refactor(admin): split lib document generators and data catalogs into domain barrels

obligations-document, tom-document, loeschfristen-document, compliance-scope-triggers, sdk-flow/flow-data, processing-activities, loeschfristen-baseline-catalog, catalog-registry, dsfa mitigation-library + risk-catalog, vvt-baseline-catalog, vendor contract-review checklists + findings, demo-data, tom-compliance. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-18 00:07:03 +02:00
parent b00fe6cb73
commit 91063f09b8
65 changed files with 9514 additions and 9544 deletions
--- a/admin-compliance/lib/sdk/compliance-scope-triggers/triggers-a-e.ts
+++ b/admin-compliance/lib/sdk/compliance-scope-triggers/triggers-a-e.ts
@@ -0,0 +1,359 @@
+/**
+ * Hard Trigger Rules A–E
+ * Groups: Art.9 (A), Vulnerable (B), ADM/KI (C), Ueberwachung (D), Drittland (E)
+ */
+import type { HardTriggerRule } from '../compliance-scope-types'
+
+export const HARD_TRIGGER_RULES_A_E: HardTriggerRule[] = [
+  // ========== A: Art. 9 Besondere Kategorien (9 rules) ==========
+  {
+    id: 'HT-A01',
+    category: 'art9',
+    questionId: 'data_art9',
+    condition: 'CONTAINS',
+    conditionValue: 'gesundheit',
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 9 Abs. 1 DSGVO',
+    description: 'Verarbeitung von Gesundheitsdaten',
+  },
+  {
+    id: 'HT-A02',
+    category: 'art9',
+    questionId: 'data_art9',
+    condition: 'CONTAINS',
+    conditionValue: 'biometrie',
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 9 Abs. 1 DSGVO',
+    description: 'Verarbeitung biometrischer Daten zur eindeutigen Identifizierung',
+  },
+  {
+    id: 'HT-A03',
+    category: 'art9',
+    questionId: 'data_art9',
+    condition: 'CONTAINS',
+    conditionValue: 'genetik',
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 9 Abs. 1 DSGVO',
+    description: 'Verarbeitung genetischer Daten',
+  },
+  {
+    id: 'HT-A04',
+    category: 'art9',
+    questionId: 'data_art9',
+    condition: 'CONTAINS',
+    conditionValue: 'politisch',
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 9 Abs. 1 DSGVO',
+    description: 'Verarbeitung politischer Meinungen',
+  },
+  {
+    id: 'HT-A05',
+    category: 'art9',
+    questionId: 'data_art9',
+    condition: 'CONTAINS',
+    conditionValue: 'religion',
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 9 Abs. 1 DSGVO',
+    description: 'Verarbeitung religiöser oder weltanschaulicher Überzeugungen',
+  },
+  {
+    id: 'HT-A06',
+    category: 'art9',
+    questionId: 'data_art9',
+    condition: 'CONTAINS',
+    conditionValue: 'gewerkschaft',
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 9 Abs. 1 DSGVO',
+    description: 'Verarbeitung von Gewerkschaftszugehörigkeit',
+  },
+  {
+    id: 'HT-A07',
+    category: 'art9',
+    questionId: 'data_art9',
+    condition: 'CONTAINS',
+    conditionValue: 'sexualleben',
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 9 Abs. 1 DSGVO',
+    description: 'Verarbeitung von Daten zum Sexualleben oder zur sexuellen Orientierung',
+  },
+  {
+    id: 'HT-A08',
+    category: 'art9',
+    questionId: 'data_art9',
+    condition: 'CONTAINS',
+    conditionValue: 'strafrechtlich',
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 10 DSGVO',
+    description: 'Verarbeitung strafrechtlicher Verurteilungen',
+  },
+  {
+    id: 'HT-A09',
+    category: 'art9',
+    questionId: 'data_art9',
+    condition: 'CONTAINS',
+    conditionValue: 'ethnisch',
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 9 Abs. 1 DSGVO',
+    description: 'Verarbeitung der rassischen oder ethnischen Herkunft',
+  },
+
+  // ========== B: Vulnerable Gruppen (3 rules) ==========
+  {
+    id: 'HT-B01',
+    category: 'vulnerable',
+    questionId: 'data_minors',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'DSE'],
+    legalReference: 'Art. 8 DSGVO',
+    description: 'Verarbeitung von Daten Minderjähriger',
+  },
+  {
+    id: 'HT-B02',
+    category: 'vulnerable',
+    questionId: 'data_minors',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L4',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'DSE'],
+    legalReference: 'Art. 8 + Art. 9 DSGVO',
+    description: 'Verarbeitung besonderer Kategorien von Daten Minderjähriger',
+    combineWithArt9: true,
+  },
+  {
+    id: 'HT-B03',
+    category: 'vulnerable',
+    questionId: 'data_minors',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L4',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'AI_ACT_DOKU'],
+    legalReference: 'Art. 8 DSGVO + AI Act',
+    description: 'KI-gestützte Verarbeitung von Daten Minderjähriger',
+    combineWithAI: true,
+  },
+
+  // ========== C: ADM/KI (6 rules) ==========
+  {
+    id: 'HT-C01',
+    category: 'adm',
+    questionId: 'proc_adm_scoring',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 22 DSGVO',
+    description: 'Automatisierte Einzelentscheidung mit Rechtswirkung oder erheblicher Beeinträchtigung',
+  },
+  {
+    id: 'HT-C02',
+    category: 'adm',
+    questionId: 'proc_ai_usage',
+    condition: 'CONTAINS',
+    conditionValue: 'autonom',
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'AI_ACT_DOKU'],
+    legalReference: 'Art. 22 DSGVO + AI Act',
+    description: 'Autonome KI-Systeme mit Entscheidungsbefugnis',
+  },
+  {
+    id: 'HT-C03',
+    category: 'adm',
+    questionId: 'proc_ai_usage',
+    condition: 'CONTAINS',
+    conditionValue: 'scoring',
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM'],
+    legalReference: 'Art. 22 DSGVO',
+    description: 'KI-gestütztes Scoring',
+  },
+  {
+    id: 'HT-C04',
+    category: 'adm',
+    questionId: 'proc_ai_usage',
+    condition: 'CONTAINS',
+    conditionValue: 'profiling',
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 22 DSGVO',
+    description: 'KI-gestütztes Profiling mit erheblicher Wirkung',
+  },
+  {
+    id: 'HT-C05',
+    category: 'adm',
+    questionId: 'proc_ai_usage',
+    condition: 'CONTAINS',
+    conditionValue: 'generativ',
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM', 'AI_ACT_DOKU'],
+    legalReference: 'AI Act',
+    description: 'Generative KI-Systeme',
+  },
+  {
+    id: 'HT-C06',
+    category: 'adm',
+    questionId: 'proc_ai_usage',
+    condition: 'CONTAINS',
+    conditionValue: 'chatbot',
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'AI_ACT_DOKU'],
+    legalReference: 'AI Act',
+    description: 'Chatbots mit Personendatenverarbeitung',
+  },
+
+  // ========== D: Überwachung (5 rules) ==========
+  {
+    id: 'HT-D01',
+    category: 'surveillance',
+    questionId: 'proc_video_surveillance',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSE'],
+    legalReference: 'Art. 6 DSGVO',
+    description: 'Videoüberwachung',
+  },
+  {
+    id: 'HT-D02',
+    category: 'surveillance',
+    questionId: 'proc_employee_monitoring',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 88 DSGVO + BetrVG',
+    description: 'Mitarbeiterüberwachung',
+  },
+  {
+    id: 'HT-D03',
+    category: 'surveillance',
+    questionId: 'proc_tracking',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM', 'COOKIE_BANNER', 'EINWILLIGUNGEN'],
+    legalReference: 'Art. 6 DSGVO + ePrivacy',
+    description: 'Online-Tracking',
+  },
+  {
+    id: 'HT-D04',
+    category: 'surveillance',
+    questionId: 'proc_video_surveillance',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 35 Abs. 3 DSGVO',
+    description: 'Videoüberwachung kombiniert mit Mitarbeitermonitoring',
+    combineWithEmployeeMonitoring: true,
+  },
+  {
+    id: 'HT-D05',
+    category: 'surveillance',
+    questionId: 'proc_video_surveillance',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 35 Abs. 3 DSGVO',
+    description: 'Videoüberwachung kombiniert mit automatisierter Bewertung',
+    combineWithADM: true,
+  },
+
+  // ========== E: Drittland (5 rules) ==========
+  {
+    id: 'HT-E01',
+    category: 'third_country',
+    questionId: 'tech_third_country',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TRANSFER_DOKU'],
+    legalReference: 'Art. 44 ff. DSGVO',
+    description: 'Datenübermittlung in Drittland',
+  },
+  {
+    id: 'HT-E02',
+    category: 'third_country',
+    questionId: 'tech_hosting_location',
+    condition: 'EQUALS',
+    conditionValue: 'drittland',
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM', 'TRANSFER_DOKU'],
+    legalReference: 'Art. 44 ff. DSGVO',
+    description: 'Hosting in Drittland',
+  },
+  {
+    id: 'HT-E03',
+    category: 'third_country',
+    questionId: 'tech_hosting_location',
+    condition: 'EQUALS',
+    conditionValue: 'us_adequacy',
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TRANSFER_DOKU'],
+    legalReference: 'Art. 45 DSGVO',
+    description: 'Hosting in USA mit Angemessenheitsbeschluss',
+  },
+  {
+    id: 'HT-E04',
+    category: 'third_country',
+    questionId: 'tech_third_country',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L3',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM', 'TRANSFER_DOKU', 'DSFA'],
+    legalReference: 'Art. 44 ff. + Art. 9 DSGVO',
+    description: 'Drittlandtransfer besonderer Kategorien',
+    combineWithArt9: true,
+  },
+  {
+    id: 'HT-E05',
+    category: 'third_country',
+    questionId: 'tech_third_country',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L3',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM', 'TRANSFER_DOKU', 'DSFA'],
+    legalReference: 'Art. 44 ff. + Art. 8 DSGVO',
+    description: 'Drittlandtransfer von Daten Minderjähriger',
+    combineWithMinors: true,
+  },
+]