gdpr-dsgvo-expert

# GDPR/DSGVO Expert
Tools and guidance for EU General Data Protection Regulation (GDPR) and German Bundesdatenschutzgesetz (BDSG) compliance.
## Tools
### GDPR Compliance Checker
Scans codebases for potential GDPR compliance issues, including personal data patterns and risky code practices.

```bash
# Scan a project directory
python scripts/gdpr_compliance_checker.py /path/to/project

# JSON output for CI/CD integration
python scripts/gdpr_compliance_checker.py . --json --output report.json
```
**Detects:**
- Personal data patterns (email, phone, IP addresses)
- Special category data (health, biometric, religion)
- Financial data (credit cards, IBAN)
- Risky code patterns:
  - Logging personal data
  - Missing consent mechanisms
  - Indefinite data retention
  - Unencrypted sensitive data
  - Disabled deletion functionality

**Output:**
- Compliance score (0-100)
- Risk categorization (critical, high, medium)
- Prioritized recommendations with GDPR article references
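To make the detection approach concrete, the following is an added example in Python; it is not the project's `gdpr_compliance_checker.py`. It shows how personal-data literals (email, IP, IBAN, card numbers validated with a Luhn check), a "logging call on the same line as a personal-data field" heuristic and a storage-limitation heuristic can be found with regexes, and how findings roll up into a weighted score and a prioritised list. The severities, weights, article references and the sample source lines are assumptions constructed for illustration.

```python
"""Source scanner sketch for the kinds of findings listed above.

Added example, not the project's gdpr_compliance_checker.py. Severities,
weights, article references and the sample source are constructed for
illustration and are not taken from the real tool.
"""
import re
from dataclasses import dataclass

# Personal-data literals that should not normally appear in source code.
DATA_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d{7,15}\b"),                 # E.164-style numbers only
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),        # confirmed with Luhn below
}

# Risky code patterns (line-level heuristics, not a parser).
LOG_CALL = re.compile(r"\b(?:logger|logging|log|console)\.\w+\(|\bprint\(")
PII_FIELD = re.compile(r"(?i)\b(?:e-?mail|phone|ssn|iban|address|passport|birth\w*)\b")
RETENTION_OFF = re.compile(r"(?i)\b(?:retention|ttl|expir\w*)\w*\s*=\s*(?:None|null|0|-1|False)\b")

# Assumed severity and GDPR article per finding type.
SEVERITY = {
    "email": ("medium", "Art. 5(1)(c) data minimisation"),
    "phone": ("medium", "Art. 5(1)(c) data minimisation"),
    "ipv4": ("medium", "Art. 4(1), Recital 30: online identifiers"),
    "iban": ("high", "Art. 32 security of processing"),
    "card": ("high", "Art. 32 security of processing"),
    "logging_personal_data": ("critical", "Art. 5(1)(c), Art. 32"),
    "indefinite_retention": ("high", "Art. 5(1)(e) storage limitation"),
}
WEIGHT = {"critical": 25, "high": 15, "medium": 5}   # score deduction per finding
RANK = {"critical": 0, "high": 1, "medium": 2}       # sort order for recommendations


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    severity: str
    article: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out 13-19 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_lines(lines):
    """Return findings for a list of source lines (1-based line numbers)."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for name, pattern in DATA_PATTERNS.items():
            for match in pattern.finditer(line):
                if name == "card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                    continue  # digit run that is not a valid card number
                findings.append(Finding(no, name, *SEVERITY[name]))
        if LOG_CALL.search(line) and PII_FIELD.search(line):
            findings.append(Finding(no, "logging_personal_data", *SEVERITY["logging_personal_data"]))
        if RETENTION_OFF.search(line):
            findings.append(Finding(no, "indefinite_retention", *SEVERITY["indefinite_retention"]))
    return findings


def compliance_score(findings) -> int:
    """100 minus weighted deductions, floored at 0 (assumed scoring model)."""
    return max(0, 100 - sum(WEIGHT[f.severity] for f in findings))


def prioritized(findings):
    """Critical first, then high, then medium; ties broken by line number."""
    return sorted(findings, key=lambda f: (RANK[f.severity], f.line_no))


# Constructed sample source, not from any real project.
SAMPLE_SOURCE = [
    'DEFAULT_ADMIN = "admin@example.com"',
    'logger.info("login %s from %s", user.email, request.remote_addr)',
    'TEST_CARD = "4111 1111 1111 1111"',
    'RETENTION_DAYS = None  # keep forever',
    'host = "10.0.0.1"',
]

if __name__ == "__main__":
    found = scan_lines(SAMPLE_SOURCE)
    print(f"compliance score: {compliance_score(found)}/100")
    for f in prioritized(found):
        print(f"[{f.severity:8}] line {f.line_no}: {f.category} ({f.article})")
```

On the constructed sample the scanner reports five findings and a score of 35; the Luhn check is what keeps arbitrary 13-digit constants (build numbers, timestamps) out of the card-number category.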
---

### DPIA Generator
Generates Data Protection Impact Assessment documentation following Art. 35 requirements.

```bash
# Get input template
python scripts/dpia_generator.py --template > input.json

# Generate DPIA report
python scripts/dpia_generator.py --input input.json --output dpia_report.md
```
**Features:**
- Automatic DPIA threshold assessment
- Risk identification based on processing characteristics
- Legal basis requirements documentation
- Mitigation recommendations
- Markdown report generation
**DPIA Triggers Assessed:**
- Systematic monitoring (Art. 35(3)(c))
- Large-scale special category data (Art. 35(3)(b))
- Automated decision-making (Art. 35(3)(a))
- WP29 high-risk criteria
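As an added illustration of the threshold assessment (not the project's `dpia_generator.py`), the Python below encodes the three Art. 35(3) triggers listed above together with the WP29 rule of thumb from Guidelines WP248 rev.01 that processing meeting two or more of the nine high-risk criteria will in most cases require a DPIA. The criterion keys, the simplified mapping from criteria to Art. 35(3) triggers and the sample activities are assumptions constructed for this example.

```python
"""DPIA threshold assessment, as an added example.

Not the project's dpia_generator.py. Criterion keys, the simplified mapping
onto Art. 35(3) and the sample activities are assumptions for illustration.
"""
from dataclasses import dataclass, field

# The nine WP29 high-risk criteria (WP248 rev.01), keyed for use in code.
WP29_CRITERIA = {
    "evaluation_or_scoring": "evaluation or scoring, including profiling and predicting",
    "automated_decisions_legal_effect": "automated decisions with legal or similarly significant effect",
    "systematic_monitoring": "systematic monitoring of data subjects",
    "sensitive_data": "sensitive data or data of a highly personal nature",
    "large_scale": "data processed on a large scale",
    "matching_datasets": "matching or combining datasets",
    "vulnerable_subjects": "data concerning vulnerable data subjects (e.g. employees, children)",
    "innovative_technology": "innovative use or application of new technological or organisational solutions",
    "prevents_rights_or_service": "processing that prevents exercising a right or using a service or contract",
}


@dataclass
class ProcessingActivity:
    name: str
    criteria: set = field(default_factory=set)   # WP29 criteria the activity meets
    publicly_accessible_area: bool = False      # needed for the Art. 35(3)(c) trigger


@dataclass
class DPIAAssessment:
    required: bool
    mandatory_triggers: list   # Art. 35(3) triggers hit (DPIA always required)
    wp29_criteria_met: list    # sorted criterion keys


def assess_dpia(activity: ProcessingActivity) -> DPIAAssessment:
    unknown = activity.criteria - set(WP29_CRITERIA)
    if unknown:
        raise ValueError(f"unknown WP29 criteria: {sorted(unknown)}")
    c = activity.criteria
    triggers = []
    # Art. 35(3)(a): systematic, extensive automated evaluation producing
    # legal or similarly significant effects (simplified: scoring + automated decisions).
    if "evaluation_or_scoring" in c and "automated_decisions_legal_effect" in c:
        triggers.append("Art. 35(3)(a) automated decision-making")
    # Art. 35(3)(b): large-scale processing of special category (Art. 9) or Art. 10 data.
    if "sensitive_data" in c and "large_scale" in c:
        triggers.append("Art. 35(3)(b) large-scale special category data")
    # Art. 35(3)(c): systematic, large-scale monitoring of a publicly accessible area.
    if "systematic_monitoring" in c and "large_scale" in c and activity.publicly_accessible_area:
        triggers.append("Art. 35(3)(c) systematic monitoring")
    met = sorted(c)
    # WP29 rule of thumb: two or more criteria usually means a DPIA is required.
    required = bool(triggers) or len(met) >= 2
    return DPIAAssessment(required, triggers, met)


# Constructed sample activities.
SAMPLE_ACTIVITIES = [
    ProcessingActivity("newsletter sign-up", {"large_scale"}),
    ProcessingActivity("employee productivity analytics",
                       {"evaluation_or_scoring", "vulnerable_subjects", "systematic_monitoring"}),
    ProcessingActivity("shop-floor CCTV", {"systematic_monitoring", "large_scale"},
                       publicly_accessible_area=True),
]

if __name__ == "__main__":
    for activity in SAMPLE_ACTIVITIES:
        result = assess_dpia(activity)
        print(f"{activity.name}: DPIA required={result.required}; "
              f"triggers={result.mandatory_triggers}; criteria={result.wp29_criteria_met}")
```

The newsletter activity meets a single criterion and needs no DPIA; the employee analytics case hits no Art. 35(3) trigger but three WP29 criteria, so the rule of thumb still calls for one; the CCTV case is mandatory under Art. 35(3)(c).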
---

### Data Subject Rights Tracker
Manages data subject rights requests under GDPR Articles 15-22.

```bash
# Add new request
python scripts/data_subject_rights_tracker.py add \
    --type access --subject "John Doe" --email "john@example.com"

# List all requests
python scripts/data_subject_rights_tracker.py list

# Update status
python scripts/data_subject_rights_tracker.py status --id DSR-202601-0001 --update verified

# Generate compliance report
python scripts/data_subject_rights_tracker.py report --output compliance.json

# Generate response template
python scripts/data_subject_rights_tracker.py template --id DSR-202601-0001
```
**Supported Rights:**
| Right | Article | Deadline |
|-------|---------|----------|
| Access | Art. 15 | 30 days |
| Rectification | Art. 16 | 30 days |
| Erasure | Art. 17 | 30 days |
| Restriction | Art. 18 | 30 days |
| Portability | Art. 20 | 30 days |
| Objection | Art. 21 | 30 days |
| Automated decisions | Art. 22 | 30 days |
**Features:**
- Deadline tracking with overdue alerts
- Identity verification workflow
- Response template generation
- Compliance reporting
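The deadline tracking and identity-verification workflow can be modelled in a few lines; the Python below is an added example, not the project's `data_subject_rights_tracker.py`. It uses the 30-day deadline stated in this guide, the extension to 90 days for complex requests, the status names from Workflow 2 (`verified`, `in_progress`, `completed`) and an id format of `DSR-YYYYMM-NNNN` that mirrors the example id above; the id format, the allowed status transitions and the sample requests are assumptions about the real tool.

```python
"""Deadline and status tracking for data subject requests, as an added example.

Not the project's data_subject_rights_tracker.py. The id format, the allowed
status transitions and the sample requests are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

RIGHT_ARTICLES = {
    "access": "Art. 15", "rectification": "Art. 16", "erasure": "Art. 17",
    "restriction": "Art. 18", "portability": "Art. 20", "objection": "Art. 21",
    "automated_decisions": "Art. 22",
}
STANDARD_DEADLINE_DAYS = 30   # as used throughout this guide
EXTENDED_DEADLINE_DAYS = 90   # complex requests

# Allowed status transitions (assumed workflow): no data is gathered or
# released before the requester's identity has been verified.
TRANSITIONS = {
    "received": {"verified"},
    "verified": {"in_progress"},
    "in_progress": {"completed"},
    "completed": set(),
}


@dataclass
class DSRequest:
    request_id: str
    right: str
    subject: str
    received: date
    status: str = "received"
    extended: bool = False
    history: list = field(default_factory=list)  # (date, old_status, new_status)


def make_request_id(received: date, seq: int) -> str:
    """Assumed id format mirroring the example id DSR-202601-0001."""
    return f"DSR-{received:%Y%m}-{seq:04d}"


def new_request(right: str, subject: str, received: date, seq: int) -> DSRequest:
    if right not in RIGHT_ARTICLES:
        raise ValueError(f"unknown right: {right}")
    return DSRequest(make_request_id(received, seq), right, subject, received)


def due_date(req: DSRequest) -> date:
    days = EXTENDED_DEADLINE_DAYS if req.extended else STANDARD_DEADLINE_DAYS
    return req.received + timedelta(days=days)


def is_open(req: DSRequest) -> bool:
    return req.status != "completed"


def is_overdue(req: DSRequest, today: date) -> bool:
    return is_open(req) and today > due_date(req)


def can_advance(req: DSRequest, new_status: str) -> bool:
    return new_status in TRANSITIONS[req.status]


def advance(req: DSRequest, new_status: str, today: date) -> None:
    if not can_advance(req, new_status):
        raise ValueError(f"{req.request_id}: {req.status} -> {new_status} not allowed")
    req.history.append((today, req.status, new_status))
    req.status = new_status


def extend(req: DSRequest, today: date) -> None:
    """Mark a request as complex; the extension must be decided (and the
    data subject informed) before the standard deadline has passed."""
    if req.extended or not is_open(req):
        raise ValueError(f"{req.request_id}: cannot be extended")
    if today > req.received + timedelta(days=STANDARD_DEADLINE_DAYS):
        raise ValueError(f"{req.request_id}: standard deadline already passed")
    req.extended = True


def overdue_alerts(requests, today: date) -> list:
    """Human-readable alerts for every open request past its due date."""
    return [
        f"{r.request_id} ({r.right}, {RIGHT_ARTICLES[r.right]}): "
        f"{(today - due_date(r)).days} days overdue"
        for r in requests if is_overdue(r, today)
    ]


if __name__ == "__main__":
    # Constructed sample requests.
    reqs = [new_request("access", "John Doe", date(2026, 1, 5), 1),
            new_request("erasure", "Jane Roe", date(2026, 1, 20), 2)]
    advance(reqs[0], "verified", date(2026, 1, 6))
    for alert in overdue_alerts(reqs, date(2026, 2, 25)):
        print(alert)
```

Keeping the transition table explicit means a request cannot be completed, or its data gathered, without passing through `verified` first, and the audit trail in `history` records who-did-what dates for the compliance report.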
---

## Reference Guides
### GDPR Compliance Guide

`references/gdpr_compliance_guide.md`

Comprehensive implementation guidance covering:
- Legal bases for processing (Art. 6)
- Special category requirements (Art. 9)
- Data subject rights implementation
- Accountability requirements (Art. 30)
- International transfers (Chapter V)
- Breach notification (Art. 33-34)
### German BDSG Requirements

`references/german_bdsg_requirements.md`

German-specific requirements including:
- DPO appointment threshold (§ 38 BDSG - 20+ employees)
- Employment data processing (§ 26 BDSG)
- Video surveillance rules (§ 4 BDSG)
- Credit scoring requirements (§ 31 BDSG)
- State data protection laws (Landesdatenschutzgesetze)
- Works council co-determination rights
### DPIA Methodology

`references/dpia_methodology.md`

Step-by-step DPIA process:
- Threshold assessment criteria
- WP29 high-risk indicators
- Risk assessment methodology
- Mitigation measure categories
- DPO and supervisory authority consultation
- Templates and checklists
## Workflows
### Workflow 1: New Processing Activity Assessment

```
Step 1: Run compliance checker on codebase
   → python scripts/gdpr_compliance_checker.py /path/to/code
Step 2: Review findings and compliance score
   → Address critical and high issues
Step 3: Determine if DPIA required
   → Check references/dpia_methodology.md threshold criteria
Step 4: If DPIA required, generate assessment
   → python scripts/dpia_generator.py --template > input.json
   → Fill in processing details
   → python scripts/dpia_generator.py --input input.json --output dpia.md
Step 5: Document in records of processing activities
```

### Workflow 2: Data Subject Request Handling
```
Step 1: Log request in tracker
   → python scripts/data_subject_rights_tracker.py add --type [type] ...
Step 2: Verify identity (proportionate measures)
   → python scripts/data_subject_rights_tracker.py status --id [ID] --update verified
Step 3: Gather data from systems
   → python scripts/data_subject_rights_tracker.py status --id [ID] --update in_progress
Step 4: Generate response
   → python scripts/data_subject_rights_tracker.py template --id [ID]
Step 5: Send response and complete
   → python scripts/data_subject_rights_tracker.py status --id [ID] --update completed
Step 6: Monitor compliance
   → python scripts/data_subject_rights_tracker.py report
```

### Workflow 3: German BDSG Compliance Check
```
Step 1: Determine if DPO required
   → 20+ employees processing personal data automatically
   → OR processing requires DPIA
   → OR business involves data transfer/market research
Step 2: If employees involved, review § 26 BDSG
   → Document legal basis for employee data
   → Check works council requirements
Step 3: If video surveillance, comply with § 4 BDSG
   → Install signage
   → Document necessity
   → Limit retention
Step 4: Register DPO with supervisory authority
   → See references/german_bdsg_requirements.md for authority list
```

## Key GDPR Concepts

### Legal Bases (Art. 6)
- Consent: Marketing, newsletters, analytics (must be freely given, specific, informed)
- Contract: Order fulfillment, service delivery
- Legal obligation: Tax records, employment law
- Legitimate interests: Fraud prevention, security (requires balancing test)
### Special Category Data (Art. 9)
Requires explicit consent or Art. 9(2) exception:
- Health data
- Biometric data
- Racial/ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Genetic data
- Sexual orientation
### Data Subject Rights
All rights must be fulfilled within 30 days (extendable to 90 for complex requests):
- Access: Provide copy of data and processing information
- Rectification: Correct inaccurate data
- Erasure: Delete data (with exceptions for legal obligations)
- Restriction: Limit processing while issues are resolved
- Portability: Provide data in machine-readable format
- Object: Stop processing based on legitimate interests
### German BDSG Additions
| Topic | BDSG Section | Key Requirement |
|---|---|---|
| DPO threshold | § 38 | 20+ employees = mandatory DPO |
| Employment | § 26 | Detailed employee data rules |
| Video | § 4 | Signage and proportionality |
| Scoring | § 31 | Explainable algorithms |