation Compromise

🎛️ Facilitator — what students can see on this page
{{ training_unlocked_scenarios.arete_s2 ? 'OPEN' : 'LOCKED' }} Assessment tool (the Scenario 2 wizard)
{{ section_locks.s2_downloads ? 'LOCKED' : 'OPEN' }} Prep downloads (paper template + workshop pack)
{{ training_unlocked_scenarios.arete_s2_inject1 ? 'OPEN' : 'LOCKED' }} Assessment tool — Inject 1 (a separate, pre-loaded copy of the wizard)
{{ section_locks.s2_result ? 'HIDDEN' : 'REVEALED' }} Automatic result on the result screen (your judgement vs the calculation) — applies to S2 and the Inject 1 tool

🔒 Your facilitator opens the assessment tool at the start of the workshop — it unlocks here automatically; nothing to type or refresh. You can download the paper template and workshop pack now to prepare.

📥 Paper templatehidden from students 📥 Workshop packhidden from students 🔒 Your facilitator will share the prep downloads.
S2·i1

Scenario 2 — Inject 1 (re-assessment)

A second, separate copy of the assessment tool for the in-room Inject 1. Once the facilitator presents the new information, your team re-runs the assessment here — your initial Scenario 2 assessment stays untouched, so you can compare the two.

🎛️ Facilitator — the Inject 1 tool
{{ training_unlocked_scenarios.arete_s2_inject1 ? 'OPEN' : 'LOCKED' }} Assessment tool — Inject 1 (separate wizard, pre-loaded like Scenario 2)

🔒 Your facilitator opens the Inject 1 tool in the room once Inject 1 is presented — it unlocks here automatically; nothing to type or refresh.

Compare — your initial call vs after Inject 1

How your team's risk judgement changed once Inject 1 arrived. Highlighted rows are the ones that moved.

Initial analysisAfter Inject 1
{{ row.label }} {{ row.a }} {{ row.b }}moved
Initial rationale

{{ wiz_s2_comparison.initial.rationale || '—' }}

After Inject 1

{{ wiz_s2_comparison.inject1.rationale || '—' }}

Stage 3 of 3 · After the workshop

After the workshop

Close the loop: test your judgement on the risk classification quiz, dig into the further reading, and keep practising at your own pace with real EDPB worked cases.

1 Risk classification quiz

Seven short breach cases — commit to a risk classification for each, then see the reference answer and the reasoning behind it. A quick way to test the judgement you built during the day.

🔒 Locked for students · click to preview✓ submitted🔒 Opens at the close of the workshopopen
2 Further reading

Scientific papers on breach-harm research and practitioners' insights — to deepen your understanding after the workshop.

🔒 Locked for students · click to preview🔒 Opens at the close of the workshop🔒 opened by your facilitatoropen
3 Additional practice

Seven EDPB worked examples, from misdirected emails to a hacked whistleblower database — practise the method and compare your call with the official outcome.

🔒 Locked for students · click to preview🔒 Opens at the close of the workshopopen
Stage 3 of 3 · After the workshop
📑

Further reading 🔒 locked

Optional deeper reading to take the method further after the workshop: current research on breach harm, and how breaches are assessed and communicated in practice. Tick each as you finish.

🔒 Your facilitator opens this at the close of the workshop — it unlocks here automatically, nothing to type or refresh.

Scientific papers
Practitioners' insights
Stage 3 of 3 · After the workshop

Additional practice — 7 EDPB worked examples

Seven additional breach scenarios from the EDPB and EDPS guidelines. Each one has an established expected outcome — apply the body of knowledge and compare your reasoning against the reference rationale.

🎛️ Facilitator — open practice cases for students
{{ training_unlocked_scenarios[key] ? 'OPEN' : 'LOCKED' }} {{ sc.title }}
+7

Additional practice — 7 EDPB worked examples

~15 min each

Sent by email roughly one week after the workshop. You will apply the body of knowledge to seven additional cases from the EDPB and EDPS guidelines, each with an established expected outcome you can compare your reasoning against.

Unlocked. Choose any case to begin:

Data Breach Risk Assessment Tool — Training

Training Sandbox👨‍🏫 Instructor mode
⚠ {{ t('warn_inc') }} {{ vaultName.length > 20 ? vaultName.slice(0,17) + '...' : vaultName }} ({{ vaultLastSaved }}) {{ saveStatus === 'saving' ? 'Saving\u2026' : saveStatus === 'pending' ? 'Unsaved' : saveStatus === 'error' ? 'Save failed' : saveStatus === 'saved' ? 'Saved' : 'Idle' }}
📌 Instructor note · {{ wiz_step }}

{{ train_instructor_note }}

📋 Discussion guide — {{ train_scenario.title }}

Questions to debate as a team while working through the assessment. These do not feed the engine — they are prompts for the team's reasoning.

{{ block.title }}
  1. {{ q }}
⚠ {{ train_injects.length > 1 ? 'Inject ' + (training_inject_idx + 1) + ' of ' + train_injects.length : 'Inject' }}

{{ train_injects[training_inject_idx].label }}

Revised question: {{ train_injects[training_inject_idx].revised_question }}
Revised questions:
  • {{ q }}
{{ pi + 1 }} {{ p.label }}
{{ s.label }}

Let's walk through your data breach assessment

This guided mode will ask you questions in plain language and translate your answers into the EUDPR / EDPB risk categories. It's intended for staff dealing with a breach for the first time, or who want a structured walk-through.

Expect about 10–15 minutes. You can step back at any point. At the end you'll see the calculated risk and which legal obligations apply.

ⓘ Tip: The questions below are the same ones a DPO works through in a real incident. They follow the four phases of the assessment method you saw in the pre-work — gather the facts, weigh the likelihood, weigh the severity, then weigh the circumstances and judge. The ribbon above the progress bar shows which phase you are in. Before the result is revealed you will commit to your own judgement, and then compare it with the automatic calculation.

What this assessment is based on
The questions follow the risk-assessment doctrine in EDPB Guidelines 9/2022 v2.0 and the EDPS Guidelines on personal data breach notification (2018): the likelihood that data subjects suffer adverse effects, weighed against the severity of those effects, with three resulting risk levels (LOW / RISK / HIGH RISK) matching the Art. 34 / Art. 35 thresholds in Regulation (EU) 2018/1725 (EUDPR). Per–data–subject–category assessment is preserved — you'll assess one category in detail, then we'll ask whether other categories of affected people would fare differently.

Step 1 · Identification

Some basic details for the report header. None of these affect the risk calculation, but they appear at the top of the final report and several are referenced by the EDPS notification template.

Internal identifier used to track this breach across documents.

When ticked, the controller's notification and DS-communication obligations are governed by Arts. 92, 93 and 94 — not Arts. 34 and 35. The risk calculation is identical for both scopes; only the legal references in the report differ. Most EU institutions leave this unchecked.

List the RoPAs relevant to the breach. You'll attach one to each DS category in Step 6. If you don't have RoPAs to reference, skip this section.

Step 1 · What happened?

Describe what happened in your own words. Don't worry about technical terms — write as if explaining to a colleague who wasn't involved. We'll ask the technical follow-ups in the next steps.

Examples: "A laptop containing a list of training participants was stolen from a meeting room." · "An email with attendees' personal data was sent to the wrong distribution list." · "Our HR system was hit by ransomware; backups are intact and forensics found no exfiltration."
{{ (state.breach.desc || '').length }} / 3000 characters · This text will appear at the top of the report.

Step 1 · What did the breach affect?

A breach can affect data in three different ways. Tick all that apply — many breaches affect more than one.

What this maps to (technical)
These three options correspond to the CIA triad — Confidentiality, Integrity, Availability. A breach must affect at least one. The combination determines which Likelihood factors apply later (e.g. L1 only matters if Confidentiality is in scope).

Step 1 · What caused the breach?

Pick the option that best describes how the breach happened.

Step 2 · When did this happen?

Five dates matter. The most important is Date of Awareness — that's what starts the 72-hour clock under Art. 34(1) EUDPR. The notification dates can be left blank if you haven't notified yet; the wizard surfaces a warning if the deadline has passed.

When IT first saw an alert, a user reported a problem, or a third party informed you. Optional.
The date the institution had reasonable certainty personal data was involved. Starts the 72-hour clock.
72-hour deadline: {{ wiz_deadlineDisplay }} ✔ EDPS notified within the 72-hour deadline EDPS notified late — provide the reason below already past the deadline and EDPS not yet notified — less than 24h left to notify
Date when the institution submitted the Art. 34 notification to the EDPS. Leave blank if not notified yet.
Date of Art. 35(1) communication. Only mandatory for HIGH RISK breaches.
Mandatory under Art. 34(1) EUDPR when notifying late.
Why detection and awareness can differ
EDPB Guidelines 9/2022 §28: detection is when the controller becomes aware of an incident; awareness is when the controller has reasonable certainty that a personal-data breach has occurred. A short investigation period between the two is acceptable.

Step 3 · Whose data was affected, and how vulnerable are they?

Pick the most representative category from the institution's DS register. Then confirm or adjust the inherent vulnerability for this specific case. If multiple categories are affected you'll add the others later as variations.

The DS register is empty. Pick Custom below or set up the register first.
For custom categories you set the vulnerability level manually below.

About the population, not the incident. The level is pre-filled from the chosen category — adjust if this specific case warrants a different one (for example, a politically sensitive subset of an otherwise general-public category).

You have adjusted the vulnerability away from the register default ({{ wiz_i0Labels[wiz_primary.i0Suggested] }}). Document the rationale in the DPO confirmation field after the wizard.
What inherent vulnerability captures
Inherent vulnerability raises the severity for data subject categories that are more exposed — Standard, Slightly elevated, High or Critical — independent of the incident itself. It is about the data subject category, not the data. Special-category status (Art. 10/11 EUDPR) is captured separately, under data sensitivity.
No RoPAs added yet. Go back to Step 1 · Identification to register one, or leave this empty.

Step 4 · Could the data be read by whoever has it?

If someone unauthorised got hold of the data, can they actually identify the people in it?

Step 4 · Where did the data end up?

After the breach, who had access, or what happened to the data?

Step 4 · Was this an accident or a deliberate attack?

A deliberate attack is more likely to lead to data being misused. Asking about intent and exploitation.

Step 4 · Did the data actually leave our environment?

Different from "where did it end up" — here we want to know whether the data was physically extracted from your systems by an attacker, or whether it remained inside even though access happened.

ⓘ Note — device vs data: the question is about extraction of usable data, not about whether a device physically left the premises. A stolen laptop with intact strong encryption leaves the device but the bytes are unintelligible — that case answers No here, and the encryption status is captured separately at the L1 step.

How widely did the data spread?

Why this matters for the score

Confirmed exfiltration forces Likelihood ≥ 4 because once data has left your perimeter you cannot put it back — the worst-case must be assumed. Plausible/unknown with an external attack pushes Likelihood ≥ 3.

None is the only value that enables the null-impact downgrade later (which can take a RISK breach down to LOW). Pick "none" only when you have positive evidence — not just absence of evidence.

Step 4 · What kind of data was affected?

Different data carries different risk if exposed. Pick the most sensitive kind affected, even if only part of the dataset.

Step 4 · How many people are affected?

Volume affects how widely the harm could spread. The Expert tab and the EDPS Art. 34 notification form distinguish between individuals (distinct people) and records (distinct data items — one person can have several). Fill what you know; the engine cross-validates against the band you pick below.

Distinct data subjects across all categories.
Distinct records / data items. Often higher than individuals (one person, many records).

Then pick the closest band — scale is recorded as part of the assessment and weighed qualitatively alongside the sensitivity of the data (EDPB Guidelines 9/2022 §4.6.2; the EDPS notes that more individuals does not automatically mean more risk per individual). If the exact number is unknown, leave the inputs blank and pick a band based on best estimate.

Step 4 · What could happen to the affected people?

Realistic worst-case consequences, given everything you've described.

Step 4 · What specific harms could the people experience?

Tick every harm realistically possible. If none apply, leave them all unticked and confirm below.

Step 5 · How is the breach being contained and handled?

A few questions about the institution's response. These don't change the inherent risk of the breach, but they affect which downgrades apply, and they also fill in the report fields that the EDPS expects to see.

When in doubt, pick the most pessimistic that's compatible with the facts.
"Full" is required (alongside other conditions) to allow a RISK→LOW downgrade.
How long until full restoration?
"Resolved" is required for the RISK→LOW downgrade. Pick "ongoing" if the situation is still developing.
Required for cybersecurity incidents under Reg. (EU) 2023/2841. If the breach has a cybersecurity dimension, CERT-EU should also be in the loop.
How the engine uses these answers

Containment / recovery / persistence together with exfiltrationStatus = 'none' and harmsConfirmed = true can trigger a one-step risk downgrade (RISK→LOW or HIGH RISK→RISK) for benign incidents — see EDPB Cases 01, 09, 15.

The operational status flags (managed/contained, investigation ongoing, CERT-EU notified) don't change the score but generate the cross-validation warnings the EDPS expects to see in the final report. Leaving them unset will trigger warnings like "breach is not marked as contained and no investigation is ongoing".

Step 5 · Are other categories of people also affected?

You've scored this for {{ wiz_primaryCategoryLabel }}. The same breach can affect other categories with a different risk profile (e.g. employees + minors).

For each additional category, only mark the factors that differ from your primary scoring. Everything else is inherited.

Which factors might differ between categories — and how to decide

Most often, only the three Severity factors change. The breach mechanics (how data was lost, where it ended up, whether it was an attack) are properties of the incident itself, so they're inherited. What can legitimately differ is who the affected people are and what the consequences mean for them.

Inherent vulnerability — how vulnerable is this category before any breach? About the population, not the incident. When does it differ? When the new category has a different vulnerability profile — e.g. you scored for general staff (Standard) but the breach also affected minors (High) or whistleblowers (Critical).

Data nature and sensitivity (I1) — what kind of data was exposed, and does the combination of fields itself enable harm? When does it differ? When the breach exposed different fields for different categories — e.g. names & addresses for visitors (Basic) but health records for patients (Special category) — or when one category's data combines into a harm pattern (e.g. name + location patterns ⇒ surveillance).

Consequences (I2) — what could realistically happen to these specific people? When does it differ? Same data can have different impact — e.g. a leaked address is annoying for most but life-threatening for an abuse survivor.

If unsure, leave the select on inherit. You can refine in Expert mode after the wizard.

No additional categories yet. Pick a category from the DS register to add one.
DS category Inherent vulnerabilityhow vulnerable as a population Data nature & sensitivitywhat kind of data was exposed Consequencesrealistic worst case for them Notes

Your judgement · commit before the calculation

You have gathered the facts, weighed the likelihood and the severity, and reviewed the mitigating circumstances. Before the tool shows its automatic calculation, record your own professional judgement — exactly as you would if you had no tool. On the next screen you will compare the two.

🔒 Your judgement is locked. It was recorded before the calculation was revealed, so the comparison stays honest. Continue to the result to see how it compares.

1. How likely is it that data subjects suffer adverse effects?

2. How severe would those effects be?

3. Your overall risk classification

Weigh the two answers above together with the mitigating and aggravating circumstances you reviewed. There is no arithmetic here — this is your call, the same call Art. 34/35 EUDPR asks of the controller.

This breach affects more than one group of data subjects. Classify the risk for each group — the notification obligations follow the most-at-risk group.

{{ grp }}

5. Your notification decisions

ⓘ Once locked, your judgement cannot be edited — the point of the exercise is an honest before/after comparison, not a polished answer.

Result · your judgement vs the automatic calculation

Your judgement · recorded

The tool has assessed the same facts you just judged. Compare the two columns — where they agree, you have independent confirmation; where they differ, one of you has seen something the other has not. That difference is the most valuable thing on this screen: bring it to the debrief.

🔒 Your judgement has been recorded and locked. The tool's automatic calculation stays hidden until your facilitator reveals it to the room — once they do, the comparison appears here automatically (nothing to refresh).

🧠 Your judgement
{{ grp }}: {{ wiz_judgeLabel('band', wiz_judgement.bands[grp]) }}
Likelihood: {{ wiz_judgeLabel('likelihood', wiz_judgement.likelihood) }} · Severity: {{ wiz_judgeLabel('severity', wiz_judgement.severity) }}
Notify EDPS: {{ wiz_judgement.notify === 'yes' ? 'Yes' : 'No' }} · Communicate to data subjects: {{ wiz_judgement.communicate === 'yes' ? 'Yes' : 'No' }}
{{ wiz_judgeLabel('band', wiz_judgement.band) }}
Likelihood: {{ wiz_judgeLabel('likelihood', wiz_judgement.likelihood) }} · Severity: {{ wiz_judgeLabel('severity', wiz_judgement.severity) }}
Notify EDPS: {{ wiz_judgement.notify === 'yes' ? 'Yes' : 'No' }} · Communicate to data subjects: {{ wiz_judgement.communicate === 'yes' ? 'Yes' : 'No' }}
{{ wiz_judgement.rationale }}
No judgement was recorded for this run.
⚙️ Automatic calculation
{{ levelLabel(wiz_overallRisk) }}
🔒 Calculation hidden
Your facilitator will reveal the tool's automatic calculation to the room. Your own judgement is already recorded — the comparison appears here the moment they reveal it.
{{ section_locks.s2_result ? '🔒 STUDENTS: CALCULATION HIDDEN' : '🔓 STUDENTS: CALCULATION REVEALED' }} You always see the calculation below — this controls only what students see.

Why the calculation landed there

{{ r.label }} (primary){{ levelLabel(r.calc.fin, true) }}
  • {{ n.text }}
No single circumstance dominates — the classification follows from the combined weight of likelihood and severity as entered.
Internal record only — no notification required. The breach has been classified as "Unlikely to result in risk" (Art. 34(1) negative threshold). Under Art. 34(6) EUDPR you must still keep an internal record of the breach.

Want to see how this compares with EDPB guidance?

{{ train_scenario.discussion_blocks.length ? 'Want to see the discussion guide for this scenario?' : 'Want to see the expected outcome band for this scenario?' }}

This scenario is based on a real example from the EDPB Guidelines / EDPS Annex 2 with an established expected outcome. You can review the pedagogical analysis now (rationale, per-field comparison, lessons) — or close this exercise and try another scenario.

This scenario does not have a single "correct" answer — it is designed to be debated as a team. You can review {{ train_scenario.discussion_blocks.length ? 'the discussion prompts and the expected outcome band' : 'the expected outcome band and its rationale' }} now, or close this exercise and try another.

📋 Pedagogical analysis — {{ train_scenario.title }}

Your final outcome
{{ train_outcome.yours }}
Expected outcome band (EDPS guidance)
{{ train_scenario.expected_band }}

Why this band

{{ train_scenario.expected_band_rationale }}

Discussion prompts your team should have covered

{{ block.title }}
  1. {{ q }}

📋 Pedagogical analysis — {{ train_scenario.title }}

Your final outcome
{{ train_outcome.yours }}
vs
EDPB classification
{{ train_outcome.edpb }}
{{ train_outcome.match ? '✓ Aligned' : '⚠ Different' }}

EDPB rationale for this scenario

{{ train_scenario.edpb_reasoning }}

Source: {{ train_scenario.edpb_source }}

Step-by-step review of your decisions

The EDPB values are blurred by default so you can review your own choices first.

FieldYour valueEDPB valueVerdict
CIA dimensions{{ train_display(train_compare('cia').trainee) }}{{ train_display(train_compare('cia').edpb) }}{{ train_compare('cia').verdict }}
Root cause{{ train_display(train_compare('cause').trainee) }}{{ train_display(train_compare('cause').edpb) }}{{ train_compare('cause').verdict }}
Identifiability (can the data be read?){{ train_levelLabel('l1', train_compare('l1').trainee) }} (sub: {{ train_compare('l1sub').trainee }}){{ train_levelLabel('l1', train_compare('l1').edpb) }} (sub: {{ train_compare('l1sub').edpb }}){{ train_compare('l1').verdict }}
Exposure (where did it end up?){{ train_levelLabel('l2', train_compare('l2').trainee) }}{{ train_levelLabel('l2', train_compare('l2').edpb) }}{{ train_compare('l2').verdict }}
Cause (accident or deliberate?){{ train_levelLabel('l3', train_compare('l3').trainee) }}{{ train_levelLabel('l3', train_compare('l3').edpb) }}{{ train_compare('l3').verdict }}
Vulnerability (who the people are){{ train_levelLabel('i0', train_compare('i0').trainee) }}{{ train_levelLabel('i0', train_compare('i0').edpb) }}{{ train_compare('i0').verdict }}
Data sensitivity{{ train_levelLabel('i1', train_compare('i1').trainee) }}{{ train_levelLabel('i1', train_compare('i1').edpb) }}{{ train_compare('i1').verdict }}
Consequences{{ train_levelLabel('i2', train_compare('i2').trainee) }}{{ train_levelLabel('i2', train_compare('i2').edpb) }}{{ train_compare('i2').verdict }}
Volume (documentary){{ train_levelLabel('vol', train_compare('vol').trainee) }}{{ train_levelLabel('vol', train_compare('vol').edpb) }}{{ train_compare('vol').verdict }}
Harms{{ train_display(train_compare('harms').trainee) }}{{ train_display(train_compare('harms').edpb) }}{{ train_compare('harms').verdict }}
Harms taxonomy reviewed{{ train_display(train_compare('harmsConfirmed').trainee) }}{{ train_display(train_compare('harmsConfirmed').edpb) }}{{ train_compare('harmsConfirmed').verdict }}
Recipient{{ train_display(train_compare('recipientType').trainee) }}{{ train_display(train_compare('recipientType').edpb) }}{{ train_compare('recipientType').verdict }}
Exfiltration{{ train_display(train_compare('exfiltrationStatus').trainee) }}{{ train_display(train_compare('exfiltrationStatus').edpb) }}{{ train_compare('exfiltrationStatus').verdict }}
Spread{{ train_display(train_compare('spreadStatus').trainee) }}{{ train_display(train_compare('spreadStatus').edpb) }}{{ train_compare('spreadStatus').verdict }}
Response actions{{ train_display(train_compare('dec').trainee) }}{{ train_display(train_compare('dec').edpb) }}{{ train_compare('dec').verdict }}

💡 Lessons from this scenario

{{ train_scenario.title }}
Screen {{ training_prework_step }} of 8
{{ training_prework_step === 7 ? 'Pre-work risk decision' : 'In-class re-assessment' }}

Welcome to your pre-work exercise

You are about to walk through {{ train_scenario.title }} step by step. This is your pre-work for the in-person ARETE workshop.

📋 What you'll do — and what to hand in

  • Read the case one piece at a time — the context, the technical findings, then a threat check.
  • Capture your scoring on the paper template as you go. Short prompts at the bottom of each screen tell you exactly what to write.
  • On the final screens you commit your pre-work risk decision online: likelihood and severity in words, an overall band, a written rationale, and your Art. 34 / Art. 35 calls. That is your deliverable — it locks once you record it.
  • A second, in-class decision comes later: in the workshop your facilitator presents new information (Inject 1) and you revise your call. That part stays locked until the day.

📥 Before you start — get your two documents

Keep two files open in front of you as you read:

  • Paper template — where you record your scoring step by step. Download the paper template.
  • Case file — the supporting evidence you draw on to justify your answers: the record of processing (RoPA), the data-processing agreement (DPA), the incident-response procedure and the incident timeline. Download the case file.

🎯 The one-message to keep in mind

Risk to data subjects — not risk to the institution — drives breach notification decisions. As you read, keep asking yourself: what does this mean for the 1,750 external experts whose data is on that laptop?

Estimated time for the briefing: 20–30 minutes. You can leave at any point — when you come back, the briefing continues from the screen where you stopped.

The context

Before we get to the incident itself, here is who's involved and what data is being processed.

The institution

SocialWorld EU is an EU institutional body operating under Regulation (EU) 2018/1725 (EUDPR). It runs UnionGate, an online competence and knowledge hub bringing together experts in social-affairs policy, which periodically hosts technical workshops. SocialWorld EU has well-defined internal IT security procedures, a regulatory compliance framework, a Data Protection Officer (DPO), a Local Cybersecurity Officer (LCO), and a documented incident response procedure.

The processor

SocialWorld EU uses an external consultant to animate the UnionGate community and organise its workshops. The consultant operates under a service contract with a Data Processing Agreement (DPA) under Art. 29 EUDPR. The DPA requires:

  • Use of the SocialWorld EU corporate laptop (full-disk encryption) — the only device permitted to access or store SocialWorld EU data.
  • Use of SocialWorld EU's VPN for remote system access.
  • Offline work is permitted; data may be stored temporarily on the laptop's local drive for justified tasks, subject to the storage-limitation policy.
  • Immediate notification to the SocialWorld EU IT Security team of any security incident.

The data

About 1,750 external technical experts (PhD researchers, university professors, policy makers, journalists, NGOs, sociologists, MEPs and national ministry experts) — first and last name, job title, professional email and professional postal address — invited to a recent UnionGate workshop. No special-category data (no health, no political, no financial). The original list is also held on SocialWorld EU's secured internal servers (i.e. a backup exists): the controller has no permanent availability loss.

✍️ Capture on your paper template

Find Step 4 · Whose data was affected? in your template. What is the DS category? Note also: who is the controller, and who is the processor in this case? Is this a personal data breach as defined in Art. 3(16) EUDPR? You can consult the Reference library (the 📚 button above) if you need to look up these definitions.

The incident — how it unfolded

Here is the chronology of how the institution learned about the incident.

✍️ Capture on your paper template

Find Step 1 · When did this happen? in your template. Note the key dates. Critical question: at what precise moment does SocialWorld EU become "aware" of a personal data breach for the purposes of the 72-hour notification deadline under Art. 34(1) EUDPR — when the consultant calls the Head of Unit on Day 1, or when IT Security is informed (Day 4) / completes its assessment (Day 5)? Justify your answer in one or two sentences.

(Tip from the Reference library: "awareness" means reasonable degree of certainty that a security incident has resulted in personal data being compromised — NOT just the moment IT first sees an alert.)

Initial technical findings (Day 5, 13:30 UTC)

The IT Security team has completed its first technical assessment. Here is what they have established so far.

Device security

  • The laptop had full-disk encryption (BitLocker) enabled, as required by the DPA.
  • The consultant confirms they used a strong, unique passphrase (20+ characters, mixed case, numbers and symbols, not a dictionary word, not reused for other services).
  • The IT Security team has issued a remote-wipe command via the Mobile Device Management (MDM) platform. The command is marked "sent". Execution is pending — it requires the device to connect to the internet, which it has not done since the theft.

Data involved

  • The laptop contained a local copy of the workshop dataset: first and last name, job title, professional email and professional postal address of approximately 1,750 external experts.
  • The DPA permits temporary local storage on the corporate laptop for justified tasks, subject to a storage-limitation policy. The dataset was downloaded 10 days before the theft to prepare name badges and a registration list; the workshop took place the day before the theft; the local copy had not yet been deleted or re-synced to the servers.
  • No special-category data on the device.

Availability and backups

  • SocialWorld EU maintains up-to-date backups of all project data on internal secured servers. The data is not lost to SocialWorld EU — no permanent availability issue for the controller.

Threat assessment

  • No evidence the passphrase has been compromised; no brute-force attempts on other accounts; no phishing linked to the burglary; no known vulnerabilities in the BitLocker implementation on this device's OS version.
  • The nature of the theft (stolen from a hotel room while travelling; other electronics also taken) suggests opportunistic theft rather than a targeted cyber-attack to acquire data.
  • Police report filed. No forensic evidence the laptop was specifically targeted.

✍️ Capture on your paper template

Now you have the technical facts. Find these steps in your template and fill them in based on what you've read:

  • Step 2 · CIA dimensions — which of Confidentiality / Integrity / Availability are in scope?
  • Step 3 · Root cause — what category?
  • Step 6 — can the data be read by whoever has it? Think carefully — the encryption is intact today, but the remote wipe is pending. What stance do you take?
  • Step 7 — where did the data end up?
  • Step 8 — accidental or deliberate?

Don't fill in data sensitivity, consequences or harms yet — there's more to come on the next screen.

Pause — complete your first-pass scoring

You now have everything you need for an initial assessment. Take 5–10 minutes to fill in the remaining steps on your paper template.

✍️ Complete these on your template now

  • Step 9 — how sensitive is the data? (name, job title, professional email, professional postal address)
  • Step 10 · Volume — how many people? (1,750)
  • Step 11 — what consequences could the affected people experience?
  • Step 12 · Harms — which catalogued harms plausibly apply?
  • Step 13 · Containment — what's been done so far?

Then turn to the Your judgement page of your template and commit to your own call:

  • Likelihood, in words — how likely is it that the people affected suffer adverse effects? (unlikely / possible / likely / very likely)
  • Severity, in words — how bad would those effects be? (negligible / limited / serious / severe)
  • Your overall classification — unlikely to result in risk / risk / high risk. There is no arithmetic: weigh the two answers above together with the mitigating circumstances, the way Art. 34/35 EUDPR asks the controller to.
  • Your one-paragraph rationale in your own words: which facts drive your call?
  • Your initial notification decision: Notify EDPS under Art. 34? Communicate to data subjects under Art. 35?

Take your time. When you're done, click Continue — before you commit your judgement, one more thing to think through.

🧭 BEFORE YOU JUDGE — threat assessment

What could actually happen to these people?

A risk band is only as good as the threats behind it. Before you commit your judgement, think through who is exposed and to what — the way the EDPS Guidelines ask a controller to.

✍️ Think it through (note it on your template)

  • Threats to the data subjects. Given the profiles (academics, policy makers, journalists, NGOs, MEPs, ministry experts) and the processing activity, what could a holder of this list realistically do with it — and how does intact, strong encryption change that answer?
  • Same risk across the data dimensions? You decided which of Confidentiality / Integrity / Availability are in scope. Would the risk score be the same for each dimension, or do they differ here?
  • A one-off, or a moving picture? A breach risk assessment is an instant-T snapshot. If a new fact arrives later (say, the laptop connects to the internet), the finalised assessment has to be revisited. What single new fact would most change your call?

You don't score anything new here — you just sharpen the reasoning behind the judgement you're about to commit.

Your judgement · commit your final call

You have read the full case, scored it on your paper template, and thought through the threats. Now record your final pre-work judgement here. It is saved with your account and locks once you commit it — at the workshop you will defend it, compare it with your colleagues' calls, and revise it when new information arrives in the room.

🔒 Your judgement is recorded and locked. Bring your paper template to the workshop — the discussion starts from the call you just committed.

1. How likely is it that data subjects suffer adverse effects?

2. How severe would those effects be?

3. Your overall risk classification

Weigh the two answers above together with the mitigating and aggravating circumstances. There is no arithmetic here — this is your call, the same call Art. 34/35 EUDPR asks of the controller.

5. Your notification decisions

ⓘ Once locked, your judgement cannot be edited — the workshop debrief works from an honest, committed position, not a polished answer. New information will arrive in the room, and you will get a separate chance to revise your call there.

In-class re-assessment ✓ submitted

New information has arrived. Weigh it against your locked pre-work judgement and record your revised call. Where nothing changed, say so — holding your position under pressure is as valid as moving, as long as the rationale carries it.

⚠ {{ train_scenario.inject.label }}

Revised question: {{ train_scenario.inject.revised_question }}

🔒 Your re-assessment is recorded and locked. The facilitator's debrief compares the room's first and revised calls.

Your pre-work judgement (locked)

Likelihood: {{ wiz_judgeLabel('likelihood', s1_judgement.likelihood) }} · Severity: {{ wiz_judgeLabel('severity', s1_judgement.severity) }} · Classification: {{ wiz_judgeLabel('band', s1_judgement.band) }}
Notify EDPS: {{ s1_judgement.notify === 'yes' ? 'Yes' : 'No' }} · Communicate to DS: {{ s1_judgement.communicate === 'yes' ? 'Yes' : 'No' }}

1. Likelihood, after the new information

2. Severity, after the new information

3. Your revised risk classification

5. Your revised notification decisions