@greenarmor/ges-policy-engine 1.2.8 → 1.3.0

@@ -0,0 +1,3 @@
1
+ import type { PolicyPack } from "@greenarmor/ges-core";
2
+ export declare function createUKGDPRPolicyPack(): PolicyPack;
3
+ export declare function createSwissFADPPolicyPack(): PolicyPack;
@@ -0,0 +1,372 @@
1
+ // ============================================================
2
+ // UK GDPR — UNITED KINGDOM GENERAL DATA PROTECTION REGULATION
3
+ // UK Data Protection Act 2018 + UK GDPR (retained EU law)
4
+ // ============================================================
5
+ export function createUKGDPRPolicyPack() {
6
+ const controls = [
7
+ // --- Registration & Accountability ---
8
+ {
9
+ id: "UK-GDPR-01",
10
+ name: "ICO Registration",
11
+ description: "Register with the UK Information Commissioner's Office (ICO) as a data controller or processor if required.",
12
+ category: "privacy-governance",
13
+ framework: "UK-GDPR",
14
+ status: "not-implemented",
15
+ severity: "critical",
16
+ implementation_guidance: "Register with the ICO and pay the annual data protection fee if processing personal data (unless exempt). Maintain accurate registration entries describing processing purposes. Update registration when processing activities change. The ICO registration number must be available for inspection. [Ref: DPA 2018 Part 3 Section 137; ICO Registration Guidance]",
17
+ checks: [
18
+ { id: "UK-GDPR-01-C1", description: "ICO registration completed and current", status: "not-implemented" },
19
+ { id: "UK-GDPR-01-C2", description: "Annual data protection fee paid", status: "not-implemented" },
20
+ { id: "UK-GDPR-01-C3", description: "Registration entries reviewed and updated", status: "not-implemented" },
21
+ ],
22
+ },
23
+ {
24
+ id: "UK-GDPR-02",
25
+ name: "Data Protection Officer (UK)",
26
+ description: "Designate a Data Protection Officer where required under UK GDPR and ensure ICO notification.",
27
+ category: "privacy-governance",
28
+ framework: "UK-GDPR",
29
+ status: "not-implemented",
30
+ severity: "high",
31
+ implementation_guidance: "Designate a DPO if: a public authority (unless exempt), core activities require large-scale regular and systematic monitoring, or large-scale processing of special category data. Submit DPO contact details to the ICO. DPO must report to highest management level, operate independently, and not receive instructions on how to perform tasks. [Ref: UK GDPR Article 37; DPA 2018 Part 3 Section 69]",
32
+ checks: [
33
+ { id: "UK-GDPR-02-C1", description: "DPO designated if required", status: "not-implemented" },
34
+ { id: "UK-GDPR-02-C2", description: "DPO contact details submitted to ICO", status: "not-implemented" },
35
+ { id: "UK-GDPR-02-C3", description: "DPO independence and reporting line documented", status: "not-implemented" },
36
+ ],
37
+ },
38
+ {
39
+ id: "UK-GDPR-03",
40
+ name: "Records of Processing Activities (UK)",
41
+ description: "Maintain ROPA documenting all UK personal data processing activities.",
42
+ category: "data-inventory",
43
+ framework: "UK-GDPR",
44
+ status: "not-implemented",
45
+ severity: "critical",
46
+ implementation_guidance: "Maintain written records of processing activities including: controller/processor details, processing purposes, data categories, data subject categories, recipient categories, third-country transfers, retention periods, and security measures. Organizations with fewer than 250 employees are exempt unless processing is likely to risk rights, not occasional, or involves special category/criminal data. [Ref: UK GDPR Article 30]",
47
+ checks: [
48
+ { id: "UK-GDPR-03-C1", description: "ROPA maintained with all Article 30 required fields", status: "not-implemented" },
49
+ { id: "UK-GDPR-03-C2", description: "ROPA reviewed and updated when processing changes", status: "not-implemented" },
50
+ { id: "UK-GDPR-03-C3", description: "Exemption assessment documented if applicable", status: "not-implemented" },
51
+ ],
52
+ },
53
+ // --- Special Category & Criminal Data ---
54
+ {
55
+ id: "UK-GDPR-04",
56
+ name: "Special Category Data Conditions",
57
+ description: "Identify the Article 9 condition AND a Schedule 1 DPA 2018 condition for processing special category data under UK law.",
58
+ category: "consent-management",
59
+ framework: "UK-GDPR",
60
+ status: "not-implemented",
61
+ severity: "critical",
62
+ implementation_guidance: "For special category data (race, ethnicity, political, religious, trade union, genetic, biometric, health, sex life, sexual orientation), identify both a UK GDPR Article 9 condition AND a Schedule 1 of the DPA 2018 condition. Some Schedule 1 conditions require an 'appropriate policy document'. For criminal offence data, identify a Article 10 condition and Schedule 1 Part 2 condition. [Ref: UK GDPR Article 9-10; DPA 2018 Schedule 1]",
63
+ checks: [
64
+ { id: "UK-GDPR-04-C1", description: "Article 9 condition identified for each special category processing", status: "not-implemented" },
65
+ { id: "UK-GDPR-04-C2", description: "Schedule 1 DPA 2018 condition identified", status: "not-implemented" },
66
+ { id: "UK-GDPR-04-C3", description: "Appropriate policy document in place where required", status: "not-implemented" },
67
+ ],
68
+ },
69
+ // --- Lawful Basis & Consent ---
70
+ {
71
+ id: "UK-GDPR-05",
72
+ name: "Lawful Basis for Processing (UK)",
73
+ description: "Document and communicate the lawful basis for each processing activity under UK GDPR Article 6.",
74
+ category: "consent-management",
75
+ framework: "UK-GDPR",
76
+ status: "not-implemented",
77
+ severity: "high",
78
+ implementation_guidance: "Identify and document the Article 6 lawful basis for each processing activity: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Conduct Legitimate Interests Assessments (LIAs) where relying on that basis. Include the lawful basis in privacy notices. For children's data, ensure consent is given or authorized by a holder of parental responsibility (under 13 in UK). [Ref: UK GDPR Article 6; ICO Guidance on Children]",
79
+ checks: [
80
+ { id: "UK-GDPR-05-C1", description: "Lawful basis documented per processing activity", status: "not-implemented" },
81
+ { id: "UK-GDPR-05-C2", description: "Legitimate Interest Assessments conducted where applicable", status: "not-implemented" },
82
+ { id: "UK-GDPR-05-C3", description: "Children's data protections (age 13 threshold) implemented", status: "not-implemented" },
83
+ ],
84
+ },
85
+ // --- Individual Rights ---
86
+ {
87
+ id: "UK-GDPR-06",
88
+ name: "UK Data Subject Rights",
89
+ description: "Implement all UK GDPR data subject rights with ICO-compliant response procedures.",
90
+ category: "data-subject-rights",
91
+ framework: "UK-GDPR",
92
+ status: "not-implemented",
93
+ severity: "critical",
94
+ implementation_guidance: "Implement rights: access (Article 15), rectification (16), erasure (17), restriction (18), portability (20), objection (21), and automated decision-making (22). Respond within one month (extendable by two months for complex requests). Provide free first copy of data. Use ICO guidance for handling requests that are manifestly unfounded or excessive. [Ref: UK GDPR Articles 12-22]",
95
+ checks: [
96
+ { id: "UK-GDPR-06-C1", description: "All 7 data subject rights implemented", status: "not-implemented" },
97
+ { id: "UK-GDPR-06-C2", description: "Response within one month with extension procedure", status: "not-implemented" },
98
+ { id: "UK-GDPR-06-C3", description: "Manifestly unfounded/excessive request handling documented", status: "not-implemented" },
99
+ ],
100
+ },
101
+ // --- Privacy by Design & DPIA ---
102
+ {
103
+ id: "UK-GDPR-07",
104
+ name: "Data Protection Impact Assessment (DPIA)",
105
+ description: "Conduct DPIAs for high-risk processing under UK GDPR and ICO guidance.",
106
+ category: "privacy-governance",
107
+ framework: "UK-GDPR",
108
+ status: "not-implemented",
109
+ severity: "high",
110
+ implementation_guidance: "Conduct DPIAs for: large-scale special category data, systematic monitoring of public areas, systematic and extensive profiling, large-scale processing of vulnerable groups. Follow ICO DPIA template. Consult the ICO if high residual risks remain. Review DPIAs when processing changes. [Ref: UK GDPR Article 35; ICO DPIA Guidance]",
111
+ checks: [
112
+ { id: "UK-GDPR-07-C1", description: "DPIA screening criteria established", status: "not-implemented" },
113
+ { id: "UK-GDPR-07-C2", description: "DPIAs conducted for high-risk processing", status: "not-implemented" },
114
+ { id: "UK-GDPR-07-C3", description: "ICO prior consultation when residual high risk", status: "not-implemented" },
115
+ ],
116
+ },
117
+ // --- International Transfers ---
118
+ {
119
+ id: "UK-GDPR-08",
120
+ name: "UK International Transfer Mechanisms",
121
+ description: "Use UK-approved transfer mechanisms for international personal data transfers.",
122
+ category: "cross-border-transfers",
123
+ framework: "UK-GDPR",
124
+ status: "not-implemented",
125
+ severity: "critical",
126
+ implementation_guidance: "Transfer to adequate countries per UK adequacy regulations (EEA, Gibraltar, and others as designated). For non-adequate countries use: International Data Transfer Agreement (IDTA), UK Addendum to EU SCCs, Binding Corporate Rules (BCRs), or derogations (Article 49). Conduct Transfer Risk Assessments (TRAs) per ICO guidance. [Ref: UK GDPR Chapter V; ICO International Transfers Guidance]",
127
+ checks: [
128
+ { id: "UK-GDPR-08-C1", description: "Transfer register maintained with mechanism per transfer", status: "not-implemented" },
129
+ { id: "UK-GDPR-08-C2", description: "IDTA or UK Addendum executed for non-adequate transfers", status: "not-implemented" },
130
+ { id: "UK-GDPR-08-C3", description: "Transfer Risk Assessments conducted per ICO guidance", status: "not-implemented" },
131
+ { id: "UK-GDPR-08-C4", description: "UK adequacy regulations monitored for updates", status: "not-implemented" },
132
+ ],
133
+ },
134
+ // --- Security ---
135
+ {
136
+ id: "UK-GDPR-09",
137
+ name: "Security of Processing (UK)",
138
+ description: "Implement appropriate technical and organizational security measures per UK GDPR Article 32.",
139
+ category: "security-controls",
140
+ framework: "UK-GDPR",
141
+ status: "not-implemented",
142
+ severity: "critical",
143
+ implementation_guidance: "Implement measures appropriate to risk: pseudonymisation, encryption, confidentiality, integrity, availability, resilience, and restoration procedures. Follow ICO security guidance. Regularly test and evaluate effectiveness. Document security risk assessments. [Ref: UK GDPR Article 32; ICO Security Guidance]",
144
+ checks: [
145
+ { id: "UK-GDPR-09-C1", description: "Security measures documented and risk-assessed", status: "not-implemented" },
146
+ { id: "UK-GDPR-09-C2", description: "Encryption and pseudonymisation implemented", status: "not-implemented" },
147
+ { id: "UK-GDPR-09-C3", description: "Measures tested and evaluated regularly", status: "not-implemented" },
148
+ ],
149
+ },
150
+ // --- Breach Notification ---
151
+ {
152
+ id: "UK-GDPR-10",
153
+ name: "ICO Breach Notification",
154
+ description: "Notify the ICO of personal data breaches within 72 hours and notify affected individuals when high risk.",
155
+ category: "incident-management",
156
+ framework: "UK-GDPR",
157
+ status: "not-implemented",
158
+ severity: "critical",
159
+ implementation_guidance: "Notify the ICO within 72 hours of becoming aware of a personal data breach posing risk to individuals (unless unlikely to result in risk). Use the ICO's personal data breach reporting service. If high risk to individuals, notify them without undue delay. Document all breaches including those not requiring notification. [Ref: UK GDPR Article 33-34; ICO Breach Reporting Guidance]",
160
+ checks: [
161
+ { id: "UK-GDPR-10-C1", description: "ICO 72-hour notification procedure implemented", status: "not-implemented" },
162
+ { id: "UK-GDPR-10-C2", description: "Individual notification for high-risk breaches", status: "not-implemented" },
163
+ { id: "UK-GDPR-10-C3", description: "Internal breach register maintained", status: "not-implemented" },
164
+ ],
165
+ },
166
+ // --- Processor Management ---
167
+ {
168
+ id: "UK-GDPR-11",
169
+ name: "Data Processor Contracts (UK)",
170
+ description: "Execute Article 28-compliant data processing contracts with all processors.",
171
+ category: "vendor-management",
172
+ framework: "UK-GDPR",
173
+ status: "not-implemented",
174
+ severity: "high",
175
+ implementation_guidance: "Execute written contracts with processors covering: subject matter, duration, nature/purpose, data types, data subject obligations, processor duties (act on documented instructions, confidentiality, security, sub-processor controls, data return/deletion, audit assistance). Use ICO-approved contract templates. [Ref: UK GDPR Article 28]",
176
+ checks: [
177
+ { id: "UK-GDPR-11-C1", description: "Article 28 contracts executed with all processors", status: "not-implemented" },
178
+ { id: "UK-GDPR-11-C2", description: "Sub-processor flow-down terms included", status: "not-implemented" },
179
+ { id: "UK-GDPR-11-C3", description: "Contracts reviewed for ICO compliance", status: "not-implemented" },
180
+ ],
181
+ },
182
+ // --- Accountability & Governance ---
183
+ {
184
+ id: "UK-GDPR-12",
185
+ name: "Accountability Principle (UK)",
186
+ description: "Demonstrate compliance with UK GDPR accountability principle through documented evidence.",
187
+ category: "privacy-governance",
188
+ framework: "UK-GDPR",
189
+ status: "not-implemented",
190
+ severity: "high",
191
+ implementation_guidance: "Maintain evidence of compliance: policies, procedures, training records, DPIAs, audit results, ROPA, consent records, contracts, breach records, and DPO reports. Conduct annual self-assessments using the ICO accountability framework. Implement a data protection by design approach. [Ref: UK GDPR Article 5(2); ICO Accountability Framework]",
192
+ checks: [
193
+ { id: "UK-GDPR-12-C1", description: "Accountability evidence maintained and organized", status: "not-implemented" },
194
+ { id: "UK-GDPR-12-C2", description: "Annual ICO accountability self-assessment conducted", status: "not-implemented" },
195
+ { id: "UK-GDPR-12-C3", description: "Data protection by design integrated into projects", status: "not-implemented" },
196
+ ],
197
+ },
198
+ // --- Direct Marketing ---
199
+ {
200
+ id: "UK-GDPR-13",
201
+ name: "Direct Marketing (PECR)",
202
+ description: "Comply with Privacy and Electronic Communications Regulations (PECR) for marketing.",
203
+ category: "consent-management",
204
+ framework: "UK-GDPR",
205
+ status: "not-implemented",
206
+ severity: "high",
207
+ implementation_guidance: "Obtain consent before sending electronic marketing (email, SMS, in-app) to individuals. Provide clear opt-out in every message. Honor opt-outs promptly. For existing customers (soft opt-in), ensure similar products/services and clear opt-out. PECR works alongside UK GDPR for marketing. [Ref: PECR; ICO Direct Marketing Guidance]",
208
+ checks: [
209
+ { id: "UK-GDPR-13-C1", description: "PECR-compliant consent obtained for electronic marketing", status: "not-implemented" },
210
+ { id: "UK-GDPR-13-C2", description: "Opt-out mechanism in every marketing message", status: "not-implemented" },
211
+ { id: "UK-GDPR-13-C3", description: "Soft opt-in criteria assessed for existing customers", status: "not-implemented" },
212
+ ],
213
+ },
214
+ // --- UK Representative ---
215
+ {
216
+ id: "UK-GDPR-14",
217
+ name: "UK Representative",
218
+ description: "Appoint a UK representative if offering goods/services or monitoring individuals in the UK from outside the UK.",
219
+ category: "privacy-governance",
220
+ framework: "UK-GDPR",
221
+ status: "not-implemented",
222
+ severity: "medium",
223
+ implementation_guidance: "If based outside the UK and processing UK personal data related to offering goods/services or behavior monitoring, appoint a UK-based representative. The representative acts as a point of contact for data subjects and the ICO. Document the representative appointment and make contact details available to data subjects. [Ref: UK GDPR Article 27]",
224
+ checks: [
225
+ { id: "UK-GDPR-14-C1", description: "UK representative appointed if applicable", status: "not-implemented" },
226
+ { id: "UK-GDPR-14-C2", description: "Representative contact details available to data subjects", status: "not-implemented" },
227
+ ],
228
+ },
229
+ ];
230
+ return {
231
+ id: "uk-gdpr",
232
+ name: "UK GDPR & Data Protection Act 2018 Pack",
233
+ description: "Comprehensive UK data protection controls covering UK GDPR articles and DPA 2018: ICO registration, special category data conditions (Schedule 1), PECR direct marketing, IDTA/UK Addendum transfers, and ICO 72-hour breach notification.",
234
+ version: "1.0.0",
235
+ project_types: ["saas", "generic-web-application", "api-backend", "mobile-application"],
236
+ controls,
237
+ frameworks: ["UK-GDPR"],
238
+ };
239
+ }
240
+ // ============================================================
241
+ // SWITZERLAND — FADP (Federal Act on Data Protection, revFADP)
242
+ // In effect: September 1, 2023
243
+ // ============================================================
244
+ export function createSwissFADPPolicyPack() {
245
+ const controls = [
246
+ {
247
+ id: "FADP-01",
248
+ name: "Data Protection Officer / Advisor",
249
+ description: "Designate a data protection advisor if processing high-risk personal data on a large scale.",
250
+ category: "privacy-governance",
251
+ framework: "FADP",
252
+ status: "not-implemented",
253
+ severity: "high",
254
+ implementation_guidance: "Designate a data protection advisor if a data security risk assessment indicates a high risk to personality or fundamental rights, particularly for large-scale or sensitive data processing. The advisor maintains the data processing register, advises on DPIAs, and liaises with the FDPIC. [Ref: FADP Article 10]",
255
+ checks: [
256
+ { id: "FADP-01-C1", description: "Risk assessment conducted to determine advisor requirement", status: "not-implemented" },
257
+ { id: "FADP-01-C2", description: "Advisor designated if high-risk threshold met", status: "not-implemented" },
258
+ ],
259
+ },
260
+ {
261
+ id: "FADP-02",
262
+ name: "Principles of Data Processing",
263
+ description: "Comply with FADP principles: lawfulness, proportionality, purpose, transparency, and accuracy.",
264
+ category: "consent-management",
265
+ framework: "FADP",
266
+ status: "not-implemented",
267
+ severity: "critical",
268
+ implementation_guidance: "Process personal data lawfully, in good faith, and proportionally. Process only for the purpose indicated at collection, which must be recognizable. Process special categories (health, biometric, genetic, racial, religious, political, trade union, sexual) only with explicit consent or narrow legal exceptions. [Ref: FADP Articles 6-7]",
269
+ checks: [
270
+ { id: "FADP-02-C1", description: "Processing purposes documented and communicated", status: "not-implemented" },
271
+ { id: "FADP-02-C2", description: "Explicit consent obtained for special category data", status: "not-implemented" },
272
+ { id: "FADP-02-C3", description: "Proportionality assessment conducted", status: "not-implemented" },
273
+ ],
274
+ },
275
+ {
276
+ id: "FADP-03",
277
+ name: "Transparency and Information Duties",
278
+ description: "Provide information to data subjects about data collection and processing.",
279
+ category: "privacy-governance",
280
+ framework: "FADP",
281
+ status: "not-implemented",
282
+ severity: "high",
283
+ implementation_guidance: "When collecting personal data, actively inform data subjects of: controller identity, processing purpose, data categories, recipients, retention, cross-border transfers, and data subject rights. For data obtained from third parties, inform within a reasonable timeframe. Publish privacy notices in clear language. [Ref: FADP Article 19]",
284
+ checks: [
285
+ { id: "FADP-03-C1", description: "Privacy notices published with all FADP-required information", status: "not-implemented" },
286
+ { id: "FADP-03-C2", description: "Third-party data subjects informed within reasonable time", status: "not-implemented" },
287
+ ],
288
+ },
289
+ {
290
+ id: "FADP-04",
291
+ name: "Data Subject Rights",
292
+ description: "Implement FADP data subject rights including access, correction, destruction, and objection.",
293
+ category: "data-subject-rights",
294
+ framework: "FADP",
295
+ status: "not-implemented",
296
+ severity: "high",
297
+ implementation_guidance: "Implement rights: information about processing, access to personal data, correction of inaccurate data, destruction of unlawfully processed data, objection to direct marketing/profiling, and restriction. Respond within 30 days (extendable by 60). Provide free access. Charge reasonable fees for copies. [Ref: FADP Articles 25-27]",
298
+ checks: [
299
+ { id: "FADP-04-C1", description: "All FADP data subject rights implemented", status: "not-implemented" },
300
+ { id: "FADP-04-C2", description: "Response within 30 days with extension procedure", status: "not-implemented" },
301
+ { id: "FADP-04-C3", description: "Direct marketing objection respected", status: "not-implemented" },
302
+ ],
303
+ },
304
+ {
305
+ id: "FADP-05",
306
+ name: "Data Security and Breach Notification",
307
+ description: "Implement appropriate security measures and notify the FDPIC of qualifying data breaches.",
308
+ category: "security-controls",
309
+ framework: "FADP",
310
+ status: "not-implemented",
311
+ severity: "critical",
312
+ implementation_guidance: "Implement appropriate technical and organizational security measures based on risk. Maintain a data processing register. Notify the FDPIC as soon as possible when a data breach is likely to result in a high risk to the personality or fundamental rights of data subjects. The FDPIC may then inform the public. [Ref: FADP Articles 7, 24]",
313
+ checks: [
314
+ { id: "FADP-05-C1", description: "Security measures documented and risk-assessed", status: "not-implemented" },
315
+ { id: "FADP-05-C2", description: "Data processing register maintained", status: "not-implemented" },
316
+ { id: "FADP-05-C3", description: "FDPIC breach notification procedure for high-risk breaches", status: "not-implemented" },
317
+ ],
318
+ },
319
+ {
320
+ id: "FADP-06",
321
+ name: "Cross-Border Data Transfers",
322
+ description: "Ensure adequate protection for personal data transferred outside Switzerland.",
323
+ category: "cross-border-transfers",
324
+ framework: "FADP",
325
+ status: "not-implemented",
326
+ severity: "high",
327
+ implementation_guidance: "Transfer to countries providing adequate protection (the Swiss FDPIC recognizes EU/EEA and certain other countries as adequate). For non-adequate countries, use safeguards: SCCs (Swiss-specific or EU SCCs with Swiss modifications), BCRs, or FDPIC-approved mechanisms. Conduct transfer assessments. [Ref: FADP Article 16]",
328
+ checks: [
329
+ { id: "FADP-06-C1", description: "Adequacy assessment conducted per destination country", status: "not-implemented" },
330
+ { id: "FADP-06-C2", description: "Swiss SCCs or equivalent safeguards for non-adequate transfers", status: "not-implemented" },
331
+ { id: "FADP-06-C3", description: "FDPIC adequacy list monitored", status: "not-implemented" },
332
+ ],
333
+ },
334
+ {
335
+ id: "FADP-07",
336
+ name: "DPIA for High-Risk Processing",
337
+ description: "Conduct Data Protection Impact Assessments for processing likely to result in high risks.",
338
+ category: "privacy-governance",
339
+ framework: "FADP",
340
+ status: "not-implemented",
341
+ severity: "medium",
342
+ implementation_guidance: "Conduct a DPIA before processing that is likely to result in high risks to personality or fundamental rights, such as: systematic monitoring, large-scale processing of sensitive data, profiling with significant effects, or innovative technologies. Document DPIA methodology, risks, and mitigation measures. [Ref: FADP Article 22-23]",
343
+ checks: [
344
+ { id: "FADP-07-C1", description: "DPIA criteria established for high-risk processing", status: "not-implemented" },
345
+ { id: "FADP-07-C2", description: "DPIAs documented with risk assessments", status: "not-implemented" },
346
+ ],
347
+ },
348
+ {
349
+ id: "FADP-08",
350
+ name: "Processor Management (FADP)",
351
+ description: "Execute written contracts with processors processing personal data on behalf of the controller.",
352
+ category: "vendor-management",
353
+ framework: "FADP",
354
+ status: "not-implemented",
355
+ severity: "high",
356
+ implementation_guidance: "Execute written contracts with processors covering: processing only on documented instructions, security obligations, confidentiality, sub-processor controls, data return/deletion, and audit assistance. Processors are jointly and severally liable with controllers for compliance. [Ref: FADP Article 9]",
357
+ checks: [
358
+ { id: "FADP-08-C1", description: "Written contracts with all processors", status: "not-implemented" },
359
+ { id: "FADP-08-C2", description: "Contracts include FADP Article 9 requirements", status: "not-implemented" },
360
+ ],
361
+ },
362
+ ];
363
+ return {
364
+ id: "ch-fadp",
365
+ name: "Switzerland FADP Pack (revFADP 2023)",
366
+ description: "Comprehensive Swiss Federal Act on Data Protection controls: FDPIC requirements, FADP principles (Articles 6-7), transparency duties (Article 19), data subject rights (Articles 25-27), cross-border transfers (Article 16), DPIA (Articles 22-23), and breach notification (Article 24).",
367
+ version: "1.0.0",
368
+ project_types: ["saas", "generic-web-application", "api-backend"],
369
+ controls,
370
+ frameworks: ["FADP"],
371
+ };
372
+ }
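Review bot: FADP-01's `implementation_guidance` presents the data protection advisor as mandatory once a risk assessment shows high risk, but under the revised FADP Art. 10 appointing one is voluntary for private controllers (the practical benefit is being able to forgo FDPIC consultation after a DPIA, Art. 23(4)), so the control asserts an obligation that does not exist and mis-describes the advisor's duties. I would reword the description to `"Consider appointing a data protection advisor (voluntary for private controllers, FADP Art. 10); if appointed, notify the FDPIC of their contact details."` and drop the claim that the advisor maintains the processing register. Several citations also look wrong and should be re-verified before this ships as compliance text: FADP-05 cites Articles 7 and 24 for security and the processing register, which appear to be Art. 8 and Art. 12; FADP-06 says the FDPIC recognizes adequate countries, whereas Art. 16(1) leaves that decision to the Federal Council (Annex 1 of the DPO); and UK-GDPR-01 cites DPA 2018 "Part 3 Section 137", but s.137 sits in Part 5 and concerns the charges regulations. FADP-08's statement that processors are "jointly and severally liable" with controllers is not something the FADP provides and should be removed rather than emitted as guidance. Because downstream engines consume this text as authoritative, I'd add `// Legal references checked against revFADP (SR 235.1) in force 2023-09-01 — re-verify on amendment` above `createSwissFADPPolicyPack` so future edits know the verification baseline.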
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "dependencies": {
3
- "@greenarmor/ges-compliance-engine": "1.2.8",
4
- "@greenarmor/ges-core": "1.2.8"
3
+ "@greenarmor/ges-compliance-engine": "1.3.0",
4
+ "@greenarmor/ges-core": "1.3.0"
5
5
  },
6
6
  "description": "GESF Policy Engine - Policy packs management and enforcement",
7
7
  "devDependencies": {
@@ -25,7 +25,7 @@
25
25
  "name": "@greenarmor/ges-policy-engine",
26
26
  "type": "module",
27
27
  "types": "./dist/index.d.ts",
28
- "version": "1.2.8",
28
+ "version": "1.3.0",
29
29
  "scripts": {
30
30
  "build": "tsc",
31
31
  "clean": "rm -rf dist tsconfig.tsbuildinfo",