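/**
 * Hard trigger rules, groups A–E.
 *
 * Groups: Art. 9 special categories (A), vulnerable groups (B), ADM/AI (C),
 * surveillance (D), third-country transfers (E).
 *
 * Each entry names the questionnaire answer it inspects (`questionId`,
 * `condition`, `conditionValue`) together with a minimum level, a DSFA (data
 * protection impact assessment) flag, a list of mandatory documents and a
 * legal reference. How the rules are evaluated is not defined in this file.
 *
 * NOTE(review): several rules share an identical questionId / condition /
 * conditionValue triple and differ only by a `combineWith*` flag
 * (HT-B02/HT-B03 vs. HT-B01, HT-D04/HT-D05 vs. HT-D01, HT-E04/HT-E05 vs.
 * HT-E01). Presumably the evaluator treats the flag as an additional required
 * condition; confirm this, because otherwise the stricter rule would apply to
 * every matching answer.
 *
 * NOTE(review): whether 'CONTAINS' means substring match or list membership
 * is decided by the evaluator; the values below are single lowercase tokens.
 */
import type { HardTriggerRule } from '../compliance-scope-types'

export const HARD_TRIGGER_RULES_A_E: HardTriggerRule[] = [
  // ========== A: Art. 9 special categories (9 rules) ==========
  {
    id: 'HT-A01',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'gesundheit',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung von Gesundheitsdaten',
  },
  {
    id: 'HT-A02',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'biometrie',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung biometrischer Daten zur eindeutigen Identifizierung',
  },
  {
    id: 'HT-A03',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'genetik',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung genetischer Daten',
  },
  {
    id: 'HT-A04',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'politisch',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung politischer Meinungen',
  },
  {
    id: 'HT-A05',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'religion',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung religiöser oder weltanschaulicher Überzeugungen',
  },
  {
    id: 'HT-A06',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'gewerkschaft',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung von Gewerkschaftszugehörigkeit',
  },
  {
    id: 'HT-A07',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'sexualleben',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung von Daten zum Sexualleben oder zur sexuellen Orientierung',
  },
  {
    // Cites Art. 10 (criminal convictions) but is keyed on the data_art9
    // question and carries the art9 category like the rest of group A.
    id: 'HT-A08',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'strafrechtlich',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 10 DSGVO',
    description: 'Verarbeitung strafrechtlicher Verurteilungen',
  },
  {
    id: 'HT-A09',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'ethnisch',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung der rassischen oder ethnischen Herkunft',
  },

  // ========== B: Vulnerable groups (3 rules) ==========
  {
    id: 'HT-B01',
    category: 'vulnerable',
    questionId: 'data_minors',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'DSE'],
    legalReference: 'Art. 8 DSGVO',
    description: 'Verarbeitung von Daten Minderjähriger',
  },
  {
    id: 'HT-B02',
    category: 'vulnerable',
    questionId: 'data_minors',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L4',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'DSE'],
    legalReference: 'Art. 8 + Art. 9 DSGVO',
    description: 'Verarbeitung besonderer Kategorien von Daten Minderjähriger',
    combineWithArt9: true,
  },
  {
    id: 'HT-B03',
    category: 'vulnerable',
    questionId: 'data_minors',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L4',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'AI_ACT_DOKU'],
    legalReference: 'Art. 8 DSGVO + AI Act',
    description: 'KI-gestützte Verarbeitung von Daten Minderjähriger',
    combineWithAI: true,
  },

  // ========== C: ADM/AI (6 rules) ==========
  {
    id: 'HT-C01',
    category: 'adm',
    questionId: 'proc_adm_scoring',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 22 DSGVO',
    description: 'Automatisierte Einzelentscheidung mit Rechtswirkung oder erheblicher Beeinträchtigung',
  },
  {
    id: 'HT-C02',
    category: 'adm',
    questionId: 'proc_ai_usage',
    condition: 'CONTAINS',
    conditionValue: 'autonom',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'AI_ACT_DOKU'],
    legalReference: 'Art. 22 DSGVO + AI Act',
    description: 'Autonome KI-Systeme mit Entscheidungsbefugnis',
  },
  {
    id: 'HT-C03',
    category: 'adm',
    questionId: 'proc_ai_usage',
    condition: 'CONTAINS',
    conditionValue: 'scoring',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM'],
    legalReference: 'Art. 22 DSGVO',
    description: 'KI-gestütztes Scoring',
  },
  {
    id: 'HT-C04',
    category: 'adm',
    questionId: 'proc_ai_usage',
    condition: 'CONTAINS',
    conditionValue: 'profiling',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 22 DSGVO',
    description: 'KI-gestütztes Profiling mit erheblicher Wirkung',
  },
  {
    id: 'HT-C05',
    category: 'adm',
    questionId: 'proc_ai_usage',
    condition: 'CONTAINS',
    conditionValue: 'generativ',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'AI_ACT_DOKU'],
    legalReference: 'AI Act',
    description: 'Generative KI-Systeme',
  },
  {
    id: 'HT-C06',
    category: 'adm',
    questionId: 'proc_ai_usage',
    condition: 'CONTAINS',
    conditionValue: 'chatbot',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'AI_ACT_DOKU'],
    legalReference: 'AI Act',
    description: 'Chatbots mit Personendatenverarbeitung',
  },

  // ========== D: Surveillance (5 rules) ==========
  {
    id: 'HT-D01',
    category: 'surveillance',
    questionId: 'proc_video_surveillance',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'DSE'],
    legalReference: 'Art. 6 DSGVO',
    description: 'Videoüberwachung',
  },
  {
    // NOTE(review): 'DSFA' is listed as a mandatory document while
    // requiresDSFA is false and the level is L2. Every other rule in this
    // table that lists 'DSFA' is L3 or higher with requiresDSFA: true.
    // Values are left as found; confirm which of the three fields is intended.
    id: 'HT-D02',
    category: 'surveillance',
    questionId: 'proc_employee_monitoring',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 88 DSGVO + BetrVG',
    description: 'Mitarbeiterüberwachung',
  },
  {
    id: 'HT-D03',
    category: 'surveillance',
    questionId: 'proc_tracking',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'COOKIE_BANNER', 'EINWILLIGUNGEN'],
    legalReference: 'Art. 6 DSGVO + ePrivacy',
    description: 'Online-Tracking',
  },
  {
    id: 'HT-D04',
    category: 'surveillance',
    questionId: 'proc_video_surveillance',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 35 Abs. 3 DSGVO',
    description: 'Videoüberwachung kombiniert mit Mitarbeitermonitoring',
    combineWithEmployeeMonitoring: true,
  },
  {
    id: 'HT-D05',
    category: 'surveillance',
    questionId: 'proc_video_surveillance',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 35 Abs. 3 DSGVO',
    description: 'Videoüberwachung kombiniert mit automatisierter Bewertung',
    combineWithADM: true,
  },

  // ========== E: Third-country transfers (5 rules) ==========
  {
    id: 'HT-E01',
    category: 'third_country',
    questionId: 'tech_third_country',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TRANSFER_DOKU'],
    legalReference: 'Art. 44 ff. DSGVO',
    description: 'Datenübermittlung in Drittland',
  },
  {
    id: 'HT-E02',
    category: 'third_country',
    questionId: 'tech_hosting_location',
    condition: 'EQUALS',
    conditionValue: 'drittland',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'TRANSFER_DOKU'],
    legalReference: 'Art. 44 ff. DSGVO',
    description: 'Hosting in Drittland',
  },
  {
    id: 'HT-E03',
    category: 'third_country',
    questionId: 'tech_hosting_location',
    condition: 'EQUALS',
    conditionValue: 'us_adequacy',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['TRANSFER_DOKU'],
    legalReference: 'Art. 45 DSGVO',
    description: 'Hosting in USA mit Angemessenheitsbeschluss',
  },
  {
    id: 'HT-E04',
    category: 'third_country',
    questionId: 'tech_third_country',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    // Mirrors the 'DSFA' entry in mandatoryDocuments, as in the other L3/L4
    // rules; a false flag next to a mandatory DSFA document would let a
    // consumer that reads only the flag under-report the assessment.
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'TRANSFER_DOKU', 'DSFA'],
    legalReference: 'Art. 44 ff. + Art. 9 DSGVO',
    description: 'Drittlandtransfer besonderer Kategorien',
    combineWithArt9: true,
  },
  {
    id: 'HT-E05',
    category: 'third_country',
    questionId: 'tech_third_country',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    // Mirrors the 'DSFA' entry in mandatoryDocuments (see HT-E04).
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'TRANSFER_DOKU', 'DSFA'],
    legalReference: 'Art. 44 ff. + Art. 8 DSGVO',
    description: 'Drittlandtransfer von Daten Minderjähriger',
    combineWithMinors: true,
  },
]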