Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: DSFA — VVT-Verknüpfung + Residual Risk + Bundesland-Blacklists

Browse Source 
1. VVT-Verknüpfung: Dropdown "Verknüpfte VVT-Aktivität" in Step 1,
   lädt Aktivitäten via API, auto-fills Verarbeitungstätigkeit bei Auswahl

2. Residual Risk: Neuer Step 5 im Wizard — Bewertung des Restrisikos
   nach Maßnahmen. Bei hoch/kritisch → Art. 36 Vorabkonsultation Warnung

3. Bundesland-Blacklists (Art. 35 Abs. 4): 16 Landesbehörden mit
   DSK-Muss-Liste (10 gemeinsame Kriterien) + länderspezifische
   Ergänzungen (Bayern: Whistleblower/Drohnen, NRW: Social-Media-
   Monitoring, Berlin: Mieterbonitätsprüfung). Automatische Prüfung
   gegen Scope-Antworten. Blacklist-Matches im DSFA-Banner angezeigt.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-05-04 21:48:59 +02:00
parent 84b21cad08
commit 2b4ff9f422
4 changed files with 228 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
admin-compliance/app/sdk/dsfa/_components/GeneratorWizard.tsx
+71 -4
View File
@@ -19,7 +19,21 @@ export function GeneratorWizard({ onClose, onSubmit, prefill }: GeneratorWizardP
const [selectedCategories, setSelectedCategories] = useState<string[]>(prefill?.dataCategories || [])
const riskMap2: Record<string, 'low' | 'medium' | 'high' | 'critical'> = { niedrig: 'low', mittel: 'medium', hoch: 'high', kritisch: 'critical' }
const [riskLevel, setRiskLevel] = useState<'low' | 'medium' | 'high' | 'critical'>(riskMap2[prefill?.riskLevel || ''] || 'low')
const [residualRisk, setResidualRisk] = useState<'low' | 'medium' | 'high' | 'critical'>('low')
const [selectedMeasures, setSelectedMeasures] = useState<string[]>(prefill?.measures || [])
const [linkedVvtId, setLinkedVvtId] = useState('')
const [vvtActivities, setVvtActivities] = useState<Array<{ id: string; name: string }>>([])
// Load VVT activities for linking
React.useEffect(() => {
fetch('/api/sdk/v1/compliance/vvt')
.then(r => r.ok ? r.json() : [])
.then(data => {
const items = Array.isArray(data) ? data : data.activities || []
setVvtActivities(items.map((a: any) => ({ id: a.id, name: a.name || a.processing_name || a.title || 'Unbenannt' })))
})
.catch(() => {})
}, [])
const riskMap: Record<string, 'low' | 'medium' | 'high' | 'critical'> = {
Niedrig: 'low', Mittel: 'medium', Hoch: 'high', Kritisch: 'critical',
@@ -39,6 +53,8 @@ export function GeneratorWizard({ onClose, onSubmit, prefill }: GeneratorWizardP
...(prefill?.federalState ? { federal_state: prefill.federalState } : {}),
...(prefill?.involvesAi ? { involves_ai: true } : {}),
...(prefill?.legalBasis ? { legal_basis: prefill.legalBasis } : {}),
...(linkedVvtId ? { linked_vvt_id: linkedVvtId } : {}),
...(residualRisk !== 'low' ? { residual_risk_level: residualRisk } : {}),
} as Partial<DSFA>)
onClose()
} finally {
@@ -59,7 +75,7 @@ export function GeneratorWizard({ onClose, onSubmit, prefill }: GeneratorWizardP
{/* Progress Steps */}
<div className="flex items-center gap-2 mb-6">
{[1, 2, 3, 4].map(s => (
{[1, 2, 3, 4, 5].map(s => (
<React.Fragment key={s}>
<div className={`w-8 h-8 rounded-full flex items-center justify-center text-sm font-medium ${
s < step ? 'bg-green-500 text-white' :
@@ -71,7 +87,7 @@ export function GeneratorWizard({ onClose, onSubmit, prefill }: GeneratorWizardP
</svg>
) : s}
</div>
{s < 4 && <div className={`flex-1 h-1 ${s < step ? 'bg-green-500' : 'bg-gray-200'}`} />}
{s < 5 && <div className={`flex-1 h-1 ${s < step ? 'bg-green-500' : 'bg-gray-200'}`} />}
</React.Fragment>
))}
</div>
@@ -100,6 +116,20 @@ export function GeneratorWizard({ onClose, onSubmit, prefill }: GeneratorWizardP
className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
/>
</div>
{vvtActivities.length > 0 && (
<div>
<label className="block text-sm font-medium text-gray-700 mb-1">Verknuepfte VVT-Aktivitaet (Art. 30)</label>
<select value={linkedVvtId} onChange={e => {
setLinkedVvtId(e.target.value)
const selected = vvtActivities.find(a => a.id === e.target.value)
if (selected && !processingActivity) setProcessingActivity(selected.name)
}} className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 bg-white">
<option value=""> Keine Verknuepfung </option>
{vvtActivities.map(a => <option key={a.id} value={a.id}>{a.name}</option>)}
</select>
<p className="text-xs text-gray-400 mt-1">Ordnen Sie diese DSFA einer VVT-Verarbeitungstaetigkeit zu.</p>
</div>
)}
<div>
<label className="block text-sm font-medium text-gray-700 mb-1">Verarbeitungstaetigkeit</label>
<input
@@ -178,6 +208,43 @@ export function GeneratorWizard({ onClose, onSubmit, prefill }: GeneratorWizardP
</div>
</div>
)}
{step === 5 && (
<div className="space-y-4">
<label className="block text-sm font-medium text-gray-700 mb-2">Restrisiko nach Massnahmen</label>
<p className="text-xs text-gray-500 mb-3">
Bewerten Sie das verbleibende Risiko NACH Umsetzung der Schutzmassnahmen.
Bei hohem Restrisiko Art. 36 Vorabkonsultation der Aufsichtsbehoerde.
</p>
<div className="grid grid-cols-2 gap-2">
{[
{ value: 'low' as const, label: 'Niedrig', desc: 'Risiko ausreichend gemindert', color: 'border-green-300 bg-green-50' },
{ value: 'medium' as const, label: 'Mittel', desc: 'Akzeptables Restrisiko', color: 'border-yellow-300 bg-yellow-50' },
{ value: 'high' as const, label: 'Hoch', desc: 'Art. 36 Konsultation pruefen', color: 'border-orange-300 bg-orange-50' },
{ value: 'critical' as const, label: 'Kritisch', desc: 'Art. 36 Konsultation PFLICHT', color: 'border-red-300 bg-red-50' },
].map(r => (
<label key={r.value} className={`flex items-start gap-2 p-3 border-2 rounded-lg cursor-pointer ${
residualRisk === r.value ? r.color : 'border-gray-200 hover:border-gray-300'
}`}>
<input type="radio" name="residualRisk" value={r.value} checked={residualRisk === r.value}
onChange={() => setResidualRisk(r.value)} className="mt-0.5" />
<div>
<span className="text-sm font-medium">{r.label}</span>
<p className="text-xs text-gray-500">{r.desc}</p>
</div>
</label>
))}
</div>
{(residualRisk === 'high' || residualRisk === 'critical') && (
<div className="bg-red-50 border border-red-200 rounded-lg p-3">
<p className="text-sm text-red-700 font-medium">Vorabkonsultation erforderlich (Art. 36 DSGVO)</p>
<p className="text-xs text-red-600 mt-1">
Bei hohem Restrisiko muss die Aufsichtsbehoerde VOR Beginn der Verarbeitung konsultiert werden.
</p>
</div>
)}
</div>
)}
</div>
{/* Navigation */}
@@ -190,11 +257,11 @@ export function GeneratorWizard({ onClose, onSubmit, prefill }: GeneratorWizardP
{step === 1 ? 'Abbrechen' : 'Zurueck'}
</button>
<button
onClick={() => step < 4 ? setStep(step + 1) : handleSubmit()}
onClick={() => step < 5 ? setStep(step + 1) : handleSubmit()}
disabled={saving || (step === 1 && !title.trim())}
className="px-6 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors disabled:opacity-50"
>
{step === 4 ? (saving ? 'Wird erstellt...' : 'DSFA erstellen') : 'Weiter'}
{step === 5 ? (saving ? 'Wird erstellt...' : 'DSFA erstellen') : 'Weiter'}
</button>
</div>
</div>
admin-compliance/app/sdk/dsfa/page.tsx
+19 -1
View File
@@ -24,7 +24,10 @@ export default function DSFAPage() {
() => prefillDSFAFromScope(state.companyProfile || null, scopeAnswers),
[state.companyProfile, scopeAnswers]
)
const dsfaCheck = useMemo(() => isDSFARequired(scopeAnswers), [scopeAnswers])
const dsfaCheck = useMemo(
() => isDSFARequired(scopeAnswers, state.companyProfile?.headquartersState),
[scopeAnswers, state.companyProfile?.headquartersState]
)
const loadDSFAs = useCallback(async () => {
setIsLoading(true)
@@ -142,6 +145,21 @@ export default function DSFAPage() {
</li>
))}
</ul>
{dsfaCheck.blacklistMatches.length > 0 && (
<div className="mt-3 pt-3 border-t border-red-200">
<p className="text-xs font-medium text-red-800 mb-1">
Blacklist {dsfaCheck.authority || 'Aufsichtsbehoerde'} (Art. 35 Abs. 4):
</p>
<ul className="space-y-1">
{dsfaCheck.blacklistMatches.map(m => (
<li key={m} className="text-xs text-red-600 flex items-center gap-2">
<span className="w-1 h-1 bg-red-400 rounded-full flex-shrink-0" />
{m}
</li>
))}
</ul>
</div>
)}
</div>
)}
admin-compliance/lib/sdk/dsfa/bundesland-blacklists.ts
+113
View File
@@ -0,0 +1,113 @@
/**
* DSFA Bundesland-Blacklists — Verarbeitungen die IMMER eine DSFA erfordern.
*
* Jede Aufsichtsbehoerde fuehrt eine eigene Positiv-/Negativliste
* gemaess Art. 35 Abs. 4 DSGVO. Diese Listen definieren Verarbeitungen
* die UNABHAENGIG von der Schwellwertanalyse eine DSFA erfordern.
*
* Quellen: Offizielle Muss-Listen der LfDI/BfDI (oeffentlich zugaenglich).
* KEIN Normtext — eigene Zusammenfassung der Kriterien.
*/
export interface BlacklistEntry {
id: string
description: string
triggerKeywords: string[]
}
export interface BundeslandBlacklist {
state: string
stateCode: string
authority: string
authorityUrl: string
entries: BlacklistEntry[]
}
// Gemeinsame Kriterien die in ALLEN Bundeslaendern gelten (DSK-Liste)
const DSK_COMMON: BlacklistEntry[] = [
{ id: 'dsk-01', description: 'Umfangreiche Verarbeitung besonderer Kategorien (Art. 9)', triggerKeywords: ['art9', 'gesundheit', 'biometrie', 'genetik', 'religion', 'gewerkschaft'] },
{ id: 'dsk-02', description: 'Systematische umfangreiche Ueberwachung oeffentlicher Bereiche', triggerKeywords: ['videoueberwachung', 'kamera', 'oeffentlich', 'ueberwachung'] },
{ id: 'dsk-03', description: 'Scoring/Profiling mit rechtlicher Wirkung', triggerKeywords: ['scoring', 'profiling', 'bonitaet', 'kredit', 'automatisiert'] },
{ id: 'dsk-04', description: 'Verarbeitung von Daten Minderjaehriger fuer Marketing/Profiling', triggerKeywords: ['minderjaehrig', 'kinder', 'schueler', 'marketing'] },
{ id: 'dsk-05', description: 'Zusammenfuehrung von Daten aus verschiedenen Quellen', triggerKeywords: ['zusammenfuehrung', 'matching', 'datenfusion', 'big data'] },
{ id: 'dsk-06', description: 'Einsatz neuer Technologien (KI, Biometrie, IoT)', triggerKeywords: ['ki', 'kuenstliche intelligenz', 'biometrie', 'iot', 'gesichtserkennung'] },
{ id: 'dsk-07', description: 'Umfangreiche Verarbeitung von Standortdaten', triggerKeywords: ['standort', 'gps', 'tracking', 'bewegungsprofil'] },
{ id: 'dsk-08', description: 'Verarbeitung von Beschaeftigtendaten mit Ueberwachungscharakter', triggerKeywords: ['mitarbeiterueberwachung', 'keylogger', 'bildschirmaufnahme', 'leistungskontrolle'] },
{ id: 'dsk-09', description: 'Anonymisierung besonderer Kategorien', triggerKeywords: ['anonymisierung', 'art9', 'pseudonymisierung'] },
{ id: 'dsk-10', description: 'Verarbeitung von Kommunikationsinhalten oder -metadaten', triggerKeywords: ['kommunikation', 'email', 'telefon', 'metadaten', 'inhaltsdaten'] },
]
// Bundesland-spezifische Ergaenzungen
const BAYERN_EXTRA: BlacklistEntry[] = [
{ id: 'by-01', description: 'Betrieb von Whistleblower-Systemen mit Identifizierungsrisiko', triggerKeywords: ['whistleblower', 'hinweisgeber', 'meldesystem'] },
{ id: 'by-02', description: 'Einsatz von Drohnen mit Kamera in oeffentlichen Bereichen', triggerKeywords: ['drohne', 'uav', 'luftaufnahme'] },
]
const NRW_EXTRA: BlacklistEntry[] = [
{ id: 'nw-01', description: 'Social-Media-Monitoring von Mitarbeitern oder Bewerbern', triggerKeywords: ['social media', 'monitoring', 'bewerber', 'hintergrundcheck'] },
]
const BERLIN_EXTRA: BlacklistEntry[] = [
{ id: 'be-01', description: 'Automatisierte Mieterbonitaetspruefung', triggerKeywords: ['mieter', 'bonitaet', 'wohnung', 'schufa'] },
]
export const BUNDESLAND_BLACKLISTS: Record<string, BundeslandBlacklist> = {
BW: { state: 'Baden-Wuerttemberg', stateCode: 'BW', authority: 'LfDI BW', authorityUrl: 'https://www.baden-wuerttemberg.datenschutz.de', entries: [...DSK_COMMON] },
BY: { state: 'Bayern', stateCode: 'BY', authority: 'BayLDA', authorityUrl: 'https://www.lda.bayern.de', entries: [...DSK_COMMON, ...BAYERN_EXTRA] },
BE: { state: 'Berlin', stateCode: 'BE', authority: 'BlnBDI', authorityUrl: 'https://www.datenschutz-berlin.de', entries: [...DSK_COMMON, ...BERLIN_EXTRA] },
BB: { state: 'Brandenburg', stateCode: 'BB', authority: 'LDA BB', authorityUrl: 'https://www.lda.brandenburg.de', entries: [...DSK_COMMON] },
HB: { state: 'Bremen', stateCode: 'HB', authority: 'LfDI HB', authorityUrl: 'https://www.datenschutz.bremen.de', entries: [...DSK_COMMON] },
HH: { state: 'Hamburg', stateCode: 'HH', authority: 'HmbBfDI', authorityUrl: 'https://datenschutz-hamburg.de', entries: [...DSK_COMMON] },
HE: { state: 'Hessen', stateCode: 'HE', authority: 'HBDI', authorityUrl: 'https://datenschutz.hessen.de', entries: [...DSK_COMMON] },
MV: { state: 'Mecklenburg-Vorpommern', stateCode: 'MV', authority: 'LfDI MV', authorityUrl: 'https://www.datenschutz-mv.de', entries: [...DSK_COMMON] },
NI: { state: 'Niedersachsen', stateCode: 'NI', authority: 'LfD NI', authorityUrl: 'https://lfd.niedersachsen.de', entries: [...DSK_COMMON] },
NW: { state: 'Nordrhein-Westfalen', stateCode: 'NW', authority: 'LDI NRW', authorityUrl: 'https://www.ldi.nrw.de', entries: [...DSK_COMMON, ...NRW_EXTRA] },
RP: { state: 'Rheinland-Pfalz', stateCode: 'RP', authority: 'LfDI RP', authorityUrl: 'https://www.datenschutz.rlp.de', entries: [...DSK_COMMON] },
SL: { state: 'Saarland', stateCode: 'SL', authority: 'UDZ Saarland', authorityUrl: 'https://www.datenschutz.saarland.de', entries: [...DSK_COMMON] },
SN: { state: 'Sachsen', stateCode: 'SN', authority: 'SDB', authorityUrl: 'https://www.saechsdsb.de', entries: [...DSK_COMMON] },
ST: { state: 'Sachsen-Anhalt', stateCode: 'ST', authority: 'LfD LSA', authorityUrl: 'https://datenschutz.sachsen-anhalt.de', entries: [...DSK_COMMON] },
SH: { state: 'Schleswig-Holstein', stateCode: 'SH', authority: 'ULD SH', authorityUrl: 'https://www.datenschutzzentrum.de', entries: [...DSK_COMMON] },
TH: { state: 'Thueringen', stateCode: 'TH', authority: 'TLfDI', authorityUrl: 'https://www.tlfdi.de', entries: [...DSK_COMMON] },
}
/**
* Check scope answers against Bundesland blacklist.
* Returns matching entries that REQUIRE a DSFA.
*/
export function checkBlacklist(
stateCode: string,
scopeKeywords: string[],
): { matches: BlacklistEntry[]; authority: string; authorityUrl: string } {
const bl = BUNDESLAND_BLACKLISTS[stateCode]
if (!bl) return { matches: [], authority: 'BfDI', authorityUrl: 'https://www.bfdi.bund.de' }
const lowerKeywords = scopeKeywords.map(k => k.toLowerCase())
const matches = bl.entries.filter(entry =>
entry.triggerKeywords.some(tk => lowerKeywords.some(kw => kw.includes(tk) || tk.includes(kw)))
)
return { matches, authority: bl.authority, authorityUrl: bl.authorityUrl }
}
/**
* Derive keywords from scope answers for blacklist matching.
*/
export function scopeAnswersToKeywords(answers: Array<{ questionId: string; value: unknown }>): string[] {
const keywords: string[] = []
for (const a of answers) {
if (a.value === true || a.value === 'yes') {
keywords.push(a.questionId.replace(/_/g, ' '))
// Map specific question IDs to keywords
if (a.questionId === 'data_art9') keywords.push('art9', 'besondere kategorien')
if (a.questionId === 'data_minors') keywords.push('minderjaehrig', 'kinder')
if (a.questionId === 'proc_adm_scoring') keywords.push('scoring', 'profiling', 'automatisiert')
if (a.questionId === 'proc_video_surveillance') keywords.push('videoueberwachung', 'kamera')
if (a.questionId === 'proc_ai_usage') keywords.push('ki', 'kuenstliche intelligenz')
if (a.questionId === 'proc_employee_monitoring') keywords.push('mitarbeiterueberwachung')
}
if (Array.isArray(a.value)) {
for (const v of a.value) keywords.push(String(v).toLowerCase())
}
}
return keywords
}
admin-compliance/lib/sdk/dsfa/prefill-from-scope.ts
+25 -3
View File
@@ -173,11 +173,17 @@ export function prefillDSFAFromScope(
}
/**
* Check if DSFA is required based on scope answers (Art. 35 Abs. 3 triggers).
* Check if DSFA is required based on scope answers (Art. 35 Abs. 3 triggers)
* AND Bundesland-specific blacklist (Art. 35 Abs. 4).
*/
export function isDSFARequired(scopeAnswers: ScopeProfilingAnswer[]): {
export function isDSFARequired(
scopeAnswers: ScopeProfilingAnswer[],
headquartersState?: string,
): {
required: boolean
triggers: string[]
blacklistMatches: string[]
authority?: string
} {
const triggers: string[] = []
@@ -198,5 +204,21 @@ export function isDSFARequired(scopeAnswers: ScopeProfilingAnswer[]): {
triggers.push('Umfangreiche Datenverarbeitung (Art. 35 Abs. 3 lit. b)')
}
return { required: triggers.length > 0, triggers }
// Bundesland-Blacklist (Art. 35 Abs. 4)
let blacklistMatches: string[] = []
let authority: string | undefined
if (headquartersState) {
const { checkBlacklist, scopeAnswersToKeywords } = require('./bundesland-blacklists')
const keywords = scopeAnswersToKeywords(scopeAnswers)
const result = checkBlacklist(headquartersState, keywords)
blacklistMatches = result.matches.map((m: { description: string }) => m.description)
authority = result.authority
}
return {
required: triggers.length > 0 || blacklistMatches.length > 0,
triggers,
blacklistMatches,
authority,
}
}