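"""Seed data for ``compliance_template_rules`` — the 33 initial rules ported from
``admin-compliance/app/sdk/document-generator/templateRecommendations.ts``.

Pure data structure — the logic lives in ``scripts/seed_template_rules.py``.

Shape of every rule (all six keys are mandatory; ``_validate_seed_rules`` enforces
this at import time so a malformed entry fails here, not half-way through a seed run):

    rule_key        stable identifier; must be unique within ``SEED_RULES``
                    (presumably the upsert key used by the seed script — confirm there)
    document_type   template the rule recommends
    title           human-readable name (German, user-facing)
    classification  "required" | "recommended"
    conditions      {"kind": "all" | "any", "clauses": [...]} — each clause is
                    {"field", "op", "value"} with ops seen here: eq, neq, in, not_in, truthy
                    (``truthy`` carries no "value")
    rationale       legal / organisational justification shown to the user

Evaluation semantics that matter for review (the evaluator itself is not in this file):
  * ``"kind": "all"`` with ``"clauses": []`` is meant to be vacuously true ("always
    required") — this relies on the evaluator treating an empty ``all`` like
    Python's ``all([])``; confirm in the rule engine.
  * Rules built on ``neq "no"`` / ``not_in [...]`` fire for *any* other value, which,
    depending on how the evaluator treats an unset field, likely includes "answer not
    given". That is the conservative (over-recommending) direction for a compliance
    tool, but it should be a deliberate choice — confirm the missing-field behaviour.

Title and rationale strings are runtime data and are kept in German verbatim.
"""

from typing import Any


def _level_clause(*levels: str) -> dict[str, Any]:
    """Clause matching when ``compliance_depth_level`` is one of ``levels``.

    Only "L2", "L3" and "L4" are referenced by the rules below; whether lower
    levels exist is not visible from this file.
    """
    return {"field": "compliance_depth_level", "op": "in", "value": list(levels)}


SEED_RULES: list[dict[str, Any]] = [
    # --- HR / workforce ---------------------------------------------------
    {
        "rule_key": "employee_dsi_required_with_employees",
        "document_type": "employee_dsi",
        "title": "Datenschutzinformation für Mitarbeiter",
        "classification": "required",
        "conditions": {"kind": "any", "clauses": [
            {"field": "org_has_employees", "op": "eq", "value": "yes"},
            {"field": "org_employee_count", "op": "not_in", "value": ["none", "0", "1_9"]},
        ]},
        "rationale": "Art. 13 DSGVO Informationspflichten gegenüber Beschäftigten.",
    },
    {
        "rule_key": "applicant_dsi_recommended_with_employees",
        "document_type": "applicant_dsi",
        "title": "Datenschutzinformation für Bewerber",
        "classification": "recommended",
        "conditions": {"kind": "any", "clauses": [
            {"field": "org_has_employees", "op": "eq", "value": "yes"},
            {"field": "org_employee_count", "op": "not_in", "value": ["none", "0"]},
        ]},
        "rationale": "Empfehlenswert, sobald Bewerbungsdaten verarbeitet werden.",
    },
    {
        "rule_key": "whistleblower_required_50plus",
        "document_type": "whistleblower_policy",
        "title": "Hinweisgeberschutz-Richtlinie (HinSchG)",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": [
            {"field": "org_employee_count", "op": "in", "value": ["50_249", "250_999", "1000_plus"]},
        ]},
        "rationale": "§ 12 HinSchG — Pflicht ab 50 Beschäftigten.",
    },
    # --- Usage policies ---------------------------------------------------
    {
        "rule_key": "ai_usage_required_when_ai_used",
        "document_type": "ai_usage_policy",
        "title": "KI-Nutzungsrichtlinie",
        "classification": "required",
        "conditions": {"kind": "any", "clauses": [
            {"field": "proc_ai_usage", "op": "not_in", "value": ["none", "no"]},
            # ``truthy`` has no "value" — the only op here that reads the field alone.
            {"field": "proc_uses_ai_tools", "op": "truthy"},
        ]},
        "rationale": "AI Act + interne Governance bei KI-Einsatz.",
    },
    {
        "rule_key": "byod_required_when_allowed",
        "document_type": "byod_policy",
        "title": "BYOD-Richtlinie (Bring Your Own Device)",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": [
            {"field": "proc_byod_allowed", "op": "eq", "value": "yes"},
        ]},
        "rationale": "Erforderlich wenn private Geräte für Arbeit genutzt werden.",
    },
    {
        "rule_key": "social_media_dsi_required",
        "document_type": "social_media_dsi",
        "title": "Datenschutzhinweis Social Media",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": [
            {"field": "org_has_social_media", "op": "eq", "value": "yes"},
        ]},
        # NOTE(review): the joint-controllership case law is CJEU (C-210/16 Wirtschaftsakademie);
        # "BVerfG" in the rationale looks like a slip for "BVerwG" — confirm with legal.
        "rationale": "BVerfG/EuGH-Rechtsprechung zu gemeinsamer Verantwortlichkeit.",
    },
    {
        "rule_key": "video_conference_dsi_recommended",
        "document_type": "video_conference_dsi",
        "title": "Datenschutzhinweis Videokonferenz",
        "classification": "recommended",
        "conditions": {"kind": "all", "clauses": [
            {"field": "org_has_video_conferencing", "op": "eq", "value": "yes"},
        ]},
        "rationale": "DSK Orientierungshilfe Videokonferenzsysteme.",
    },
    # --- IT-security policies keyed on compliance depth ------------------
    {
        "rule_key": "information_security_required_l3plus",
        "document_type": "information_security_policy",
        "title": "Informationssicherheits-Richtlinie",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
        "rationale": "Ab Compliance-Tiefe L3 (Strict) erforderlich.",
    },
    {
        "rule_key": "password_recommended_l2plus",
        "document_type": "password_policy",
        "title": "Passwort-Richtlinie",
        "classification": "recommended",
        "conditions": {"kind": "all", "clauses": [_level_clause("L2", "L3", "L4")]},
        "rationale": "Best Practice IT-Sicherheit ab L2.",
    },
    {
        "rule_key": "encryption_recommended_l3plus",
        "document_type": "encryption_policy",
        "title": "Verschlüsselungs-Richtlinie",
        "classification": "recommended",
        "conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
        "rationale": "BSI-Empfehlung, ISO 27001 A.10.",
    },
    {
        "rule_key": "access_control_recommended_l3plus",
        "document_type": "access_control_policy",
        "title": "Zugriffskontroll-Richtlinie",
        "classification": "recommended",
        "conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
        "rationale": "Art. 32 DSGVO i.V.m. ISO 27001 A.9.",
    },
    {
        "rule_key": "it_security_required_l3plus",
        "document_type": "it_security_concept",
        "title": "IT-Sicherheitskonzept",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
        "rationale": "BSI IT-Grundschutz / ISO 27001.",
    },
    {
        "rule_key": "backup_recommended_l3plus",
        "document_type": "backup_recovery_concept",
        "title": "Backup- und Recovery-Konzept",
        "classification": "recommended",
        "conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
        "rationale": "Art. 32 DSGVO 'Verfügbarkeit + Belastbarkeit'.",
    },
    {
        "rule_key": "logging_recommended_l3plus",
        "document_type": "logging_concept",
        "title": "Protokollierungskonzept",
        "classification": "recommended",
        "conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
        "rationale": "Art. 32 DSGVO + BSI IT-Grundschutz.",
    },
    {
        "rule_key": "access_control_concept_recommended_l3plus",
        "document_type": "access_control_concept",
        "title": "Zugriffskonzept",
        "classification": "recommended",
        "conditions": {"kind": "all", "clauses": [_level_clause("L3", "L4")]},
        "rationale": "ISO 27001 A.9 / BSI IT-Grundschutz ORP.4.",
    },
    # --- Platform / product ------------------------------------------------
    {
        "rule_key": "community_guidelines_required_ugc_platform",
        "document_type": "community_guidelines",
        "title": "Community-Richtlinien",
        "classification": "required",
        "conditions": {"kind": "any", "clauses": [
            {"field": "prod_ugc_platform", "op": "eq", "value": "yes"},
            {"field": "org_business_model", "op": "in", "value": ["platform", "marketplace", "social"]},
        ]},
        # NOTE(review): the NetzDG was largely superseded by the DSA / DDG in 2024 —
        # the rationale may be stale; confirm with legal before the next seed run.
        "rationale": "DSA + NetzDG für Plattformen mit nutzergeneriertem Inhalt.",
    },
    {
        "rule_key": "terms_of_use_required_platforms",
        "document_type": "terms_of_use",
        "title": "Nutzungsbedingungen",
        "classification": "required",
        "conditions": {"kind": "any", "clauses": [
            {"field": "prod_ugc_platform", "op": "eq", "value": "yes"},
            {"field": "org_business_model", "op": "in", "value": ["platform", "marketplace", "social", "saas"]},
        ]},
        "rationale": "Plattform-/SaaS-Geschäft braucht klare Nutzungsregeln.",
    },
    {
        "rule_key": "media_content_policy_recommended",
        "document_type": "media_content_policy",
        "title": "Medien-/Content-Policy",
        "classification": "recommended",
        "conditions": {"kind": "all", "clauses": [
            {"field": "org_business_model", "op": "in", "value": ["platform", "media"]},
        ]},
        "rationale": "Empfehlenswert für Media-/Plattform-Geschäftsmodelle.",
    },
    {
        "rule_key": "widerruf_required_webshop",
        "document_type": "widerruf",
        "title": "Widerrufsbelehrung",
        "classification": "required",
        # ``neq "no"``: fires for every value other than an explicit "no" — see the
        # module docstring on what that means for an unanswered question.
        "conditions": {"kind": "all", "clauses": [
            {"field": "prod_webshop", "op": "neq", "value": "no"},
        ]},
        "rationale": "§§ 312g, 355 BGB bei Fernabsatzverträgen B2C.",
    },
    {
        "rule_key": "consent_texts_recommended_with_consent_mgmt",
        "document_type": "consent_texts",
        "title": "Einwilligungstexte (Double-Opt-In)",
        "classification": "recommended",
        "conditions": {"kind": "all", "clauses": [
            {"field": "prod_consent_management", "op": "neq", "value": "no"},
        ]},
        "rationale": "§ 7 UWG + Art. 7 DSGVO.",
    },
    # --- Unconditional ("always required") -------------------------------
    # Empty ``all`` clause list = always matches (see module docstring).
    {
        "rule_key": "impressum_always_required",
        "document_type": "impressum",
        "title": "Impressum",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": []},
        # NOTE(review): § 5 TMG was replaced by § 5 DDG in May 2024 (the cookie rule
        # below already cites the post-2024 TDDDG) — rationale likely stale; confirm.
        "rationale": "§ 5 TMG / § 18 MStV — gilt für jedes Telemedienangebot.",
    },
    {
        "rule_key": "cookie_policy_always_required",
        "document_type": "cookie_policy",
        "title": "Cookie-Richtlinie",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": []},
        "rationale": "§ 25 TDDDG + Art. 5 (3) ePrivacy.",
    },
    {
        "rule_key": "privacy_policy_always_required",
        "document_type": "privacy_policy",
        "title": "Datenschutzerklärung",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": []},
        "rationale": "Art. 13 DSGVO — gilt für jede Verarbeitung.",
    },
    # --- Core GDPR documentation -----------------------------------------
    {
        "rule_key": "data_protection_policy_required_l2plus",
        "document_type": "data_protection_policy",
        "title": "Datenschutzleitlinie",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": [_level_clause("L2", "L3", "L4")]},
        "rationale": "Interne Leitlinie ab Standard-Compliance-Tiefe.",
    },
    {
        "rule_key": "dsfa_required_when_flagged",
        "document_type": "dsfa",
        "title": "Datenschutz-Folgenabschätzung (DSFA)",
        "classification": "required",
        "conditions": {"kind": "any", "clauses": [
            {"field": "proc_dsfa_required", "op": "eq", "value": "yes"},
            {"field": "comp_dsfa_processes", "op": "eq", "value": "required"},
        ]},
        "rationale": "Art. 35 DSGVO + DSK Muss-Liste.",
    },
    {
        "rule_key": "dpa_required_with_processors",
        "document_type": "dpa",
        "title": "Auftragsverarbeitungsvertrag (AVV)",
        "classification": "required",
        # Both clauses are ``neq "no"`` — an unanswered processor question makes
        # the AVV required (conservative; see module docstring).
        "conditions": {"kind": "any", "clauses": [
            {"field": "comp_has_processors", "op": "neq", "value": "no"},
            {"field": "comp_vendor_management", "op": "neq", "value": "no"},
        ]},
        "rationale": "Art. 28 DSGVO.",
    },
    {
        "rule_key": "vvt_required_l2plus",
        "document_type": "vvt_register",
        "title": "Verzeichnis von Verarbeitungstätigkeiten (VVT)",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": [_level_clause("L2", "L3", "L4")]},
        # Fixed: the exemption is Art. 30(5) GDPR — the string cited "§ 30 Abs. 5",
        # which is inconsistent with the "Art. 30 DSGVO" it opens with.
        "rationale": "Art. 30 DSGVO — Pflicht außer Ausnahmen Art. 30 Abs. 5.",
    },
    {
        "rule_key": "tom_required_l2plus",
        "document_type": "tom_documentation",
        "title": "Technisch-Organisatorische Maßnahmen (TOM)",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": [_level_clause("L2", "L3", "L4")]},
        "rationale": "Art. 32 DSGVO Nachweispflicht.",
    },
    {
        "rule_key": "loeschkonzept_required_l2plus",
        "document_type": "loeschkonzept",
        "title": "Löschkonzept",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": [_level_clause("L2", "L3", "L4")]},
        "rationale": "Art. 5 (1) e + Art. 17 DSGVO.",
    },
    {
        "rule_key": "tia_required_third_country",
        "document_type": "transfer_impact_assessment",
        "title": "Transfer Impact Assessment (TIA)",
        "classification": "required",
        # ``not_in``: any third-country answer other than the three listed "safe"
        # values (no transfer / DPF-only / adequacy-only) triggers a TIA.
        "conditions": {"kind": "all", "clauses": [
            {"field": "tech_third_country", "op": "not_in", "value": ["no", "us_dpf_only", "adequate_only"]},
        ]},
        "rationale": "EuGH C-311/18 (Schrems II) + EDSA-Empfehlungen 01/2020.",
    },
    # --- Certification / governance ---------------------------------------
    {
        "rule_key": "isms_required_when_certifying",
        "document_type": "isms_manual",
        "title": "ISMS-Handbuch",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": [
            {"field": "org_cert_target", "op": "in", "value": ["iso27001", "iso27701", "tisax"]},
        ]},
        "rationale": "ISO 27001 / TISAX VDA-ISA Pflichtdokumentation.",
    },
    {
        "rule_key": "vendor_risk_recommended",
        "document_type": "vendor_risk_management_policy",
        "title": "Lieferantenrisiko-Management",
        "classification": "recommended",
        "conditions": {"kind": "any", "clauses": [
            {"field": "comp_vendor_management", "op": "neq", "value": "no"},
            {"field": "compliance_depth_level", "op": "eq", "value": "L4"},
        ]},
        "rationale": "Empfehlenswert bei aktivem Vendor-Management.",
    },
    {
        "rule_key": "bcm_required_l4",
        "document_type": "business_continuity_policy",
        "title": "Business-Continuity-Richtlinie",
        "classification": "required",
        "conditions": {"kind": "all", "clauses": [
            {"field": "compliance_depth_level", "op": "eq", "value": "L4"},
        ]},
        "rationale": "BSI 200-4 / ISO 22301 für Zertifizierungsstufe.",
    },
]

# Keys every rule must carry; anything else is a typo the seed script would
# otherwise only discover at insert time.
_REQUIRED_RULE_KEYS: frozenset[str] = frozenset(
    {"rule_key", "document_type", "title", "classification", "conditions", "rationale"}
)


def _validate_seed_rules(rules: list[dict[str, Any]]) -> None:
    """Fail fast on a malformed seed list.

    Checks that every entry carries exactly the expected keys and that no
    ``rule_key`` is repeated. A duplicate key would make an upsert-by-key seed
    silently keep only one of the two rules (or abort on a unique constraint
    half-way through), so it is better caught at import.

    Raises:
        ValueError: listing the offending rule(s).
    """
    problems: list[str] = []
    for index, rule in enumerate(rules):
        extra = set(rule) - _REQUIRED_RULE_KEYS
        missing = _REQUIRED_RULE_KEYS - set(rule)
        if extra or missing:
            problems.append(
                f"rule #{index} ({rule.get('rule_key', '?')}): "
                f"missing={sorted(missing)} unexpected={sorted(extra)}"
            )
    keys = [rule.get("rule_key") for rule in rules]
    duplicates = sorted({k for k in keys if keys.count(k) > 1}, key=str)
    if duplicates:
        problems.append(f"duplicate rule_key(s): {duplicates}")
    if problems:
        raise ValueError("SEED_RULES is malformed: " + "; ".join(problems))


_validate_seed_rules(SEED_RULES)

__all__ = ["SEED_RULES"]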