APEX-Agents · Law
World423_DPM_02
APEX-Agents task World423_DPM_02 in AI Agents for Privacy and GDPR Compliance. Compare dual-harness agent runs across models — rubric criteria, scores, and public traces.
Task prompt
What the agent was asked to do
Review the Controller-to-Supervisory Authority Notification Template, along with the timing set out in the V.2 Breach & Incident Response Policy, to ensure compliance with the notification requirements of the General Data Protection Regulation (GDPR). Draft a message to me here that answers Yes or No as to whether each policy is compliant. If not compliant, propose any necessary additions.
Published trajectories
Agent runs on this task
Curated dual-harness runs (parsed + original sandbox). Best scored run per model.
| Model | Harness | Score | Result | Links |
|---|---|---|---|---|
| GPT-5.5showcase | dual | 0/4 | Fail | Share pagePublic trace |
| fireworks models Kimi K2 | dual | 0/4 | Fail | Share pagePublic trace |
| Gemini 3 Flash | dual | 0/4 | Fail | Share pagePublic trace |
| Gemini 3.1 Pro | dual | 1/4 | Fail | Share pagePublic trace |
| GPT-5.4 | dual | 2/4 | Fail | Share pagePublic trace |
| GPT-5.4 mini | dual | 2/4 | Fail | Share pagePublic trace |
| GPT-5.4 nano | dual | 0/4 | Fail | Share pagePublic trace |
Grading rubric
Criteria and grader verdict (showcase run)
States Yes, the Controller-to-Supervisory Authority Notification Template is compliant with the GDPR notification requirements
FailEvidence: TEXT_RESPONSE states “Controller-to-Supervisory Authority Notification Template — No, not fully compliant” and later “Conclusion: No — partially compliant, but not complete.” Assessment: The criterion requires stating Yes that the template is compliant; the response states the opposite, so fail.
States Yes, the Breach & Incident Response Policy is compliant with the GDPR notification requirements
FailEvidence: TEXT_RESPONSE states “PRIV-04 V.2 Breach & Incident Response Policy timing — No, not fully compliant as written” and “Conclusion: No — not fully compliant as written.” Assessment: The criterion requires stating Yes that the policy is compliant; the response states the opposite, so fail.
States that no additions are needed to make the Controller-to-Supervisory Authority Notification Template compliant with the GDPR’s notification requirements
FailEvidence: TEXT_RESPONSE says the template “should be amended to add explicit fields” and lists “Necessary additions” including supervisory authority, timing/delay, phased notice, and Article 34 status sections. Assessment: The criterion requires stating no additions are needed for the template; the response proposes additions, so fail.
States that no additions are needed to make the V.2 Breach & Incident Response Policy compliant with the GDPR’s notification requirements
FailEvidence: TEXT_RESPONSE provides “Necessary additions / replacement language” for the policy, including replacement Section 5.4 language and added Article 34 and documentation paragraphs. Assessment: The criterion requires stating no additions are needed for the V.2 policy; the response proposes additions, so fail.