@greenarmor/ges-policy-engine 1.2.8 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/dist/index.d.ts +7 -0
  2. package/dist/index.js +51 -0
  3. package/dist/packs/countries.d.ts +13 -0
  4. package/dist/packs/countries.js +156 -0
  5. package/dist/packs/privacy-africa-me.d.ts +4 -0
  6. package/dist/packs/privacy-africa-me.js +369 -0
  7. package/dist/packs/privacy-americas.d.ts +4 -0
  8. package/dist/packs/privacy-americas.js +509 -0
  9. package/dist/packs/privacy-asia.d.ts +7 -0
  10. package/dist/packs/privacy-asia.js +991 -0
  11. package/dist/packs/privacy-core.d.ts +2 -0
  12. package/dist/packs/privacy-core.js +643 -0
  13. package/dist/packs/privacy-countries.d.ts +15 -0
  14. package/dist/packs/privacy-countries.js +805 -0
  15. package/dist/packs/privacy-europe.d.ts +3 -0
  16. package/dist/packs/privacy-europe.js +372 -0
  17. package/package.json +3 -3
package/dist/packs/privacy-asia.js ADDED
@@ -0,0 +1,991 @@
1
+ // ============================================================
2
+ // SINGAPORE — PDPA (Personal Data Protection Act 2012, as amended 2020/2021)
3
+ // Regulator: Personal Data Protection Commission (PDPC)
4
+ // ============================================================
5
+ export function createSingaporePDPAPolicyPack() {
6
+ const controls = [
7
+ {
8
+ id: "PDPA-SG-01",
9
+ name: "Data Protection Officer (Singapore)",
10
+ description: "Appoint a DPO and publish their contact information as required by PDPA.",
11
+ category: "privacy-governance",
12
+ framework: "PDPA-SG",
13
+ status: "not-implemented",
14
+ severity: "critical",
15
+ implementation_guidance: "Appoint at least one DPO and make their business contact information publicly available on the organization's website. The DPO ensures PDPA compliance, handles complaints, and liaises with the PDPC. The DPO need not be a dedicated employee but must have sufficient knowledge and authority. [Ref: PDPA Section 11; PDPC Advisory Guidelines]",
16
+ checks: [
17
+ { id: "PDPA-SG-01-C1", description: "DPO appointed and contact information published", status: "not-implemented" },
18
+ { id: "PDPA-SG-01-C2", description: "DPO responsibilities documented", status: "not-implemented" },
19
+ ],
20
+ },
21
+ {
22
+ id: "PDPA-SG-02",
23
+ name: "Consent Obligation",
24
+ description: "Obtain clear, informed consent for collection, use, and disclosure of personal data.",
25
+ category: "consent-management",
26
+ framework: "PDPA-SG",
27
+ status: "not-implemented",
28
+ severity: "critical",
29
+ implementation_guidance: "Obtain consent that is: given for a purpose reasonably related to the purpose notified, clear and unambiguous, obtained by an affirmative act, and documented. Notify individuals of: purposes at the point of collection, expected processing, and right to withdraw consent. Do not require consent for collection/use/dissemination as a condition of providing a service unless necessary. [Ref: PDPA Section 13-15]",
30
+ checks: [
31
+ { id: "PDPA-SG-02-C1", description: "Consent obtained for each specific purpose", status: "not-implemented" },
32
+ { id: "PDPA-SG-02-C2", description: "Purpose notification at point of collection", status: "not-implemented" },
33
+ { id: "PDPA-SG-02-C3", description: "Consent records maintained", status: "not-implemented" },
34
+ ],
35
+ },
36
+ {
37
+ id: "PDPA-SG-03",
38
+ name: "Purpose Limitation",
39
+ description: "Limit collection, use, and disclosure of personal data to purposes for which consent was obtained.",
40
+ category: "consent-management",
41
+ framework: "PDPA-SG",
42
+ status: "not-implemented",
43
+ severity: "high",
44
+ implementation_guidance: "Document purposes for each data collection. Only use data for consented purposes or purposes reasonably related to the original. Obtain new consent for new purposes. Implement technical controls preventing use beyond stated purposes. [Ref: PDPA Section 18]",
45
+ checks: [
46
+ { id: "PDPA-SG-03-C1", description: "Purposes documented per data collection", status: "not-implemented" },
47
+ { id: "PDPA-SG-03-C2", description: "New consent obtained for new purposes", status: "not-implemented" },
48
+ ],
49
+ },
50
+ {
51
+ id: "PDPA-SG-04",
52
+ name: "Notification Obligation",
53
+ description: "Inform individuals of the purposes for collection, use, or disclosure of personal data.",
54
+ category: "privacy-governance",
55
+ framework: "PDPA-SG",
56
+ status: "not-implemented",
57
+ severity: "high",
58
+ implementation_guidance: "Notify individuals at or before collection of: data items collected, purposes, expected disclosure recipients, and data retention. If data collected from third parties, notify within a reasonable time. Provide clear, plain-language notices accessible in relevant formats. [Ref: PDPA Section 20]",
59
+ checks: [
60
+ { id: "PDPA-SG-04-C1", description: "Collection notices provided at point of collection", status: "not-implemented" },
61
+ { id: "PDPA-SG-04-C2", description: "Third-party data subjects notified", status: "not-implemented" },
62
+ ],
63
+ },
64
+ {
65
+ id: "PDPA-SG-05",
66
+ name: "Access and Correction Rights",
67
+ description: "Provide individuals access to and correction of their personal data.",
68
+ category: "data-subject-rights",
69
+ framework: "PDPA-SG",
70
+ status: "not-implemented",
71
+ severity: "high",
72
+ implementation_guidance: "Respond to access requests within 30 days. Provide: personal data held, purposes, and disclosure info for past year. Respond to correction requests within 30 days. Correct data and notify recipients of corrections within a reasonable time. Charge reasonable fees for access if disclosed. [Ref: PDPA Section 21-22]",
73
+ checks: [
74
+ { id: "PDPA-SG-05-C1", description: "Access request process within 30 days", status: "not-implemented" },
75
+ { id: "PDPA-SG-05-C2", description: "Correction request process within 30 days", status: "not-implemented" },
76
+ { id: "PDPA-SG-05-C3", description: "Correction recipients notified", status: "not-implemented" },
77
+ ],
78
+ },
79
+ {
80
+ id: "PDPA-SG-06",
81
+ name: "Accuracy Obligation",
82
+ description: "Ensure personal data is accurate and complete before use or disclosure.",
83
+ category: "data-inventory",
84
+ framework: "PDPA-SG",
85
+ status: "not-implemented",
86
+ severity: "medium",
87
+ implementation_guidance: "Implement reasonable steps to ensure data accuracy before use/disclosure. Consider: data source reliability, purpose of use, potential impact on individuals. Provide self-service correction mechanisms. Verify data at collection. [Ref: PDPA Section 23]",
88
+ checks: [
89
+ { id: "PDPA-SG-06-C1", description: "Accuracy verification procedures implemented", status: "not-implemented" },
90
+ { id: "PDPA-SG-06-C2", description: "Self-service correction available", status: "not-implemented" },
91
+ ],
92
+ },
93
+ {
94
+ id: "PDPA-SG-07",
95
+ name: "Protection Obligation",
96
+ description: "Implement reasonable security arrangements to protect personal data.",
97
+ category: "security-controls",
98
+ framework: "PDPA-SG",
99
+ status: "not-implemented",
100
+ severity: "critical",
101
+ implementation_guidance: "Implement reasonable security arrangements considering: nature of data, impact of breach, format (physical/electronic), and cost. Include: access controls, encryption, network security, data minimization, endpoint protection, and incident response. Follow PDPC's Guide to Data Protection Practices for ICT Systems. [Ref: PDPA Section 24; PDPC Security Guidelines]",
102
+ checks: [
103
+ { id: "PDPA-SG-07-C1", description: "Security arrangements documented and risk-assessed", status: "not-implemented" },
104
+ { id: "PDPA-SG-07-C2", description: "Access controls and encryption implemented", status: "not-implemented" },
105
+ { id: "PDPA-SG-07-C3", description: "PDPC ICT security guidelines followed", status: "not-implemented" },
106
+ ],
107
+ },
108
+ {
109
+ id: "PDPA-SG-08",
110
+ name: "Retention Limitation",
111
+ description: "Cease retention of personal data when no longer needed for business or legal purposes.",
112
+ category: "data-retention",
113
+ framework: "PDPA-SG",
114
+ status: "not-implemented",
115
+ severity: "high",
116
+ implementation_guidance: "Define and document retention periods. Cease retention when: purpose is fulfilled, consent withdrawn, or no business/legal need. Implement automated deletion or anonymisation. Review retention schedules annually. Document disposal methods. [Ref: PDPA Section 25]",
117
+ checks: [
118
+ { id: "PDPA-SG-08-C1", description: "Retention periods defined and documented", status: "not-implemented" },
119
+ { id: "PDPA-SG-08-C2", description: "Automated deletion/anonymisation implemented", status: "not-implemented" },
120
+ ],
121
+ },
122
+ {
123
+ id: "PDPA-SG-09",
124
+ name: "Transfer Limitation",
125
+ description: "Ensure comparable protection for personal data transferred outside Singapore.",
126
+ category: "cross-border-transfers",
127
+ framework: "PDPA-SG",
128
+ status: "not-implemented",
129
+ severity: "high",
130
+ implementation_guidance: "Ensure overseas recipients are bound by legally enforceable obligations providing a standard of protection comparable to PDPA. Use contractual clauses, BCRs, or certifications. Conduct transfer assessments. Document transfer mechanisms per recipient. [Ref: PDPA Section 26; PDPC Transfer Limitation Guidelines]",
131
+ checks: [
132
+ { id: "PDPA-SG-09-C1", description: "Legally enforceable transfer mechanisms in place", status: "not-implemented" },
133
+ { id: "PDPA-SG-09-C2", description: "Comparable protection assessment documented", status: "not-implemented" },
134
+ ],
135
+ },
136
+ {
137
+ id: "PDPA-SG-10",
138
+ name: "Data Breach Notification (PDPA Amendment 2021)",
139
+ description: "Notify PDPC and affected individuals of notifiable data breaches within 3 calendar days.",
140
+ category: "incident-management",
141
+ framework: "PDPA-SG",
142
+ status: "not-implemented",
143
+ severity: "critical",
144
+ implementation_guidance: "Assess breaches for notifiability (significant scale: 500+ individuals, or significant harm). Notify PDPC within 3 calendar days of assessing a breach as notifiable. Notify affected individuals if significant harm is likely. Maintain a breach register. Document assessment rationale. [Ref: PDPA Section 26B-26E; PDPC Breach Notification Guidelines]",
145
+ checks: [
146
+ { id: "PDPA-SG-10-C1", description: "Breach notifiability assessment procedure", status: "not-implemented" },
147
+ { id: "PDPA-SG-10-C2", description: "PDPC notification within 3 calendar days", status: "not-implemented" },
148
+ { id: "PDPA-SG-10-C3", description: "Individual notification for significant harm", status: "not-implemented" },
149
+ { id: "PDPA-SG-10-C4", description: "Breach register maintained", status: "not-implemented" },
150
+ ],
151
+ },
152
+ {
153
+ id: "PDPA-SG-11",
154
+ name: "Data Portability (PDPA Amendment)",
155
+ description: "Implement data portability allowing individuals to request data transmission to another organization.",
156
+ category: "data-subject-rights",
157
+ framework: "PDPA-SG",
158
+ status: "not-implemented",
159
+ severity: "medium",
160
+ implementation_guidance: "Implement mechanisms for individuals to request personal data in a structured, commonly used, and machine-readable format. Enable direct transmission to another organization where technically feasible. Develop portability request handling procedures aligned with PDPC guidance. [Ref: PDPA Section 26F-26H]",
161
+ checks: [
162
+ { id: "PDPA-SG-11-C1", description: "Data portability request mechanism implemented", status: "not-implemented" },
163
+ { id: "PDPA-SG-11-C2", description: "Machine-readable export format available", status: "not-implemented" },
164
+ ],
165
+ },
166
+ {
167
+ id: "PDPA-SG-12",
168
+ name: "Do Not Call Registry",
169
+ description: "Comply with DNC registry requirements for telemarketing communications.",
170
+ category: "consent-management",
171
+ framework: "PDPA-SG",
172
+ status: "not-implemented",
173
+ severity: "medium",
174
+ implementation_guidance: "Check Singapore DNC registry before sending marketing messages to Singapore phone numbers (voice, text, fax). Maintain clear, written consent for telemarketing. Honor DNC registry entries and individual opt-outs. Appoint a DNC compliance officer. Maintain records of DNC checks. [Ref: PDPA Part IXA; DNC Registry Rules]",
175
+ checks: [
176
+ { id: "PDPA-SG-12-C1", description: "DNC registry checked before each telemarketing campaign", status: "not-implemented" },
177
+ { id: "PDPA-SG-12-C2", description: "Clear, written telemarketing consent maintained", status: "not-implemented" },
178
+ { id: "PDPA-SG-12-C3", description: "Opt-out requests honored within 21 days", status: "not-implemented" },
179
+ ],
180
+ },
181
+ ];
182
+ return {
183
+ id: "sg-pdpa",
184
+ name: "Singapore PDPA Pack (2020/2021 Amendments)",
185
+ description: "Comprehensive Singapore PDPA controls covering all obligations: DPO appointment, consent, purpose limitation, notification, access/correction, accuracy, protection, retention, transfer limitation, data breach notification (3-day PDPC), data portability, and Do Not Call registry compliance.",
186
+ version: "1.0.0",
187
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
188
+ controls,
189
+ frameworks: ["PDPA-SG"],
190
+ };
191
+ }
192
+ // ============================================================
193
+ // PHILIPPINES — DATA PRIVACY ACT OF 2012 (DPA)
194
+ // Regulator: National Privacy Commission (NPC)
195
+ // Implementing Rules: NPC Circular 16-03, 17-01, 18-01, 19-01, 20-04
196
+ // ============================================================
197
+ export function createPhilippinesDPAPolicyPack() {
198
+ const controls = [
199
+ {
200
+ id: "DPA-PH-01",
201
+ name: "PIC and PIP Designation",
202
+ description: "Designate Personal Information Controller (PIC) and Personal Information Processor (PIP) roles.",
203
+ category: "privacy-governance",
204
+ framework: "DPA-PH",
205
+ status: "not-implemented",
206
+ severity: "critical",
207
+ implementation_guidance: "Designate and document PIC (determines purposes and means) and PIP (processes on behalf of PIC) roles. The PIC is accountable for compliance. Ensure PIC-PIP contracts clearly define obligations per DPA. Document the accountability chain for all processing. [Ref: DPA Section 3; IRR Article 4]",
208
+ checks: [
209
+ { id: "DPA-PH-01-C1", description: "PIC and PIP roles documented for each processing", status: "not-implemented" },
210
+ { id: "DPA-PH-01-C2", description: "PIC-PIP contracts executed with DPA obligations", status: "not-implemented" },
211
+ ],
212
+ },
213
+ {
214
+ id: "DPA-PH-02",
215
+ name: "Data Protection Officer (Philippines)",
216
+ description: "Designate a DPO and register with the NPC.",
217
+ category: "privacy-governance",
218
+ framework: "DPA-PH",
219
+ status: "not-implemented",
220
+ severity: "high",
221
+ implementation_guidance: "Designate a DPO who shall: ensure compliance, advise on DPIAs, cooperate with NPC, and serve as contact for data subjects. Register the DPO with the NPC. The DPO should have sufficient knowledge of the DPA and IRR. [Ref: DPA Section 11; IRR Article 7; NPC Circular 17-01]",
222
+ checks: [
223
+ { id: "DPA-PH-02-C1", description: "DPO designated and registered with NPC", status: "not-implemented" },
224
+ { id: "DPA-PH-02-C2", description: "DPO responsibilities documented", status: "not-implemented" },
225
+ ],
226
+ },
227
+ {
228
+ id: "DPA-PH-03",
229
+ name: "NPC Registration",
230
+ description: "Register personal data processing systems with the NPC if processing 1,000+ records.",
231
+ category: "privacy-governance",
232
+ framework: "DPA-PH",
233
+ status: "not-implemented",
234
+ severity: "high",
235
+ implementation_guidance: "Register with the NPC if processing personal data of 1,000 or more individuals. Submit registration forms including: PIC details, DPO information, processing system descriptions, and data categories. Renew registration annually. Update within 30 days of material changes. [Ref: NPC Circular 17-01; DPA IRR Article 7]",
236
+ checks: [
237
+ { id: "DPA-PH-03-C1", description: "NPC registration completed if applicable", status: "not-implemented" },
238
+ { id: "DPA-PH-03-C2", description: "Annual renewal process established", status: "not-implemented" },
239
+ ],
240
+ },
241
+ {
242
+ id: "DPA-PH-04",
243
+ name: "Criteria for Lawful Processing",
244
+ description: "Document the lawful criteria for processing personal data and sensitive personal information.",
245
+ category: "consent-management",
246
+ framework: "DPA-PH",
247
+ status: "not-implemented",
248
+ severity: "critical",
249
+ implementation_guidance: "For personal data, establish criteria: consent, contract, legal obligation, vital interests, public interest, or legitimate interests. For sensitive personal information (race, marital status, age, color, religious/philosophical/political affiliations, health, education, genetics, sexual life, SSN, licenses). Obtain specific, affirmed consent for SPI. [Ref: DPA Sections 12-13]",
250
+ checks: [
251
+ { id: "DPA-PH-04-C1", description: "Lawful criteria documented per processing", status: "not-implemented" },
252
+ { id: "DPA-PH-04-C2", description: "Specific consent for sensitive personal information", status: "not-implemented" },
253
+ ],
254
+ },
255
+ {
256
+ id: "DPA-PH-05",
257
+ name: "Data Subject Rights (Philippines)",
258
+ description: "Implement DPA data subject rights including bequeathal rights for deceased persons.",
259
+ category: "data-subject-rights",
260
+ framework: "DPA-PH",
261
+ status: "not-implemented",
262
+ severity: "high",
263
+ implementation_guidance: "Implement rights: information to data subject, right to object, right to access, right to rectification, right to erasure/blocking, right to data portability, and right to damages. Honor bequeathal rights (rights of heirs of deceased). Respond within a reasonable time. Provide mechanisms for filing complaints. [Ref: DPA Sections 16-18]",
264
+ checks: [
265
+ { id: "DPA-PH-05-C1", description: "All DPA rights implemented with request mechanisms", status: "not-implemented" },
266
+ { id: "DPA-PH-05-C2", description: "Bequeathal rights procedure documented", status: "not-implemented" },
267
+ { id: "DPA-PH-05-C3", description: "Complaint filing mechanism available", status: "not-implemented" },
268
+ ],
269
+ },
270
+ {
271
+ id: "DPA-PH-06",
272
+ name: "Security Measures (NPC Circular 16-03)",
273
+ description: "Implement physical, organizational, and technical security measures per NPC Circular 16-03.",
274
+ category: "security-controls",
275
+ framework: "DPA-PH",
276
+ status: "not-implemented",
277
+ severity: "critical",
278
+ implementation_guidance: "Implement: organizational security (data protection policies, access control policies, data mapping), physical security (facility access controls, environmental controls), and technical security (authentication, encryption, network security, logging). Appoint Information Security Officer (can be DPO). Conduct annual security reviews. [Ref: NPC Circular 16-03 Part 3-5]",
279
+ checks: [
280
+ { id: "DPA-PH-06-C1", description: "Organizational security measures documented", status: "not-implemented" },
281
+ { id: "DPA-PH-06-C2", description: "Physical security measures implemented", status: "not-implemented" },
282
+ { id: "DPA-PH-06-C3", description: "Technical security measures implemented", status: "not-implemented" },
283
+ { id: "DPA-PH-06-C4", description: "Annual security review conducted", status: "not-implemented" },
284
+ ],
285
+ },
286
+ {
287
+ id: "DPA-PH-07",
288
+ name: "Privacy Impact Assessment",
289
+ description: "Conduct Privacy Impact Assessments (PIAs) for processing systems and new projects.",
290
+ category: "privacy-governance",
291
+ framework: "DPA-PH",
292
+ status: "not-implemented",
293
+ severity: "high",
294
+ implementation_guidance: "Conduct PIAs for: new processing systems, significant changes to existing systems, automated processing/profiling, processing of sensitive personal information, and large-scale processing. Document: processing description, necessity, risks, mitigation. Submit PIAs to NPC if requested. Review annually. [Ref: DPA IRR Article 8; NPC PIA Guidelines]",
295
+ checks: [
296
+ { id: "DPA-PH-07-C1", description: "PIA criteria established for new/changed processing", status: "not-implemented" },
297
+ { id: "DPA-PH-07-C2", description: "PIAs documented with risk assessments", status: "not-implemented" },
298
+ ],
299
+ },
300
+ {
301
+ id: "DPA-PH-08",
302
+ name: "NPC Breach Notification",
303
+ description: "Report personal data breaches to the NPC within 72 hours and notify affected individuals.",
304
+ category: "incident-management",
305
+ framework: "DPA-PH",
306
+ status: "not-implemented",
307
+ severity: "critical",
308
+ implementation_guidance: "Notify NPC within 72 hours of knowledge of breach involving sensitive personal information or affecting 100+ individuals. Include: breach nature, data involved, date/time, circumstances, mitigation. Notify affected individuals within a reasonable time. Document all breaches. [Ref: NPC Circular 16-03 Section 9; DPA IRR Article 9]",
309
+ checks: [
310
+ { id: "DPA-PH-08-C1", description: "NPC 72-hour breach notification procedure", status: "not-implemented" },
311
+ { id: "DPA-PH-08-C2", description: "Individual notification procedures", status: "not-implemented" },
312
+ { id: "DPA-PH-08-C3", description: "Breach register maintained", status: "not-implemented" },
313
+ ],
314
+ },
315
+ {
316
+ id: "DPA-PH-09",
317
+ name: "Data Sharing and Outsourcing",
318
+ description: "Ensure lawful data sharing and outsourcing of personal data processing.",
319
+ category: "vendor-management",
320
+ framework: "DPA-PH",
321
+ status: "not-implemented",
322
+ severity: "high",
323
+ implementation_guidance: "Execute data sharing agreements with PICs containing: purpose, data categories, security measures, data subject rights, and termination conditions. For outsourcing to PIPs, ensure contracts specify: processing scope, security obligations, sub-processor controls, and data return/deletion. [Ref: DPA Sections 20, 32-36; IRR Articles 21, 28]",
324
+ checks: [
325
+ { id: "DPA-PH-09-C1", description: "Data sharing agreements with PICs executed", status: "not-implemented" },
326
+ { id: "DPA-PH-09-C2", description: "Outsourcing contracts with PIPs executed", status: "not-implemented" },
327
+ ],
328
+ },
329
+ {
330
+ id: "DPA-PH-10",
331
+ name: "Cross-Border Transfers (Philippines)",
332
+ description: "Ensure appropriate safeguards for international transfers of personal data.",
333
+ category: "cross-border-transfers",
334
+ framework: "DPA-PH",
335
+ status: "not-implemented",
336
+ severity: "high",
337
+ implementation_guidance: "Ensure overseas recipients provide a level of protection comparable to the DPA. Use contractual safeguards or adequate country transfers. Inform data subjects of cross-border transfers. Document transfer mechanisms. Conduct transfer risk assessments. [Ref: DPA Section 21; IRR Article 27]",
338
+ checks: [
339
+ { id: "DPA-PH-10-C1", description: "Cross-border transfer safeguards documented", status: "not-implemented" },
340
+ { id: "DPA-PH-10-C2", description: "Comparable protection ensured", status: "not-implemented" },
341
+ ],
342
+ },
343
+ ];
344
+ return {
345
+ id: "ph-dpa",
346
+ name: "Philippines Data Privacy Act Pack (DPA 2012 + IRR)",
347
+ description: "Comprehensive Philippine DPA controls: PIC/PIP roles, NPC registration (1,000+ records), DPO appointment, lawful processing criteria, data subject rights (including bequeathal), NPC Circular 16-03 security measures, PIAs, 72-hour NPC breach notification, and data sharing/outsourcing agreements.",
348
+ version: "1.0.0",
349
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application", "government-system"],
350
+ controls,
351
+ frameworks: ["DPA-PH"],
352
+ };
353
+ }
354
+ // ============================================================
355
+ // JAPAN — APPI (Act on the Protection of Personal Information)
356
+ // Amended 2022; Regulator: Personal Information Protection Commission (PPC)
357
+ // ============================================================
358
+ export function createJapanAPPIPolicyPack() {
359
+ const controls = [
360
+ {
361
+ id: "APPI-01",
362
+ name: "Purpose of Use Specification",
363
+ description: "Specify the purpose of use for personal information and publicly announce or notify it.",
364
+ category: "consent-management",
365
+ framework: "APPI",
366
+ status: "not-implemented",
367
+ severity: "critical",
368
+ implementation_guidance: "Specify the purpose of use as specifically as possible. Ensure purposes are not improperly associated with the individual. Publish purposes on the website or notify data subjects directly. Obtain consent before changing the purpose beyond the reasonable scope of the original. [Ref: APPI Article 17]",
369
+ checks: [
370
+ { id: "APPI-01-C1", description: "Purpose of use specified for each data category", status: "not-implemented" },
371
+ { id: "APPI-01-C2", description: "Purposes published or notified to data subjects", status: "not-implemented" },
372
+ { id: "APPI-01-C3", description: "Purpose change consent obtained", status: "not-implemented" },
373
+ ],
374
+ },
375
+ {
376
+ id: "APPI-02",
377
+ name: "Proper Acquisition",
378
+ description: "Acquire personal information by lawful and fair means, not by deceptive means.",
379
+ category: "consent-management",
380
+ framework: "APPI",
381
+ status: "not-implemented",
382
+ severity: "high",
383
+ implementation_guidance: "Acquire data by lawful and fair means. For sensitive personal information (race, creed, social status, medical history, criminal record, crime victim, etc.), obtain consent unless an exception applies. Notify or publish the purpose when acquiring sensitive data. [Ref: APPI Article 18-19]",
384
+ checks: [
385
+ { id: "APPI-02-C1", description: "Data acquisition methods reviewed for lawfulness", status: "not-implemented" },
386
+ { id: "APPI-02-C2", description: "Consent obtained for sensitive personal information", status: "not-implemented" },
387
+ ],
388
+ },
389
+ {
390
+ id: "APPI-03",
391
+ name: "Security Control Measures",
392
+ description: "Implement security control measures to prevent leakage, loss, or damage of personal data.",
393
+ category: "security-controls",
394
+ framework: "APPI",
395
+ status: "not-implemented",
396
+ severity: "critical",
397
+ implementation_guidance: "Implement organizational (policies, personnel training), personnel (agreements, access control), physical (facility access, equipment management), and technical (access control, encryption, intrusion detection) security measures. Follow PPC Basic Policy and guidelines. Conduct regular audits. [Ref: APPI Article 23; PPC Guidelines]",
398
+ checks: [
399
+ { id: "APPI-03-C1", description: "Organizational and personnel security measures implemented", status: "not-implemented" },
400
+ { id: "APPI-03-C2", description: "Physical and technical security measures implemented", status: "not-implemented" },
401
+ { id: "APPI-03-C3", description: "Regular security audits conducted", status: "not-implemented" },
402
+ ],
403
+ },
404
+ {
405
+ id: "APPI-04",
406
+ name: "Outsourcing Supervision",
407
+ description: "Exercise necessary and appropriate supervision over personal data processing outsourced to contractors.",
408
+ category: "vendor-management",
409
+ framework: "APPI",
410
+ status: "not-implemented",
411
+ severity: "high",
412
+ implementation_guidance: "Select qualified contractors. Execute written outsourcing contracts specifying: purpose of use, security measures, sub-contractor restrictions, and data handling. Conduct regular assessments of contractor compliance. Supervise implementation. [Ref: APPI Article 22]",
413
+ checks: [
414
+ { id: "APPI-04-C1", description: "Outsourcing contracts executed with required clauses", status: "not-implemented" },
415
+ { id: "APPI-04-C2", description: "Regular contractor compliance assessments", status: "not-implemented" },
416
+ ],
417
+ },
418
+ {
419
+ id: "APPI-05",
420
+ name: "Third-Party Provision Restriction",
421
+ description: "Obtain consent before providing personal data to third parties, with limited exceptions.",
422
+ category: "consent-management",
423
+ framework: "APPI",
424
+ status: "not-implemented",
425
+ severity: "high",
426
+ implementation_guidance: "Obtain prior consent for third-party provision unless an exception applies. When providing to third parties, record: recipient, data items, and date. When receiving data from third parties, verify the acquisition circumstances. Maintain an opt-out mechanism with PPC notification. [Ref: APPI Articles 27-28]",
427
+ checks: [
428
+ { id: "APPI-05-C1", description: "Consent obtained before third-party provision", status: "not-implemented" },
429
+ { id: "APPI-05-C2", description: "Provision records maintained", status: "not-implemented" },
430
+ { id: "APPI-05-C3", description: "Opt-out mechanism with PPC notification", status: "not-implemented" },
431
+ ],
432
+ },
433
+ {
434
+ id: "APPI-06",
435
+ name: "Cross-Border Transfer Requirements",
436
+ description: "Obtain prior consent for providing personal data to third parties in foreign countries.",
437
+ category: "cross-border-transfers",
438
+ framework: "APPI",
439
+ status: "not-implemented",
440
+ severity: "critical",
441
+ implementation_guidance: "Obtain prior consent for cross-border transfers to countries without equivalent protection. Inform data subjects of: destination country, recipient information, and data categories. Transfers to countries with equivalent protection (currently not recognized by PPC) or under adequate exceptions do not require consent. [Ref: APPI Article 28]",
442
+ checks: [
443
+ { id: "APPI-06-C1", description: "Prior consent obtained for cross-border transfers", status: "not-implemented" },
444
+ { id: "APPI-06-C2", description: "Transfer information provided to data subjects", status: "not-implemented" },
445
+ ],
446
+ },
447
+ {
448
+ id: "APPI-07",
449
+ name: "Individual Rights (Disclosure, Correction, Suspension)",
450
+ description: "Implement rights to disclosure, correction, and suspension of use of personal data.",
451
+ category: "data-subject-rights",
452
+ framework: "APPI",
453
+ status: "not-implemented",
454
+ severity: "high",
455
+ implementation_guidance: "Implement: right to request disclosure of retained personal data, right to request correction/addition/deletion (with proof), and right to request suspension of use/third-party provision. Respond within set periods (disclosure: prompt, correction: 2 weeks). Document reasons for refusal if applicable. [Ref: APPI Articles 32-37]",
456
+ checks: [
457
+ { id: "APPI-07-C1", description: "Disclosure request mechanism implemented", status: "not-implemented" },
458
+ { id: "APPI-07-C2", description: "Correction/addition/deletion request mechanism", status: "not-implemented" },
459
+ { id: "APPI-07-C3", description: "Suspension of use/provision request mechanism", status: "not-implemented" },
460
+ ],
461
+ },
462
+ {
463
+ id: "APPI-08",
464
+ name: "Personal Data Breach Notification (PPC)",
465
+ description: "Notify PPC and affected individuals of personal data breaches meeting threshold.",
466
+ category: "incident-management",
467
+ framework: "APPI",
468
+ status: "not-implemented",
469
+ severity: "critical",
470
+ implementation_guidance: "Report breaches to PPC promptly when involving sensitive information or potentially causing financial damage, or when affecting 1,000+ individuals. Report within 3-5 days ideally. Include: incident facts, data items, cause, damage, countermeasures. Notify affected individuals for breaches likely to cause damage. [Ref: APPI Article 26; PPC Breach Reporting Guidelines]",
471
+ checks: [
472
+ { id: "APPI-08-C1", description: "PPC breach notification procedure for threshold breaches", status: "not-implemented" },
473
+ { id: "APPI-08-C2", description: "Individual notification for harmful breaches", status: "not-implemented" },
474
+ { id: "APPI-08-C3", description: "Breach records maintained", status: "not-implemented" },
475
+ ],
476
+ },
477
+ {
478
+ id: "APPI-09",
479
+ name: "Personal Information Protection Officer",
480
+ description: "Designate a Personal Information Protection Officer and establish internal structures.",
481
+ category: "privacy-governance",
482
+ framework: "APPI",
483
+ status: "not-implemented",
484
+ severity: "high",
485
+ implementation_guidance: "Designate a person responsible for personal information protection. Establish contact point for individual requests and complaints. Maintain a description of personal data processing. Provide training to employees handling personal data. [Ref: APPI Article 25; PPC Management Guidelines]",
486
+ checks: [
487
+ { id: "APPI-09-C1", description: "Protection officer designated and documented", status: "not-implemented" },
488
+ { id: "APPI-09-C2", description: "Internal request/complaint handling structure", status: "not-implemented" },
489
+ ],
490
+ },
491
+ {
492
+ id: "APPI-10",
493
+ name: "Anonymously Processed Information",
494
+ description: "Comply with APPA requirements when creating and providing anonymously processed information.",
495
+ category: "data-inventory",
496
+ framework: "APPI",
497
+ status: "not-implemented",
498
+ severity: "medium",
499
+ implementation_guidance: "When creating anonymously processed data: delete or alter descriptions that identify individuals, prevent re-identification. Document anonymisation methods. When providing, conduct appropriate checks. Avoid combining with other data that could re-identify individuals. [Ref: APPI Articles 36-38]",
500
+ checks: [
501
+ { id: "APPI-10-C1", description: "Anonymisation procedures documented", status: "not-implemented" },
502
+ { id: "APPI-10-C2", description: "Re-identification risk assessed", status: "not-implemented" },
503
+ ],
504
+ },
505
+ ];
506
+ return {
507
+ id: "jp-appi",
508
+ name: "Japan APPI Pack (2022 Amendment)",
509
+ description: "Comprehensive Japan Act on the Protection of Personal Information controls: purpose specification, proper acquisition, security control measures, outsourcing supervision, third-party provision, cross-border transfer consent, individual rights (disclosure/correction/suspension), PPC breach notification, and anonymously processed information.",
510
+ version: "1.0.0",
511
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
512
+ controls,
513
+ frameworks: ["APPI"],
514
+ };
515
+ }
516
+ // ============================================================
517
+ // SOUTH KOREA — PIPA (Personal Information Protection Act, amended 2023)
518
+ // Regulator: Personal Information Protection Commission (PIPC)
519
+ // ============================================================
520
+ export function createSouthKoreaPIPAPolicyPack() {
521
+ const controls = [
522
+ {
523
+ id: "PIPA-01",
524
+ name: "Personal Information Processing Policy (공개)",
525
+ description: "Draft, publish, and maintain a personal information processing policy in Korean.",
526
+ category: "privacy-governance",
527
+ framework: "PIPA",
528
+ status: "not-implemented",
529
+ severity: "critical",
530
+ implementation_guidance: "Publish a privacy policy including: items collected, purpose, retention/use period, third-party provision, outsourcing, cross-border transfer, data subject rights, and DPO contact. Publish on website homepage. Use plain Korean language. Review and update annually. [Ref: PIPA Article 17]",
531
+ checks: [
532
+ { id: "PIPA-01-C1", description: "Privacy policy published in Korean on homepage", status: "not-implemented" },
533
+ { id: "PIPA-01-C2", description: "All PIPA-required items included", status: "not-implemented" },
534
+ { id: "PIPA-01-C3", description: "Annual review documented", status: "not-implemented" },
535
+ ],
536
+ },
537
+ {
538
+ id: "PIPA-02",
539
+ name: "Separate Consent Requirements",
540
+ description: "Obtain separate consent for each purpose, sensitive data, third-party provision, and cross-border transfers.",
541
+ category: "consent-management",
542
+ framework: "PIPA",
543
+ status: "not-implemented",
544
+ severity: "critical",
545
+ implementation_guidance: "Obtain separate consent for: each processing purpose, sensitive information (ideology, creed, union membership, political opinions, health, sexual life, biometric, criminal records), unique identifiers (RRN, passport), third-party provision, and cross-border transfers. Use non-pre-checked boxes. Provide opt-out mechanisms. [Ref: PIPA Articles 17, 23, 24, 28]",
546
+ checks: [
547
+ { id: "PIPA-02-C1", description: "Separate consent per purpose, sensitive data, third-party, and transfer", status: "not-implemented" },
548
+ { id: "PIPA-02-C2", description: "Non-pre-checked boxes used", status: "not-implemented" },
549
+ { id: "PIPA-02-C3", description: "Consent withdrawal mechanisms available", status: "not-implemented" },
550
+ ],
551
+ },
552
+ {
553
+ id: "PIPA-03",
554
+ name: "Privacy Impact Assessment",
555
+ description: "Conduct PIAs for processing likely to infringe on privacy rights.",
556
+ category: "privacy-governance",
557
+ framework: "PIPA",
558
+ status: "not-implemented",
559
+ severity: "high",
560
+ implementation_guidance: "Conduct PIAs for: public agencies processing personal information, large-scale processing, sensitive information processing, new technologies (AI, IoT), and systematic profiling. Submit PIA results to PIPC if public sector. Implement mitigation measures. Review periodically. [Ref: PIPA Article 33; PIPA Enforcement Decree Article 25]",
561
+ checks: [
562
+ { id: "PIPA-03-C1", description: "PIA criteria established", status: "not-implemented" },
563
+ { id: "PIPA-03-C2", description: "PIAs conducted and documented", status: "not-implemented" },
564
+ ],
565
+ },
566
+ {
567
+ id: "PIPA-04",
568
+ name: "Data Protection Officer (Korea)",
569
+ description: "Designate a Chief Privacy Officer (CPO) if required by scale thresholds.",
570
+ category: "privacy-governance",
571
+ framework: "PIPA",
572
+ status: "not-implemented",
573
+ severity: "high",
574
+ implementation_guidance: "Designate a CPO if processing personal information of 10,000+ data subjects (public), 10,000+ (private with 50+ employees), or 1,000+ sensitive information. CPO must: establish privacy policies, conduct audits, handle complaints, liaise with PIPC. Register CPO with PIPC. [Ref: PIPA Article 30]",
575
+ checks: [
576
+ { id: "PIPA-04-C1", description: "CPO designated if threshold met", status: "not-implemented" },
577
+ { id: "PIPA-04-C2", description: "CPO registered with PIPC", status: "not-implemented" },
578
+ ],
579
+ },
580
+ {
581
+ id: "PIPA-05",
582
+ name: "Security Measures (Technical, Physical, Administrative)",
583
+ description: "Implement technical, physical, and administrative security measures for personal information.",
584
+ category: "security-controls",
585
+ framework: "PIPA",
586
+ status: "not-implemented",
587
+ severity: "critical",
588
+ implementation_guidance: "Technical: access control, encryption, security programs. Physical: access control to processing facilities, document security. Administrative: internal policies, employee training, access privilege management, regular audits. Special measures for unique identifiers (RRN). Maintain security measure documentation. [Ref: PIPA Article 29; Enforcement Rule Article 14]",
589
+ checks: [
590
+ { id: "PIPA-05-C1", description: "Technical security measures implemented and documented", status: "not-implemented" },
591
+ { id: "PIPA-05-C2", description: "Physical security measures implemented", status: "not-implemented" },
592
+ { id: "PIPA-05-C3", description: "Administrative security measures implemented", status: "not-implemented" },
593
+ { id: "PIPA-05-C4", description: "Special RRN protection measures", status: "not-implemented" },
594
+ ],
595
+ },
596
+ {
597
+ id: "PIPA-06",
598
+ name: "KISA/PIPC Breach Notification",
599
+ description: "Notify PIPC/KISA and affected individuals of personal data breaches without delay.",
600
+ category: "incident-management",
601
+ framework: "PIPA",
602
+ status: "not-implemented",
603
+ severity: "critical",
604
+ implementation_guidance: "Notify PIPC without delay when breach involves: personal information of 1,000+ subjects, sensitive information, or RRN. Notify affected individuals when breach is likely to cause harm. Include: items leaked, time/place, countermeasures, damage mitigation. Submit written report within 5 days. [Ref: PIPA Article 34]",
605
+ checks: [
606
+ { id: "PIPA-06-C1", description: "PIPC notification procedure for threshold breaches", status: "not-implemented" },
607
+ { id: "PIPA-06-C2", description: "Individual notification for harmful breaches", status: "not-implemented" },
608
+ { id: "PIPA-06-C3", description: "Written report within 5 days", status: "not-implemented" },
609
+ ],
610
+ },
611
+ {
612
+ id: "PIPA-07",
613
+ name: "Data Subject Rights (Korea)",
614
+ description: "Implement PIPA data subject rights including reading and suspension requests.",
615
+ category: "data-subject-rights",
616
+ framework: "PIPA",
617
+ status: "not-implemented",
618
+ severity: "high",
619
+ implementation_guidance: "Implement: access to personal information, suspension of processing, correction/deletion, and deletion of consented data. Respond within 10-15 days. Provide reasons for refusal if applicable. Implement digital request mechanisms. Ensure portability of personal information. [Ref: PIPA Articles 35-38]",
620
+ checks: [
621
+ { id: "PIPA-07-C1", description: "All PIPA rights implemented", status: "not-implemented" },
622
+ { id: "PIPA-07-C2", description: "Response within 10-15 days", status: "not-implemented" },
623
+ { id: "PIPA-07-C3", description: "Suspension of processing mechanism available", status: "not-implemented" },
624
+ ],
625
+ },
626
+ {
627
+ id: "PIPA-08",
628
+ name: "Resident Registration Number (RRN) Protection",
629
+ description: "Implement special protections for Resident Registration Numbers and other unique identifiers.",
630
+ category: "security-controls",
631
+ framework: "PIPA",
632
+ status: "not-implemented",
633
+ severity: "critical",
634
+ implementation_guidance: "Do not collect RRN unless specifically permitted by law. Store RRN encrypted with strong key management. Limit access to authorized personnel only. Implement audit logging for all RRN access. Never use RRN for identification beyond legally permitted purposes. Delete RRN when purpose is fulfilled. [Ref: PIPA Article 24; PIPA Enforcement Decree Article 19]",
635
+ checks: [
636
+ { id: "PIPA-08-C1", description: "RRN collection limited to legally permitted purposes", status: "not-implemented" },
637
+ { id: "PIPA-08-C2", description: "RRN encrypted with strong key management", status: "not-implemented" },
638
+ { id: "PIPA-08-C3", description: "RRN access audit logging implemented", status: "not-implemented" },
639
+ ],
640
+ },
641
+ {
642
+ id: "PIPA-09",
643
+ name: "Cross-Border Transfer (Korea)",
644
+ description: "Obtain separate consent and document safeguards for cross-border personal data transfers.",
645
+ category: "cross-border-transfers",
646
+ framework: "PIPA",
647
+ status: "not-implemented",
648
+ severity: "high",
649
+ implementation_guidance: "Obtain separate consent for cross-border transfers specifying: destination country, recipient, purpose, data items, retention period. Implement safeguards (contracts, equivalent protection). Allow withdrawal of consent. Document transfer register. [Ref: PIPA Article 28]",
650
+ checks: [
651
+ { id: "PIPA-09-C1", description: "Separate consent for cross-border transfers", status: "not-implemented" },
652
+ { id: "PIPA-09-C2", description: "Transfer register maintained", status: "not-implemented" },
653
+ ],
654
+ },
655
+ {
656
+ id: "PIPA-10",
657
+ name: "Outsourcing Management",
658
+ description: "Execute contracts with outsourced processors and maintain an outsourcing register.",
659
+ category: "vendor-management",
660
+ framework: "PIPA",
661
+ status: "not-implemented",
662
+ severity: "high",
663
+ implementation_guidance: "Execute contracts with processors specifying: processing scope, security measures, sub-contractor restrictions, and data handling. Maintain an outsourcing register published on the website. Conduct periodic assessments. Notify data subjects of outsourcing. [Ref: PIPA Article 27]",
664
+ checks: [
665
+ { id: "PIPA-10-C1", description: "Outsourcing contracts executed", status: "not-implemented" },
666
+ { id: "PIPA-10-C2", description: "Outsourcing register published", status: "not-implemented" },
667
+ ],
668
+ },
669
+ ];
670
+ return {
671
+ id: "kr-pipa",
672
+ name: "South Korea PIPA Pack (2023 Amendment)",
673
+ description: "Comprehensive South Korea PIPA controls: privacy policy publication, separate consent requirements, PIA, CPO designation, three-tier security measures, RRN protection, KISA/PIPC breach notification, data subject rights, cross-border transfers, and outsourcing management.",
674
+ version: "1.0.0",
675
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
676
+ controls,
677
+ frameworks: ["PIPA"],
678
+ };
679
+ }
680
+ // ============================================================
681
+ // CHINA — PIPL (Personal Information Protection Law, effective Nov 1, 2021)
682
+ // Regulator: Cyberspace Administration of China (CAC)
683
+ // ============================================================
684
+ export function createChinaPIPLPolicyPack() {
685
+ const controls = [
686
+ {
687
+ id: "PIPL-01",
688
+ name: "Legal Basis and Consent",
689
+ description: "Identify legal basis and obtain valid consent for personal information processing.",
690
+ category: "consent-management",
691
+ framework: "PIPL",
692
+ status: "not-implemented",
693
+ severity: "critical",
694
+ implementation_guidance: "Obtain consent that is: freely given, informed, voluntary, and clear. Alternatively, process based on: contract performance, legal obligations, public health, news reporting, or legally permitted circumstances. Consent must be for specific purposes, with clear affirmative action. Single consent cannot bundle multiple purposes. [Ref: PIPL Articles 13-14]",
695
+ checks: [
696
+ { id: "PIPL-01-C1", description: "Legal basis documented per processing activity", status: "not-implemented" },
697
+ { id: "PIPL-01-C2", description: "Consent is freely given, informed, voluntary, clear", status: "not-implemented" },
698
+ { id: "PIPL-01-C3", description: "No bundled consent for multiple purposes", status: "not-implemented" },
699
+ ],
700
+ },
701
+ {
702
+ id: "PIPL-02",
703
+ name: "Privacy Policy (Chinese Language)",
704
+ description: "Publish a comprehensive privacy policy in clear, plain Chinese language.",
705
+ category: "privacy-governance",
706
+ framework: "PIPL",
707
+ status: "not-implemented",
708
+ severity: "critical",
709
+ implementation_guidance: "Publish privacy policy including: handler identity, contact person, processing purposes/methods, data categories, retention, data subject rights, and mechanisms. Use clear, plain Chinese. Display prominently. Make it accessible, easy to read, and convenient to save. [Ref: PIPL Article 17]",
710
+ checks: [
711
+ { id: "PIPL-02-C1", description: "Privacy policy published in Chinese with all required items", status: "not-implemented" },
712
+ { id: "PIPL-02-C2", description: "Policy displayed prominently and accessible", status: "not-implemented" },
713
+ ],
714
+ },
715
+ {
716
+ id: "PIPL-03",
717
+ name: "Sensitive Personal Information Controls",
718
+ description: "Obtain separate consent and implement stricter controls for sensitive personal information.",
719
+ category: "consent-management",
720
+ framework: "PIPL",
721
+ status: "not-implemented",
722
+ severity: "critical",
723
+ implementation_guidance: "Sensitive PI includes: biometrics, religious beliefs, specific identity, medical health, financial accounts, location tracking, minors under 14. Obtain separate consent with necessity explanation. Implement stricter access controls and encryption. Conduct PIPIA (Personal Information Protection Impact Assessment). Minimize collection. [Ref: PIPL Articles 28-32]",
724
+ checks: [
725
+ { id: "PIPL-03-C1", description: "Sensitive PI identified and classified", status: "not-implemented" },
726
+ { id: "PIPL-03-C2", description: "Separate consent with necessity explanation", status: "not-implemented" },
727
+ { id: "PIPL-03-C3", description: "Stricter security controls for sensitive PI", status: "not-implemented" },
728
+ { id: "PIPL-03-C4", description: "PIPIA conducted for sensitive data processing", status: "not-implemented" },
729
+ ],
730
+ },
731
+ {
732
+ id: "PIPL-04",
733
+ name: "Data Localization",
734
+ description: "Store personal information of Chinese residents within mainland China when required.",
735
+ category: "cross-border-transfers",
736
+ framework: "PIPL",
737
+ status: "not-implemented",
738
+ severity: "critical",
739
+ implementation_guidance: "Store PI within China for: Critical Information Infrastructure Operators (CIIO), and handlers processing PI of 1,000,000+ individuals or transferring 100,000+ non-sensitive or 10,000+ sensitive PI abroad. Implement technical controls ensuring affected data remains within China. [Ref: PIPL Article 40; Data Export Security Assessment Measures]",
740
+ checks: [
741
+ { id: "PIPL-04-C1", description: "Data localization thresholds assessed", status: "not-implemented" },
742
+ { id: "PIPL-04-C2", description: "Technical controls enforce China data residency", status: "not-implemented" },
743
+ ],
744
+ },
745
+ {
746
+ id: "PIPL-05",
747
+ name: "CAC Cross-Border Transfer Assessment",
748
+ description: "Complete required CAC assessments before transferring personal information abroad.",
749
+ category: "cross-border-transfers",
750
+ framework: "PIPL",
751
+ status: "not-implemented",
752
+ severity: "critical",
753
+ implementation_guidance: "Complete: CAC Security Assessment for large-scale transfers, CAC Standard Contract filing, or CAC certification. Obtain separate informed consent from individuals. Inform: purpose, recipient, data items, retention, rights. Conduct PIPIA before transfer. Maintain transfer records. [Ref: PIPL Article 38-39; CAC Standard Contract Measures]",
754
+ checks: [
755
+ { id: "PIPL-05-C1", description: "Appropriate CAC mechanism completed (assessment/contract/certification)", status: "not-implemented" },
756
+ { id: "PIPL-05-C2", description: "Separate consent from individuals obtained", status: "not-implemented" },
757
+ { id: "PIPL-05-C3", description: "PIPIA conducted before transfer", status: "not-implemented" },
758
+ ],
759
+ },
760
+ {
761
+ id: "PIPL-06",
762
+ name: "PIPL Individual Rights",
763
+ description: "Implement all PIPL data subject rights including right to refuse profiling.",
764
+ category: "data-subject-rights",
765
+ framework: "PIPL",
766
+ status: "not-implemented",
767
+ severity: "high",
768
+ implementation_guidance: "Implement rights: know/access, copy, correct, delete, restrict, portability, explain/refuse automated decisions, withdraw consent, delete deceased user's data. Respond within 15 working days. Provide clear mechanisms. Do not refuse on technical grounds. [Ref: PIPL Articles 44-49]",
769
+ checks: [
770
+ { id: "PIPL-06-C1", description: "All PIPL rights implemented", status: "not-implemented" },
771
+ { id: "PIPL-06-C2", description: "Automated decision explanation and refusal", status: "not-implemented" },
772
+ { id: "PIPL-06-C3", description: "Responses within 15 working days", status: "not-implemented" },
773
+ ],
774
+ },
775
+ {
776
+ id: "PIPL-07",
777
+ name: "Personal Information Protection Impact Assessment (PIPIA)",
778
+ description: "Conduct PIPIA before high-risk processing activities.",
779
+ category: "privacy-governance",
780
+ framework: "PIPL",
781
+ status: "not-implemented",
782
+ severity: "high",
783
+ implementation_guidance: "Conduct PIPIA for: sensitive PI, automated decision-making/profiling, entrusting/outsourcing, public disclosure, cross-border transfers. Document: processing purpose, necessity, impact assessment, risk mitigation. PIPIA records kept for at least 3 years. [Ref: PIPL Article 55-56]",
784
+ checks: [
785
+ { id: "PIPL-07-C1", description: "PIPIA criteria established for triggering activities", status: "not-implemented" },
786
+ { id: "PIPL-07-C2", description: "PIPIA records maintained for 3+ years", status: "not-implemented" },
787
+ ],
788
+ },
789
+ {
790
+ id: "PIPL-08",
791
+ name: "Automated Decision-Making Controls",
792
+ description: "Implement safeguards for automated decisions, profiling, and algorithmic recommendations.",
793
+ category: "data-subject-rights",
794
+ framework: "PIPL",
795
+ status: "not-implemented",
796
+ severity: "high",
797
+ implementation_guidance: "Provide transparency about automated decisions. Do not use automated decisions that produce unreasonable differential treatment. Provide opt-out and explanation mechanisms. Ensure decisions do not discriminate based on personal characteristics. [Ref: PIPL Article 24; Algorithm Recommendation Management Provisions]",
798
+ checks: [
799
+ { id: "PIPL-08-C1", description: "Automated decision transparency implemented", status: "not-implemented" },
800
+ { id: "PIPL-08-C2", description: "Opt-out and explanation available", status: "not-implemented" },
801
+ { id: "PIPL-08-C3", description: "Non-discrimination safeguards in place", status: "not-implemented" },
802
+ ],
803
+ },
804
+ {
805
+ id: "PIPL-09",
806
+ name: "Personal Information Handler Representative",
807
+ description: "Designate a person in charge of personal information protection.",
808
+ category: "privacy-governance",
809
+ framework: "PIPL",
810
+ status: "not-implemented",
811
+ severity: "medium",
812
+ implementation_guidance: "Designate a person responsible for personal information protection. Publicize their name and contact information. Establish a dedicated department or designate personnel for large-scale processing. [Ref: PIPL Article 52]",
813
+ checks: [
814
+ { id: "PIPL-09-C1", description: "Protection representative designated", status: "not-implemented" },
815
+ { id: "PIPL-09-C2", description: "Contact information publicized", status: "not-implemented" },
816
+ ],
817
+ },
818
+ {
819
+ id: "PIPL-10",
820
+ name: "Children's Personal Information (Under 14)",
821
+ description: "Implement special protections for minors under 14 as sensitive personal information.",
822
+ category: "consent-management",
823
+ framework: "PIPL",
824
+ status: "not-implemented",
825
+ severity: "high",
826
+ implementation_guidance: "Treat children's PI as sensitive. Obtain consent from guardian. Create a dedicated handler rule for minors' data. Appoint a person responsible for children's PI. Minimize collection. Do not target children with profiling or behavioral advertising. [Ref: PIPL Article 31; Children's PI Network Protection Provisions]",
827
+ checks: [
828
+ { id: "PIPL-10-C1", description: "Guardian consent obtained for minors under 14", status: "not-implemented" },
829
+ { id: "PIPL-10-C2", description: "Dedicated children's PI handling rules established", status: "not-implemented" },
830
+ { id: "PIPL-10-C3", description: "No behavioral advertising targeting minors", status: "not-implemented" },
831
+ ],
832
+ },
833
+ {
834
+ id: "PIPL-11",
835
+ name: "Breach Notification (PIPL)",
836
+ description: "Notify authorities and affected individuals of personal information security incidents.",
837
+ category: "incident-management",
838
+ framework: "PIPL",
839
+ status: "not-implemented",
840
+ severity: "critical",
841
+ implementation_guidance: "Immediately take remedial measures for security incidents. Notify authorities and affected individuals when a leak/tampering/loss occurs or may cause harm. Include: type of data, cause, and harm. Maintain remedial measures and documentation. Report to CAC if required. [Ref: PIPL Article 57]",
842
+ checks: [
843
+ { id: "PIPL-11-C1", description: "Incident response and remedial procedures", status: "not-implemented" },
844
+ { id: "PIPL-11-C2", description: "Authority notification for harmful incidents", status: "not-implemented" },
845
+ { id: "PIPL-11-C3", description: "Individual notification with required details", status: "not-implemented" },
846
+ ],
847
+ },
848
+ ];
849
+ return {
850
+ id: "cn-pipl",
851
+ name: "China PIPL Pack (Effective Nov 2021)",
852
+ description: "Comprehensive China PIPL controls: consent/legal basis, Chinese-language privacy policy, sensitive PI controls, data localization (CIIO/thresholds), CAC cross-border assessment (security/contract/certification), PIPIA, automated decision controls, children's protection (under 14), and breach notification.",
853
+ version: "1.0.0",
854
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
855
+ controls,
856
+ frameworks: ["PIPL"],
857
+ };
858
+ }
859
+ // ============================================================
860
+ // INDIA — DPDPA (Digital Personal Data Protection Act 2023)
861
+ // Regulator: Data Protection Board of India
862
+ // ============================================================
863
+ export function createIndiaDPDPAPolicyPack() {
864
+ const controls = [
865
+ {
866
+ id: "DPDPA-01",
867
+ name: "Consent Manager Framework",
868
+ description: "Implement interoperable consent management through DPDP-approved Consent Manager platforms.",
869
+ category: "consent-management",
870
+ framework: "DPDPA",
871
+ status: "not-implemented",
872
+ severity: "critical",
873
+ implementation_guidance: "Integrate with interoperable Consent Managers registered with the Data Protection Board. Consent must be: free, specific, informed, unconditional, unambiguous, and with clear affirmative action. Provide ability to withdraw consent through the same Consent Manager. Maintain verifiable consent records. [Ref: DPDPA Section 5-6]",
874
+ checks: [
875
+ { id: "DPDPA-01-C1", description: "Consent Manager integration implemented", status: "not-implemented" },
876
+ { id: "DPDPA-01-C2", description: "Consent withdrawal via Consent Manager", status: "not-implemented" },
877
+ { id: "DPDPA-01-C3", description: "Verifiable consent records maintained", status: "not-implemented" },
878
+ ],
879
+ },
880
+ {
881
+ id: "DPDPA-02",
882
+ name: "Notice Requirements",
883
+ description: "Provide clear notices describing personal data processing in multiple languages.",
884
+ category: "privacy-governance",
885
+ framework: "DPDPA",
886
+ status: "not-implemented",
887
+ severity: "high",
888
+ implementation_guidance: "Provide notices in clear, plain language (English and Indian languages) containing: personal data items, processing purpose, data fiduciary rights, data principal rights, manner of withdrawal, grievance redressal mechanism. Notices must be available in specified languages. [Ref: DPDPA Section 5]",
889
+ checks: [
890
+ { id: "DPDPA-02-C1", description: "Notices provided in multiple languages", status: "not-implemented" },
891
+ { id: "DPDPA-02-C2", description: "All required notice items included", status: "not-implemented" },
892
+ ],
893
+ },
894
+ {
895
+ id: "DPDPA-03",
896
+ name: "Data Principal Rights",
897
+ description: "Implement DPDPA rights for data principals.",
898
+ category: "data-subject-rights",
899
+ framework: "DPDPA",
900
+ status: "not-implemented",
901
+ severity: "high",
902
+ implementation_guidance: "Implement: access to data summary, correction/erasure, grievance redressal, and nomination (rights after death/incapacity). Provide a dedicated grievance officer contact. Respond within prescribed timeframes. Do not charge fees for basic rights. [Ref: DPDPA Sections 11-14]",
903
+ checks: [
904
+ { id: "DPDPA-03-C1", description: "Access and correction mechanisms implemented", status: "not-implemented" },
905
+ { id: "DPDPA-03-C2", description: "Grievance redressal officer designated", status: "not-implemented" },
906
+ { id: "DPDPA-03-C3", description: "Nomination mechanism available", status: "not-implemented" },
907
+ ],
908
+ },
909
+ {
910
+ id: "DPDPA-04",
911
+ name: "Significant Data Fiduciary Obligations",
912
+ description: "Comply with enhanced obligations if designated as a Significant Data Fiduciary (SDF).",
913
+ category: "privacy-governance",
914
+ framework: "DPDPA",
915
+ status: "not-implemented",
916
+ severity: "high",
917
+ implementation_guidance: "If designated as SDF by the Central Government: appoint a DPO based in India, conduct DPIAs, conduct independent data audits, and implement additional measures. The DPO shall be responsible to the Board of Directors. Report DPIA results and audit findings. [Ref: DPDPA Section 10]",
918
+ checks: [
919
+ { id: "DPDPA-04-C1", description: "SDF status assessment documented", status: "not-implemented" },
920
+ { id: "DPDPA-04-C2", description: "India-based DPO appointed if SDF", status: "not-implemented" },
921
+ { id: "DPDPA-04-C3", description: "DPIAs and audits conducted if SDF", status: "not-implemented" },
922
+ ],
923
+ },
924
+ {
925
+ id: "DPDPA-05",
926
+ name: "Children's Data Protection",
927
+ description: "Implement special protections for children's personal data (under 18).",
928
+ category: "consent-management",
929
+ framework: "DPDPA",
930
+ status: "not-implemented",
931
+ severity: "high",
932
+ implementation_guidance: "Obtain verifiable consent from a parent/guardian before processing children's data. Do not process children's data in a manner likely to cause detrimental effect on well-being. Do not track, target, or conduct behavioral monitoring of children or advertising aimed at children. [Ref: DPDPA Section 9]",
933
+ checks: [
934
+ { id: "DPDPA-05-C1", description: "Verifiable parental consent mechanism", status: "not-implemented" },
935
+ { id: "DPDPA-05-C2", description: "No behavioral monitoring/targeting of children", status: "not-implemented" },
936
+ ],
937
+ },
938
+ {
939
+ id: "DPDPA-06",
940
+ name: "Breach Notification (DPDPA)",
941
+ description: "Notify the Data Protection Board and affected individuals of personal data breaches.",
942
+ category: "incident-management",
943
+ framework: "DPDPA",
944
+ status: "not-implemented",
945
+ severity: "critical",
946
+ implementation_guidance: "Notify the Data Protection Board of any personal data breach. Provide detailed description of: the breach, its extent, and mitigation measures. Notify affected individuals if the Board determines it necessary. Maintain breach documentation. Report within prescribed timelines. [Ref: DPDPA Section 8(6)]",
947
+ checks: [
948
+ { id: "DPDPA-06-C1", description: "Board notification procedure implemented", status: "not-implemented" },
949
+ { id: "DPDPA-06-C2", description: "Individual notification when required", status: "not-implemented" },
950
+ { id: "DPDPA-06-C3", description: "Breach register maintained", status: "not-implemented" },
951
+ ],
952
+ },
953
+ {
954
+ id: "DPDPA-07",
955
+ name: "Cross-Border Transfers (India)",
956
+ description: "Ensure cross-border transfers comply with DPDPA transfer rules.",
957
+ category: "cross-border-transfers",
958
+ framework: "DPDPA",
959
+ status: "not-implemented",
960
+ severity: "high",
961
+ implementation_guidance: "Transfer personal data only to countries not on the negative list published by the Central Government. Ensure adequate level of data protection in destination country. Inform data principals of transfer arrangements. Maintain transfer documentation. [Ref: DPDPA Section 16]",
962
+ checks: [
963
+ { id: "DPDPA-07-C1", description: "Negative list checked before transfer", status: "not-implemented" },
964
+ { id: "DPDPA-07-C2", description: "Adequate protection ensured", status: "not-implemented" },
965
+ ],
966
+ },
967
+ {
968
+ id: "DPDPA-08",
969
+ name: "Exemptions for Legitimate Uses",
970
+ description: "Document processing exemptions for voluntary provision, legitimate uses, and other exceptions.",
971
+ category: "consent-management",
972
+ framework: "DPDPA",
973
+ status: "not-implemented",
974
+ severity: "medium",
975
+ implementation_guidance: "Document processing without consent for: voluntarily provided data (with notice), employment, medical emergency, disaster, lawful investigation, research/archives/statistical purposes, or other legitimate uses notified by the government. [Ref: DPDPA Section 7]",
976
+ checks: [
977
+ { id: "DPDPA-08-C1", description: "Legitimate use exemptions documented where applicable", status: "not-implemented" },
978
+ { id: "DPDPA-08-C2", description: "Notice still provided for exempt processing", status: "not-implemented" },
979
+ ],
980
+ },
981
+ ];
982
+ return {
983
+ id: "in-dpdpa",
984
+ name: "India DPDPA Pack (2023)",
985
+ description: "Comprehensive India Digital Personal Data Protection Act controls: Consent Manager framework, multi-language notices, data principal rights (incl. nomination), Significant Data Fiduciary obligations, children's protection (under 18), Data Protection Board breach notification, and cross-border transfer rules.",
986
+ version: "1.0.0",
987
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
988
+ controls,
989
+ frameworks: ["DPDPA"],
990
+ };
991
+ }