bmad-plus 0.9.0 → 0.9.2
- package/CHANGELOG.md +36 -0
- package/LICENSE +21 -21
- package/README.md +106 -86
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +30 -3
- package/readme-international/README.de.md +8 -3
- package/readme-international/README.es.md +8 -3
- package/readme-international/README.fr.md +8 -3
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/bmad-plus-cli.js +5 -3
- package/tools/cli/commands/autoconfig.js +23 -59
- package/tools/cli/commands/doctor.js +14 -0
- package/tools/cli/commands/install.js +29 -128
- package/tools/cli/commands/memory.js +1 -0
- package/tools/cli/commands/scan.js +44 -42
- package/tools/cli/commands/uninstall.js +10 -5
- package/tools/cli/commands/update.js +21 -3
- package/tools/cli/lib/ide-config.js +259 -0
- package/tools/cli/lib/memory-init.js +0 -1
- package/tools/cli/lib/pack-copy.js +84 -84
- package/tools/cli/lib/packs.js +16 -8
- package/tools/cli/lib/stack-detect.js +102 -0
- package/tools/cli/lib/validate.js +50 -0
|
@@ -1,272 +1,272 @@
|
|
|
1
|
-
# LGPD Compliance Programme Reference
|
|
2
|
-
|
|
3
|
-
## Programme Template & Key Documents
|
|
4
|
-
|
|
5
|
-
---
|
|
6
|
-
|
|
7
|
-
## 1. LGPD Compliance Roadmap
|
|
8
|
-
|
|
9
|
-
### Phase 1 — Foundation (Months 1–3)
|
|
10
|
-
- [ ] Appoint DPO (Encarregado) — publish contact on website
|
|
11
|
-
- [ ] Conduct personal data inventory / data mapping
|
|
12
|
-
- [ ] Identify all processing activities and responsible owners
|
|
13
|
-
- [ ] Create Records of Processing Activities (RoPA)
|
|
14
|
-
- [ ] Conduct initial LGPD gap assessment
|
|
15
|
-
|
|
16
|
-
### Phase 2 — Remediation (Months 3–6)
|
|
17
|
-
- [ ] Map legal basis to each processing activity (Arts. 7, 11)
|
|
18
|
-
- [ ] Draft/update privacy notices (Art. 9)
|
|
19
|
-
- [ ] Update consent mechanisms — ensure validity (Art. 8)
|
|
20
|
-
- [ ] Implement data subject rights fulfilment procedures
|
|
21
|
-
- [ ] Conduct Data Protection Impact Assessment (RIPD) for high-risk processing
|
|
22
|
-
- [ ] Review and update supplier/processor contracts (Art. 39)
|
|
23
|
-
- [ ] Implement security technical and administrative measures (Art. 46)
|
|
24
|
-
- [ ] Establish international transfer compliance (Arts. 33–36)
|
|
25
|
-
|
|
26
|
-
### Phase 3 — Operationalisation (Months 6–9)
|
|
27
|
-
- [ ] Train all employees on LGPD obligations
|
|
28
|
-
- [ ] Implement automated data subject request workflow
|
|
29
|
-
- [ ] Establish breach detection and notification procedure (Art. 48)
|
|
30
|
-
- [ ] Implement data retention and disposal schedule
|
|
31
|
-
- [ ] Create internal LGPD governance committee
|
|
32
|
-
- [ ] Conduct privacy by design review of new products/services
|
|
33
|
-
|
|
34
|
-
### Phase 4 — Ongoing Compliance
|
|
35
|
-
- [ ] Annual LGPD gap reassessment
|
|
36
|
-
- [ ] RIPD for any new high-risk processing
|
|
37
|
-
- [ ] Monitor ANPD guidance and resolution updates
|
|
38
|
-
- [ ] Regular employee training refreshers
|
|
39
|
-
- [ ] Annual DPO report to management
|
|
40
|
-
- [ ] Incident response drills
|
|
41
|
-
|
|
42
|
-
---
|
|
43
|
-
|
|
44
|
-
## 2. Records of Processing Activities (RoPA) Template
|
|
45
|
-
|
|
46
|
-
*Per Art. 37 LGPD and ANPD Resolution No. 2/2022*
|
|
47
|
-
|
|
48
|
-
| Field | Description |
|
|
49
|
-
|-------|-------------|
|
|
50
|
-
| Processing Activity Name | e.g., "Customer Account Management" |
|
|
51
|
-
| Controller | Legal name, CNPJ |
|
|
52
|
-
| DPO Contact | Name, email, phone |
|
|
53
|
-
| Processor(s) | If applicable — name, CNPJ, role |
|
|
54
|
-
| Purpose | Specific, legitimate purpose |
|
|
55
|
-
| Legal Basis | Art. 7 or Art. 11 basis; if LI, balancing test reference |
|
|
56
|
-
| Categories of Data | e.g., identification, financial, health, biometric |
|
|
57
|
-
| Sensitive Data? | Yes/No; if yes, basis under Art. 11 |
|
|
58
|
-
| Children's Data? | Yes/No; consent mechanism |
|
|
59
|
-
| Data Subjects | Categories: customers, employees, suppliers, etc. |
|
|
60
|
-
| Recipients/Sharing | Internal departments; external third parties |
|
|
61
|
-
| International Transfers | Countries; transfer mechanism |
|
|
62
|
-
| Retention Period | Duration; basis for retention or deletion |
|
|
63
|
-
| Security Measures | Technical and administrative measures summary |
|
|
64
|
-
| RIPD Reference | If DPIA/RIPD was conducted — reference number |
|
|
65
|
-
| Last Updated | Date |
|
|
66
|
-
|
|
67
|
-
---
|
|
68
|
-
|
|
69
|
-
## 3. Data Subject Request (DSR) Procedure
|
|
70
|
-
|
|
71
|
-
### Step 1 — Receive
|
|
72
|
-
- Provide accessible request channel (web form, email, in-person)
|
|
73
|
-
- Log every request: date, requestor identity, type of request
|
|
74
|
-
- Send acknowledgement within 1 business day
|
|
75
|
-
|
|
76
|
-
### Step 2 — Verify Identity
|
|
77
|
-
- Request minimum necessary identity proof (name + CPF + account reference)
|
|
78
|
-
- Do not require excessive documentation — proportionate to risk
|
|
79
|
-
- For requests on behalf of another: require valid power of attorney
|
|
80
|
-
|
|
81
|
-
### Step 3 — Classify Request
|
|
82
|
-
| Request Type | LGPD Article | Typical Response |
|
|
83
|
-
|-------------|-------------|-----------------|
|
|
84
|
-
| Confirmation of processing | Art. 18, I | Immediate (simplified) |
|
|
85
|
-
| Access to data | Art. 18, II | 15 days (full report) |
|
|
86
|
-
| Correction | Art. 18, III | Without undue delay |
|
|
87
|
-
| Anonymisation/blocking/deletion | Art. 18, IV | Without undue delay |
|
|
88
|
-
| Portability | Art. 18, V | ANPD format (pending) |
|
|
89
|
-
| Deletion of consent-based data | Art. 18, VI | Without undue delay |
|
|
90
|
-
| Information about sharing | Art. 18, VII | Without undue delay |
|
|
91
|
-
| Consent denial consequences | Art. 18, VIII | Without undue delay |
|
|
92
|
-
| Consent revocation | Art. 18, IX | Without undue delay |
|
|
93
|
-
| Automated decision review | Art. 20 | Upon request |
|
|
94
|
-
|
|
95
|
-
### Step 4 — Assess Exemptions
|
|
96
|
-
Controller may decline if (Art. 18, §3º):
|
|
97
|
-
- Data subject or third party would be harmed
|
|
98
|
-
- National security
|
|
99
|
-
- Financial intelligence or fiscal activities
|
|
100
|
-
- Criminal/civil investigations
|
|
101
|
-
- Economic or financial protection of public entity
|
|
102
|
-
Must inform data subject of exemption applied and right to complain to ANPD.
|
|
103
|
-
|
|
104
|
-
### Step 5 — Respond
|
|
105
|
-
- Free of charge
|
|
106
|
-
- Clear, accessible language
|
|
107
|
-
- Immediate for simplified responses; 15 days for full access report
|
|
108
|
-
- Log response and retain record
|
|
109
|
-
|
|
110
|
-
---
|
|
111
|
-
|
|
112
|
-
## 4. Data Protection Impact Assessment (RIPD) Template
|
|
113
|
-
|
|
114
|
-
*Relatório de Impacto à Proteção de Dados Pessoais — Art. 38 LGPD*
|
|
115
|
-
|
|
116
|
-
### Section 1 — Processing Description
|
|
117
|
-
- Name and purpose of processing activity
|
|
118
|
-
- Legal basis (Art. 7 or Art. 11)
|
|
119
|
-
- Categories of personal data and data subjects
|
|
120
|
-
- Volume and frequency of processing
|
|
121
|
-
- Systems and technologies used
|
|
122
|
-
- Third parties involved (processors, sub-processors)
|
|
123
|
-
- International transfers
|
|
124
|
-
|
|
125
|
-
### Section 2 — Necessity and Proportionality Assessment
|
|
126
|
-
- Is the processing necessary for the stated purpose?
|
|
127
|
-
- Could the purpose be achieved with less data (necessity principle)?
|
|
128
|
-
- Is the retention period proportionate?
|
|
129
|
-
- Could anonymisation or pseudonymisation reduce risk?
|
|
130
|
-
|
|
131
|
-
### Section 3 — Risk Identification
|
|
132
|
-
| Risk | Likelihood | Impact | Risk Level |
|
|
133
|
-
|------|-----------|--------|-----------|
|
|
134
|
-
| Unauthorised access | High/Med/Low | High/Med/Low | High/Med/Low |
|
|
135
|
-
| Data loss or deletion | ... | ... | ... |
|
|
136
|
-
| Unlawful disclosure | ... | ... | ... |
|
|
137
|
-
| Discriminatory use | ... | ... | ... |
|
|
138
|
-
| Inaccurate data | ... | ... | ... |
|
|
139
|
-
|
|
140
|
-
### Section 4 — Mitigation Measures
|
|
141
|
-
For each identified risk:
|
|
142
|
-
- Technical measure to be implemented
|
|
143
|
-
- Administrative/process measure
|
|
144
|
-
- Residual risk after mitigation
|
|
145
|
-
- Responsible party and implementation date
|
|
146
|
-
|
|
147
|
-
### Section 5 — DPO Opinion
|
|
148
|
-
- DPO name and review date
|
|
149
|
-
- DPO recommendation: Proceed / Proceed with conditions / Do not proceed
|
|
150
|
-
- Conditions/recommendations if applicable
|
|
151
|
-
|
|
152
|
-
### Section 6 — Management Approval
|
|
153
|
-
- Controller representative signature and date
|
|
154
|
-
- Decision: Proceed / Modify / Cancel processing
|
|
155
|
-
|
|
156
|
-
---
|
|
157
|
-
|
|
158
|
-
## 5. Breach Notification Template
|
|
159
|
-
|
|
160
|
-
### Preliminary ANPD Notification (within 3 working days)
|
|
161
|
-
*ANPD Resolution CD/ANPD No. 15/2024*
|
|
162
|
-
|
|
163
|
-
**Portal:** https://www.gov.br/anpd/pt-br/assuntos/incidentes-de-seguranca
|
|
164
|
-
|
|
165
|
-
Fields required:
|
|
166
|
-
- Controller identification (name, CNPJ, DPO contact)
|
|
167
|
-
- Date incident detected; date notification submitted
|
|
168
|
-
- Description of incident (what happened)
|
|
169
|
-
- Approximate categories of data affected
|
|
170
|
-
- Approximate number of data subjects affected
|
|
171
|
-
- Immediate containment measures taken
|
|
172
|
-
- Preliminary risk assessment
|
|
173
|
-
|
|
174
|
-
### Full ANPD Report (within 20 working days)
|
|
175
|
-
Additional fields:
|
|
176
|
-
- Root cause analysis
|
|
177
|
-
- Full scope of data affected (categories, volume)
|
|
178
|
-
- Full list of systems/regions affected
|
|
179
|
-
- All corrective and preventive measures implemented
|
|
180
|
-
- Communication to data subjects (if required)
|
|
181
|
-
- Updated risk assessment
|
|
182
|
-
|
|
183
|
-
### Data Subject Notification (when required)
|
|
184
|
-
Notify when: likely to cause significant harm to data subjects (Art. 48, §1º)
|
|
185
|
-
|
|
186
|
-
Content:
|
|
187
|
-
- Nature of the incident
|
|
188
|
-
- What data was affected
|
|
189
|
-
- Risks to the data subject
|
|
190
|
-
- Measures taken by controller
|
|
191
|
-
- Contact for questions (DPO)
|
|
192
|
-
- How to exercise rights
|
|
193
|
-
|
|
194
|
-
---
|
|
195
|
-
|
|
196
|
-
## 6. DPO (Encarregado) Job Description
|
|
197
|
-
|
|
198
|
-
### Mandatory Functions (Art. 41, §2º)
|
|
199
|
-
1. Accept complaints and communications from data subjects
|
|
200
|
-
2. Receive communications from ANPD and take necessary action
|
|
201
|
-
3. Guide employees and contractors on LGPD obligations
|
|
202
|
-
4. Perform other duties defined by controller or ANPD
|
|
203
|
-
|
|
204
|
-
### Recommended Additional Functions
|
|
205
|
-
- Maintain and update RoPA
|
|
206
|
-
- Coordinate DPIAs (RIPDs)
|
|
207
|
-
- Monitor ANPD regulatory updates
|
|
208
|
-
- Conduct or oversee LGPD training
|
|
209
|
-
- Review new products/services for privacy compliance
|
|
210
|
-
- Manage data subject rights requests
|
|
211
|
-
- Coordinate breach response
|
|
212
|
-
- Liaise with legal counsel on LGPD matters
|
|
213
|
-
- Produce annual DPO report for management
|
|
214
|
-
|
|
215
|
-
### DPO Publication Requirement (Art. 41, §1º)
|
|
216
|
-
Controller must publish DPO identity and contact details — typically on:
|
|
217
|
-
- Company website (privacy policy page)
|
|
218
|
-
- Privacy notice / cookie notice
|
|
219
|
-
- Any form collecting personal data
|
|
220
|
-
|
|
221
|
-
### DPO Exemptions (ANPD Resolution No. 2/2022)
|
|
222
|
-
Micro and small enterprises (ME/EPP) with low-risk processing activities may be exempt from mandatory DPO appointment, but must still designate a contact point for data subjects.
|
|
223
|
-
|
|
224
|
-
---
|
|
225
|
-
|
|
226
|
-
## 7. LGPD Gap Assessment Checklist
|
|
227
|
-
|
|
228
|
-
### Governance
|
|
229
|
-
- [ ] DPO appointed and published (Art. 41)
|
|
230
|
-
- [ ] LGPD policy approved by senior management
|
|
231
|
-
- [ ] Privacy governance committee or equivalent
|
|
232
|
-
- [ ] Annual LGPD review scheduled
|
|
233
|
-
|
|
234
|
-
### Data Inventory
|
|
235
|
-
- [ ] Personal data inventory complete
|
|
236
|
-
- [ ] RoPA maintained and up to date (Art. 37)
|
|
237
|
-
- [ ] Sensitive data identified and documented
|
|
238
|
-
- [ ] Children's data identified and documented
|
|
239
|
-
|
|
240
|
-
### Legal Basis
|
|
241
|
-
- [ ] Legal basis documented for every processing activity
|
|
242
|
-
- [ ] Sensitive data uses Art. 11 basis only
|
|
243
|
-
- [ ] Legitimate interest balancing tests completed (Art. 10)
|
|
244
|
-
- [ ] Consent records maintained (Art. 8)
|
|
245
|
-
|
|
246
|
-
### Data Subject Rights
|
|
247
|
-
- [ ] DSR intake mechanism in place (Art. 18)
|
|
248
|
-
- [ ] Response within 15 days (access) / without undue delay (other rights)
|
|
249
|
-
- [ ] Automated decisions review process (Art. 20)
|
|
250
|
-
- [ ] Consent revocation mechanism (Art. 18, IX)
|
|
251
|
-
|
|
252
|
-
### Vendors / Processors
|
|
253
|
-
- [ ] Processor agreements include LGPD terms (Art. 39)
|
|
254
|
-
- [ ] Sub-processor oversight documented
|
|
255
|
-
- [ ] International transfers compliance (Arts. 33–36)
|
|
256
|
-
|
|
257
|
-
### Security
|
|
258
|
-
- [ ] Technical security measures implemented (Art. 46)
|
|
259
|
-
- [ ] Administrative security measures implemented (Art. 46)
|
|
260
|
-
- [ ] Privacy by design embedded in product development (Art. 49)
|
|
261
|
-
- [ ] Breach detection and response procedure (Art. 48)
|
|
262
|
-
- [ ] ANPD 3-day notification process documented
|
|
263
|
-
|
|
264
|
-
### Transparency
|
|
265
|
-
- [ ] Privacy notices published for all processing activities (Art. 9)
|
|
266
|
-
- [ ] Cookie notice/consent tool (where applicable)
|
|
267
|
-
- [ ] Children's consent mechanism (Art. 14)
|
|
268
|
-
|
|
269
|
-
### High-Risk Processing
|
|
270
|
-
- [ ] RIPD (DPIA) process established (Art. 38)
|
|
271
|
-
- [ ] RIPDs completed for high-risk processing activities
|
|
272
|
-
- [ ] Large-scale profiling assessed
|
|
1
|
+
# LGPD Compliance Programme Reference
|
|
2
|
+
|
|
3
|
+
## Programme Template & Key Documents
|
|
4
|
+
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
## 1. LGPD Compliance Roadmap
|
|
8
|
+
|
|
9
|
+
### Phase 1 — Foundation (Months 1–3)
|
|
10
|
+
- [ ] Appoint DPO (Encarregado) — publish contact on website
|
|
11
|
+
- [ ] Conduct personal data inventory / data mapping
|
|
12
|
+
- [ ] Identify all processing activities and responsible owners
|
|
13
|
+
- [ ] Create Records of Processing Activities (RoPA)
|
|
14
|
+
- [ ] Conduct initial LGPD gap assessment
|
|
15
|
+
|
|
16
|
+
### Phase 2 — Remediation (Months 3–6)
|
|
17
|
+
+- [ ] Map legal basis to each processing activity (Arts. 7, 11)
+- [ ] Draft/update privacy notices (Art. 9)
+- [ ] Update consent mechanisms — ensure validity (Art. 8)
+- [ ] Implement data subject rights fulfilment procedures
+- [ ] Conduct Data Protection Impact Assessment (RIPD) for high-risk processing
+- [ ] Review and update supplier/processor contracts (Art. 39)
+- [ ] Implement security technical and administrative measures (Art. 46)
+- [ ] Establish international transfer compliance (Arts. 33–36)
+
+### Phase 3 — Operationalisation (Months 6–9)
+- [ ] Train all employees on LGPD obligations
+- [ ] Implement automated data subject request workflow
+- [ ] Establish breach detection and notification procedure (Art. 48)
+- [ ] Implement data retention and disposal schedule
+- [ ] Create internal LGPD governance committee
+- [ ] Conduct privacy by design review of new products/services
+
+### Phase 4 — Ongoing Compliance
+- [ ] Annual LGPD gap reassessment
+- [ ] RIPD for any new high-risk processing
+- [ ] Monitor ANPD guidance and resolution updates
+- [ ] Regular employee training refreshers
+- [ ] Annual DPO report to management
+- [ ] Incident response drills
+
+---
+
+## 2. Records of Processing Activities (RoPA) Template
+
+*Per Art. 37 LGPD and ANPD Resolution No. 2/2022*
+
+| Field | Description |
+|-------|-------------|
+| Processing Activity Name | e.g., "Customer Account Management" |
+| Controller | Legal name, CNPJ |
+| DPO Contact | Name, email, phone |
+| Processor(s) | If applicable — name, CNPJ, role |
+| Purpose | Specific, legitimate purpose |
+| Legal Basis | Art. 7 or Art. 11 basis; if LI, balancing test reference |
+| Categories of Data | e.g., identification, financial, health, biometric |
+| Sensitive Data? | Yes/No; if yes, basis under Art. 11 |
+| Children's Data? | Yes/No; consent mechanism |
+| Data Subjects | Categories: customers, employees, suppliers, etc. |
+| Recipients/Sharing | Internal departments; external third parties |
+| International Transfers | Countries; transfer mechanism |
+| Retention Period | Duration; basis for retention or deletion |
+| Security Measures | Technical and administrative measures summary |
+| RIPD Reference | If DPIA/RIPD was conducted — reference number |
+| Last Updated | Date |
+
+---
+
+## 3. Data Subject Request (DSR) Procedure
+
+### Step 1 — Receive
+- Provide accessible request channel (web form, email, in-person)
+- Log every request: date, requestor identity, type of request
+- Send acknowledgement within 1 business day
+
+### Step 2 — Verify Identity
+- Request minimum necessary identity proof (name + CPF + account reference)
+- Do not require excessive documentation — proportionate to risk
+- For requests on behalf of another: require valid power of attorney
+
+### Step 3 — Classify Request
+| Request Type | LGPD Article | Typical Response |
+|-------------|-------------|-----------------|
+| Confirmation of processing | Art. 18, I | Immediate (simplified) |
+| Access to data | Art. 18, II | 15 days (full report) |
+| Correction | Art. 18, III | Without undue delay |
+| Anonymisation/blocking/deletion | Art. 18, IV | Without undue delay |
+| Portability | Art. 18, V | ANPD format (pending) |
+| Deletion of consent-based data | Art. 18, VI | Without undue delay |
+| Information about sharing | Art. 18, VII | Without undue delay |
+| Consent denial consequences | Art. 18, VIII | Without undue delay |
+| Consent revocation | Art. 18, IX | Without undue delay |
+| Automated decision review | Art. 20 | Upon request |
+
+### Step 4 — Assess Exemptions
+Controller may decline if (Art. 18, §3º):
+- Data subject or third party would be harmed
+- National security
+- Financial intelligence or fiscal activities
+- Criminal/civil investigations
+- Economic or financial protection of public entity
+Must inform data subject of exemption applied and right to complain to ANPD.
+
+### Step 5 — Respond
+- Free of charge
+- Clear, accessible language
+- Immediate for simplified responses; 15 days for full access report
+- Log response and retain record
+
+---
+
+## 4. Data Protection Impact Assessment (RIPD) Template
+
+*Relatório de Impacto à Proteção de Dados Pessoais — Art. 38 LGPD*
+
+### Section 1 — Processing Description
+- Name and purpose of processing activity
+- Legal basis (Art. 7 or Art. 11)
+- Categories of personal data and data subjects
+- Volume and frequency of processing
+- Systems and technologies used
+- Third parties involved (processors, sub-processors)
+- International transfers
+
+### Section 2 — Necessity and Proportionality Assessment
+- Is the processing necessary for the stated purpose?
+- Could the purpose be achieved with less data (necessity principle)?
+- Is the retention period proportionate?
+- Could anonymisation or pseudonymisation reduce risk?
+
+### Section 3 — Risk Identification
+| Risk | Likelihood | Impact | Risk Level |
+|------|-----------|--------|-----------|
+| Unauthorised access | High/Med/Low | High/Med/Low | High/Med/Low |
+| Data loss or deletion | ... | ... | ... |
+| Unlawful disclosure | ... | ... | ... |
+| Discriminatory use | ... | ... | ... |
+| Inaccurate data | ... | ... | ... |
+
+### Section 4 — Mitigation Measures
+For each identified risk:
+- Technical measure to be implemented
+- Administrative/process measure
+- Residual risk after mitigation
+- Responsible party and implementation date
+
+### Section 5 — DPO Opinion
+- DPO name and review date
+- DPO recommendation: Proceed / Proceed with conditions / Do not proceed
+- Conditions/recommendations if applicable
+
+### Section 6 — Management Approval
+- Controller representative signature and date
+- Decision: Proceed / Modify / Cancel processing
+
+---
+
+## 5. Breach Notification Template
+
+### Preliminary ANPD Notification (within 3 working days)
+*ANPD Resolution CD/ANPD No. 15/2024*
+
+**Portal:** https://www.gov.br/anpd/pt-br/assuntos/incidentes-de-seguranca
+
+Fields required:
+- Controller identification (name, CNPJ, DPO contact)
+- Date incident detected; date notification submitted
+- Description of incident (what happened)
+- Approximate categories of data affected
+- Approximate number of data subjects affected
+- Immediate containment measures taken
+- Preliminary risk assessment
+
+### Full ANPD Report (within 20 working days)
+Additional fields:
+- Root cause analysis
+- Full scope of data affected (categories, volume)
+- Full list of systems/regions affected
+- All corrective and preventive measures implemented
+- Communication to data subjects (if required)
+- Updated risk assessment
+
+### Data Subject Notification (when required)
+Notify when: likely to cause significant harm to data subjects (Art. 48, §1º)
+
+Content:
+- Nature of the incident
+- What data was affected
+- Risks to the data subject
+- Measures taken by controller
+- Contact for questions (DPO)
+- How to exercise rights
+
+---
+
+## 6. DPO (Encarregado) Job Description
+
+### Mandatory Functions (Art. 41, §2º)
+1. Accept complaints and communications from data subjects
+2. Receive communications from ANPD and take necessary action
+3. Guide employees and contractors on LGPD obligations
+4. Perform other duties defined by controller or ANPD
+
+### Recommended Additional Functions
+- Maintain and update RoPA
+- Coordinate DPIAs (RIPDs)
+- Monitor ANPD regulatory updates
+- Conduct or oversee LGPD training
+- Review new products/services for privacy compliance
+- Manage data subject rights requests
+- Coordinate breach response
+- Liaise with legal counsel on LGPD matters
+- Produce annual DPO report for management
+
+### DPO Publication Requirement (Art. 41, §1º)
+Controller must publish DPO identity and contact details — typically on:
+- Company website (privacy policy page)
+- Privacy notice / cookie notice
+- Any form collecting personal data
+
+### DPO Exemptions (ANPD Resolution No. 2/2022)
+Micro and small enterprises (ME/EPP) with low-risk processing activities may be exempt from mandatory DPO appointment, but must still designate a contact point for data subjects.
+
+---
+
+## 7. LGPD Gap Assessment Checklist
+
+### Governance
+- [ ] DPO appointed and published (Art. 41)
+- [ ] LGPD policy approved by senior management
+- [ ] Privacy governance committee or equivalent
+- [ ] Annual LGPD review scheduled
+
+### Data Inventory
+- [ ] Personal data inventory complete
+- [ ] RoPA maintained and up to date (Art. 37)
+- [ ] Sensitive data identified and documented
+- [ ] Children's data identified and documented
+
+### Legal Basis
+- [ ] Legal basis documented for every processing activity
+- [ ] Sensitive data uses Art. 11 basis only
+- [ ] Legitimate interest balancing tests completed (Art. 10)
+- [ ] Consent records maintained (Art. 8)
+
+### Data Subject Rights
+- [ ] DSR intake mechanism in place (Art. 18)
+- [ ] Response within 15 days (access) / without undue delay (other rights)
+- [ ] Automated decisions review process (Art. 20)
+- [ ] Consent revocation mechanism (Art. 18, IX)
+
+### Vendors / Processors
+- [ ] Processor agreements include LGPD terms (Art. 39)
+- [ ] Sub-processor oversight documented
+- [ ] International transfers compliance (Arts. 33–36)
+
+### Security
+- [ ] Technical security measures implemented (Art. 46)
+- [ ] Administrative security measures implemented (Art. 46)
+- [ ] Privacy by design embedded in product development (Art. 49)
+- [ ] Breach detection and response procedure (Art. 48)
+- [ ] ANPD 3-day notification process documented
+
+### Transparency
+- [ ] Privacy notices published for all processing activities (Art. 9)
+- [ ] Cookie notice/consent tool (where applicable)
+- [ ] Children's consent mechanism (Art. 14)
+
+### High-Risk Processing
+- [ ] RIPD (DPIA) process established (Art. 38)
+- [ ] RIPDs completed for high-risk processing activities
+- [ ] Large-scale profiling assessed
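Review bot: the Security checklist in section 7 tracks only the preliminary notification ("ANPD 3-day notification process documented"), while the Breach Notification Template in section 5 also requires a full ANPD report within 20 working days and a data subject notification when significant harm is likely (Art. 48, §1º); add checklist items for those two steps, e.g. "- [ ] ANPD full report (20 working days) process documented" and "- [ ] Data subject notification criteria and template documented", so the gap assessment matches the procedure it is meant to verify. Related: the RoPA template's "DPO Contact" field assumes a DPO exists, but section 6 states that exempt ME/EPP need only designate a contact point (ANPD Resolution No. 2/2022); relabelling the field as "DPO / designated contact point" lets exempt entities complete the record.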