LIVE · v2.3 STABLE
BUILD 2026.05.27
ART. 33 · 34
AGPL-3.0 · 8 EVAL CASES · 73 ASSERTIONS

INCIDENT
RESPONSE
with LEGAL
JUDGEMENT.

Structures the first hours after a security incident. ENISA severity scoring, 72-hour notification clock, lead SA determination, EDPB case matching, AI Act Art. 62 intersection, and audit-ready document generation — in a single guided workflow.

GDPR ART. 33   ·   GDPR ART. 34   ·   EDPB GUIDELINES 9/2022   ·   EDPB GUIDELINES 01/2021   ·   ENISA SEVERITY METHODOLOGY   ·   EU AI ACT ART. 62   ·   DPA CONTRACTUAL DEADLINES   ·   ONE-STOP-SHOP   ·   BFDI   ·   LFDI   ·   CNIL   ·   GARANTE
§ 01 · CAPABILITIES

SIX PRIMITIVES.
One SKILL.

Each capability is documented separately, tested separately, and called by the workflow at the right moment. Compose them or invoke individually.

01
ENISA SEVERITY
Full SE = (DPC × EI) + CB formula with contextual adjustments. Borderline score analysis at 2.0 / 3.0 / 4.0 thresholds.
02
EDPB CASE MATCHING
18 documented breach scenarios from EDPB Guidelines 01/2021. Pattern matches your facts to the closest precedent.
03
STRATEGIC ADVISORY
Senior counsel-level analysis: hidden risks, SA strategy, leverage points, and unencrypted Art. 9 data flags.
04
WEB RESEARCH
Live searches for current enforcement precedents and SA-specific guidance during the assessment.
05
AI ACT ART. 62
Flags serious incident reporting obligations when AI systems are involved in the breach chain.
06
DOCUMENT GENERATION
Audit-ready .docx output: Art. 33 notification, Art. 34 communication, internal compliance log, post-notification tracker.
§ 02 · WORKFLOW

FROM INPUT
to ARTEFACT.

Twelve structured steps. The human stays accountable; the skill carries the structure, the citations, and the document trail.

01
Disclaimer & emergency check
Non-blocking disclaimer. Check if <12 hours remain on the clock — if so, activate Emergency Mode.
02
Intake mode selection
Guided (questions one by one), Fast Path (11 data points at once), or Emergency.
03
Role determination
Track A (controller) or Track B (processor). Determines who owes notification to whom and when.
04
T0 validation
Anchor the 72-hour clock. Resolve ambiguity between detection, confirmation, and discovery.
05
ENISA risk assessment
DPC × EI + CB with labeled flags: SCALE, VULNERABLE, CROSS-BORDER, ENCRYPTED, MALICIOUS.
06
EDPB case matching
Map the facts to one of 18 documented EDPB scenarios. Use the precedent's reasoning.
07
AI Act intersection
Is an AI system in the chain? If yes, check Art. 62 serious incident reporting obligations.
08
Cross-border determination
Identify lead SA via one-stop-shop. Or notify each SA directly if no main establishment.
09
Mitigation playbook
Case-specific actions with owners and deadlines. Not a generic checklist.
10
Strategic advisory
What will the SA scrutinise? Where is the leverage? What's the defence file?
11
Document generation
Produce .docx outputs: SA notification, data subject notification, internal log, tracker.
12
Post-notification tracking
Ongoing case management until SA closes the file.
§ 03 · MODES

THREE PATHS.
One OUTCOME.

Match the workflow to the situation. The skill router picks automatically; you can override.

GUIDED
Walkthrough mode. Questions one at a time. Recommended when you are uncertain or this is the first time.
FAST PATH
Dump 11 data points in one go. Skill returns a full assessment without further questions.
EMERGENCY
Less than 12 hours on the clock. Skill compresses the workflow to the must-do steps.
§ 04 · ANATOMY

WHAT'S
IN the SKILL.

Single-folder skill. SKILL.md is the runtime spec; references hold the knowledge corpus; evals hold the proof.

breach-sentinel/
├── evals  # Test cases + assertions
│   └── evals.json  # 8 cases, 73 assertions
├── references  # Reference corpus
│   ├── edpb-cases.md
│   ├── enisa-methodology.md
│   ├── mitigation-playbook.md
│   ├── post-notification-tracking.md
│   ├── strategic-advisory.md
│   ├── templates.md
│   └── web-research.md
├── CHANGELOG.md  # Version history
├── README.md  # Deployment guide
└── SKILL.md  # Main skill instructions
§ 05 · DEPLOYMENT

INSTALL
and INVOKE.

Two deployment surfaces. The skill auto-triggers on relevant keywords once installed.

CLAUDE.AI USER SKILLS

  1. Settings → Profile → Custom Skills
  2. Upload the entire breach-sentinel/ folder
  3. Skill auto-triggers on relevant keywords

CLAUDE CODE / MCP

  1. Copy folder to your skills directory:
cp -r breach-sentinel/ \
   ~/.claude/skills/user/
§ 06 · OUTPUTS

WHAT YOU
get BACK.

Every output is documented, version-pinned, and traceable to its source citation.

Assessment dashboard
Structured view: role, T0, clock status, ENISA calculation with arithmetic, legal verdict, SA identified.
Art. 33 notification (.docx)
Regulator-ready document with facts, categories, consequences, mitigation measures — formatted for direct submission.
Art. 34 communication (.docx)
Plain-language data subject notification, only generated when SE crosses the high-risk threshold.
Internal compliance log
Always produced. Required under Art. 33(5) even when SA notification is not.
Post-notification tracker
Ongoing case dashboard. SA acknowledgements, follow-up requests, closure.
Strategic memo
Senior-counsel analysis: hidden risks, SA strategy, what the regulator will probe.
§ 07 · EVALS

TESTED
before SHIPPED.

Every release runs against a fixed test suite. Assertions check numeric consistency, citation accuracy, and decision-tree branches.

08
Test Cases
73
Assertions
100%
Coverage Required
01
We had a misdirected email incident yesterday
9 ASSERTS
02
URGENT: We've been hit by ransomware
10 ASSERTS
03
I'm the DPO at a cloud hosting provider (we're a processor)
8 ASSERTS
04
One of our employees lost their company laptop on public transport in Berlin yes...
9 ASSERTS
05
We had a data breach at our SaaS platform that serves customers across the EU
9 ASSERTS
06
EMERGENCY! We discovered a breach 64 hours ago and we've been investigating but
10 ASSERTS
07
We operate an AI-powered medical diagnosis assistant (classified as high-risk un...
9 ASSERTS
08
I'm the DPO at a large Austrian insurance company headquartered in Vienna
9 ASSERTS
§ 08 · REGULATORY BASIS

WHAT IT
cites.

Every legal verdict resolves to one of these instruments. No invented articles, no synthetic recitals.

GDPR Articles 33 & 34
Personal data breach notification obligations.
EDPB Guidelines 9/2022 v2.0
Personal data breach notification under Regulation 2016/679.
EDPB Guidelines 01/2021 v2.0
Examples regarding personal data breach notification.
ENISA Severity Methodology
Risk assessment formula and scoring framework.
EU AI Act (Reg. 2024/1689)
Art. 62 serious incident reporting for AI systems.
§ 09 · TRUST

EVERY STEP,
auditable.

The trace is the product. Nothing happens off the record — no hidden tool calls, no silent retrieval, no opaque chain-of-thought.

§
Source-anchored output.
Every ENISA score, every SA determination, every legal verdict traces back to a cited authority.
VERIFIED
Reproducible decisions.
Pin a build; recreate the assessment years later for litigation or audit defence.
IMMUTABLE
Validation before generation.
Numeric consistency, T0 logic, and arithmetic checks run before any document ships.
ENFORCED
EU-native.
Built around BfDI/LfDI routing, EDPB cases, and Member State enforcement patterns. Not retrofitted.
NATIVE

Breach Sentinel — Deployment Guide

See CHANGELOG.md for version history.

Overview

GDPR Breach Response Sentinel — an advanced incident response skill for Claude that provides:

  • ENISA severity assessment with borderline score analysis
  • EDPB case matching against 18 documented breach scenarios
  • Strategic case advisory — senior counsel-level analysis and recommendations
  • Dynamic web research for enforcement precedents and SA-specific guidance
  • Flexible mitigation playbooks tailored to the specific incident
  • SA contact directory with jurisdiction-specific portal lookup
  • AI Act Art. 62 intersection for breaches involving AI systems
  • Audit-ready .docx document generation (Art. 33, Art. 34, compliance logs, etc.)
  • Post-notification case tracking
  • DPA contractual deadline tracking for processor scenarios

File Structure

breach-sentinel/
├── SKILL.md                              # Main skill instructions (deploy this)
├── evals/
│   └── evals.json                        # 8 test cases, 73 assertions
└── references/
    ├── enisa-methodology.md              # ENISA severity scoring tables + worked examples
    ├── edpb-cases.md                     # 18 EDPB breach case scenarios
    ├── templates.md                      # Document templates (Art. 33, Art. 34, etc.)
    ├── strategic-advisory.md             # Advisory framework, principles, tone examples
    ├── mitigation-playbook.md            # Design principles, output format, action categories
    ├── post-notification-tracking.md     # Tracking dashboard template
    └── web-research.md                   # Search query templates and usage guidance

Deployment

Claude.ai (User Skills)

  1. Go to Settings → Profile → Custom Skills (or equivalent)
  2. Upload the entire breach-sentinel/ folder structure
  3. The skill will auto-trigger when you mention data breaches, Art. 33/34, "Datenpanne", or related topics

Claude Code / Custom MCP Setup

  1. Copy the breach-sentinel/ folder to your skills directory:
cp -r breach-sentinel/ /path/to/your/skills/user/breach-sentinel/
  2. Ensure the skill is registered in your configuration

Usage

Quick Start

Just tell Claude about a breach:

"We just discovered that an external attacker exfiltrated our customer database. About 2,000 records with names, emails, and payment data. We're based in Munich. This happened yesterday at 3pm."

The skill will activate and walk you through the assessment.

Trigger Phrases

  • "We had a data breach" / "Datenpanne" / "Datenschutzverletzung"
  • "Do we need to notify the SA?" / "72 hours" / "Art. 33"
  • "Help me assess this breach" / "ENISA assessment"
  • "Generate breach notification documents"

Modes

| Mode | When to Use |
|---|---|
| Guided | You're unsure about details; skill asks questions one by one |
| Fast Path | You have all the facts; dump them and get an instant assessment |
| Emergency | <12 hours remaining on notification clock |

Capabilities Summary

| Feature | Description |
|---|---|
| ENISA Severity Calculation | Full SE = (DPC × EI) + CB with contextual adjustments |
| Borderline Score Analysis | Extra scrutiny for scores near 2.0/3.0/4.0 thresholds |
| EDPB Case Matching | Maps to 18 documented scenarios from Guidelines 01/2021 |
| Strategic Advisory | Senior counsel-level analysis: hidden risks, SA strategy, leverage points |
| Dynamic Web Research | Searches for current enforcement precedents and SA guidance |
| SA Contact Lookup | Finds notification portal URLs and jurisdiction-specific requirements |
| Germany SA Routing | Correctly routes to BfDI vs. LfDI/LDA based on entity type |
| Mitigation Playbook | Case-specific, flexibly structured action plan with owners and deadlines |
| AI Act Integration | Flags Art. 62 serious incident reporting for AI system breaches |
| DPA Deadline Tracking | Captures contractual processor deadlines alongside statutory 72h |
| Document Generation | Audit-ready .docx files for all breach documentation |
| Post-Notification Tracking | Ongoing case management dashboard |
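
The arithmetic behind the Emergency row of the Modes table and the severity rows of the Capabilities Summary, as an added example that is not the skill's own code. The function names, the 0.25 borderline margin and the sample inputs are assumptions; the band limits and the DPC/EI scales follow the ENISA methodology the page cites.

```python
from datetime import datetime, timedelta, timezone

# ENISA bands: SE < 2 low, 2 <= SE < 3 medium, 3 <= SE < 4 high, SE >= 4 very high.
BANDS = [(2.0, "LOW"), (3.0, "MEDIUM"), (4.0, "HIGH")]
BORDERLINE_MARGIN = 0.25  # assumption: the page does not define "borderline"
EMERGENCY_HOURS = 12      # from the page: under 12 hours left means Emergency mode


def enisa_severity(dpc, ei, cb):
    """Return (SE, band, borderline) for SE = (DPC x EI) + CB."""
    if dpc not in (1, 2, 3, 4):
        raise ValueError("DPC is scored 1 to 4")
    if ei not in (0.25, 0.5, 0.75, 1.0):
        raise ValueError("EI is scored 0.25, 0.5, 0.75 or 1")
    if cb < 0:
        raise ValueError("CB is a sum of non-negative adjustments")
    se = round(dpc * ei + cb, 2)
    band = next((name for limit, name in BANDS if se < limit), "VERY HIGH")
    borderline = any(abs(se - limit) <= BORDERLINE_MARGIN for limit, _ in BANDS)
    return se, band, borderline


def notification_clock(t0, now):
    """Return (deadline, hours_left, status) for the 72-hour clock anchored at T0."""
    if t0.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; naive ones shift the deadline")
    deadline = t0 + timedelta(hours=72)
    hours_left = round((deadline - now).total_seconds() / 3600, 2)
    if hours_left <= 0:
        status = "OVERDUE"
    elif hours_left < EMERGENCY_HOURS:
        status = "EMERGENCY"
    else:
        status = "STANDARD"
    return deadline, hours_left, status


if __name__ == "__main__":
    cet = timezone(timedelta(hours=1))
    t0 = datetime(2026, 3, 2, 15, 0, tzinfo=cet)      # constructed T0
    now = t0 + timedelta(hours=64)                    # "discovered 64 hours ago"
    print(notification_clock(t0, now))                # 8 hours left
    print(enisa_severity(dpc=3, ei=0.75, cb=0.5))     # constructed scores
```

A score of 2.75 lands in the medium band but sits within the margin of the 3.0 threshold, which is the case the borderline analysis exists to catch.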

Regulatory Basis

| Document | Reference |
|---|---|
| GDPR Articles 33 & 34 | Breach notification obligations |
| EDPB Guidelines 9/2022 v2.0 | Personal data breach notification |
| EDPB Guidelines 01/2021 v2.0 | Examples regarding breach notification |
| ENISA Severity Methodology | Risk assessment formula and scoring |
| EU AI Act (Reg. 2024/1689) | Art. 62 serious incident reporting |

License & Disclaimer

This skill provides guidance based on publicly available GDPR regulatory materials. It does not constitute legal advice. All notification decisions should involve qualified legal counsel and your organization's DPO.


Created by Oliver Schmidt-Prietz — OneZero Legal