import type { ScopeProfilingAnswer, ComplianceDepthLevel, ScopeDocumentType } from './compliance-scope-types'

/**
 * One golden (reference) scenario for the compliance-scope profiling logic:
 * a fixed set of questionnaire answers plus the outcome expected for them.
 *
 * Only `expectedLevel` is mandatory among the expectations. The other
 * `expected*` fields are optional and many fixtures omit them; how an omitted
 * field is treated by the test runner is not visible in this file.
 */
export interface GoldenTest {
  /** Stable fixture identifier (`GT-01` … `GT-32` in this file). */
  id: string
  /** Short human-readable scenario name (German, used as-is at runtime). */
  name: string
  /** One-line explanation of what the scenario exercises (German). */
  description: string
  /** Questionnaire answers fed to the scope evaluation, as questionId/value pairs. */
  answers: ScopeProfilingAnswer[]
  /** Compliance depth level the evaluation should produce (L1–L4 appear in these fixtures). */
  expectedLevel: ComplianceDepthLevel | null // null for prefill tests
  /** Document types expected to be part of the resulting scope, at minimum (per the field name). */
  expectedMinDocuments?: ScopeDocumentType[]
  /**
   * IDs of hard triggers expected to fire; `[]` is used by the baseline fixtures.
   * NOTE(review): several fixtures list only the headline trigger, e.g. GT-19,
   * GT-23 and GT-24 set `data_health: true` without listing `HT-A01`, which
   * GT-09, GT-27 and GT-29 pair with that answer. Presumably the runner checks
   * "must include" rather than exact equality; confirm, otherwise these
   * fixtures disagree with each other.
   */
  expectedHardTriggerIds?: string[]
  /** Whether a DSFA (German abbreviation for a data protection impact assessment) is expected to be required. */
  expectedDsfaRequired?: boolean
  /** Free-form labels for grouping or filtering fixtures. */
  tags: string[]
}

/**
 * Golden fixtures for the scope evaluation, ordered roughly from baseline (L1)
 * through scale and tracking cases (L2) to hard-trigger cases (L3/L4), followed
 * by two edge cases (incomplete answers, prefill consistency).
 *
 * Document abbreviations used below are the usual German GDPR terms:
 * VVT = record of processing activities, TOM = technical and organisational
 * measures, AVV = data processing agreement, DSFA = data protection impact
 * assessment, EINWILLIGUNG = consent.
 *
 * The `name` and `description` strings are runtime data and are intentionally
 * left in German.
 */
export const GOLDEN_TESTS: GoldenTest[] = [
  // GT-01: 2-person freelancer, B2B only, hosting in Germany → L1
  {
    id: 'GT-01',
    name: '2-Person Freelancer B2B',
    description: 'Kleinstes Setup ohne besondere Risiken',
    answers: [
      { questionId: 'org_employee_count', value: '2' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'de' },
      { questionId: 'org_industry', value: 'consulting' },
      { questionId: 'data_health', value: false },
      { questionId: 'data_genetic', value: false },
      { questionId: 'data_biometric', value: false },
      { questionId: 'data_racial_ethnic', value: false },
      { questionId: 'data_political_opinion', value: false },
      { questionId: 'data_religious', value: false },
      { questionId: 'data_union_membership', value: false },
      { questionId: 'data_sexual_orientation', value: false },
      { questionId: 'data_criminal', value: false },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
      { questionId: 'process_has_dsfa', value: true },
      { questionId: 'process_has_incident_plan', value: true },
      { questionId: 'data_volume', value: '<1000' },
      { questionId: 'org_customer_count', value: '<100' },
    ],
    expectedLevel: 'L1',
    expectedMinDocuments: ['VVT', 'TOM', 'COOKIE_BANNER'],
    expectedHardTriggerIds: [],
    expectedDsfaRequired: false,
    tags: ['baseline', 'freelancer', 'b2b'],
  },
  // GT-02: Solo IT consultant → L1
  {
    id: 'GT-02',
    name: 'Solo IT-Berater',
    description: 'Einzelperson, minimale Datenverarbeitung',
    answers: [
      { questionId: 'org_employee_count', value: '1' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'de' },
      { questionId: 'org_industry', value: 'it_services' },
      { questionId: 'data_health', value: false },
      { questionId: 'data_genetic', value: false },
      { questionId: 'data_biometric', value: false },
      { questionId: 'data_volume', value: '<1000' },
      { questionId: 'org_customer_count', value: '<50' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
    ],
    expectedLevel: 'L1',
    expectedHardTriggerIds: [],
    tags: ['baseline', 'solo', 'minimal'],
  },
  // GT-03: 5-person agency, website, no tracking → L1
  {
    id: 'GT-03',
    name: '5-Person Agentur ohne Tracking',
    description: 'Kleine Agentur, einfache Website ohne Analytics',
    answers: [
      { questionId: 'org_employee_count', value: '5' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'marketing' },
      { questionId: 'tech_has_website', value: true },
      { questionId: 'tech_has_tracking', value: false },
      { questionId: 'data_volume', value: '1000-10000' },
      { questionId: 'org_customer_count', value: '100-1000' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
    ],
    expectedLevel: 'L1',
    expectedMinDocuments: ['VVT', 'TOM', 'COOKIE_BANNER'],
    tags: ['baseline', 'agency', 'simple'],
  },
  // GT-04: 30-person SaaS B2B, EU cloud → L2 (scale trigger)
  {
    id: 'GT-04',
    name: '30-Person SaaS B2B',
    description: 'Scale-Trigger durch Mitarbeiterzahl',
    answers: [
      { questionId: 'org_employee_count', value: '30' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'software' },
      { questionId: 'tech_has_cloud', value: true },
      { questionId: 'data_volume', value: '10000-100000' },
      { questionId: 'org_customer_count', value: '1000-10000' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
      { questionId: 'process_has_dsfa', value: false },
    ],
    expectedLevel: 'L2',
    expectedMinDocuments: ['VVT', 'TOM', 'AVV', 'COOKIE_BANNER'],
    tags: ['scale', 'saas', 'growth'],
  },
  // GT-05: 50-person retail B2C, webshop → L2 (B2C + webshop)
  {
    id: 'GT-05',
    name: '50-Person E-Commerce B2C',
    description: 'B2C mit Webshop erhöht Anforderungen',
    answers: [
      { questionId: 'org_employee_count', value: '50' },
      { questionId: 'org_business_model', value: 'b2c' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'retail' },
      { questionId: 'tech_has_webshop', value: true },
      { questionId: 'data_volume', value: '100000-1000000' },
      { questionId: 'org_customer_count', value: '10000-100000' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
    ],
    expectedLevel: 'L2',
    expectedHardTriggerIds: ['HT-H01'],
    expectedMinDocuments: ['VVT', 'TOM', 'AVV', 'COOKIE_BANNER', 'EINWILLIGUNG'],
    tags: ['b2c', 'webshop', 'retail'],
  },
  // GT-06: 80-person service provider, cloud → L2 (scale)
  {
    id: 'GT-06',
    name: '80-Person Dienstleister',
    description: 'Größerer Betrieb mit Cloud-Services',
    answers: [
      { questionId: 'org_employee_count', value: '80' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'professional_services' },
      { questionId: 'tech_has_cloud', value: true },
      { questionId: 'data_volume', value: '100000-1000000' },
      { questionId: 'org_customer_count', value: '1000-10000' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
    ],
    expectedLevel: 'L2',
    expectedMinDocuments: ['VVT', 'TOM', 'AVV'],
    tags: ['scale', 'services'],
  },
  // GT-07: 20-person startup with GA4 tracking → L2 (tracking)
  {
    id: 'GT-07',
    name: 'Startup mit Google Analytics',
    description: 'Tracking-Tools erhöhen Compliance-Anforderungen',
    answers: [
      { questionId: 'org_employee_count', value: '20' },
      { questionId: 'org_business_model', value: 'b2c' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'technology' },
      { questionId: 'tech_has_website', value: true },
      { questionId: 'tech_has_tracking', value: true },
      { questionId: 'tech_tracking_tools', value: 'google_analytics' },
      { questionId: 'data_volume', value: '10000-100000' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L2',
    expectedMinDocuments: ['VVT', 'TOM', 'COOKIE_BANNER', 'EINWILLIGUNG'],
    tags: ['tracking', 'analytics', 'startup'],
  },
  // GT-08: Daycare app (minors) → L3 (HT-B01)
  {
    id: 'GT-08',
    name: 'Kita-App für Eltern',
    description: 'Datenverarbeitung von Minderjährigen unter 16',
    answers: [
      { questionId: 'org_employee_count', value: '15' },
      { questionId: 'org_business_model', value: 'b2c' },
      { questionId: 'tech_hosting_location', value: 'de' },
      { questionId: 'org_industry', value: 'education' },
      { questionId: 'data_subjects_minors', value: true },
      { questionId: 'data_subjects_minors_age', value: '<16' },
      { questionId: 'data_volume', value: '1000-10000' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-B01'],
    expectedDsfaRequired: true,
    expectedMinDocuments: ['VVT', 'TOM', 'DSFA', 'EINWILLIGUNG', 'AVV'],
    tags: ['hard-trigger', 'minors', 'education'],
  },
  // GT-09: Hospital software → L3 (HT-A01)
  {
    id: 'GT-09',
    name: 'Krankenhaus-Verwaltungssoftware',
    description: 'Gesundheitsdaten Art. 9 DSGVO',
    answers: [
      { questionId: 'org_employee_count', value: '200' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'de' },
      { questionId: 'org_industry', value: 'healthcare' },
      { questionId: 'data_health', value: true },
      { questionId: 'data_volume', value: '>1000000' },
      { questionId: 'org_customer_count', value: '10-50' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-A01'],
    expectedDsfaRequired: true,
    expectedMinDocuments: ['VVT', 'TOM', 'DSFA', 'AVV'],
    tags: ['hard-trigger', 'health', 'art9'],
  },
  // GT-10: HR scoring platform → L3 (HT-C01)
  {
    id: 'GT-10',
    name: 'HR-Scoring für Bewerbungen',
    description: 'Automatisierte Entscheidungen im HR-Bereich',
    answers: [
      { questionId: 'org_employee_count', value: '40' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'hr_tech' },
      { questionId: 'tech_has_adm', value: true },
      { questionId: 'tech_adm_type', value: 'profiling' },
      { questionId: 'tech_adm_impact', value: 'employment' },
      { questionId: 'data_volume', value: '100000-1000000' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-C01'],
    expectedDsfaRequired: true,
    expectedMinDocuments: ['VVT', 'TOM', 'DSFA', 'AVV'],
    tags: ['hard-trigger', 'adm', 'profiling'],
  },
  // GT-11: Fintech credit scoring → L3 (HT-H05 + C01)
  {
    id: 'GT-11',
    name: 'Fintech Kreditscoring',
    description: 'Finanzsektor mit automatisierten Entscheidungen',
    answers: [
      { questionId: 'org_employee_count', value: '120' },
      { questionId: 'org_business_model', value: 'b2c' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'finance' },
      { questionId: 'tech_has_adm', value: true },
      { questionId: 'tech_adm_type', value: 'scoring' },
      { questionId: 'tech_adm_impact', value: 'credit' },
      { questionId: 'data_volume', value: '>1000000' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-H05', 'HT-C01'],
    expectedDsfaRequired: true,
    expectedMinDocuments: ['VVT', 'TOM', 'DSFA', 'AVV'],
    tags: ['hard-trigger', 'finance', 'scoring'],
  },
  // GT-12: Education platform with minors → L3 (HT-B01)
  {
    id: 'GT-12',
    name: 'Online-Lernplattform für Schüler',
    description: 'Bildungssektor mit minderjährigen Nutzern',
    answers: [
      { questionId: 'org_employee_count', value: '35' },
      { questionId: 'org_business_model', value: 'b2c' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'education' },
      { questionId: 'data_subjects_minors', value: true },
      { questionId: 'data_subjects_minors_age', value: '<16' },
      { questionId: 'tech_has_tracking', value: true },
      { questionId: 'data_volume', value: '100000-1000000' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-B01'],
    expectedDsfaRequired: true,
    tags: ['hard-trigger', 'education', 'minors'],
  },
  // GT-13: Data broker → L3 (HT-H02)
  {
    id: 'GT-13',
    name: 'Datenbroker / Adresshandel',
    description: 'Geschäftsmodell basiert auf Datenhandel',
    answers: [
      { questionId: 'org_employee_count', value: '25' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'data_broker' },
      { questionId: 'data_is_core_business', value: true },
      { questionId: 'data_volume', value: '>1000000' },
      { questionId: 'org_customer_count', value: '100-1000' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-H02'],
    expectedDsfaRequired: true,
    tags: ['hard-trigger', 'data-broker'],
  },
  // GT-14: Video surveillance + ADM (automated decision-making) → L3 (HT-D05)
  {
    id: 'GT-14',
    name: 'Videoüberwachung mit Gesichtserkennung',
    description: 'Biometrische Daten mit automatisierter Verarbeitung',
    answers: [
      { questionId: 'org_employee_count', value: '60' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'de' },
      { questionId: 'org_industry', value: 'security' },
      { questionId: 'data_biometric', value: true },
      { questionId: 'tech_has_video_surveillance', value: true },
      { questionId: 'tech_has_adm', value: true },
      { questionId: 'data_volume', value: '100000-1000000' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-D05'],
    expectedDsfaRequired: true,
    tags: ['hard-trigger', 'biometric', 'video'],
  },
  // GT-15: 500-employee corporation without certification → L3 (HT-G04)
  {
    id: 'GT-15',
    name: 'Großunternehmen ohne Zertifizierung',
    description: 'Scale-Trigger durch Unternehmensgröße',
    answers: [
      { questionId: 'org_employee_count', value: '500' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'manufacturing' },
      { questionId: 'data_volume', value: '>1000000' },
      { questionId: 'org_customer_count', value: '>100000' },
      { questionId: 'cert_has_iso27001', value: false },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-G04'],
    expectedDsfaRequired: true,
    tags: ['hard-trigger', 'scale', 'enterprise'],
  },
  // GT-16: ISO 27001 provider → L4 (HT-F01)
  {
    id: 'GT-16',
    name: 'ISO 27001 zertifizierter Cloud-Provider',
    description: 'Zertifizierung erfordert höchste Compliance',
    answers: [
      { questionId: 'org_employee_count', value: '150' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'cloud_services' },
      { questionId: 'cert_has_iso27001', value: true },
      { questionId: 'data_volume', value: '>1000000' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
      { questionId: 'process_has_dsfa', value: true },
    ],
    expectedLevel: 'L4',
    expectedHardTriggerIds: ['HT-F01'],
    expectedMinDocuments: ['VVT', 'TOM', 'DSFA', 'AVV', 'CERT_ISO27001'],
    tags: ['hard-trigger', 'certification', 'iso'],
  },
  // GT-17: TISAX automotive supplier → L4 (HT-F04)
  {
    id: 'GT-17',
    name: 'TISAX-zertifizierter Automobilzulieferer',
    description: 'Automotive-Branche mit TISAX-Anforderungen',
    answers: [
      { questionId: 'org_employee_count', value: '300' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'de' },
      { questionId: 'org_industry', value: 'automotive' },
      { questionId: 'cert_has_tisax', value: true },
      { questionId: 'data_volume', value: '>1000000' },
      { questionId: 'org_customer_count', value: '10-50' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
    ],
    expectedLevel: 'L4',
    expectedHardTriggerIds: ['HT-F04'],
    tags: ['hard-trigger', 'certification', 'tisax'],
  },
  // GT-18: ISO 27701 cloud provider → L4 (HT-F02)
  {
    id: 'GT-18',
    name: 'ISO 27701 Privacy-zertifiziert',
    description: 'Privacy-spezifische Zertifizierung',
    answers: [
      { questionId: 'org_employee_count', value: '200' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'cloud_services' },
      { questionId: 'cert_has_iso27701', value: true },
      { questionId: 'data_volume', value: '>1000000' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
      { questionId: 'process_has_dsfa', value: true },
    ],
    expectedLevel: 'L4',
    expectedHardTriggerIds: ['HT-F02'],
    tags: ['hard-trigger', 'certification', 'privacy'],
  },
  // GT-19: Large corporation + Art. 9 + >1M data records → L4 (HT-G05)
  {
    id: 'GT-19',
    name: 'Konzern mit sensiblen Massendaten',
    description: 'Kombination aus Scale und Art. 9 Daten',
    answers: [
      { questionId: 'org_employee_count', value: '2000' },
      { questionId: 'org_business_model', value: 'b2c' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'insurance' },
      { questionId: 'data_health', value: true },
      { questionId: 'data_volume', value: '>1000000' },
      { questionId: 'org_customer_count', value: '>100000' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
    ],
    expectedLevel: 'L4',
    expectedHardTriggerIds: ['HT-G05'],
    expectedDsfaRequired: true,
    tags: ['hard-trigger', 'scale', 'art9'],
  },
  // GT-20: B2C webshop only → L2 (HT-H01)
  {
    id: 'GT-20',
    name: 'Reiner B2C Webshop',
    description: 'B2C-Trigger ohne weitere Risiken',
    answers: [
      { questionId: 'org_employee_count', value: '12' },
      { questionId: 'org_business_model', value: 'b2c' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'retail' },
      { questionId: 'tech_has_webshop', value: true },
      { questionId: 'data_volume', value: '10000-100000' },
      { questionId: 'org_customer_count', value: '1000-10000' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L2',
    expectedHardTriggerIds: ['HT-H01'],
    tags: ['b2c', 'webshop'],
  },
  // GT-21: No data, no employees → L1
  {
    id: 'GT-21',
    name: 'Minimale Datenverarbeitung',
    description: 'Absolute Baseline ohne Risiken',
    answers: [
      { questionId: 'org_employee_count', value: '1' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'de' },
      { questionId: 'org_industry', value: 'consulting' },
      { questionId: 'data_volume', value: '<1000' },
      { questionId: 'org_customer_count', value: '<50' },
      { questionId: 'tech_has_website', value: false },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L1',
    expectedHardTriggerIds: [],
    tags: ['baseline', 'minimal'],
  },
  // GT-22: All Art. 9 categories → L3 (HT-A09)
  // NOTE(review): data_criminal is set here alongside the Art. 9 categories;
  // criminal-conviction data falls under Art. 10 GDPR, so whether HT-A09 is
  // meant to count it cannot be told from this file. Confirm against the rule.
  {
    id: 'GT-22',
    name: 'Alle Art. 9 Kategorien',
    description: 'Multiple sensible Datenkategorien',
    answers: [
      { questionId: 'org_employee_count', value: '50' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'research' },
      { questionId: 'data_health', value: true },
      { questionId: 'data_genetic', value: true },
      { questionId: 'data_biometric', value: true },
      { questionId: 'data_racial_ethnic', value: true },
      { questionId: 'data_political_opinion', value: true },
      { questionId: 'data_religious', value: true },
      { questionId: 'data_union_membership', value: true },
      { questionId: 'data_sexual_orientation', value: true },
      { questionId: 'data_criminal', value: true },
      { questionId: 'data_volume', value: '100000-1000000' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-A09'],
    expectedDsfaRequired: true,
    tags: ['hard-trigger', 'art9', 'multiple-categories'],
  },
  // GT-23: Third country + Art. 9 → L3 (HT-E04)
  {
    id: 'GT-23',
    name: 'Drittlandtransfer mit Art. 9 Daten',
    description: 'Kombination aus Drittland und sensiblen Daten',
    answers: [
      { questionId: 'org_employee_count', value: '45' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'us' },
      { questionId: 'org_industry', value: 'healthcare' },
      { questionId: 'data_health', value: true },
      { questionId: 'tech_has_third_country_transfer', value: true },
      { questionId: 'data_volume', value: '100000-1000000' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-E04'],
    expectedDsfaRequired: true,
    tags: ['hard-trigger', 'third-country', 'art9'],
  },
  // GT-24: Minors + Art. 9 → L4 (HT-B02)
  {
    id: 'GT-24',
    name: 'Minderjährige mit Gesundheitsdaten',
    description: 'Kombination aus vulnerabler Gruppe und Art. 9',
    answers: [
      { questionId: 'org_employee_count', value: '30' },
      { questionId: 'org_business_model', value: 'b2c' },
      { questionId: 'tech_hosting_location', value: 'de' },
      { questionId: 'org_industry', value: 'healthcare' },
      { questionId: 'data_subjects_minors', value: true },
      { questionId: 'data_subjects_minors_age', value: '<16' },
      { questionId: 'data_health', value: true },
      { questionId: 'data_volume', value: '10000-100000' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L4',
    expectedHardTriggerIds: ['HT-B02'],
    expectedDsfaRequired: true,
    tags: ['hard-trigger', 'minors', 'health', 'combined-risk'],
  },
  // GT-25: AI with autonomous decisions → L3 (HT-C02)
  {
    id: 'GT-25',
    name: 'KI mit autonomen Entscheidungen',
    description: 'AI Act relevante autonome Systeme',
    answers: [
      { questionId: 'org_employee_count', value: '70' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'ai_services' },
      { questionId: 'tech_has_adm', value: true },
      { questionId: 'tech_adm_type', value: 'autonomous_decision' },
      { questionId: 'tech_has_ai', value: true },
      { questionId: 'data_volume', value: '100000-1000000' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-C02'],
    expectedDsfaRequired: true,
    tags: ['hard-trigger', 'ai', 'adm'],
  },
  // GT-26: Multiple certifications → L4 (HT-F01-05)
  // NOTE(review): the range above names HT-F01..F05, but the expectation lists
  // only F01–F03 and the answers set three certificates (ISO 27001, ISO 27701,
  // SOC 2). Either the comment or the expected list should be narrowed; confirm.
  {
    id: 'GT-26',
    name: 'Multiple Zertifizierungen',
    description: 'Mehrere Zertifizierungen kombiniert',
    answers: [
      { questionId: 'org_employee_count', value: '250' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'cloud_services' },
      { questionId: 'cert_has_iso27001', value: true },
      { questionId: 'cert_has_iso27701', value: true },
      { questionId: 'cert_has_soc2', value: true },
      { questionId: 'data_volume', value: '>1000000' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
      { questionId: 'process_has_dsfa', value: true },
    ],
    expectedLevel: 'L4',
    expectedHardTriggerIds: ['HT-F01', 'HT-F02', 'HT-F03'],
    tags: ['hard-trigger', 'certification', 'multiple'],
  },
  // GT-27: Public sector + health → L3 (HT-H07 + A01)
  {
    id: 'GT-27',
    name: 'Öffentlicher Sektor mit Gesundheitsdaten',
    description: 'Behörde mit Art. 9 Datenverarbeitung',
    answers: [
      { questionId: 'org_employee_count', value: '120' },
      { questionId: 'org_business_model', value: 'b2g' },
      { questionId: 'tech_hosting_location', value: 'de' },
      { questionId: 'org_industry', value: 'public_sector' },
      { questionId: 'org_is_public_sector', value: true },
      { questionId: 'data_health', value: true },
      { questionId: 'data_volume', value: '>1000000' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-H07', 'HT-A01'],
    expectedDsfaRequired: true,
    tags: ['hard-trigger', 'public-sector', 'health'],
  },
  // GT-28: Education + AI + minors → L4 (HT-B03)
  {
    id: 'GT-28',
    name: 'EdTech mit KI für Minderjährige',
    description: 'Triple-Risiko: Bildung, KI, vulnerable Gruppe',
    answers: [
      { questionId: 'org_employee_count', value: '55' },
      { questionId: 'org_business_model', value: 'b2c' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'education' },
      { questionId: 'data_subjects_minors', value: true },
      { questionId: 'data_subjects_minors_age', value: '<16' },
      { questionId: 'tech_has_ai', value: true },
      { questionId: 'tech_has_adm', value: true },
      { questionId: 'data_volume', value: '100000-1000000' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L4',
    expectedHardTriggerIds: ['HT-B03'],
    expectedDsfaRequired: true,
    tags: ['hard-trigger', 'education', 'ai', 'minors', 'triple-risk'],
  },
  // GT-29: Freelancer with one Art. 9 category → L3 (hard trigger override despite low score)
  {
    id: 'GT-29',
    name: 'Freelancer mit Gesundheitsdaten',
    description: 'Hard Trigger überschreibt niedrige Score-Bewertung',
    answers: [
      { questionId: 'org_employee_count', value: '1' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'de' },
      { questionId: 'org_industry', value: 'healthcare' },
      { questionId: 'data_health', value: true },
      { questionId: 'data_volume', value: '<1000' },
      { questionId: 'org_customer_count', value: '<50' },
      { questionId: 'process_has_vvt', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-A01'],
    expectedDsfaRequired: true,
    tags: ['hard-trigger', 'override', 'art9', 'freelancer'],
  },
  // GT-30: Enterprise, all processes in place → L3 (good process maturity)
  {
    id: 'GT-30',
    name: 'Enterprise mit reifer Prozesslandschaft',
    description: 'Große Organisation mit allen Compliance-Prozessen',
    answers: [
      { questionId: 'org_employee_count', value: '450' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      { questionId: 'org_industry', value: 'manufacturing' },
      { questionId: 'data_volume', value: '>1000000' },
      { questionId: 'org_customer_count', value: '10000-100000' },
      { questionId: 'process_has_vvt', value: true },
      { questionId: 'process_has_tom', value: true },
      { questionId: 'process_has_dsfa', value: true },
      { questionId: 'process_has_incident_plan', value: true },
      { questionId: 'process_has_dsb', value: true },
      { questionId: 'process_has_training', value: true },
    ],
    expectedLevel: 'L3',
    expectedHardTriggerIds: ['HT-G04'],
    tags: ['enterprise', 'mature', 'all-processes'],
  },
  // GT-31: SMB, only 1 block answered → L1 (graceful degradation)
  // NOTE(review): this pins "unanswered blocks count as no risk" as the
  // expected behaviour, i.e. an incomplete profile resolves to the lowest
  // level with no hard triggers. Confirm that this default is intended and
  // that the incomplete state is surfaced to the user elsewhere, since a
  // skipped Art. 9 or minors question would otherwise go unnoticed.
  {
    id: 'GT-31',
    name: 'Unvollständige Profilerstellung',
    description: 'Test für graceful degradation bei unvollständigen Antworten',
    answers: [
      { questionId: 'org_employee_count', value: '8' },
      { questionId: 'org_business_model', value: 'b2b' },
      { questionId: 'org_industry', value: 'consulting' },
      // Only block 1 (Organization) is answered; the rest is missing
    ],
    expectedLevel: 'L1',
    expectedHardTriggerIds: [],
    tags: ['incomplete', 'degradation', 'edge-case'],
  },
  // GT-32: CompanyProfile prefill consistency → null (prefill test, no expected level)
  {
    id: 'GT-32',
    name: 'CompanyProfile Prefill Test',
    description: 'Prüft ob CompanyProfile-Daten korrekt in ScopeProfile übernommen werden',
    answers: [
      { questionId: 'org_employee_count', value: '25' },
      { questionId: 'org_business_model', value: 'b2c' },
      { questionId: 'org_industry', value: 'retail' },
      { questionId: 'tech_hosting_location', value: 'eu' },
      // These values should match the CompanyProfile prefill
    ],
    expectedLevel: null,
    tags: ['prefill', 'integration', 'consistency'],
  },
]