{ "version": "1.0.0", "regulations": ["DSGVO", "AI_Act", "BDSG", "EDPB_Guidelines"], "rules": [ { "id": "MC-AIA-PROHIBITED-001", "obligation_id": "AIACT-OBL-001", "regulation": "AI_Act", "article_ref": "Art. 5 AI Act", "title": "Verbotene KI-Praktiken", "description": "Systeme mit verbotener Risikoeinstufung duerfen nicht eingesetzt werden", "rule_type": "hard_prohibition", "constraints": [ { "if": {"risk_classification": "prohibited"}, "then": {"allowed": false} } ] }, { "id": "MC-GDPR-ART22-001", "obligation_id": "DSGVO-OBL-022", "regulation": "DSGVO", "article_ref": "Art. 22 DSGVO", "title": "Verbot vollautomatisierter Entscheidungen mit erheblicher Wirkung", "description": "Keine ausschliesslich automatisierten Entscheidungen mit rechtlicher oder aehnlich erheblicher Wirkung", "rule_type": "hard_prohibition", "constraints": [ { "if": {"decision_impact": "high", "automation_level": "full"}, "then": {"allowed": false} } ] }, { "id": "MC-GDPR-ART22-002", "obligation_id": "DSGVO-OBL-022", "regulation": "DSGVO", "article_ref": "Art. 22 DSGVO", "title": "Menschliche Ueberpruefung bei hoher Auswirkung", "description": "Bei hoher Entscheidungswirkung muss menschliche Kontrolle gewaehrleistet sein", "rule_type": "requirement", "constraints": [ { "if": {"decision_impact": "high"}, "then": {"required_values": {"human_in_loop": "required", "decision_binding": "human_review_required"}} } ] }, { "id": "MC-GDPR-ART22-003", "obligation_id": "DSGVO-OBL-022", "regulation": "EDPB_Guidelines",
"article_ref": "Art. 22 DSGVO / EDPB Guidelines", "title": "Echte menschliche Entscheidungsmacht erforderlich", "description": "Pro-forma Human-in-Loop ohne echte Entscheidungsbefugnis genuegt nicht", "rule_type": "requirement", "constraints": [ { "if": {"decision_impact": "high", "decision_binding": "fully_binding"}, "then": {"required_values": {"decision_binding": "human_review_required"}} } ] }, { "id": "MC-GDPR-ART9-001", "obligation_id": "DSGVO-OBL-009", "regulation": "DSGVO", "article_ref": "Art. 9 DSGVO", "title": "Besondere Datenkategorien erfordern spezielle Rechtsgrundlage", "description": "Verarbeitung sensibler Daten nur mit Einwilligung oder oeffentlichem Interesse", "rule_type": "requirement", "constraints": [ { "if": {"data_type": "sensitive"}, "then": {"required_values": {"legal_basis": "consent"}, "required_controls": ["C_EXPLICIT_CONSENT"]} } ] }, { "id": "MC-GDPR-ART9-002", "obligation_id": "DSGVO-OBL-009", "regulation": "DSGVO", "article_ref": "Art. 9 DSGVO", "title": "Biometrische Daten erfordern erhoehte Pruefung", "description": "Biometrische Daten loesen verstaerkte Rechtsgrundlagen-Pruefung und Transparenzpflicht aus", "rule_type": "escalation_gate", "constraints": [ { "if": {"data_type": "biometric"}, "then": {"required_values": {"legal_basis": "consent", "transparency_required": "true"}, "required_controls": ["C_EXPLICIT_CONSENT", "C_DSFA"]} } ] }, { "id": "MC-AIA-HR-001", "obligation_id": "AIACT-OBL-HR-001", "regulation": "AI_Act",
"article_ref": "Annex III Nr. 4 AI Act", "title": "KI im HR-Bereich ist Hochrisiko", "description": "KI-Systeme im Bereich Beschaeftigung mit hoher Auswirkung erfordern Hochrisiko-Einstufung", "rule_type": "classification_rule", "constraints": [ { "if": {"domain": "hr", "decision_impact": "high"}, "then": {"set_risk_classification": "high", "required_values": {"logging_required": "true", "transparency_required": "true"}, "required_controls": ["C_TRANSPARENCY", "C_ACCESS_LOGGING"]} } ] }, { "id": "MC-AIA-HR-002", "obligation_id": "AIACT-OBL-HR-002", "regulation": "AI_Act", "article_ref": "Annex III Nr. 4 AI Act", "title": "HR-Ranking und Bewerberauswahl als Hochrisiko", "description": "KI fuer Bewerber-Ranking oder -Klassifikation muss als Hochrisiko bewertet werden", "rule_type": "classification_rule", "constraints": [ { "if": {"domain": "hr", "decision_impact": "medium"}, "then": {"set_risk_classification": "high", "required_values": {"logging_required": "true"}} } ] }, { "id": "MC-AIA-HIGHRISK-001", "obligation_id": "AIACT-OBL-OVERSIGHT", "regulation": "AI_Act", "article_ref": "Art. 14 AI Act", "title": "Hochrisiko-KI erfordert Human Oversight", "description": "Hochrisiko-KI-Systeme muessen wirksame menschliche Aufsicht ermoeglichen", "rule_type": "requirement", "constraints": [ { "if": {"risk_classification": "high"}, "then": {"required_values": {"human_in_loop": "required"}, "required_controls": ["C_CONTESTATION"]} } ] }, { "id": "MC-AIA-HIGHRISK-002", "obligation_id": "AIACT-OBL-LOGGING", "regulation": "AI_Act", "article_ref": "Art. 12 AI Act", "title": "Hochrisiko-KI erfordert Logging", "description": "Hochrisiko-KI-Systeme muessen Betrieb und Vorfaelle protokollieren koennen", "rule_type": "requirement", "constraints": [ { "if": {"risk_classification": "high"}, "then": {"required_values": {"logging_required": "true"}, "required_controls": ["C_ACCESS_LOGGING"]} } ] }, { "id": "MC-AIA-HIGHRISK-003", "obligation_id": "AIACT-OBL-TRANSPARENCY", "regulation": "AI_Act",
"article_ref": "Art. 13 AI Act", "title": "Hochrisiko-KI erfordert Transparenz", "description": "Hochrisiko-KI-Systeme muessen Transparenzanforderungen erfuellen", "rule_type": "requirement", "constraints": [ { "if": {"risk_classification": "high"}, "then": {"required_values": {"transparency_required": "true"}, "required_controls": ["C_TRANSPARENCY"]} } ] }, { "id": "MC-AIA-HIGHRISK-004", "obligation_id": "AIACT-OBL-EXPLAIN", "regulation": "AI_Act", "article_ref": "Art. 13 AI Act", "title": "Hochrisiko-KI erfordert Mindest-Erklaerbarkeit", "description": "Hochrisiko-Systeme muessen ein Mindestmass an Erklaerbarkeit bieten", "rule_type": "requirement", "constraints": [ { "if": {"risk_classification": "high", "explainability": "none"}, "then": {"required_values": {"explainability": "basic"}} } ] }, { "id": "MC-AIA-TRANS-001", "obligation_id": "AIACT-OBL-TRANS-USER", "regulation": "AI_Act", "article_ref": "Art. 52 AI Act", "title": "KI-Interaktion erfordert Nutzerbenachrichtigung", "description": "Nutzer muessen ueber die KI-Interaktion informiert werden", "rule_type": "requirement", "constraints": [ { "if": {"deployment_scope": "external"}, "then": {"required_values": {"transparency_required": "true"}} }, { "if": {"deployment_scope": "public"}, "then": {"required_values": {"transparency_required": "true"}} } ] }, { "id": "MC-GDPR-PRINCIPLES-001", "obligation_id": "DSGVO-OBL-005", "regulation": "DSGVO",
"article_ref": "Art. 5 DSGVO", "title": "Datenminimierung bei personenbezogenen Daten", "description": "Personenbezogene Datenverarbeitung erfordert Datenminimierungsmassnahmen", "rule_type": "requirement", "constraints": [ { "if": {"data_type": "personal"}, "then": {"required_controls": ["C_RETENTION_POLICY"]} }, { "if": {"data_type": "sensitive"}, "then": {"required_controls": ["C_RETENTION_POLICY", "C_ENCRYPTION"]} }, { "if": {"data_type": "biometric"}, "then": {"required_controls": ["C_RETENTION_POLICY", "C_ENCRYPTION"]} } ] }, { "id": "MC-GDPR-INFO-001", "obligation_id": "DSGVO-OBL-013", "regulation": "DSGVO", "article_ref": "Art. 13-14 DSGVO", "title": "Informationspflicht bei personenbezogenen Daten", "description": "Betroffene muessen ueber die Verarbeitung personenbezogener Daten informiert werden", "rule_type": "requirement", "constraints": [ { "if": {"data_type": "personal", "transparency_required": "false"}, "then": {"required_values": {"transparency_required": "true"}} } ] }, { "id": "MC-GDPR-RIGHTS-001", "obligation_id": "DSGVO-OBL-015", "regulation": "DSGVO", "article_ref": "Art. 15 DSGVO", "title": "Erklaerbarkeit bei hoher Auswirkung", "description": "Bei hoher Entscheidungswirkung muss die Verarbeitung erklaerbar sein", "rule_type": "requirement", "constraints": [ { "if": {"decision_impact": "high", "explainability": "none"}, "then": {"required_values": {"explainability": "basic"}} } ] }, { "id": "MC-GDPR-DPIA-001", "obligation_id": "DSGVO-OBL-035", "regulation": "DSGVO",
"article_ref": "Art. 35 DSGVO", "title": "DSFA bei hohem Risiko", "description": "Hohe Entscheidungswirkung mit personenbezogenen Daten erfordert DSFA-Screening", "rule_type": "requirement", "constraints": [ { "if": {"decision_impact": "high", "data_type": "personal"}, "then": {"required_controls": ["C_DSFA"]} }, { "if": {"decision_impact": "high", "data_type": "sensitive"}, "then": {"required_controls": ["C_DSFA"]} } ] }, { "id": "MC-GDPR-SEC-001", "obligation_id": "DSGVO-OBL-032", "regulation": "DSGVO", "article_ref": "Art. 32 DSGVO", "title": "Sicherheitsmassnahmen bei personenbezogenen Daten", "description": "Personenbezogene Daten erfordern angemessene technische und organisatorische Massnahmen", "rule_type": "requirement", "constraints": [ { "if": {"data_type": "personal"}, "then": {"required_controls": ["C_ENCRYPTION"]} } ] }, { "id": "MC-GDPR-SEC-002", "obligation_id": "DSGVO-OBL-032", "regulation": "DSGVO", "article_ref": "Art. 32 DSGVO", "title": "Audit-Logging bei mittlerer bis hoher Auswirkung", "description": "Entscheidungen mit mittlerer oder hoher Auswirkung muessen protokolliert werden", "rule_type": "requirement", "constraints": [ { "if": {"decision_impact": "medium"}, "then": {"required_values": {"logging_required": "true"}} }, { "if": {"decision_impact": "high"}, "then": {"required_values": {"logging_required": "true"}} } ] }, { "id": "MC-GDPR-PBD-001", "obligation_id": "DSGVO-OBL-025", "regulation": "DSGVO", "article_ref": "Art. 25 DSGVO", "title": "Privacy by Design bei personenbezogenen Daten", "description": "KI-Systeme mit personenbezogenen Daten muessen Privacy by Design implementieren", "rule_type": "requirement", "constraints": [ { "if": {"data_type": "personal", "deployment_scope": "public"}, "then": {"required_patterns": ["P_PRE_ANON", "P_NAMESPACE_ISOLATION"]} } ] }, { "id": "MC-AIA-EDUCATION-001", "obligation_id": "AIACT-OBL-EDU-001", "regulation": "AI_Act",
"article_ref": "Annex III Nr. 3 AI Act", "title": "KI im Bildungsbereich mit hoher Auswirkung ist Hochrisiko", "description": "KI-Systeme im Bildungsbereich mit hoher Entscheidungswirkung erfordern Hochrisiko-Einstufung", "rule_type": "classification_rule", "constraints": [ { "if": {"domain": "education", "decision_impact": "high"}, "then": {"set_risk_classification": "high", "required_values": {"logging_required": "true", "transparency_required": "true"}} } ] }, { "id": "MC-AIA-FINANCE-001", "obligation_id": "AIACT-OBL-FIN-001", "regulation": "AI_Act", "article_ref": "Annex III Nr. 5 AI Act", "title": "KI fuer Kreditvergabe und Versicherung ist Hochrisiko", "description": "KI-Systeme fuer wesentliche Dienste wie Kreditvergabe oder Versicherung erfordern Hochrisiko-Einstufung", "rule_type": "classification_rule", "constraints": [ { "if": {"domain": "finance", "decision_impact": "high"}, "then": {"set_risk_classification": "high", "required_values": {"human_in_loop": "required", "logging_required": "true", "transparency_required": "true"}} } ] }, { "id": "MC-AIA-HEALTH-001", "obligation_id": "AIACT-OBL-HEALTH-001", "regulation": "AI_Act", "article_ref": "Annex III Nr. 5 AI Act", "title": "KI im Gesundheitsbereich mit hoher Auswirkung ist Hochrisiko", "description": "KI-Systeme im Gesundheitsbereich mit hoher Auswirkung erfordern Hochrisiko-Einstufung", "rule_type": "classification_rule", "constraints": [ { "if": {"domain": "health", "decision_impact": "high"}, "then": {"set_risk_classification": "high", "required_values": {"human_in_loop": "required", "logging_required": "true", "explainability": "high"}} } ] }, { "id": "MC-GDPR-LAWFULNESS-001", "obligation_id": "DSGVO-OBL-006", "regulation": "DSGVO",
"article_ref": "Art. 6 DSGVO", "title": "Vollautomatisierung mit personenbezogenen Daten erfordert Einwilligung oder Vertrag", "description": "Vollautomatisierte Verarbeitung personenbezogener Daten muss auf Einwilligung oder Vertrag basieren", "rule_type": "requirement", "constraints": [ { "if": {"automation_level": "full", "data_type": "personal"}, "then": {"required_controls": ["C_EXPLICIT_CONSENT"]} } ] }, { "id": "MC-AIA-BLACKBOX-001", "obligation_id": "AIACT-OBL-EXPLAIN-002", "regulation": "AI_Act", "article_ref": "Art. 13 AI Act", "title": "Blackbox-Modelle bei hoher Auswirkung erfordern erhoehte Erklaerbarkeit", "description": "Blackbox-LLM-Modelle mit hoher Entscheidungswirkung muessen mindestens Basic-Erklaerbarkeit bieten", "rule_type": "requirement", "constraints": [ { "if": {"model_type": "blackbox_llm", "decision_impact": "high", "explainability": "none"}, "then": {"required_values": {"explainability": "basic"}} } ] }, { "id": "MC-GDPR-PROFILING-001", "obligation_id": "DSGVO-OBL-PROFILING", "regulation": "EDPB_Guidelines",
"article_ref": "Art. 22 DSGVO / EDPB Profiling Guidelines", "title": "Profiling mit erheblicher Wirkung erfordert Transparenz und Fairness", "description": "Ranking- und Klassifikationssysteme mit hoher Auswirkung muessen Fairness- und Transparenzpruefung bestehen", "rule_type": "requirement", "constraints": [ { "if": {"decision_impact": "high", "deployment_scope": "external"}, "then": {"required_values": {"transparency_required": "true", "explainability": "basic"}, "required_controls": ["C_CONTESTATION"]} } ] }, { "id": "MC-OPT-META-001", "obligation_id": "OPT-DERIVED-001", "regulation": "AI_Act", "article_ref": "Abgeleitet aus AI Act + DSGVO", "title": "Optimierungsregel: Vollautomatisierung auf Assistenz reduzieren", "description": "Wenn Vollautomatisierung bei hoher Wirkung blockiert ist, naechste konforme Konfiguration vorschlagen", "rule_type": "optimizer_rule", "constraints": [ { "if": {"automation_level": "full", "decision_impact": "high"}, "then": {"required_values": {"automation_level": "assistive", "human_in_loop": "required", "decision_binding": "human_review_required"}} } ] }, { "id": "MC-OPT-META-002", "obligation_id": "OPT-DERIVED-002", "regulation": "DSGVO", "article_ref": "Abgeleitet aus DSGVO Grundsaetze", "title": "Optimierungsregel: Datensensitivitaet reduzieren", "description": "Wenn sensible Daten ohne Notwendigkeitsnachweis vorgeschlagen werden, geringere Datentiefe empfehlen", "rule_type": "optimizer_rule", "constraints": [ { "if": {"data_type": "sensitive", "decision_impact": "low"}, "then": {"required_values": {"data_type": "personal"}} } ] }, { "id": "MC-OPT-META-003", "obligation_id": "OPT-DERIVED-003", "regulation": "AI_Act", "article_ref": "Abgeleitet aus AI Act + DSGVO", "title": "Optimierungsregel: Maximale Contestability bei Profiling", "description": "Wenn Profiling nicht vermeidbar ist, Contestability und Transparenz maximieren", "rule_type": "optimizer_rule", "constraints": [ { "if": {"decision_impact": "high", "deployment_scope": "public"}, "then":
{"required_values": {"transparency_required": "true", "explainability": "high"}, "required_controls": ["C_CONTESTATION"]} } ] } ] }