Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ef8eead513e9ce2c87508a0496883693ff096a1a
breakpilot-compliance/admin-compliance/lib/sdk/vendor-compliance/adequacy-decisions.ts
T
Benjamin Admin ef8eead513 feat: Adequacy decisions, DPF check, customer guidance for transfers 
New: adequacy-decisions.ts
- Complete list of 15 countries with EU adequacy decisions (Art. 45)
- EU/EEA country set (30 countries)
- getTransferRequirement() — determines SCC/TIA/certification needs
  per country code with human-readable explanations
- US special handling: DPF certification required, check URL included

Updated: transfers/page.tsx
- "Was muss ich tun?" explanation section with 3 options:
  1. Adequacy decision (green) — no action needed
  2. DPF certification (blue, US only) — check dataprivacyframework.gov
  3. SCC + TIA required (amber) — link to Document Generator
- Collapsible adequacy countries table (15 countries with restrictions)
- Schrems II background explanation for customers
- Customer guidance written for non-experts who never heard of TIA/SCC

Updated: templateRecommendations.ts
- SCC+TIA rules now consider DPF certification and adequacy status
- us_dpf_only → SCC/TIA optional (not required)
- adequate_only → SCC/TIA not recommended

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-01 12:57:54 +02:00

131 lines
5.1 KiB
TypeScript
Raw Blame History

/**
* EU-Angemessenheitsbeschluesse (Art. 45 DSGVO)
*
* Laender mit Angemessenheitsbeschluss benoetigen KEINE SCC und KEIN TIA
* fuer Datenuebermittlungen. Die Liste wird von der EU-Kommission gefuehrt.
*
* WICHTIG: USA hat Sonderstatus — Angemessenheit gilt NUR fuer Unternehmen,
* die nach dem EU-US Data Privacy Framework (DPF) zertifiziert sind.
* Nicht-zertifizierte US-Unternehmen brauchen weiterhin SCC + TIA.
*
* Quelle: https://commission.europa.eu/law/law-topic/data-protection/
* international-dimension-data-protection/adequacy-decisions_en
*/
export interface AdequacyDecision {
/** ISO 3166-1 alpha-2 Laendercode */
countryCode: string
/** Laendername (deutsch) */
countryName: string
/** Jahr des Angemessenheitsbeschlusses */
since: number
/** Einschraenkungen (z.B. nur bestimmte Sektoren) */
restriction?: string
/** Befristet? */
expires?: string
/** Sonderstatus (z.B. DPF-Zertifizierung erforderlich) */
requiresCertification?: boolean
/** Name der erforderlichen Zertifizierung */
certificationName?: string
/** Pruef-URL fuer die Zertifizierung */
certificationCheckUrl?: string
}
/**
* Vollstaendige Liste der Laender mit EU-Angemessenheitsbeschluss.
* Stand: Mai 2026
*/
export const ADEQUACY_DECISIONS: AdequacyDecision[] = [
{ countryCode: 'AD', countryName: 'Andorra', since: 2010 },
{ countryCode: 'AR', countryName: 'Argentinien', since: 2003 },
{ countryCode: 'FO', countryName: 'Faeroeer-Inseln', since: 2010 },
{ countryCode: 'GG', countryName: 'Guernsey', since: 2003 },
{ countryCode: 'IM', countryName: 'Isle of Man', since: 2004 },
{ countryCode: 'IL', countryName: 'Israel', since: 2011 },
{ countryCode: 'JP', countryName: 'Japan', since: 2019 },
{ countryCode: 'JE', countryName: 'Jersey', since: 2008 },
{
countryCode: 'CA', countryName: 'Kanada', since: 2001,
restriction: 'Nur Unternehmen, die dem Personal Information Protection and Electronic Documents Act (PIPEDA) unterliegen',
},
{ countryCode: 'NZ', countryName: 'Neuseeland', since: 2012 },
{ countryCode: 'KR', countryName: 'Republik Korea (Suedkorea)', since: 2022 },
{ countryCode: 'CH', countryName: 'Schweiz', since: 2000 },
{
countryCode: 'GB', countryName: 'Vereinigtes Koenigreich (UK)', since: 2021,
expires: 'Befristet, verlaengert bis 2029',
},
{ countryCode: 'UY', countryName: 'Uruguay', since: 2012 },
{
countryCode: 'US', countryName: 'Vereinigte Staaten (USA)', since: 2023,
restriction: 'Nur Unternehmen, die nach dem EU-US Data Privacy Framework (DPF) zertifiziert sind',
requiresCertification: true,
certificationName: 'EU-US Data Privacy Framework (DPF)',
certificationCheckUrl: 'https://www.dataprivacyframework.gov/list',
},
]
/** Set der EU/EWR-Laender (kein Angemessenheitsbeschluss noetig) */
export const EU_EEA_COUNTRIES = new Set([
'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR',
'DE', 'GR', 'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL',
'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE',
// EWR (nicht EU, aber gleicher Datenschutzraum)
'IS', 'LI', 'NO',
])
/** Set der Laendercodes mit Angemessenheitsbeschluss */
export const ADEQUATE_COUNTRIES = new Set(
ADEQUACY_DECISIONS.map((d) => d.countryCode)
)
/**
* Prueft ob ein Land einen Angemessenheitsbeschluss hat.
* Gibt das Decision-Objekt zurueck oder null.
*/
export function getAdequacyDecision(countryCode: string): AdequacyDecision | null {
return ADEQUACY_DECISIONS.find((d) => d.countryCode === countryCode) || null
}
/**
* Bestimmt den Transfer-Status fuer ein Land.
*/
export function getTransferRequirement(countryCode: string): {
isEU: boolean
isAdequate: boolean
requiresSCC: boolean
requiresTIA: boolean
requiresCertification: boolean
explanation: string
} {
if (EU_EEA_COUNTRIES.has(countryCode)) {
return {
isEU: true, isAdequate: true,
requiresSCC: false, requiresTIA: false, requiresCertification: false,
explanation: 'EU-/EWR-Mitgliedstaat — keine zusaetzlichen Massnahmen erforderlich.',
}
}
const decision = getAdequacyDecision(countryCode)
if (decision) {
if (decision.requiresCertification) {
return {
isEU: false, isAdequate: true,
requiresSCC: false, requiresTIA: false, requiresCertification: true,
explanation: `Angemessenheitsbeschluss seit ${decision.since}. ${decision.restriction || ''} Pruefung der Zertifizierung unter: ${decision.certificationCheckUrl || ''}`,
}
}
return {
isEU: false, isAdequate: true,
requiresSCC: false, requiresTIA: false, requiresCertification: false,
explanation: `Angemessenheitsbeschluss der EU-Kommission seit ${decision.since}.${decision.restriction ? ` Einschraenkung: ${decision.restriction}` : ''}${decision.expires ? ` (${decision.expires})` : ''}`,
}
}
return {
isEU: false, isAdequate: false,
requiresSCC: true, requiresTIA: true, requiresCertification: false,
explanation: 'Kein Angemessenheitsbeschluss — EU-Standardvertragsklauseln (SCC) und Transfer Impact Assessment (TIA) erforderlich (Art. 46 Abs. 2 lit. c DSGVO, EuGH Schrems II).',
}
}
Reference in New Issue View Git Blame Copy Permalink