Executive Decision Lab™ · For Global Leadership, Legal, Privacy & HR

The Context Notes

A well-meaning HR practice quietly became unlawful surveillance — on two continents. Now GDPR and US law point in opposite directions, and your EU and US teams have to decide together, fast. A 90-minute Lab run as two simultaneous tables.

The Scenario Is Just the Vehicle

A return-to-work HR documentation practice that spread across the EU and a US subsidiary — and crossed a legal line in both.

What This Lab Is Really About

Whether anyone in your organization can see personal data as it moves across borders, and who is allowed to decide what to do when two countries’ laws point in opposite directions.

The real discussion is not about an HR template or a shared folder. It is about visibility and authority: who notices when a practice quietly becomes unlawful, and who has the power to make a privacy call that binds both sides of the Atlantic.

The Scenario

Velsenhoff Medical is a European medical device manufacturer with offices across Germany, France, the Netherlands, and Poland — and a US subsidiary, Velsenhoff North America, in San Diego. To support people returning from medical or family leave, an HR director rolled out a “return-to-work check-in” template. It included a field for context notes: a manager’s personal observations about an employee’s health, family situation, religious observance, and readiness to return.

Over eighteen months, the practice spread — including to the San Diego office, which adopted the same template. The completed notes were stored in a shared management folder on the company’s US-based cloud platform, accessible to dozens of managers and administered by the San Diego IT team. Then a departing employee in the German office filed a data subject access request — and the privacy team opened the folder for the first time.

“Nobody here would ever spy on employees. We were trying to support them.”

Exactly — and that’s how it happens. No one set out to surveil anyone. The practice began as duty of care: check in after leave, write a few notes to be thorough, share them so managers stay aligned. Every step felt responsible. The violation accrued from reasonable-feeling decisions in two countries that no one ever connected. The question isn’t whether your people mean well. It’s whether anyone is watching the point where “thorough” becomes “unlawful.”

The Three Rounds

In each round, the two tables work their own decision — then hit a forced cross-Atlantic sync, because the decisions collide.

Round 1 · The Discovery

The EU table opens the folder behind the DSAR and finds managers across four countries recording health, family, and religious observations (health and religious belief are special-category data under GDPR Article 9), readable by dozens of people. At the same moment, the US table realizes the folder lives on the San Diego cloud platform, that US admins have standing access, and that San Diego adopted the same template, sweeping in California-resident and dual-role employees. Sync: the tables compare notes and discover the problem is bigger than either side knew, and that it crossed the Atlantic.

Round 2 · Delete or Preserve

The EU table feels the pull to stop processing and delete the unlawful data, with a 30-day DSAR clock running (and a catch: deleting before the request is answered also defeats the requester's right to a copy). The US table has just been told that a US employee may bring a claim, and counsel imposes a litigation hold requiring the same records to be preserved. Sync: you cannot both delete and preserve the same files. Deleting in the EU could spoliate US evidence; preserving in the US could deepen the GDPR violation. Who decides, and on what basis?

Round 3 · Notify, and to Whom

Is standing US admin access to special-category data stored on US servers a personal data breach that must be reported to the supervisory authority within 72 hours? Separately from any breach, was hosting that data on a US platform a lawful international transfer in the first place? Across four member states, is there one lead supervisory authority or several? The US table weighs CCPA/CPRA exposure for California residents and what to tell US employees and the parent board. Sync + authority: who owns the global decision, and must the statements made to EU and US regulators be consistent, given that each may be discoverable by the other? The clocks are running on both sides.

Two Tables, One Crisis

What makes this Lab rare is that the EU and US teams decide at the same time, and their decisions are entangled.

Default · Two Simultaneous Tables

Split the room into an EU table and a US table. Each works its own decision under its own law and clock — then the facilitator forces a sync point where the two must reconcile a genuine conflict. Neither side can act alone. This is the version that surfaces how cross-border privacy decisions actually break down: two reasonable teams, two legal frameworks, one set of records.

Fallback · One Integrated Room

If you don’t have both EU and US leaders present, the same kit runs as a single global leadership team, with the facilitator voicing the other side’s moves and the regulators’ demands. Same scenario, same decisions — staffed for the room you actually have.

What This Lab Surfaces

When a well-meaning practice spreads across borders, who is accountable for noticing it crossed a legal line — and in which jurisdiction?

Do your EU and US teams actually know what personal data the other holds, hosts, or can access about the same people?

When GDPR and US obligations point in opposite directions — delete versus preserve — who has the authority to make the call that binds both sides?

The Room

Eight seats across two tables. Pre-named role cards, or your own leaders play themselves.

EU Table

Group Data Protection Officer — opened the folder, owns the GDPR exposure and both clocks: 30 days on the DSAR, 72 hours on any breach notification.

EU HR Director — rolled out the return-to-work template. Meant to help. Now, the origin of the problem.

EU General Counsel — supervisory-authority strategy: which regulator leads, and what goes in writing while the facts are still moving.

EU Managing Director — runs the European business and never knew the folder existed.

US Table (San Diego)

US General Counsel — CCPA/CPRA exposure, the litigation hold, and US employment risk.

US HR Lead — adopted the EU template locally; owns the US employee relationships that are about to be affected.

US CISO / Head of IT — hosts the platform, granted the admin access, and just learned EU special-category data has been living on US servers.

US Subsidiary President — runs San Diego and answers to the parent board.

The open question above both tables: there is no single named person whose job is to make the call that binds both the EU and the US. Discovering that — live — is part of the Lab.

How the Session Runs

90 minutes, led by your own facilitator (an experienced outside facilitator is available as an option).

Set the room (10 min) — split into EU and US tables, assign seats, establish the situation.

Three rounds (60 min) — each round: independent table work, then a forced cross-Atlantic sync the facilitator runs against the clock.

Debrief and commitments (20 min) — name the gaps and assign written owners.

Every Kit Includes Seven Deliverables

What Comes in the Kit

Licensed to your organization, with unlimited internal use. A single facilitator guide and deck run both the two-table and single-room modes.

Facilitator Guide — full run-of-show, including how to manage the two tables and the sync points.
Executive Slide Deck — the session deck, with the round reveals and the regulator/clock injects.
Role Cards — the eight seats across both tables, pre-named and ready to assign.
Injection Cards — the three rounds plus the cross-Atlantic sync prompts and regulator demands.
After-Action Review — structured capture of what each table decided and where they collided.
Executive Summary Template — a one-page readout for the board.
30-Day Follow-Up Template — to confirm the data-mapping and authority gaps actually got closed.

What the Room Leaves With

Written commitments with named owners. Most teams leave having decided, often for the first time: who is accountable for noticing when a practice crosses a privacy line; how the EU and US sides will know what data the other holds and hosts; and who has the authority to make a binding call when two jurisdictions conflict.

And one uncomfortable homework item it tends to produce: a real review of what management documentation and shared folders already exist across the organization — before a regulator or a DSAR finds them first.

Designed For

Any multinational processing personal data across the EU and the US — especially organizations with EU operations and a US subsidiary or US-hosted cloud, and any company where HR, Legal, Privacy, and IT would have to coordinate across borders in a crisis. Particularly resonant in regulated industries like medical devices, life sciences, and financial services.

Build the cluster underneath it

This Lab pressure-tests at the executive level. For the front-line decision moments that lead here, see the GDPR training and the growing library of GDPR scenarios.

Find the folder before a regulator does

Bring The Context Notes to your leadership team and find out whether your EU and US sides can actually decide together under pressure.

Talk to Xcelus →

This Lab is a fictional composite created for training and discussion. Any resemblance to a specific company or enforcement action is coincidental, and nothing here is legal advice. © 2005–2026 Xcelus LLC. All rights reserved. Executive Decision Lab™ and Decision-Ready Employees™ are trademarks of Xcelus LLC.