Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
060f351da7f60faf024daaa7e556cabe1fb8c48d
breakpilot-compliance/backend-compliance/compliance/services/dsr_art11_service.py
T
Benjamin Admin 060f351da7 feat: Art. 11 DSGVO — reject DSR when data subject not identifiable 
- New DSRArt11Service: handles rejection with proper legal basis,
  automated email notification to requester explaining Art. 11
- POST /dsr/{id}/reject-art11 endpoint
- ActionButtons.tsx: "Nicht identifizierbar (Art. 11)" button
  shown when identity is not yet verified
- Also fixes: DSR export type-cast rollback handling

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-03 23:30:18 +02:00

108 lines
4.6 KiB
Python
Raw Blame History

"""
DSR Art. 11 Service — handles "data subject not identifiable" rejections.
Art. 11 Abs. 1 DSGVO: If the controller is unable to identify the data
subject, it is not obligated to obtain additional information solely to
comply with Art. 15-20 requests.
Common scenario: Website visitor requests access, but only anonymous
cookies/IP-hashes are stored — no way to link to a person.
"""
import logging
from datetime import datetime, timezone
from typing import Any, Dict
from sqlalchemy.orm import Session
from compliance.domain import ValidationError
logger = logging.getLogger(__name__)
class DSRArt11Service:
"""Handles Art. 11 DSGVO rejections for non-identifiable data subjects."""
def __init__(self, db: Session) -> None:
self._db = db
def reject_not_identifiable(
self, dsr_id: str, tenant_id: str, notes: str = "",
) -> Dict[str, Any]:
"""Reject DSR because data subject cannot be identified."""
from compliance.db.dsr_models import DSRRequestDB
from compliance.services.dsr_workflow_service import _dsr_to_dict, _record_history
dsr = (
self._db.query(DSRRequestDB)
.filter(DSRRequestDB.id == dsr_id, DSRRequestDB.tenant_id == tenant_id)
.first()
)
if not dsr:
raise ValidationError("DSR not found")
if dsr.status in ("completed", "rejected", "cancelled"):
raise ValidationError("DSR already closed")
now = datetime.now(timezone.utc)
reason = (
"Die bei uns gespeicherten Daten (anonymisierte Cookies, IP-Hashes, "
"Device-Fingerprints) erlauben keine Identifikation der betroffenen Person. "
"Gemaess Art. 11 Abs. 1 DSGVO sind wir nicht verpflichtet, zusaetzliche "
"Informationen zu erheben, um die betroffene Person zu identifizieren."
)
if notes:
reason += f" Ergaenzung: {notes}"
_record_history(self._db, dsr, "rejected",
comment="Art. 11 DSGVO — Identifikation nicht moeglich")
dsr.status = "rejected"
dsr.rejection_reason = reason
dsr.rejection_legal_basis = "Art. 11 Abs. 1 DSGVO"
dsr.identity_verified = False
dsr.verification_method = "art11_not_identifiable"
dsr.verification_notes = "Daten erlauben keine Identifikation der betroffenen Person"
dsr.completed_at = now
dsr.updated_at = now
self._db.commit()
self._db.refresh(dsr)
# Send rejection notification
self._send_art11_notification(dsr)
return _dsr_to_dict(dsr)
def _send_art11_notification(self, dsr: Any) -> None:
if not dsr.requester_email:
return
try:
from compliance.services.smtp_sender import send_email
send_email(
recipient=dsr.requester_email,
subject=f"Zu Ihrer Anfrage {dsr.request_number} — Art. 11 DSGVO",
body_html=f"""
<div style="font-family:system-ui,sans-serif;max-width:600px;margin:0 auto;">
<div style="background:#6b7280;color:white;padding:20px 24px;border-radius:12px 12px 0 0;">
<h1 style="margin:0;font-size:20px;">Mitteilung zu Ihrer Anfrage</h1>
</div>
<div style="background:white;padding:24px;border:1px solid #e5e7eb;border-top:none;border-radius:0 0 12px 12px;">
<p>Sehr geehrte/r Antragsteller/in,</p>
<p>wir haben Ihre Anfrage ({dsr.request_number}) gemaess Art. 15 DSGVO
erhalten und geprueft.</p>
<p>Leider koennen wir die bei uns gespeicherten Daten (anonymisierte
Cookies, IP-Hashes) <strong>keiner identifizierbaren Person zuordnen</strong>.</p>
<p>Gemaess <strong>Art. 11 Abs. 1 DSGVO</strong> sind wir nicht verpflichtet,
zusaetzliche Informationen zu erheben, um Sie zu identifizieren.
Eine Auskunftserteilung ist daher nicht moeglich.</p>
<p>Sollten Sie ueber ein Kundenkonto bei uns verfuegen, koennen Sie
die Anfrage unter Angabe Ihrer Kundennummer erneut einreichen.</p>
<p style="margin-top:24px;color:#6b7280;font-size:12px;">
Mit freundlichen Gruessen<br>
<strong>Datenschutzbeauftragter</strong>
</p>
</div>
</div>
""",
)
except Exception as e:
logger.warning("Art. 11 notification failed: %s", e)
Reference in New Issue View Git Blame Copy Permalink