Back to Details

compliance-check

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

/compliance-check -- Compliance Review

/compliance-check -- 合规审查

If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.
Run a compliance check on a proposed action, product feature, marketing campaign, or business initiative.
Important: This command assists with legal workflows but does not provide legal advice. Compliance assessments should be reviewed by qualified legal professionals. Regulatory requirements change frequently; always verify current requirements with authoritative sources.
如果遇到不熟悉的占位符或需要查看已连接的工具,请参阅CONNECTORS.md
针对拟议的行动、产品功能、营销活动或业务计划开展合规检查。
重要提示:本命令仅用于协助法律工作流程,不提供法律建议。合规评估应由合格的法律专业人员进行复核。监管要求会频繁变更,请始终通过权威渠道核实当前要求。

Usage

使用方法

/compliance-check $ARGUMENTS
/compliance-check $ARGUMENTS

What I Need From You

我需要你提供的信息

Describe what you're planning to do. Examples:
  • "We want to launch a referral program with cash rewards"
  • "We're adding biometric authentication to our mobile app"
  • "We need to process EU customer data in our US data center"
  • "Marketing wants to use customer testimonials in ads"
描述你的计划内容。示例:
  • "我们想要推出带有现金奖励的推荐计划"
  • "我们要在移动应用中添加生物识别认证功能"
  • "我们需要在位于美国的数据中心处理欧盟客户的数据"
  • "营销团队希望在广告中使用客户推荐语"

Output

输出格式

markdown
undefined
markdown
undefined

Compliance Check: [Initiative]

合规检查:[拟议事项]

Summary

概述

[Quick assessment: Proceed / Proceed with conditions / Requires further review]
[快速评估结果:可推进 / 有条件推进 / 需要进一步审查]

Applicable Regulations and Policies

适用法规与政策

Regulation/PolicyRelevanceKey Requirements
[GDPR / CCPA / HIPAA / etc.][How it applies][What you need to do]
法规/政策相关性说明核心要求
[GDPR / CCPA / HIPAA 等][适用场景说明][需执行的操作]

Requirements

具体要求

#RequirementStatusAction Needed
1[Requirement][Met / Not Met / Unknown][What to do]
序号要求内容状态需执行操作
1[要求详情][已满足 / 未满足 / 未知][应对措施]

Risk Areas

风险领域

RiskSeverityMitigation
[Risk][High/Med/Low][How to address]
风险内容严重程度缓解措施
[风险描述][高/中/低][解决方法]

Recommended Actions

推荐行动

  1. [Most important action]
  2. [Second priority]
  3. [Third priority]
  1. [优先级最高的行动]
  2. [次优先级行动]
  3. [第三优先级行动]

Approvals Needed

所需审批

ApproverWhyStatus
[Person/Team][Reason][Pending]
审批方审批原因状态
[人员/团队][原因说明][待审批]

Further Review Recommended

建议进一步审查的领域

[Areas where outside counsel or specialist review is advised]
undefined
[建议由外部法律顾问或专业人员审查的领域]
undefined

Privacy Regulation Overview

隐私法规概述

GDPR (General Data Protection Regulation)

GDPR(通用数据保护条例)

Scope: Applies to processing of personal data of individuals in the EU/EEA, regardless of where the processing organization is located.
Key Obligations for In-House Legal Teams:
  • Lawful basis: Identify and document lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation, vital interest, public task)
  • Data subject rights: Respond to access, rectification, erasure, portability, restriction, and objection requests within 30 days (extendable by 60 days for complex requests)
  • Data protection impact assessments (DPIAs): Required for processing likely to result in high risk to individuals
  • Breach notification: Notify supervisory authority within 72 hours of becoming aware of a personal data breach; notify affected individuals without undue delay if high risk
  • Records of processing: Maintain Article 30 records of processing activities
  • International transfers: Ensure appropriate safeguards for transfers outside EEA (SCCs, adequacy decisions, BCRs)
  • DPO requirement: Appoint a Data Protection Officer if required (public authority, large-scale processing of special categories, large-scale systematic monitoring)
Common In-House Legal Touchpoints:
  • Reviewing vendor DPAs for GDPR compliance
  • Advising product teams on privacy by design requirements
  • Responding to supervisory authority inquiries
  • Managing cross-border data transfer mechanisms
  • Reviewing consent mechanisms and privacy notices
适用范围:适用于处理欧盟/欧洲经济区个人数据的行为,无论处理组织位于何处。
企业法务团队的核心义务
  • 合法基础:确定并记录每项处理活动的合法基础(同意、合同、合法利益、法定义务、重大利益、公共任务)
  • 数据主体权利:在30天内响应访问、更正、删除、可携带性、限制处理和反对请求(复杂请求可延长60天)
  • 数据保护影响评估(DPIA):对于可能对个人造成高风险的处理活动,必须开展评估
  • ** breach通知**:发现个人数据泄露后,需在72小时内通知监管机构;若存在高风险,需毫不延迟地通知受影响个人
  • 处理记录:维护第30条规定的处理活动记录
  • 跨境传输:确保向欧洲经济区以外传输数据时具备适当保障措施(标准合同条款SCC、充分性认定、约束性公司规则BCR)
  • DPO任命要求:若符合条件(公共机构、大规模处理特殊类别数据、大规模系统性监控),必须任命数据保护官
企业法务常见对接场景
  • 审查供应商的DPA协议是否符合GDPR要求
  • 为产品团队提供隐私设计要求建议
  • 响应监管机构的问询
  • 管理跨境数据传输机制
  • 审查同意机制和隐私声明

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

CCPA / CPRA(加州消费者隐私法案 / 加州隐私权利法案)

Scope: Applies to businesses that collect personal information of California residents and meet revenue, data volume, or data sale thresholds.
Key Obligations:
  • Right to know: Consumers can request disclosure of personal information collected, used, and shared
  • Right to delete: Consumers can request deletion of their personal information
  • Right to opt-out: Consumers can opt out of the sale or sharing of personal information
  • Right to correct: Consumers can request correction of inaccurate personal information (CPRA addition)
  • Right to limit use of sensitive personal information: Consumers can limit use of sensitive PI to specific purposes (CPRA addition)
  • Non-discrimination: Cannot discriminate against consumers who exercise their rights
  • Privacy notice: Must provide a privacy notice at or before collection describing categories of PI collected and purposes
  • Service provider agreements: Contracts with service providers must restrict use of PI to the specified business purpose
Response Timelines:
  • Acknowledge receipt within 10 business days
  • Respond substantively within 45 calendar days (extendable by 45 days with notice)
适用范围:适用于收集加州居民个人信息,且满足收入、数据量或数据销售阈值的企业。
核心义务
  • 知情权:消费者可请求披露所收集、使用和共享的个人信息
  • 删除权:消费者可请求删除其个人信息
  • 退出权:消费者可选择退出个人信息的销售或共享
  • 更正权:消费者可请求更正不准确的个人信息(CPRA新增)
  • 限制敏感个人信息使用权:消费者可限制敏感个人信息仅用于特定目的(CPRA新增)
  • 非歧视:不得歧视行使权利的消费者
  • 隐私声明:必须在收集时或收集前提供隐私声明,说明收集的个人信息类别和用途
  • 服务提供商协议:与服务提供商的合同必须限制其仅为指定商业目的使用个人信息
响应时限
  • 10个工作日内确认收到请求
  • 45个日历日内作出实质性响应(可通知后延长45天)

Other Key Regulations to Monitor

需关注的其他重要法规

RegulationJurisdictionKey Differentiators
LGPD (Brazil)BrazilSimilar to GDPR; requires DPO appointment; National Data Protection Authority (ANPD) enforcement
POPIA (South Africa)South AfricaInformation Regulator oversight; required registration of processing
PIPEDA (Canada)Canada (federal)Consent-based framework; OPC oversight; being modernized
PDPA (Singapore)SingaporeDo Not Call registry; mandatory breach notification; PDPC enforcement
Privacy Act (Australia)AustraliaAustralian Privacy Principles (APPs); notifiable data breaches scheme
PIPL (China)ChinaStrict cross-border transfer rules; data localization requirements; CAC oversight
UK GDPRUnited KingdomPost-Brexit UK version; ICO oversight; similar to EU GDPR with UK-specific adequacy
法规司法管辖区核心差异
LGPD(巴西通用数据保护法)巴西与GDPR类似;要求任命DPO;由国家数据保护局ANPD执行监管
POPIA(南非保护个人信息法)南非由信息监管局监督;处理活动需注册
PIPEDA(加拿大个人信息保护与电子文档法)加拿大(联邦)基于同意的框架;由隐私专员办公室OPC监督;正在现代化修订
PDPA(新加坡个人数据保护法)新加坡设有禁止呼叫登记册;强制 breach通知;由个人数据保护委员会PDPC执行监管
Privacy Act(澳大利亚隐私法)澳大利亚包含澳大利亚隐私原则(APPs);设有可报告数据泄露计划
PIPL(中华人民共和国个人信息保护法)中国严格的跨境传输规则;数据本地化要求;由国家互联网信息办公室CAC监督
UK GDPR(英国通用数据保护条例)英国脱欧后的英国版本;由信息专员办公室ICO监督;与欧盟GDPR类似,带有英国特定的充分性认定

DPA Review Checklist

DPA协议审查清单

When reviewing a Data Processing Agreement or Data Processing Addendum, verify the following:
审查数据处理协议(DPA)或数据处理附录时,需核实以下内容:

Required Elements (GDPR Article 28)

必备要素(GDPR第28条)

  • Subject matter and duration: Clearly defined scope and term of processing
  • Nature and purpose: Specific description of what processing will occur and why
  • Type of personal data: Categories of personal data being processed
  • Categories of data subjects: Whose personal data is being processed
  • Controller obligations and rights: Controller's instructions and oversight rights
  • 标的与期限:明确界定处理的范围和期限
  • 性质与目的:具体说明将开展的处理活动及其目的
  • 个人数据类型:列出正在处理的个人数据类别
  • 数据主体类别:明确涉及哪些个人的数据
  • 控制方的义务与权利:控制方的指令和监督权利

Processor Obligations

处理方义务

  • Process only on documented instructions: Processor commits to process only per controller's instructions (with exception for legal requirements)
  • Confidentiality: Personnel authorized to process have committed to confidentiality
  • Security measures: Appropriate technical and organizational measures described (Article 32 reference)
  • Sub-processor requirements:
    • Written authorization requirement (general or specific)
    • If general authorization: notification of changes with opportunity to object
    • Sub-processors bound by same obligations via written agreement
    • Processor remains liable for sub-processor performance
  • Data subject rights assistance: Processor will assist controller in responding to data subject requests
  • Security and breach assistance: Processor will assist with security obligations, breach notification, DPIAs, and prior consultation
  • Deletion or return: On termination, delete or return all personal data (at controller's choice) and delete existing copies unless legal retention required
  • Audit rights: Controller has right to conduct audits and inspections (or accept third-party audit reports)
  • Breach notification: Processor will notify controller of personal data breaches without undue delay (ideally within 24-48 hours; must enable controller to meet 72-hour regulatory deadline)
  • 仅根据书面指令处理:处理方承诺仅根据控制方的指令进行处理(法律要求除外)
  • 保密性:授权处理的人员已承诺遵守保密义务
  • 安全措施:描述了适当的技术和组织措施(参考第32条)
  • 子处理方要求
    • 需书面授权(通用或特定授权)
    • 若为通用授权:需通知变更并提供反对机会
    • 子处理方需通过书面协议承担相同义务
    • 处理方对子处理方的履约情况承担责任
  • 协助数据主体权利:处理方将协助控制方响应数据主体请求
  • 安全与breach协助:处理方将协助履行安全义务、breach通知、DPIA和事前咨询
  • 删除或返还:终止协议时,需按控制方选择删除或返还所有个人数据,并删除现有副本(法律要求保留的除外)
  • 审计权利:控制方有权开展审计和检查(或接受第三方审计报告)
  • Breach通知:处理方需毫不延迟地通知控制方个人数据泄露事件(理想情况下24-48小时内;需确保控制方能满足72小时的监管通知期限)

International Transfers

跨境传输

  • Transfer mechanism identified: SCCs, adequacy decision, BCRs, or other valid mechanism
  • SCCs version: Using current EU SCCs (June 2021 version) if applicable
  • Correct module: Appropriate SCC module selected (C2P, C2C, P2P, P2C)
  • Transfer impact assessment: Completed if transferring to countries without adequacy decisions
  • Supplementary measures: Technical, organizational, or contractual measures to address gaps identified in transfer impact assessment
  • UK addendum: If UK personal data is in scope, UK International Data Transfer Addendum included
  • 已确定传输机制:使用SCC、充分性认定、BCR或其他有效机制
  • SCC版本:若适用,使用当前的欧盟SCC(2021年6月版本)
  • 正确模块:选择了适当的SCC模块(C2P、C2C、P2P、P2C)
  • 传输影响评估:若向无充分性认定的国家传输,已完成传输影响评估
  • 补充措施:已采取技术、组织或合同措施解决传输影响评估中发现的差距
  • 英国附录:若涉及英国个人数据,需包含英国国际数据传输附录

Practical Considerations

实际考量因素

  • Liability: DPA liability provisions align with (or don't conflict with) the main services agreement
  • Termination alignment: DPA term aligns with the services agreement
  • Data locations: Processing locations specified and acceptable
  • Security standards: Specific security standards or certifications required (SOC 2, ISO 27001, etc.)
  • Insurance: Adequate insurance coverage for data processing activities
  • 责任:DPA的责任条款与主服务协议一致(或不冲突)
  • 终止对齐:DPA的期限与服务协议一致
  • 数据处理地点:明确了处理地点且符合要求
  • 安全标准:要求特定的安全标准或认证(SOC 2、ISO 27001等)
  • 保险:具备足够的数据处理活动保险覆盖

Common DPA Issues

常见DPA问题

IssueRiskStandard Position
Blanket sub-processor authorization without notificationLoss of control over processing chainRequire notification with right to object
Breach notification timeline > 72 hoursMay prevent timely regulatory notificationRequire notification within 24-48 hours
No audit rights (or audit rights only via third-party reports)Cannot verify complianceAccept SOC 2 Type II + right to audit upon cause
Data deletion timeline not specifiedData retained indefinitelyRequire deletion within 30-90 days of termination
No data processing locations specifiedData could be processed anywhereRequire disclosure of processing locations
Outdated SCCsInvalid transfer mechanismRequire current EU SCCs (2021 version)
问题风险标准立场
无通知的 blanket子处理方授权失去对处理链的控制要求通知并保留反对权利
Breach通知时限>72小时可能无法及时向监管机构通知要求24-48小时内通知
无审计权利(或仅接受第三方审计报告)无法验证合规性接受SOC 2 Type II + 有合理理由时的审计权利
未指定数据删除时限数据可能被无限期保留要求终止后30-90天内删除
未指定数据处理地点数据可能在任意地点处理要求披露处理地点
使用过时的SCC传输机制无效要求使用当前的欧盟SCC(2021版本)

Data Subject Request Handling

数据主体请求处理

Request Intake

请求接收

When a data subject request is received:
  1. Identify the request type:
    • Access (copy of personal data)
    • Rectification (correction of inaccurate data)
    • Erasure / deletion ("right to be forgotten")
    • Restriction of processing
    • Data portability (structured, machine-readable format)
    • Objection to processing
    • Opt-out of sale/sharing (CCPA/CPRA)
    • Limit use of sensitive personal information (CPRA)
  2. Identify applicable regulation(s):
    • Where is the data subject located?
    • Which laws apply based on your organization's presence and activities?
    • What are the specific requirements and timelines?
  3. Verify identity:
    • Confirm the requester is who they claim to be
    • Use reasonable verification measures proportionate to the sensitivity of the data
    • Do not require excessive documentation
  4. Log the request:
    • Date received
    • Request type
    • Requester identity
    • Applicable regulation
    • Response deadline
    • Assigned handler
收到数据主体请求时:
  1. 确定请求类型
    • 访问(个人数据副本)
    • 更正(不准确数据的修正)
    • 删除 / 擦除(“被遗忘权”)
    • 限制处理
    • 数据可携带性(结构化、机器可读格式)
    • 反对处理
    • 退出销售/共享(CCPA/CPRA)
    • 限制敏感个人信息使用(CPRA)
  2. 确定适用法规
    • 数据主体位于何处?
    • 根据组织的存在和活动,哪些法律适用?
    • 具体要求和时限是什么?
  3. 验证身份
    • 确认请求者身份属实
    • 使用与数据敏感性相称的合理验证措施
    • 不要求提供过多文件
  4. 记录请求
    • 收到日期
    • 请求类型
    • 请求者身份
    • 适用法规
    • 响应截止日期
    • 负责处理人

Response Timelines

响应时限

RegulationInitial AcknowledgmentSubstantive ResponseExtension
GDPRNot specified (best practice: promptly)30 days+60 days (with notice)
CCPA/CPRA10 business days45 calendar days+45 days (with notice)
UK GDPRNot specified (best practice: promptly)30 days+60 days (with notice)
LGPDNot specified15 daysLimited extensions
法规初始确认实质性响应延期
GDPR无明确规定(最佳实践:及时)30天+60天(需通知)
CCPA/CPRA10个工作日45个日历日+45天(需通知)
UK GDPR无明确规定(最佳实践:及时)30天+60天(需通知)
LGPD无明确规定15天有限延期

Exemptions and Exceptions

豁免与例外情况

Before fulfilling a request, check whether any exemptions apply:
Common exemptions across regulations:
  • Legal claims defense or establishment
  • Legal obligations requiring retention
  • Public interest or official authority
  • Freedom of expression and information (for erasure requests)
  • Archiving in the public interest or scientific/historical research
Organization-specific considerations:
  • Litigation hold: Data subject to a legal hold cannot be deleted
  • Regulatory retention: Financial records, employment records, and other categories may have mandatory retention periods
  • Third-party rights: Fulfilling the request might adversely affect the rights of others
在履行请求前,需检查是否存在豁免情况:
各法规通用豁免
  • 法律主张的辩护或确立
  • 法定义务要求保留
  • 公共利益或官方授权
  • 表达自由与信息(针对删除请求)
  • 公共利益归档或科学/历史研究
组织特定考量
  • 诉讼保全:处于法律保全状态的数据不得删除
  • 监管保留:财务记录、雇佣记录和其他类别可能有强制保留期限
  • 第三方权利:履行请求可能损害他人权利

Response Process

响应流程

  1. Gather all personal data of the requester across systems
  2. Apply any exemptions and document the basis
  3. Prepare response: fulfill the request or explain why (in whole or part) it cannot be fulfilled
  4. If denying (in whole or part): cite the specific legal basis for denial
  5. Inform the requester of their right to lodge a complaint with the supervisory authority
  6. Document the response and retain records of the request and response
  1. 收集请求者在所有系统中的个人数据
  2. 适用豁免并记录依据
  3. 准备响应:履行请求或说明(全部或部分)无法履行的原因
  4. 若(全部或部分)拒绝:引用拒绝的具体法律依据
  5. 告知请求者有权向监管机构投诉
  6. 记录响应内容,并保留请求和响应的记录

Regulatory Monitoring Basics

监管监控基础

What to Monitor

监控内容

Maintain awareness of developments in:
  • Regulatory guidance: New or updated guidance from supervisory authorities (ICO, CNIL, FTC, state AGs, etc.)
  • Enforcement actions: Fines, orders, and settlements that signal regulatory priorities
  • Legislative changes: New privacy laws, amendments to existing laws, implementing regulations
  • Industry standards: Updates to ISO 27001, SOC 2, NIST frameworks, and sector-specific requirements
  • Cross-border transfer developments: Adequacy decisions, SCC updates, data localization requirements
保持对以下领域发展的关注:
  • 监管指南:监管机构(ICO、CNIL、FTC、州总检察长等)发布的新指南或更新指南
  • 执法行动:罚款、命令和和解案例,这些信号反映了监管优先级
  • 立法变更:新隐私法、现有法律的修正案、实施条例
  • 行业标准:ISO 27001、SOC 2、NIST框架和行业特定要求的更新
  • 跨境传输发展:充分性认定、SCC更新、数据本地化要求

Monitoring Approach

监控方法

  1. Subscribe to regulatory authority communications (newsletters, RSS feeds, official announcements)
  2. Track relevant legal publications for analysis of new developments
  3. Review industry association updates for sector-specific guidance
  4. Maintain a regulatory calendar of known upcoming deadlines, effective dates, and compliance milestones
  5. Brief the legal team on material developments that affect the organization's processing activities
  1. 订阅监管机构的通讯(新闻通讯、RSS源、官方公告)
  2. 跟踪相关法律出版物,获取新发展的分析
  3. 查看行业协会更新,获取行业特定指南
  4. 维护监管日历,记录已知的即将到来的截止日期、生效日期和合规里程碑
  5. 向法务团队通报影响组织处理活动的重大发展

Escalation Criteria

升级标准

Escalate regulatory developments to senior counsel or leadership when:
  • A new regulation or guidance directly affects the organization's core business activities
  • An enforcement action in the organization's sector signals heightened regulatory scrutiny
  • A compliance deadline is approaching that requires organizational changes
  • A data transfer mechanism the organization relies on is challenged or invalidated
  • A regulatory authority initiates an inquiry or investigation involving the organization
出现以下情况时,需将监管发展升级至高级法律顾问或领导层:
  • 新法规或指南直接影响组织的核心业务活动
  • 所在行业的执法行动表明监管审查加强
  • 即将到来的合规截止日期需要组织变更
  • 组织依赖的数据传输机制受到挑战或被认定无效
  • 监管机构发起涉及组织的问询或调查

Tips

提示

  1. Be specific — "We want to email all our users" is better than "marketing campaign."
  2. Include the geography — Compliance requirements vary by jurisdiction.
  3. Mention the data — What personal data is involved? This drives most compliance requirements.
  1. 尽可能具体 —— “我们想要给所有用户发送邮件”比“营销活动”更好。
  2. 包含地域信息 —— 合规要求因司法管辖区而异。
  3. 提及涉及的数据 —— 涉及哪些个人数据?这是大部分合规要求的驱动因素。