feat(ucca): Pflichtendatenbank v2 (325 Obligations), Trigger-Engine, TOM-Control-Mapping
All checks were successful
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-ai-compliance (push) Successful in 32s
CI / test-python-backend-compliance (push) Successful in 29s
CI / test-python-document-crawler (push) Successful in 20s
CI / test-python-dsms-gateway (push) Successful in 18s
All checks were successful
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-ai-compliance (push) Successful in 32s
CI / test-python-backend-compliance (push) Successful in 29s
CI / test-python-document-crawler (push) Successful in 20s
CI / test-python-dsms-gateway (push) Successful in 18s
- 9 Regulation-JSON-Dateien (DSGVO 80, AI Act 60, NIS2 40, BDSG 30, TTDSG 20, DSA 35, Data Act 25, EU-Maschinen 15, DORA 20) - Condition-Tree-Engine fuer automatische Pflichtenselektion (all_of/any_of, 80+ Field-Paths) - Generischer JSONRegulationModule-Loader mit YAML-Fallback - Bidirektionales TOM-Control-Mapping (291 Obligation→Control, 92 Control→Obligation) - Gap-Analyse-Engine (Compliance-%, Priority Actions, Domain Breakdown) - ScopeDecision→UnifiedFacts Bridge fuer Auto-Profiling - 4 neue API-Endpoints (assess-from-scope, tom-controls, gap-analysis, reverse-lookup) - Frontend: Auto-Profiling Button, Regulation-Filter Chips, TOM-Panel, Gap-Analyse-View - 18 Unit Tests (Condition Engine, v2 Loader, TOM Mapper) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
668
ai-compliance-sdk/policies/obligations/v2/bdsg_v2.json
Normal file
668
ai-compliance-sdk/policies/obligations/v2/bdsg_v2.json
Normal file
@@ -0,0 +1,668 @@
|
||||
{
|
||||
"regulation": "bdsg",
|
||||
"regulation_full_name": "Bundesdatenschutzgesetz (BDSG)",
|
||||
"version": "1.0",
|
||||
"obligations": [
|
||||
{
|
||||
"id": "BDSG-OBL-001",
|
||||
"title": "Videoueberwachung oeffentlicher Raeume",
|
||||
"description": "Videoueberwachung oeffentlich zugaenglicher Raeume ist nur zulaessig, wenn sie zur Aufgabenerfuellung oeffentlicher Stellen, zur Wahrnehmung des Hausrechts oder zur Wahrnehmung berechtigter Interessen erforderlich ist.",
|
||||
"applies_when": "organization uses video surveillance in public areas",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.video_surveillance", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 4 Abs. 1", "title": "Videoueberwachung oeffentlich zugaenglicher Raeume" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 4 BDSG" }],
|
||||
"category": "Governance",
|
||||
"responsible": "Datenschutzbeauftragter",
|
||||
"deadline": { "type": "on_event", "event": "Vor Inbetriebnahme der Videoueberwachung" },
|
||||
"sanctions": { "max_fine": "50.000 EUR (§ 43 BDSG a.F.) bzw. DSGVO-Bussgeld" },
|
||||
"evidence": [{ "name": "Videoueberwachungskonzept", "required": true }, "Beschilderung/Hinweisschilder"],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.PHY.01", "TOM.GOV.03"],
|
||||
"breakpilot_feature": "/sdk/tom",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-002",
|
||||
"title": "Kennzeichnungspflicht Videoueberwachung",
|
||||
"description": "Der Umstand der Beobachtung und der Verantwortliche sind durch geeignete Massnahmen zum fruehestmoeglichen Zeitpunkt erkennbar zu machen.",
|
||||
"applies_when": "organization uses video surveillance",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.video_surveillance", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 4 Abs. 2", "title": "Kennzeichnungspflicht bei Videoueberwachung" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 4 Abs. 2 BDSG" }],
|
||||
"category": "Organisatorisch",
|
||||
"responsible": "Verantwortlicher",
|
||||
"deadline": { "type": "on_event", "event": "Vor Inbetriebnahme" },
|
||||
"sanctions": { "max_fine": "10 Mio. EUR oder 2% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Fotodokumentation Beschilderung", "required": true }],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.PHY.01"],
|
||||
"breakpilot_feature": null,
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-003",
|
||||
"title": "Loeschpflicht Videomaterial",
|
||||
"description": "Videoaufzeichnungen sind unverzueglich zu loeschen, wenn sie zur Erreichung des Zwecks nicht mehr erforderlich sind oder schutzwuerdige Interessen der Betroffenen entgegenstehen.",
|
||||
"applies_when": "organization stores video surveillance recordings",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.video_surveillance", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 4 Abs. 5", "title": "Loeschung von Videomaterial" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 4 Abs. 5 BDSG" }],
|
||||
"category": "Technisch",
|
||||
"responsible": "IT-Sicherheitsbeauftragter",
|
||||
"deadline": { "type": "relative", "duration": "P72H" },
|
||||
"sanctions": { "max_fine": "10 Mio. EUR oder 2% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Loeschkonzept Videodaten", "required": true }],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.PHY.01", "TOM.DEL.01"],
|
||||
"breakpilot_feature": "/sdk/loeschfristen",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-004",
|
||||
"title": "Verarbeitung besonderer Kategorien — Angemessene Massnahmen",
|
||||
"description": "Bei Verarbeitung besonderer Kategorien personenbezogener Daten sind angemessene und spezifische Massnahmen zur Wahrung der Interessen der betroffenen Person vorzusehen.",
|
||||
"applies_when": "organization processes special category data",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.special_categories", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 22 Abs. 1", "title": "Verarbeitung besonderer Kategorien personenbezogener Daten" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 22 BDSG" }],
|
||||
"category": "Governance",
|
||||
"responsible": "Datenschutzbeauftragter",
|
||||
"deadline": { "type": "recurring", "interval": "laufend" },
|
||||
"sanctions": { "max_fine": "20 Mio. EUR oder 4% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Schutzkonzept besondere Datenkategorien", "required": true }, "DSFA"],
|
||||
"priority": "kritisch",
|
||||
"tom_control_ids": ["TOM.AC.01", "TOM.CRY.01", "TOM.GOV.04"],
|
||||
"breakpilot_feature": "/sdk/dsfa",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-005",
|
||||
"title": "Massnahmenkatalog § 22 Abs. 2",
|
||||
"description": "Der Verantwortliche hat technische und organisatorische Massnahmen nach § 22 Abs. 2 BDSG umzusetzen, darunter Pseudonymisierung, Verschluesselung, Zugriffskontrolle und Sensibilisierung.",
|
||||
"applies_when": "organization processes special category data under BDSG",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.special_categories", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 22 Abs. 2", "title": "Spezifische Massnahmen" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 22 Abs. 2 BDSG" }],
|
||||
"category": "Technisch",
|
||||
"responsible": "IT-Sicherheitsbeauftragter",
|
||||
"deadline": { "type": "recurring", "interval": "laufend" },
|
||||
"sanctions": { "max_fine": "20 Mio. EUR oder 4% Jahresumsatz" },
|
||||
"evidence": [{ "name": "TOM-Dokumentation § 22", "required": true }, "Pseudonymisierungskonzept"],
|
||||
"priority": "kritisch",
|
||||
"tom_control_ids": ["TOM.CRY.01", "TOM.CRY.02", "TOM.AC.01"],
|
||||
"breakpilot_feature": "/sdk/tom",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-006",
|
||||
"title": "Datenverarbeitung fuer Zwecke des Beschaeftigungsverhaeltnisses",
|
||||
"description": "Personenbezogene Daten von Beschaeftigten duerfen nur verarbeitet werden, wenn dies fuer die Begruendung, Durchfuehrung oder Beendigung des Beschaeftigungsverhaeltnisses erforderlich ist.",
|
||||
"applies_when": "organization processes employee data",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.has_employees", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 26 Abs. 1", "title": "Datenverarbeitung fuer Zwecke des Beschaeftigungsverhaeltnisses" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 26 BDSG" }, { "type": "case_law", "ref": "BAG Urt. v. 29.06.2023 – 2 AZR 296/22" }],
|
||||
"category": "Governance",
|
||||
"responsible": "Personalleitung",
|
||||
"deadline": { "type": "recurring", "interval": "laufend" },
|
||||
"sanctions": { "max_fine": "20 Mio. EUR oder 4% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Beschaeftigtendatenschutzkonzept", "required": true }],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.HR.01", "TOM.GOV.01"],
|
||||
"breakpilot_feature": null,
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-007",
|
||||
"title": "Einwilligung im Beschaeftigungsverhaeltnis",
|
||||
"description": "Einwilligungen von Beschaeftigten sind nur wirksam, wenn sie auf Freiwilligkeit beruhen. Die Freiwilligkeit ist besonders zu dokumentieren und zu pruefen.",
|
||||
"applies_when": "organization collects consent from employees",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.has_employees", "operator": "EQUALS", "value": true }, { "field": "data_protection.employee_consent", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 26 Abs. 2", "title": "Einwilligung Beschaeftigte" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 26 Abs. 2 BDSG" }],
|
||||
"category": "Organisatorisch",
|
||||
"responsible": "Personalleitung",
|
||||
"deadline": { "type": "on_event", "event": "Vor Datenerhebung" },
|
||||
"sanctions": { "max_fine": "20 Mio. EUR oder 4% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Einwilligungsformulare Beschaeftigte", "required": true }, "Freiwilligkeitsnachweis"],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.HR.01", "TOM.HR.02"],
|
||||
"breakpilot_feature": "/sdk/consent",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-008",
|
||||
"title": "Kollektivvereinbarungen Beschaeftigtendatenschutz",
|
||||
"description": "Verarbeitung von Beschaeftigtendaten kann auf Grundlage von Kollektivvereinbarungen (Betriebsvereinbarung, Tarifvertrag) erfolgen, sofern diese Art. 88 Abs. 2 DSGVO genuegen.",
|
||||
"applies_when": "organization has collective agreements for data processing",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.has_employees", "operator": "EQUALS", "value": true }, { "field": "organization.has_works_council", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 26 Abs. 4", "title": "Kollektivvereinbarungen" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 26 Abs. 4 BDSG" }],
|
||||
"category": "Governance",
|
||||
"responsible": "Personalleitung",
|
||||
"deadline": { "type": "recurring", "interval": "jaehrlich" },
|
||||
"sanctions": { "max_fine": "20 Mio. EUR oder 4% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Betriebsvereinbarung Datenschutz", "required": true }],
|
||||
"priority": "mittel",
|
||||
"tom_control_ids": ["TOM.HR.01", "TOM.GOV.01"],
|
||||
"breakpilot_feature": null,
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-009",
|
||||
"title": "Aufbewahrung Beschaeftigtendaten nach Verhaeltnisende",
|
||||
"description": "Personenbezogene Daten von Beschaeftigten sind nach Beendigung des Beschaeftigungsverhaeltnisses zu loeschen, soweit keine gesetzlichen Aufbewahrungspflichten bestehen.",
|
||||
"applies_when": "organization stores former employee data",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.has_employees", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 26 Abs. 1", "title": "Zweckbindung Beschaeftigtendaten" }, { "norm": "DSGVO", "article": "Art. 17", "title": "Recht auf Loeschung" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 26 BDSG" }],
|
||||
"category": "Organisatorisch",
|
||||
"responsible": "Personalleitung",
|
||||
"deadline": { "type": "on_event", "event": "Beendigung Beschaeftigungsverhaeltnis" },
|
||||
"sanctions": { "max_fine": "20 Mio. EUR oder 4% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Loeschkonzept Personalakten", "required": true }],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.HR.01", "TOM.DEL.01"],
|
||||
"breakpilot_feature": "/sdk/loeschfristen",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-010",
|
||||
"title": "Informationspflicht gegenueber Betroffenen",
|
||||
"description": "Die betroffene Person ist ueber die Verarbeitung ihrer Daten gemaess §§ 32-33 BDSG zu informieren, sofern keine Ausnahmen nach § 29 greifen.",
|
||||
"applies_when": "always",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.processes_personal_data", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 29", "title": "Rechte der betroffenen Person und aufsichtsbehoerdliche Befugnisse" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 29 BDSG" }],
|
||||
"category": "Organisatorisch",
|
||||
"responsible": "Datenschutzbeauftragter",
|
||||
"deadline": { "type": "on_event", "event": "Bei Datenerhebung" },
|
||||
"sanctions": { "max_fine": "20 Mio. EUR oder 4% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Datenschutzerklaerung", "required": true }, "Informationsblaetter"],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.GOV.02"],
|
||||
"breakpilot_feature": "/sdk/dsr",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-011",
|
||||
"title": "Ausnahmen von Betroffenenrechten dokumentieren",
|
||||
"description": "Einschraenkungen der Betroffenenrechte nach § 29 BDSG (z.B. bei oeffentlichem Interesse, Strafverfolgung) muessen dokumentiert und begruendet werden.",
|
||||
"applies_when": "organization restricts data subject rights under BDSG § 29",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.restricts_data_subject_rights", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 29 Abs. 1", "title": "Beschraenkung Betroffenenrechte" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 29 BDSG" }],
|
||||
"category": "Dokumentation",
|
||||
"responsible": "Datenschutzbeauftragter",
|
||||
"deadline": { "type": "on_event", "event": "Bei Einschraenkung der Rechte" },
|
||||
"sanctions": { "max_fine": "20 Mio. EUR oder 4% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Dokumentation Rechteeinschraenkung", "required": true }],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.GOV.02", "TOM.GOV.03"],
|
||||
"breakpilot_feature": "/sdk/dsr",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-012",
|
||||
"title": "Recht auf Loeschung — BDSG-Einschraenkungen",
|
||||
"description": "Das Recht auf Loeschung kann nach § 35 BDSG eingeschraenkt sein, wenn die Loeschung wegen der besonderen Art der Speicherung nicht oder nur mit unverhaeltnismaessigem Aufwand moeglich ist.",
|
||||
"applies_when": "organization processes data where deletion is disproportionate",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.complex_storage", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 35 Abs. 1", "title": "Recht auf Loeschung" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 35 BDSG" }],
|
||||
"category": "Technisch",
|
||||
"responsible": "IT-Leitung",
|
||||
"deadline": { "type": "on_event", "event": "Bei Loeschantrag" },
|
||||
"sanctions": { "max_fine": "20 Mio. EUR oder 4% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Nachweis unverhaeltnismaessiger Aufwand", "required": true }],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.DEL.01"],
|
||||
"breakpilot_feature": "/sdk/loeschfristen",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-013",
|
||||
"title": "Verarbeitungseinschraenkung statt Loeschung",
|
||||
"description": "Wenn die Loeschung nicht moeglich ist, tritt an die Stelle der Loeschung die Einschraenkung der Verarbeitung gemaess § 35 Abs. 1 BDSG.",
|
||||
"applies_when": "organization cannot delete data due to storage constraints",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.complex_storage", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 35 Abs. 1 S. 2", "title": "Verarbeitungseinschraenkung" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 35 BDSG" }],
|
||||
"category": "Technisch",
|
||||
"responsible": "IT-Leitung",
|
||||
"deadline": { "type": "on_event", "event": "Bei Loeschantrag" },
|
||||
"sanctions": { "max_fine": "20 Mio. EUR oder 4% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Sperrkonzept/Einschraenkungskonzept", "required": true }],
|
||||
"priority": "mittel",
|
||||
"tom_control_ids": ["TOM.DEL.01", "TOM.AC.02"],
|
||||
"breakpilot_feature": "/sdk/loeschfristen",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-014",
|
||||
"title": "Benennung Datenschutzbeauftragter",
|
||||
"description": "Der Verantwortliche hat einen Datenschutzbeauftragten zu benennen, wenn mindestens 20 Personen staendig mit der automatisierten Verarbeitung personenbezogener Daten beschaeftigt sind.",
|
||||
"applies_when": "organization has 20+ employees processing personal data",
|
||||
"applies_when_condition": { "any_of": [{ "field": "organization.employees_processing_data", "operator": "GREATER_OR_EQUAL", "value": 20 }, { "field": "data_protection.special_categories", "operator": "EQUALS", "value": true }, { "field": "data_protection.core_activity_monitoring", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 38 Abs. 1", "title": "Datenschutzbeauftragte nichtoeffentlicher Stellen" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 38 BDSG" }, { "type": "dsk_kurzpapier", "ref": "DSK KP Nr. 12" }],
|
||||
"category": "Governance",
|
||||
"responsible": "Geschaeftsfuehrung",
|
||||
"deadline": { "type": "on_event", "event": "Unverzueglich bei Erreichen der Schwelle" },
|
||||
"sanctions": { "max_fine": "10 Mio. EUR oder 2% Jahresumsatz", "personal_liability": true },
|
||||
"evidence": [{ "name": "Benennungsurkunde DSB", "required": true }, { "name": "Meldung an Aufsichtsbehoerde", "required": true }],
|
||||
"priority": "kritisch",
|
||||
"tom_control_ids": ["TOM.GOV.01", "TOM.GOV.05"],
|
||||
"breakpilot_feature": "/sdk/dsb-portal",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-015",
|
||||
"title": "Kuendigungsschutz DSB",
|
||||
"description": "Der Datenschutzbeauftragte darf wegen der Erfuellung seiner Aufgaben nicht abberufen oder benachteiligt werden. Ein besonderer Kuendigungsschutz gilt nach § 38 Abs. 2 i.V.m. § 6 Abs. 4 BDSG.",
|
||||
"applies_when": "organization has appointed a DPO",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.has_dpo", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 38 Abs. 2", "title": "Kuendigungsschutz DSB" }, { "norm": "BDSG", "article": "§ 6 Abs. 4", "title": "Stellung des DSB" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 38 Abs. 2 BDSG" }],
|
||||
"category": "Governance",
|
||||
"responsible": "Geschaeftsfuehrung",
|
||||
"deadline": { "type": "recurring", "interval": "laufend" },
|
||||
"sanctions": { "max_fine": "10 Mio. EUR oder 2% Jahresumsatz", "personal_liability": true },
|
||||
"evidence": [{ "name": "Arbeitsvertrag/Bestellungsurkunde DSB", "required": true }],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.GOV.05"],
|
||||
"breakpilot_feature": null,
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-016",
|
||||
"title": "Geheimhaltungspflicht DSB",
|
||||
"description": "Der Datenschutzbeauftragte ist zur Geheimhaltung ueber die Identitaet betroffener Personen und Umstaende verpflichtet, die Rueckschluesse auf diese zulassen (§ 38 Abs. 2 i.V.m. § 6 Abs. 5 BDSG).",
|
||||
"applies_when": "organization has appointed a DPO",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.has_dpo", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 6 Abs. 5", "title": "Geheimhaltungspflicht DSB" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 6 Abs. 5 BDSG" }],
|
||||
"category": "Organisatorisch",
|
||||
"responsible": "Datenschutzbeauftragter",
|
||||
"deadline": { "type": "recurring", "interval": "laufend" },
|
||||
"sanctions": { "personal_liability": true, "criminal_liability": true },
|
||||
"evidence": [{ "name": "Verschwiegenheitserklaerung DSB", "required": true }],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.GOV.05"],
|
||||
"breakpilot_feature": null,
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-017",
|
||||
"title": "Zustaendigkeit der Aufsichtsbehoerden",
|
||||
"description": "Die Aufsichtsbehoerden ueberwachen die Einhaltung des BDSG und der DSGVO. Der Verantwortliche muss mit der zustaendigen Aufsichtsbehoerde kooperieren (§§ 40-41 BDSG).",
|
||||
"applies_when": "always",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.processes_personal_data", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 40", "title": "Aufsichtsbehoerden der Laender" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 40 BDSG" }],
|
||||
"category": "Compliance",
|
||||
"responsible": "Datenschutzbeauftragter",
|
||||
"deadline": { "type": "recurring", "interval": "laufend" },
|
||||
"sanctions": { "max_fine": "10 Mio. EUR oder 2% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Dokumentierte Aufsichtsbehoerdenkontakte", "required": false }],
|
||||
"priority": "mittel",
|
||||
"tom_control_ids": ["TOM.GOV.01"],
|
||||
"breakpilot_feature": null,
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-018",
|
||||
"title": "Anwendung der Bussgeldvorschriften",
|
||||
"description": "Ordnungswidrig handelt, wer gegen Vorschriften des BDSG verstoesst. Die Aufsichtsbehoerden koennen Bussgelder verhaengen (§ 43 BDSG ergaenzend zu Art. 83 DSGVO).",
|
||||
"applies_when": "always",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.processes_personal_data", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 43", "title": "Bussgeldvorschriften" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 43 BDSG" }],
|
||||
"category": "Compliance",
|
||||
"responsible": "Geschaeftsfuehrung",
|
||||
"deadline": { "type": "recurring", "interval": "laufend" },
|
||||
"sanctions": { "max_fine": "50.000 EUR (national) bzw. 20 Mio. EUR (DSGVO)", "personal_liability": true },
|
||||
"evidence": [{ "name": "Compliance-Management-System", "required": true }],
|
||||
"priority": "kritisch",
|
||||
"tom_control_ids": ["TOM.GOV.01", "TOM.GOV.02"],
|
||||
"breakpilot_feature": "/sdk/risk-assessment",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-019",
|
||||
"title": "Verarbeitung fuer Forschungszwecke",
|
||||
"description": "Bei Verarbeitung personenbezogener Daten fuer wissenschaftliche oder historische Forschungszwecke gelten die Sonderregelungen des § 27 BDSG einschliesslich Pseudonymisierung.",
|
||||
"applies_when": "organization processes data for research purposes",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.research_processing", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 27", "title": "Datenverarbeitung zu Forschungszwecken" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 27 BDSG" }],
|
||||
"category": "Governance",
|
||||
"responsible": "Forschungsleitung",
|
||||
"deadline": { "type": "recurring", "interval": "laufend" },
|
||||
"sanctions": { "max_fine": "20 Mio. EUR oder 4% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Forschungsdatenschutzkonzept", "required": true }, "Pseudonymisierungsnachweis"],
|
||||
"priority": "mittel",
|
||||
"tom_control_ids": ["TOM.CRY.02", "TOM.GOV.04"],
|
||||
"breakpilot_feature": null,
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-020",
|
||||
"title": "Verarbeitung fuer statistische Zwecke",
|
||||
"description": "Bei Verarbeitung fuer statistische Zwecke sind die besonderen Anforderungen des § 27 Abs. 1 BDSG zu beachten, insbesondere Pseudonymisierung und Anonymisierung.",
|
||||
"applies_when": "organization processes data for statistical purposes",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.statistical_processing", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 27 Abs. 1", "title": "Statistische Zwecke" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 27 BDSG" }],
|
||||
"category": "Technisch",
|
||||
"responsible": "Datenanalyst",
|
||||
"deadline": { "type": "recurring", "interval": "laufend" },
|
||||
"sanctions": { "max_fine": "10 Mio. EUR oder 2% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Anonymisierungskonzept", "required": true }],
|
||||
"priority": "mittel",
|
||||
"tom_control_ids": ["TOM.CRY.02"],
|
||||
"breakpilot_feature": null,
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-021",
|
||||
"title": "Verarbeitung durch Polizei/Strafverfolgung — Rechtsgrundlage",
|
||||
"description": "Personenbezogene Daten duerfen von Polizei und Strafverfolgungsbehoerden nur verarbeitet werden, wenn dies fuer die Erfuellung ihrer Aufgaben erforderlich ist (§§ 46 ff. BDSG).",
|
||||
"applies_when": "organization is law enforcement or cooperates with law enforcement",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.sector", "operator": "IN", "value": ["law_enforcement", "public_authority"] }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 46", "title": "Begriffsbestimmungen Strafverfolgung" }, { "norm": "BDSG", "article": "§ 47", "title": "Allgemeine Grundsaetze" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§§ 46-47 BDSG" }],
|
||||
"category": "Governance",
|
||||
"responsible": "Behoerdenleitung",
|
||||
"deadline": { "type": "recurring", "interval": "laufend" },
|
||||
"sanctions": { "max_fine": "Disziplinarmassnahmen", "personal_liability": true },
|
||||
"evidence": [{ "name": "Verarbeitungskonzept Strafverfolgung", "required": true }],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.GOV.01", "TOM.AC.01"],
|
||||
"breakpilot_feature": null,
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-022",
|
||||
"title": "Protokollierungspflicht bei Strafverfolgung",
|
||||
"description": "Zugriffe und Uebermittlungen personenbezogener Daten zu Strafverfolgungszwecken sind zu protokollieren (§ 51 BDSG).",
|
||||
"applies_when": "organization processes data for law enforcement purposes",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.sector", "operator": "IN", "value": ["law_enforcement", "public_authority"] }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 51", "title": "Verarbeitungssicherheit" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 51 BDSG" }],
|
||||
"category": "Technisch",
|
||||
"responsible": "IT-Sicherheitsbeauftragter",
|
||||
"deadline": { "type": "recurring", "interval": "laufend" },
|
||||
"sanctions": { "personal_liability": true },
|
||||
"evidence": [{ "name": "Protokollierungsrichtlinie", "required": true }, "Zugriffsprotokolle"],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.LOG.01", "TOM.AC.01"],
|
||||
"breakpilot_feature": "/sdk/audit",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-023",
|
||||
"title": "Betroffenenrechte bei Strafverfolgung",
|
||||
"description": "Auch im Bereich der Strafverfolgung bestehen Auskunfts-, Berichtigungs- und Loeschungsrechte der Betroffenen nach §§ 53-54 BDSG, ggf. mit Einschraenkungen.",
|
||||
"applies_when": "law enforcement data processing",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.sector", "operator": "IN", "value": ["law_enforcement", "public_authority"] }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 53", "title": "Auskunftsrecht" }, { "norm": "BDSG", "article": "§ 54", "title": "Berichtigung und Loeschung" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§§ 53-54 BDSG" }],
|
||||
"category": "Organisatorisch",
|
||||
"responsible": "Datenschutzbeauftragter",
|
||||
"deadline": { "type": "relative", "duration": "P30D" },
|
||||
"sanctions": { "personal_liability": true },
|
||||
"evidence": [{ "name": "Betroffenenrechte-Prozess Strafverfolgung", "required": true }],
|
||||
"priority": "mittel",
|
||||
"tom_control_ids": ["TOM.GOV.02"],
|
||||
"breakpilot_feature": "/sdk/dsr",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-024",
|
||||
"title": "Datenuebermittlung an Drittstaaten — besondere Voraussetzungen",
|
||||
"description": "Die Uebermittlung personenbezogener Daten an Drittstaaten durch Polizei-/Justizbehoerden ist nur bei Vorliegen eines Angemessenheitsbeschlusses oder geeigneter Garantien zulaessig (§§ 62 ff. BDSG).",
|
||||
"applies_when": "law enforcement transfers data to third countries",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.sector", "operator": "IN", "value": ["law_enforcement", "public_authority"] }, { "field": "data_protection.third_country_transfer", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 62", "title": "Uebermittlung bei Angemessenheitsbeschluss" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§§ 62-66 BDSG" }],
|
||||
"category": "Compliance",
|
||||
"responsible": "Datenschutzbeauftragter",
|
||||
"deadline": { "type": "on_event", "event": "Vor jeder Drittstaatenuebermittlung" },
|
||||
"sanctions": { "personal_liability": true, "criminal_liability": true },
|
||||
"evidence": [{ "name": "Angemessenheitsbeschluss-Pruefung", "required": true }],
|
||||
"priority": "kritisch",
|
||||
"tom_control_ids": ["TOM.GOV.03", "TOM.CRY.01"],
|
||||
"breakpilot_feature": null,
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-025",
|
||||
"title": "Datenuebermittlung ohne Angemessenheitsbeschluss",
|
||||
"description": "Ohne Angemessenheitsbeschluss ist eine Uebermittlung an Drittstaaten nur bei geeigneten Garantien oder in Ausnahmefaellen nach § 63 BDSG zulaessig.",
|
||||
"applies_when": "law enforcement transfers data to third country without adequacy decision",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.sector", "operator": "IN", "value": ["law_enforcement", "public_authority"] }, { "field": "data_protection.third_country_transfer", "operator": "EQUALS", "value": true }, { "field": "data_protection.adequacy_decision", "operator": "EQUALS", "value": false }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 63", "title": "Uebermittlung bei geeigneten Garantien" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 63 BDSG" }],
|
||||
"category": "Compliance",
|
||||
"responsible": "Datenschutzbeauftragter",
|
||||
"deadline": { "type": "on_event", "event": "Vor jeder Uebermittlung" },
|
||||
"sanctions": { "personal_liability": true, "criminal_liability": true },
|
||||
"evidence": [{ "name": "Geeignete Garantien dokumentiert", "required": true }],
|
||||
"priority": "kritisch",
|
||||
"tom_control_ids": ["TOM.GOV.03"],
|
||||
"breakpilot_feature": null,
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-026",
|
||||
"title": "Strafvorschriften — unbefugte Datenverarbeitung",
|
||||
"description": "Wer wissentlich nicht allgemein zugaengliche personenbezogene Daten unbefugt verarbeitet, wird mit Freiheitsstrafe bis zu drei Jahren oder Geldstrafe bestraft (§ 42 BDSG).",
|
||||
"applies_when": "always",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.processes_personal_data", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 42", "title": "Strafvorschriften" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 42 BDSG" }],
|
||||
"category": "Compliance",
|
||||
"responsible": "Geschaeftsfuehrung",
|
||||
"deadline": { "type": "recurring", "interval": "laufend" },
|
||||
"sanctions": { "max_fine": "Freiheitsstrafe bis 3 Jahre oder Geldstrafe", "personal_liability": true, "criminal_liability": true },
|
||||
"evidence": [{ "name": "Datenschutzschulungsnachweis", "required": true }, "Zugriffsberechtigungskonzept"],
|
||||
"priority": "kritisch",
|
||||
"tom_control_ids": ["TOM.AC.01", "TOM.GOV.01"],
|
||||
"breakpilot_feature": "/sdk/training",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-027",
|
||||
"title": "Bussgeld bei Verstoessen gegen Auskunftspflicht",
|
||||
"description": "Ordnungswidrig handelt, wer einer vollziehbaren Anordnung der Aufsichtsbehoerde nach § 43 Abs. 1 BDSG zuwiderhandelt. Bussgelder bis 50.000 EUR.",
|
||||
"applies_when": "always",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.processes_personal_data", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 43 Abs. 1", "title": "Bussgeldvorschriften" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 43 BDSG" }],
|
||||
"category": "Compliance",
|
||||
"responsible": "Geschaeftsfuehrung",
|
||||
"deadline": { "type": "on_event", "event": "Bei Anordnung der Aufsichtsbehoerde" },
|
||||
"sanctions": { "max_fine": "50.000 EUR" },
|
||||
"evidence": [{ "name": "Korrespondenz Aufsichtsbehoerde", "required": false }],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.GOV.01"],
|
||||
"breakpilot_feature": null,
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-028",
|
||||
"title": "Akkreditierung Zertifizierungsstellen",
|
||||
"description": "Zertifizierungsstellen nach Art. 43 DSGVO beduerfern der Akkreditierung durch die zustaendige Aufsichtsbehoerde oder die DAkkS (§ 39 BDSG).",
|
||||
"applies_when": "organization is or uses a certification body",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.certification_body", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 39", "title": "Akkreditierung" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 39 BDSG" }],
|
||||
"category": "Audit",
|
||||
"responsible": "Geschaeftsfuehrung",
|
||||
"deadline": { "type": "recurring", "interval": "5 Jahre" },
|
||||
"sanctions": { "max_fine": "10 Mio. EUR oder 2% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Akkreditierungsurkunde", "required": true }],
|
||||
"priority": "niedrig",
|
||||
"tom_control_ids": ["TOM.GOV.01"],
|
||||
"breakpilot_feature": "/sdk/audit",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-029",
|
||||
"title": "Geheimhaltungspflicht und Datengeheimnis",
|
||||
"description": "Personen, die bei der Datenverarbeitung taetig sind, duerfen personenbezogene Daten nicht unbefugt verarbeiten. Sie sind auf das Datengeheimnis zu verpflichten (§ 53 BDSG analog).",
|
||||
"applies_when": "always",
|
||||
"applies_when_condition": { "all_of": [{ "field": "organization.has_employees", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 53", "title": "Datengeheimnis" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 53 BDSG" }],
|
||||
"category": "Schulung",
|
||||
"responsible": "Personalleitung",
|
||||
"deadline": { "type": "on_event", "event": "Bei Arbeitsaufnahme" },
|
||||
"sanctions": { "personal_liability": true, "criminal_liability": true },
|
||||
"evidence": [{ "name": "Verpflichtungserklaerung Datengeheimnis", "required": true }],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.HR.02", "TOM.GOV.05"],
|
||||
"breakpilot_feature": "/sdk/training",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-OBL-030",
|
||||
"title": "Verarbeitung im Auftrag — Vertragspflicht",
|
||||
"description": "Die Auftragsverarbeitung ist durch einen Vertrag nach Art. 28 DSGVO i.V.m. § 29 BDSG zu regeln. Der Auftraggeber muss die TOM des Auftragsverarbeiters ueberpruefen.",
|
||||
"applies_when": "organization uses data processors",
|
||||
"applies_when_condition": { "all_of": [{ "field": "data_protection.uses_processors", "operator": "EQUALS", "value": true }] },
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 29", "title": "Auftragsverarbeitung" }, { "norm": "DSGVO", "article": "Art. 28", "title": "Auftragsverarbeiter" }],
|
||||
"sources": [{ "type": "national_law", "ref": "§ 29 BDSG" }, { "type": "article", "ref": "Art. 28 DSGVO" }],
|
||||
"category": "Governance",
|
||||
"responsible": "Datenschutzbeauftragter",
|
||||
"deadline": { "type": "on_event", "event": "Vor Beginn der Auftragsverarbeitung" },
|
||||
"sanctions": { "max_fine": "10 Mio. EUR oder 2% Jahresumsatz" },
|
||||
"evidence": [{ "name": "Auftragsverarbeitungsvertrag (AVV)", "required": true }, { "name": "TOM-Pruefbericht Auftragsverarbeiter", "required": true }],
|
||||
"priority": "hoch",
|
||||
"tom_control_ids": ["TOM.GOV.03", "TOM.VEN.01"],
|
||||
"breakpilot_feature": "/sdk/vendor-compliance",
|
||||
"valid_from": "2018-05-25",
|
||||
"valid_until": null,
|
||||
"version": "1.0"
|
||||
}
|
||||
],
|
||||
"controls": [
|
||||
{
|
||||
"id": "BDSG-CTRL-001",
|
||||
"name": "Videoueberwachungs-Compliance",
|
||||
"description": "Kontrolle zur Sicherstellung der Einhaltung der Anforderungen an Videoueberwachung nach § 4 BDSG.",
|
||||
"category": "Technisch",
|
||||
"what_to_do": "Videoueberwachungskonzept erstellen, Beschilderung pruefen, Loeschfristen einhalten, DSFA durchfuehren.",
|
||||
"iso27001_mapping": ["A.7.4"],
|
||||
"priority": "hoch"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-CTRL-002",
|
||||
"name": "Beschaeftigtendatenschutz-Kontrolle",
|
||||
"description": "Kontrolle zur Pruefung der Einhaltung des § 26 BDSG bei der Verarbeitung von Beschaeftigtendaten.",
|
||||
"category": "Organisatorisch",
|
||||
"what_to_do": "Beschaeftigtendatenschutzrichtlinie erstellen, Einwilligungen pruefen, Betriebsvereinbarungen aktualisieren.",
|
||||
"iso27001_mapping": ["A.6.1", "A.6.2"],
|
||||
"priority": "hoch"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-CTRL-003",
|
||||
"name": "DSB-Governance-Kontrolle",
|
||||
"description": "Kontrolle zur Sicherstellung der ordnungsgemaessen Benennung und Unterstuetzung des Datenschutzbeauftragten.",
|
||||
"category": "Governance",
|
||||
"what_to_do": "DSB-Benennung pruefen, Ressourcen sicherstellen, Unabhaengigkeit gewaehrleisten, Schulung nachweisen.",
|
||||
"iso27001_mapping": ["A.5.1"],
|
||||
"priority": "kritisch"
|
||||
},
|
||||
{
|
||||
"id": "BDSG-CTRL-004",
|
||||
"name": "Bussgeld-Praevention und Compliance-Monitoring",
|
||||
"description": "Kontrolle zur Vermeidung von Bussgeldern und strafrechtlichen Konsequenzen durch proaktives Compliance-Monitoring.",
|
||||
"category": "Compliance",
|
||||
"what_to_do": "Regelmaessige Compliance-Audits durchfuehren, Schulungen sicherstellen, Aufsichtsbehoerden-Anfragen zeitnah bearbeiten.",
|
||||
"iso27001_mapping": ["A.5.36"],
|
||||
"priority": "kritisch"
|
||||
}
|
||||
],
|
||||
"incident_deadlines": [
|
||||
{
|
||||
"phase": "Erstmeldung an Aufsichtsbehoerde",
|
||||
"deadline": "72 Stunden (gemaess DSGVO Art. 33, konkretisiert durch BDSG)",
|
||||
"content": "Art der Verletzung, betroffene Datenkategorien und Personen, wahrscheinliche Folgen, ergriffene Massnahmen",
|
||||
"recipient": "Zustaendige Landesdatenschutzbehoerde",
|
||||
"legal_basis": [{ "norm": "DSGVO", "article": "Art. 33" }, { "norm": "BDSG", "article": "§ 40" }]
|
||||
},
|
||||
{
|
||||
"phase": "Benachrichtigung Betroffener",
|
||||
"deadline": "Unverzueglich bei hohem Risiko",
|
||||
"content": "Art der Verletzung, Kontaktdaten DSB, wahrscheinliche Folgen, ergriffene Massnahmen",
|
||||
"recipient": "Betroffene Personen",
|
||||
"legal_basis": [{ "norm": "DSGVO", "article": "Art. 34" }]
|
||||
},
|
||||
{
|
||||
"phase": "Meldung Strafverfolgungsbehoerden",
|
||||
"deadline": "Unverzueglich bei Verdacht auf Straftat nach § 42 BDSG",
|
||||
"content": "Sachverhaltsbeschreibung, beteiligte Personen, betroffene Daten",
|
||||
"recipient": "Staatsanwaltschaft",
|
||||
"legal_basis": [{ "norm": "BDSG", "article": "§ 42" }]
|
||||
}
|
||||
]
|
||||
}
|
||||
Reference in New Issue
Block a user