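# =============================================================================
# Data point catalog - predefined data points
# =============================================================================
# 28 predefined data points in 8 categories (A-H)
# Compliant with GDPR (DSGVO), AO (German Fiscal Code), HGB (German
# Commercial Code)
# =============================================================================
# Each entry under `data_points` carries the same set of fields:
#   id / code / category            - stable identifiers of the data point
#   name_*, description_*, purpose_* - bilingual (de/en) human-readable text
#   risk_level                       - LOW / MEDIUM / HIGH as used in this file
#   legal_basis (+ *_justification)  - CONTRACT / CONSENT / LEGAL_OBLIGATION /
#                                      LEGITIMATE_INTEREST as used in this file
#   retention_period (+ *_justification)
#   cookie_category                  - null when no cookie is involved,
#                                      otherwise ESSENTIAL / PERFORMANCE /
#                                      PERSONALIZATION as used in this file
#   is_special_category              - Art. 9 GDPR special-category data
#   requires_explicit_consent        - whether an explicit opt-in is required
#   third_party_recipients           - list, `[]` when none
#   technical_measures, tags         - lists of free-text strings
# All German text is written in ASCII transliteration (ae/oe/ue/ss).
# =============================================================================
---
version: "1.0.0"
last_updated: "2025-02-04"

# =============================================================================
# CATEGORY A: AUTHENTICATION & SESSION
# =============================================================================
data_points:
  # ---------------------------------------------------------------------------
  # A1: Email Address
  # ---------------------------------------------------------------------------
  - id: "dp-a1-email"
    code: "A1"
    category: "AUTHENTICATION"
    name_de: "E-Mail-Adresse"
    name_en: "Email Address"
    description_de: "Primaere E-Mail-Adresse des Nutzers fuer Login und Benachrichtigungen"
    description_en: "Primary email address for user login and notifications"
    purpose_de: "Authentifizierung, Kontobenachrichtigungen, Passwort-Wiederherstellung"
    purpose_en: "Authentication, account notifications, password recovery"
    risk_level: "MEDIUM"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Erforderlich zur Vertragserfuellung und Bereitstellung des Benutzerkontos"
    legal_basis_justification_en: "Required for contract performance and user account provision"
    retention_period: "UNTIL_ACCOUNT_DELETION"
    retention_justification_de: "Notwendig solange das Konto aktiv ist; Loeschung bei Kontoschliessung"
    retention_justification_en: "Necessary while account is active; deleted upon account closure"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients:
      - "E-Mail-Dienstleister (Transaktionsmails)"
    technical_measures:
      - "Verschluesselung bei Uebertragung (TLS)"
      - "Pseudonymisierung in Logs"
      - "Zugriffskontrolle"
    tags:
      - "account"
      - "authentication"
      - "contact"

  # ---------------------------------------------------------------------------
  # A2: Password Hash
  # ---------------------------------------------------------------------------
  - id: "dp-a2-password"
    code: "A2"
    category: "AUTHENTICATION"
    name_de: "Passwort-Hash"
    name_en: "Password Hash"
    description_de: "Kryptografisch gehashtes Passwort (bcrypt/Argon2)"
    description_en: "Cryptographically hashed password (bcrypt/Argon2)"
    purpose_de: "Sichere Authentifizierung des Nutzers"
    purpose_en: "Secure user authentication"
    risk_level: "HIGH"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Erforderlich zur sicheren Bereitstellung des Benutzerkontos"
    legal_basis_justification_en: "Required for secure provision of user account"
    retention_period: "UNTIL_ACCOUNT_DELETION"
    retention_justification_de: "Notwendig solange das Konto aktiv ist"
    retention_justification_en: "Necessary while account is active"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "Einweg-Hashing (bcrypt, Argon2id)"
      - "Salting"
      - "Keine Klartext-Speicherung"
      - "Zugriff nur fuer Auth-Service"
    tags:
      - "authentication"
      - "security"
      - "credentials"

  # ---------------------------------------------------------------------------
  # A3: Session Token
  # ---------------------------------------------------------------------------
  - id: "dp-a3-session"
    code: "A3"
    category: "AUTHENTICATION"
    name_de: "Session-Token"
    name_en: "Session Token"
    description_de: "JWT oder Session-ID zur Aufrechterhaltung der Benutzersitzung"
    description_en: "JWT or Session ID for maintaining user session"
    purpose_de: "Aufrechterhaltung der Benutzersitzung ohne erneute Anmeldung"
    purpose_en: "Maintaining user session without re-authentication"
    risk_level: "MEDIUM"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Technisch erforderlich fuer die Nutzung des Dienstes"
    legal_basis_justification_en: "Technically required for service usage"
    retention_period: "24_HOURS"
    retention_justification_de: "Kurze Lebensdauer zur Minimierung des Missbrauchsrisikos"
    retention_justification_en: "Short lifespan to minimize abuse risk"
    cookie_category: "ESSENTIAL"
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "Signierter JWT"
      # Descriptive wording; the cookie attribute that enforces HTTPS-only
      # transport is `Secure`.
      - "HTTPS-Only Cookie"
      - "HttpOnly Flag"
      - "SameSite=Strict"
    tags:
      - "authentication"
      - "session"
      - "cookie"

  # ---------------------------------------------------------------------------
  # A4: Refresh Token
  # ---------------------------------------------------------------------------
  - id: "dp-a4-refresh"
    code: "A4"
    category: "AUTHENTICATION"
    name_de: "Refresh-Token"
    name_en: "Refresh Token"
    description_de: "Langlebiger Token zur Erneuerung des Session-Tokens"
    description_en: "Long-lived token for session token renewal"
    purpose_de: "Erneuerung abgelaufener Session-Tokens ohne erneute Anmeldung"
    purpose_en: "Renewal of expired session tokens without re-authentication"
    risk_level: "MEDIUM"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Technisch erforderlich fuer nahtlose Benutzererfahrung"
    legal_basis_justification_en: "Technically required for seamless user experience"
    retention_period: "30_DAYS"
    retention_justification_de: "Balance zwischen Benutzerfreundlichkeit und Sicherheit"
    retention_justification_en: "Balance between usability and security"
    cookie_category: "ESSENTIAL"
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "Rotation bei Verwendung"
      - "Sichere Speicherung"
      - "Token-Widerrufsliste"
    tags:
      - "authentication"
      - "session"
      - "token"

  # ---------------------------------------------------------------------------
  # A5: OAuth Provider ID
  # ---------------------------------------------------------------------------
  - id: "dp-a5-oauth"
    code: "A5"
    category: "AUTHENTICATION"
    name_de: "OAuth-Provider-ID"
    name_en: "OAuth Provider ID"
    description_de: "Eindeutige ID des externen Authentifizierungsanbieters"
    description_en: "Unique ID from external authentication provider"
    purpose_de: "Verknuepfung mit externem Login-Anbieter (Google, Microsoft, etc.)"
    purpose_en: "Linking with external login provider (Google, Microsoft, etc.)"
    risk_level: "LOW"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Erforderlich wenn Nutzer Social Login waehlt"
    legal_basis_justification_en: "Required when user chooses social login"
    retention_period: "UNTIL_ACCOUNT_DELETION"
    retention_justification_de: "Notwendig solange externe Anmeldung gewuenscht ist"
    retention_justification_en: "Necessary while external login is desired"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients:
      - "OAuth-Provider (nur ID-Austausch)"
    technical_measures:
      - "Minimale Datenuebernahme"
      - "Kein Zugriff auf Provider-Profildaten"
    tags:
      - "authentication"
      - "oauth"
      - "social-login"

  # ===========================================================================
  # CATEGORY B: CONSENT & PREFERENCES
  # ===========================================================================

  # ---------------------------------------------------------------------------
  # B1: Consent Records
  # ---------------------------------------------------------------------------
  - id: "dp-b1-consent"
    code: "B1"
    category: "CONSENT"
    name_de: "Consent-Eintraege"
    name_en: "Consent Records"
    description_de: "Protokollierte Einwilligungen des Nutzers mit Zeitstempel"
    description_en: "Recorded user consents with timestamps"
    purpose_de: "Nachweis der Einwilligung gegenueber Aufsichtsbehoerden"
    purpose_en: "Proof of consent to supervisory authorities"
    risk_level: "LOW"
    legal_basis: "LEGAL_OBLIGATION"
    legal_basis_justification_de: "Nachweispflicht nach Art. 7 Abs. 1 DSGVO"
    legal_basis_justification_en: "Accountability obligation under Art. 7(1) GDPR"
    retention_period: "6_YEARS"
    retention_justification_de: "Aufbewahrung fuer Audit-Zwecke (6 Jahre AO)"
    retention_justification_en: "Retention for audit purposes (6 years)"
    cookie_category: "ESSENTIAL"
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "Unveraenderbare Protokollierung"
      - "Digitale Signatur"
      - "Versionierung"
    tags:
      - "consent"
      - "compliance"
      - "audit"

  # ---------------------------------------------------------------------------
  # B2: Cookie Preferences
  # ---------------------------------------------------------------------------
  - id: "dp-b2-cookie-prefs"
    code: "B2"
    category: "CONSENT"
    name_de: "Cookie-Praeferenzen"
    name_en: "Cookie Preferences"
    description_de: "Vom Nutzer gewaehlte Cookie-Einstellungen"
    description_en: "User-selected cookie settings"
    purpose_de: "Speicherung der Cookie-Consent-Entscheidung"
    purpose_en: "Storage of cookie consent decision"
    risk_level: "LOW"
    legal_basis: "CONSENT"
    legal_basis_justification_de: "Speicherung der Einwilligungsentscheidung selbst"
    legal_basis_justification_en: "Storage of the consent decision itself"
    retention_period: "12_MONTHS"
    retention_justification_de: "Branchenuebliche Auffrischung nach 12 Monaten"
    retention_justification_en: "Industry-standard refresh after 12 months"
    cookie_category: "ESSENTIAL"
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "First-Party Cookie"
      - "Keine Drittanbieter-Weitergabe"
    tags:
      - "consent"
      - "cookie"
      - "preferences"

  # ---------------------------------------------------------------------------
  # B3: Language/Region Preference
  # ---------------------------------------------------------------------------
  - id: "dp-b3-locale"
    code: "B3"
    category: "CONSENT"
    name_de: "Sprach-/Regionspraeferenz"
    name_en: "Language/Region Preference"
    description_de: "Bevorzugte Sprache und Region des Nutzers"
    description_en: "User's preferred language and region"
    purpose_de: "Lokalisierung der Benutzeroberflaeche"
    purpose_en: "User interface localization"
    risk_level: "LOW"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Bestandteil der Servicefunktionalitaet"
    legal_basis_justification_en: "Part of service functionality"
    retention_period: "12_MONTHS"
    retention_justification_de: "Erhalt der Nutzereinstellungen"
    retention_justification_en: "Preservation of user settings"
    cookie_category: "ESSENTIAL"
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "First-Party Cookie"
    tags:
      - "preferences"
      - "localization"
      - "ux"

  # ===========================================================================
  # CATEGORY C: MARKETING & TRACKING
  # ===========================================================================

  # ---------------------------------------------------------------------------
  # C1: Tracking Pixel Data
  # ---------------------------------------------------------------------------
  - id: "dp-c1-tracking"
    code: "C1"
    category: "MARKETING"
    name_de: "Tracking-Pixel-Daten"
    name_en: "Tracking Pixel Data"
    description_de: "Conversion-Tracking ueber Marketing-Pixel"
    description_en: "Conversion tracking via marketing pixels"
    purpose_de: "Messung der Werbewirksamkeit"
    purpose_en: "Measuring advertising effectiveness"
    risk_level: "HIGH"
    legal_basis: "CONSENT"
    legal_basis_justification_de: "Erfordert aktive Einwilligung (Cookie-Banner)"
    legal_basis_justification_en: "Requires active consent (cookie banner)"
    retention_period: "90_DAYS"
    retention_justification_de: "Typische Conversion-Fenster"
    retention_justification_en: "Typical conversion window"
    cookie_category: "PERSONALIZATION"
    is_special_category: false
    requires_explicit_consent: true
    third_party_recipients:
      - "Google Ads"
      - "Meta (Facebook/Instagram)"
      - "LinkedIn Ads"
    technical_measures:
      - "Nur bei Consent aktiviert"
      # NOTE(review): an ID that is shared with ad networks for conversion
      # matching is usually pseudonymous rather than anonymous - confirm the
      # wording against the actual implementation.
      - "Anonymisierte User-IDs"
    tags:
      - "marketing"
      - "tracking"
      - "conversion"

  # ---------------------------------------------------------------------------
  # C2: Advertising ID
  # ---------------------------------------------------------------------------
  - id: "dp-c2-advertising-id"
    code: "C2"
    category: "MARKETING"
    name_de: "Werbe-ID"
    name_en: "Advertising ID"
    description_de: "Geraeteuebergreifende Werbe-Identifikation"
    description_en: "Cross-device advertising identification"
    purpose_de: "Personalisierte Werbung und Remarketing"
    purpose_en: "Personalized advertising and remarketing"
    risk_level: "HIGH"
    legal_basis: "CONSENT"
    legal_basis_justification_de: "Erfordert aktive Einwilligung wegen Profilbildung"
    legal_basis_justification_en: "Requires active consent due to profiling"
    retention_period: "90_DAYS"
    retention_justification_de: "Begrenzt auf Kampagnen-Zeitraum"
    retention_justification_en: "Limited to campaign period"
    cookie_category: "PERSONALIZATION"
    is_special_category: false
    requires_explicit_consent: true
    third_party_recipients:
      - "Werbenetzwerke"
      - "Demand-Side-Platforms (DSP)"
    technical_measures:
      - "Opt-out Mechanismus"
      - "Nur bei Consent gesetzt"
    tags:
      - "marketing"
      - "advertising"
      - "remarketing"

  # ---------------------------------------------------------------------------
  # C3: UTM Parameters
  # ---------------------------------------------------------------------------
  - id: "dp-c3-utm"
    code: "C3"
    category: "MARKETING"
    name_de: "UTM-Parameter"
    name_en: "UTM Parameters"
    description_de: "Kampagnen-Tracking-Parameter aus URLs"
    description_en: "Campaign tracking parameters from URLs"
    purpose_de: "Attribution von Marketing-Kampagnen"
    purpose_en: "Marketing campaign attribution"
    risk_level: "LOW"
    legal_basis: "LEGITIMATE_INTEREST"
    legal_basis_justification_de: "Berechtigtes Interesse an Kampagnenmessung"
    legal_basis_justification_en: "Legitimate interest in campaign measurement"
    retention_period: "30_DAYS"
    retention_justification_de: "Kurze Speicherung fuer Session-Attribution"
    retention_justification_en: "Short storage for session attribution"
    # NOTE(review): this is the only entry in the file with a non-ESSENTIAL
    # cookie_category and requires_explicit_consent: false (C1/C2 use
    # PERSONALIZATION with true) - confirm this combination is intended.
    cookie_category: "PERFORMANCE"
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients:
      - "Analytics-Dienste (aggregiert)"
    technical_measures:
      - "Aggregierte Auswertung"
      - "Keine Personenbeziehbarkeit"
    tags:
      - "marketing"
      - "analytics"
      - "attribution"

  # ---------------------------------------------------------------------------
  # C4: Newsletter Subscription
  # ---------------------------------------------------------------------------
  - id: "dp-c4-newsletter"
    code: "C4"
    category: "MARKETING"
    name_de: "Newsletter-Abonnement"
    name_en: "Newsletter Subscription"
    description_de: "E-Mail-Adresse und Praeferenzen fuer Newsletter"
    description_en: "Email address and preferences for newsletter"
    purpose_de: "Versand von Marketing-E-Mails und Produktneuheiten"
    purpose_en: "Sending marketing emails and product news"
    risk_level: "LOW"
    legal_basis: "CONSENT"
    legal_basis_justification_de: "Double-Opt-In Einwilligung erforderlich"
    legal_basis_justification_en: "Double opt-in consent required"
    retention_period: "UNTIL_REVOCATION"
    retention_justification_de: "Bis zum Widerruf der Einwilligung"
    retention_justification_en: "Until consent is revoked"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: true
    third_party_recipients:
      - "E-Mail-Marketing-Plattform"
    technical_measures:
      - "Double-Opt-In"
      - "Abmelde-Link in jeder E-Mail"
      - "Protokollierung der Einwilligung"
    tags:
      - "marketing"
      - "email"
      - "newsletter"

  # ===========================================================================
  # CATEGORY D: COMMUNICATION & SUPPORT
  # ===========================================================================

  # ---------------------------------------------------------------------------
  # D1: Support Ticket Content
  # ---------------------------------------------------------------------------
  - id: "dp-d1-support-ticket"
    code: "D1"
    category: "COMMUNICATION"
    name_de: "Support-Ticket-Inhalt"
    name_en: "Support Ticket Content"
    description_de: "Inhalt von Kundenanfragen und Support-Tickets"
    description_en: "Content of customer inquiries and support tickets"
    purpose_de: "Bearbeitung und Nachverfolgung von Kundenanfragen"
    purpose_en: "Processing and tracking customer inquiries"
    risk_level: "MEDIUM"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Erforderlich zur Erfuellung von Supportleistungen"
    legal_basis_justification_en: "Required for fulfilling support services"
    retention_period: "24_MONTHS"
    retention_justification_de: "Nachvollziehbarkeit und Wissensbasis"
    retention_justification_en: "Traceability and knowledge base"
    cookie_category: null
    # NOTE(review): free-text content can contain special-category data typed
    # in by the user even though the field is classified false here - confirm
    # how such content is handled.
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients:
      - "Helpdesk-Software-Anbieter"
    technical_measures:
      - "Verschluesselte Speicherung"
      - "Zugriffsbeschraenkung auf Support-Team"
    tags:
      - "support"
      - "communication"
      - "customer-service"

  # ---------------------------------------------------------------------------
  # D2: Chat Histories
  # ---------------------------------------------------------------------------
  - id: "dp-d2-chat"
    code: "D2"
    category: "COMMUNICATION"
    name_de: "Chat-Verlaeufe"
    name_en: "Chat Histories"
    description_de: "Verlaeufe von Live-Chat und Chatbot-Interaktionen"
    description_en: "Histories of live chat and chatbot interactions"
    purpose_de: "Kundenservice und Qualitaetssicherung"
    purpose_en: "Customer service and quality assurance"
    risk_level: "MEDIUM"
    legal_basis: "LEGITIMATE_INTEREST"
    legal_basis_justification_de: "Berechtigtes Interesse an Servicequalitaet"
    legal_basis_justification_en: "Legitimate interest in service quality"
    retention_period: "12_MONTHS"
    retention_justification_de: "Qualitaetssicherung und Training"
    retention_justification_en: "Quality assurance and training"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients:
      - "Chat-Software-Anbieter"
    technical_measures:
      - "Pseudonymisierung fuer Training"
      - "Zugriffskontrolle"
    tags:
      - "support"
      - "chat"
      - "communication"

  # ---------------------------------------------------------------------------
  # D3: Call Recordings
  # ---------------------------------------------------------------------------
  - id: "dp-d3-call-recording"
    code: "D3"
    category: "COMMUNICATION"
    name_de: "Anrufaufzeichnungen"
    name_en: "Call Recordings"
    description_de: "Aufzeichnungen von Telefongespraechen mit Kunden"
    description_en: "Recordings of phone calls with customers"
    purpose_de: "Qualitaetssicherung und Schulung"
    purpose_en: "Quality assurance and training"
    risk_level: "HIGH"
    legal_basis: "CONSENT"
    legal_basis_justification_de: "Ausdrueckliche Einwilligung vor Aufzeichnung erforderlich"
    legal_basis_justification_en: "Explicit consent required before recording"
    retention_period: "90_DAYS"
    retention_justification_de: "Begrenzter Zeitraum fuer Qualitaetspruefung"
    retention_justification_en: "Limited period for quality review"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: true
    third_party_recipients:
      - "Telefonie-Anbieter"
    technical_measures:
      - "Verschluesselte Speicherung"
      - "Zugriff nur fuer QA-Team"
      - "Automatische Loeschung"
    tags:
      - "support"
      - "phone"
      - "recording"

  # ===========================================================================
  # CATEGORY E: TRANSACTION & PAYMENT
  # ===========================================================================

  # ---------------------------------------------------------------------------
  # E1: Billing Address
  # ---------------------------------------------------------------------------
  - id: "dp-e1-billing-address"
    code: "E1"
    category: "TRANSACTION"
    name_de: "Rechnungsadresse"
    name_en: "Billing Address"
    description_de: "Vollstaendige Rechnungsanschrift des Kunden"
    description_en: "Complete billing address of the customer"
    purpose_de: "Rechnungsstellung und steuerliche Dokumentation"
    purpose_en: "Invoicing and tax documentation"
    risk_level: "MEDIUM"
    legal_basis: "LEGAL_OBLIGATION"
    legal_basis_justification_de: "Aufbewahrungspflicht nach 147 AO, 257 HGB"
    legal_basis_justification_en: "Retention obligation under tax law"
    retention_period: "10_YEARS"
    retention_justification_de: "Steuerliche Aufbewahrungsfrist"
    retention_justification_en: "Tax retention period"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients:
      - "Steuerberater"
      - "Buchhaltungssoftware"
    technical_measures:
      - "Verschluesselung"
      - "Zugriffskontrolle"
      - "Revisionssichere Archivierung"
    tags:
      - "payment"
      - "billing"
      - "tax"

  # ---------------------------------------------------------------------------
  # E2: Payment Method (Token)
  # ---------------------------------------------------------------------------
  - id: "dp-e2-payment-token"
    code: "E2"
    category: "TRANSACTION"
    name_de: "Zahlungsmethode (Token)"
    name_en: "Payment Method (Token)"
    description_de: "Tokenisierte Zahlungsinformationen (keine Klardaten)"
    description_en: "Tokenized payment information (no clear data)"
    purpose_de: "Wiederkehrende Zahlungen und Abonnements"
    purpose_en: "Recurring payments and subscriptions"
    risk_level: "HIGH"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Erforderlich fuer Zahlungsabwicklung"
    legal_basis_justification_en: "Required for payment processing"
    retention_period: "36_MONTHS"
    retention_justification_de: "Dauer der Kundenbeziehung plus Rueckbuchungsfrist"
    retention_justification_en: "Duration of customer relationship plus chargeback period"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients:
      - "Payment Service Provider (Stripe, PayPal)"
    technical_measures:
      - "PCI-DSS Konformitaet"
      - "Tokenisierung"
      - "Keine Speicherung von Kartennummern"
    tags:
      - "payment"
      - "token"
      - "pci-dss"

  # ---------------------------------------------------------------------------
  # E3: Transaction History
  # ---------------------------------------------------------------------------
  - id: "dp-e3-transactions"
    code: "E3"
    category: "TRANSACTION"
    name_de: "Transaktionshistorie"
    name_en: "Transaction History"
    description_de: "Historie aller Kaeufe und Transaktionen"
    description_en: "History of all purchases and transactions"
    purpose_de: "Nachweis von Vertragserfuellung und Buchfuehrung"
    purpose_en: "Proof of contract fulfillment and accounting"
    risk_level: "MEDIUM"
    legal_basis: "LEGAL_OBLIGATION"
    legal_basis_justification_de: "Aufbewahrungspflicht nach 147 AO"
    legal_basis_justification_en: "Retention obligation under tax law"
    retention_period: "10_YEARS"
    retention_justification_de: "Steuerliche Aufbewahrungsfrist"
    retention_justification_en: "Tax retention period"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients:
      - "Steuerberater"
      - "Wirtschaftspruefer"
    technical_measures:
      - "Revisionssichere Archivierung"
      - "Verschluesselung"
    tags:
      - "payment"
      - "transactions"
      - "accounting"

  # ===========================================================================
  # CATEGORY F: CUSTOMER SEGMENTS
  # ===========================================================================

  # ---------------------------------------------------------------------------
  # F1: Company Assignment
  # ---------------------------------------------------------------------------
  - id: "dp-f1-company"
    code: "F1"
    category: "SEGMENTATION"
    name_de: "Unternehmenszuordnung"
    name_en: "Company Assignment"
    description_de: "Zuordnung zu einem Unternehmenskonto (B2B)"
    description_en: "Assignment to a company account (B2B)"
    purpose_de: "B2B-Kundenmanagement und Rechnungsstellung"
    purpose_en: "B2B customer management and invoicing"
    risk_level: "LOW"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Erforderlich fuer B2B-Vertragsbeziehung"
    legal_basis_justification_en: "Required for B2B contract relationship"
    retention_period: "UNTIL_PURPOSE_FULFILLED"
    retention_justification_de: "Dauer der Geschaeftsbeziehung"
    retention_justification_en: "Duration of business relationship"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "Mandantentrennung"
      - "Zugriffskontrolle"
    tags:
      - "b2b"
      - "organization"
      - "segmentation"

  # ---------------------------------------------------------------------------
  # F2: Role/Position
  # ---------------------------------------------------------------------------
  - id: "dp-f2-role"
    code: "F2"
    category: "SEGMENTATION"
    name_de: "Rolle/Position"
    name_en: "Role/Position"
    description_de: "Funktion und Berechtigungsstufe des Nutzers"
    description_en: "Function and permission level of the user"
    purpose_de: "Berechtigungssteuerung und Funktionszugriff"
    purpose_en: "Permission control and feature access"
    risk_level: "LOW"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Erforderlich fuer Berechtigungsmanagement"
    legal_basis_justification_en: "Required for permission management"
    retention_period: "UNTIL_PURPOSE_FULFILLED"
    retention_justification_de: "Dauer der Rollenzuweisung"
    retention_justification_en: "Duration of role assignment"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "RBAC-System"
      - "Audit-Logging"
    tags:
      - "authorization"
      - "roles"
      - "permissions"

  # ---------------------------------------------------------------------------
  # F3: Customer Category
  # ---------------------------------------------------------------------------
  - id: "dp-f3-customer-category"
    code: "F3"
    category: "SEGMENTATION"
    name_de: "Kundenkategorie"
    name_en: "Customer Category"
    description_de: "Kundensegment fuer Preisgestaltung (z.B. Startup, Enterprise)"
    description_en: "Customer segment for pricing (e.g., Startup, Enterprise)"
    purpose_de: "Preisdifferenzierung und Angebotserstellung"
    purpose_en: "Price differentiation and offer creation"
    risk_level: "LOW"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Bestandteil der Vertragskonditionen"
    legal_basis_justification_en: "Part of contract conditions"
    retention_period: "UNTIL_PURPOSE_FULFILLED"
    retention_justification_de: "Dauer des Vertragsverhaeltnisses"
    retention_justification_en: "Duration of contractual relationship"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "Zugriffskontrolle"
    tags:
      - "pricing"
      - "segmentation"
      - "b2b"

  # ===========================================================================
  # CATEGORY G: AI & FEEDBACK
  # ===========================================================================

  # ---------------------------------------------------------------------------
  # G1: AI Prompt Data
  # ---------------------------------------------------------------------------
  - id: "dp-g1-ai-prompts"
    code: "G1"
    category: "AI_FEEDBACK"
    name_de: "KI-Prompt-Daten"
    name_en: "AI Prompt Data"
    description_de: "Nutzereingaben an KI-Assistenten und generierte Antworten"
    description_en: "User inputs to AI assistants and generated responses"
    purpose_de: "Bereitstellung von KI-gestuetzten Funktionen"
    purpose_en: "Provision of AI-powered features"
    risk_level: "HIGH"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Erforderlich fuer KI-Funktionalitaet des Dienstes"
    legal_basis_justification_en: "Required for AI functionality of the service"
    retention_period: "90_DAYS"
    retention_justification_de: "Kurze Aufbewahrung fuer Kontexterhaltung"
    retention_justification_en: "Short retention for context preservation"
    cookie_category: null
    # NOTE(review): prompts are free text and may carry special-category data
    # entered by the user although the field is classified false - confirm.
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients:
      - "KI-API-Anbieter (Anthropic, OpenAI)"
    technical_measures:
      - "Keine Verwendung fuer Training"
      - "Pseudonymisierung"
      - "Verschluesselte Uebertragung"
    tags:
      - "ai"
      - "llm"
      - "prompts"

  # ---------------------------------------------------------------------------
  # G2: Feedback Ratings
  # ---------------------------------------------------------------------------
  - id: "dp-g2-feedback"
    code: "G2"
    category: "AI_FEEDBACK"
    name_de: "Feedback-Bewertungen"
    name_en: "Feedback Ratings"
    description_de: "Nutzerbewertungen und Feedback zu Funktionen"
    description_en: "User ratings and feedback on features"
    purpose_de: "Qualitaetsmessung und Produktverbesserung"
    purpose_en: "Quality measurement and product improvement"
    risk_level: "LOW"
    legal_basis: "LEGITIMATE_INTEREST"
    legal_basis_justification_de: "Berechtigtes Interesse an Produktqualitaet"
    legal_basis_justification_en: "Legitimate interest in product quality"
    retention_period: "24_MONTHS"
    retention_justification_de: "Langzeitanalyse von Qualitaetstrends"
    retention_justification_en: "Long-term analysis of quality trends"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "Aggregierte Auswertung"
      - "Optional: Anonymisierung"
    tags:
      - "feedback"
      - "quality"
      - "analytics"

  # ---------------------------------------------------------------------------
  # G3: RAG Embedding Context
  # ---------------------------------------------------------------------------
  - id: "dp-g3-rag"
    code: "G3"
    category: "AI_FEEDBACK"
    name_de: "RAG-Embedding-Kontext"
    name_en: "RAG Embedding Context"
    description_de: "Temporaerer Kontext fuer kontextuelle KI-Antworten"
    description_en: "Temporary context for contextual AI responses"
    purpose_de: "Bereitstellung kontextbezogener KI-Antworten"
    purpose_en: "Provision of context-aware AI responses"
    risk_level: "MEDIUM"
    legal_basis: "CONTRACT"
    legal_basis_justification_de: "Erforderlich fuer kontextuelle KI-Funktionalitaet"
    legal_basis_justification_en: "Required for contextual AI functionality"
    retention_period: "24_HOURS"
    retention_justification_de: "Kurzlebiger Session-Kontext"
    retention_justification_en: "Short-lived session context"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "In-Memory-Speicherung"
      - "Automatische Bereinigung"
      - "Keine persistente Speicherung"
    tags:
      - "ai"
      - "rag"
      - "embeddings"

  # ===========================================================================
  # CATEGORY H: SECURITY & AUDIT
  # ===========================================================================

  # ---------------------------------------------------------------------------
  # H1: IP Address
  # ---------------------------------------------------------------------------
  - id: "dp-h1-ip"
    code: "H1"
    category: "SECURITY_AUDIT"
    name_de: "IP-Adresse"
    name_en: "IP Address"
    description_de: "IP-Adresse des Nutzers bei Anfragen"
    description_en: "User's IP address during requests"
    purpose_de: "Sicherheit, Missbrauchserkennung, Geo-Blocking"
    purpose_en: "Security, abuse detection, geo-blocking"
    risk_level: "MEDIUM"
    legal_basis: "LEGITIMATE_INTEREST"
    legal_basis_justification_de: "Berechtigtes Interesse an IT-Sicherheit"
    legal_basis_justification_en: "Legitimate interest in IT security"
    retention_period: "90_DAYS"
    retention_justification_de: "Ausreichend fuer Sicherheitsanalysen"
    retention_justification_en: "Sufficient for security analysis"
    # NOTE(review): an IP address is request metadata, not a cookie; the other
    # non-cookie entries in this file use null here - confirm ESSENTIAL is
    # intended.
    cookie_category: "ESSENTIAL"
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients:
      - "Security-Monitoring-Dienste"
    technical_measures:
      - "IP-Anonymisierung nach Analyse"
      - "Geo-IP nur auf Landesebene"
    tags:
      - "security"
      - "network"
      - "audit"

  # ---------------------------------------------------------------------------
  # H2: Login Logs
  # ---------------------------------------------------------------------------
  - id: "dp-h2-login-logs"
    code: "H2"
    category: "SECURITY_AUDIT"
    name_de: "Login-Protokolle"
    name_en: "Login Logs"
    description_de: "Protokoll erfolgreicher und fehlgeschlagener Anmeldeversuche"
    description_en: "Log of successful and failed login attempts"
    purpose_de: "Sicherheitsaudit und Erkennung von Angriffen"
    purpose_en: "Security audit and attack detection"
    risk_level: "MEDIUM"
    legal_basis: "LEGITIMATE_INTEREST"
    legal_basis_justification_de: "Berechtigtes Interesse an Accountsicherheit"
    legal_basis_justification_en: "Legitimate interest in account security"
    # NOTE(review): if login log entries carry the client IP, this 12-month
    # period exceeds the 90 days given for H1 - confirm which period applies
    # to the IP field inside these logs.
    retention_period: "12_MONTHS"
    retention_justification_de: "Ausreichend fuer Sicherheitsforensik"
    retention_justification_en: "Sufficient for security forensics"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients:
      - "SIEM-System"
    technical_measures:
      - "Unveraenderbare Logs"
      - "Zugriffsbeschraenkung"
    tags:
      - "security"
      - "authentication"
      - "audit"

  # ---------------------------------------------------------------------------
  # H3: Change History
  # ---------------------------------------------------------------------------
  - id: "dp-h3-audit-trail"
    code: "H3"
    category: "SECURITY_AUDIT"
    name_de: "Aenderungshistorie"
    name_en: "Change History"
    description_de: "Audit-Trail aller wichtigen Aenderungen im System"
    description_en: "Audit trail of all important system changes"
    purpose_de: "Nachvollziehbarkeit und Compliance-Nachweis"
    purpose_en: "Traceability and compliance documentation"
    risk_level: "LOW"
    legal_basis: "LEGAL_OBLIGATION"
    legal_basis_justification_de: "Aufbewahrungspflicht fuer revisionssichere Dokumentation"
    legal_basis_justification_en: "Retention obligation for audit-proof documentation"
    retention_period: "6_YEARS"
    retention_justification_de: "Aufbewahrungsfrist nach AO"
    retention_justification_en: "Retention period under tax law"
    cookie_category: null
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "Unveraenderbare Logs"
      - "Digitale Signatur"
      - "Revisionssichere Archivierung"
    tags:
      - "audit"
      - "compliance"
      - "traceability"

  # ---------------------------------------------------------------------------
  # H4: Device Fingerprint
  # ---------------------------------------------------------------------------
  - id: "dp-h4-device-fingerprint"
    code: "H4"
    category: "SECURITY_AUDIT"
    name_de: "Geraetefingerprint"
    name_en: "Device Fingerprint"
    description_de: "Hash aus Geraete- und Browser-Merkmalen"
    description_en: "Hash of device and browser characteristics"
    purpose_de: "Betrugsverhinderung und Geraeteerkennung"
    purpose_en: "Fraud prevention and device recognition"
    risk_level: "MEDIUM"
    legal_basis: "LEGITIMATE_INTEREST"
    legal_basis_justification_de: "Berechtigtes Interesse an Betrugspraevention"
    legal_basis_justification_en: "Legitimate interest in fraud prevention"
    retention_period: "30_DAYS"
    retention_justification_de: "Kurze Speicherung fuer Sessionverknuepfung"
    retention_justification_en: "Short storage for session linking"
    cookie_category: "ESSENTIAL"
    is_special_category: false
    requires_explicit_consent: false
    third_party_recipients: []
    technical_measures:
      - "Einweg-Hashing"
      # NOTE(review): a deterministic hash of device attributes cannot be
      # inverted, but it is re-derivable from the same attributes, which is
      # what makes it usable for recognition - the claim covers pre-image
      # resistance only.
      - "Keine Rueckberechnung moeglich"
    tags:
      - "security"
      - "fraud"
      - "device"

# =============================================================================
# RETENTION MATRIX
# =============================================================================
retention_matrix:
  - category: "AUTHENTICATION"
    category_name_de: "Authentifizierung"
    category_name_en: "Authentication"
    standard_period: "UNTIL_ACCOUNT_DELETION"
    legal_basis: "Vertragserfuellung (Art. 6 Abs. 1 lit. b DSGVO)"
    exceptions:
      - condition_de: "Session-Daten"
        condition_en: "Session data"
        period: "24_HOURS"
        reason_de: "Sicherheitsbedingte Kurzlebigkeit"
        reason_en: "Security-related short lifespan"
  - category: "CONSENT"
    category_name_de: "Einwilligungen"
    category_name_en: "Consents"
    standard_period: "6_YEARS"
    legal_basis: "Nachweispflicht (Art. 7 Abs.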
1 DSGVO), AO" exceptions: - condition_de: "Cookie-Praeferenzen" condition_en: "Cookie preferences" period: "12_MONTHS" reason_de: "Branchenuebliche Auffrischung" reason_en: "Industry-standard refresh" - category: "MARKETING" category_name_de: "Marketing" category_name_en: "Marketing" standard_period: "90_DAYS" legal_basis: "Einwilligung (Art. 6 Abs. 1 lit. a DSGVO)" exceptions: - condition_de: "Newsletter-Abonnements" condition_en: "Newsletter subscriptions" period: "UNTIL_REVOCATION" reason_de: "Dauerhaft bis Widerruf" reason_en: "Permanent until revocation" - category: "COMMUNICATION" category_name_de: "Kommunikation" category_name_en: "Communication" standard_period: "24_MONTHS" legal_basis: "Vertragserfuellung / Berechtigtes Interesse" exceptions: - condition_de: "Anrufaufzeichnungen" condition_en: "Call recordings" period: "90_DAYS" reason_de: "Begrenzte Qualitaetssicherung" reason_en: "Limited quality assurance" - category: "TRANSACTION" category_name_de: "Transaktionen" category_name_en: "Transactions" standard_period: "10_YEARS" legal_basis: "Aufbewahrungspflicht nach Paragraph 147 AO und Paragraph 257 HGB" exceptions: [] - category: "SEGMENTATION" category_name_de: "Segmentierung" category_name_en: "Segmentation" standard_period: "UNTIL_PURPOSE_FULFILLED" legal_basis: "Vertragserfuellung (Art. 6 Abs. 1 lit. 
b DSGVO)" exceptions: [] - category: "AI_FEEDBACK" category_name_de: "KI & Feedback" category_name_en: "AI & Feedback" standard_period: "90_DAYS" legal_basis: "Vertragserfuellung / Berechtigtes Interesse" exceptions: - condition_de: "RAG-Kontext" condition_en: "RAG context" period: "24_HOURS" reason_de: "Kurzlebiger Session-Kontext" reason_en: "Short-lived session context" - category: "SECURITY_AUDIT" category_name_de: "Security & Audit" category_name_en: "Security & Audit" standard_period: "12_MONTHS" legal_basis: "Berechtigtes Interesse / Rechtliche Verpflichtung" exceptions: - condition_de: "Aenderungshistorie" condition_en: "Change history" period: "6_YEARS" reason_de: "Revisionssichere Archivierung" reason_en: "Audit-proof archiving" # ============================================================================= # COOKIE CATEGORY MAPPINGS # ============================================================================= cookie_categories: ESSENTIAL: name_de: "Technisch notwendig" name_en: "Essential" description_de: "Diese Cookies sind fuer den Betrieb der Website erforderlich und koennen nicht deaktiviert werden." description_en: "These cookies are required for the website to function and cannot be disabled." is_required: true default_enabled: true data_points: - "dp-a3-session" - "dp-a4-refresh" - "dp-b1-consent" - "dp-b2-cookie-prefs" - "dp-b3-locale" - "dp-h1-ip" - "dp-h4-device-fingerprint" PERFORMANCE: name_de: "Analyse & Performance" name_en: "Analytics & Performance" description_de: "Diese Cookies helfen uns, die Nutzung der Website zu verstehen und zu verbessern." description_en: "These cookies help us understand and improve website usage." is_required: false default_enabled: false data_points: - "dp-c3-utm" PERSONALIZATION: name_de: "Personalisierung" name_en: "Personalization" description_de: "Diese Cookies ermoeglichen personalisierte Werbung und Inhalte." description_en: "These cookies enable personalized advertising and content." 
is_required: false default_enabled: false data_points: - "dp-c1-tracking" - "dp-c2-advertising-id" EXTERNAL_MEDIA: name_de: "Externe Medien" name_en: "External Media" description_de: "Diese Cookies erlauben die Einbindung externer Medien wie Videos und Karten." description_en: "These cookies allow embedding external media like videos and maps." is_required: false default_enabled: false data_points: []