Comparatie globala a regulamentelor de confidentialitate a datelor: GDPR, CCPA, LGPD si altele
Organizatiile care opereaza la nivel global trebuie sa navigheze prin multiple regulamente de confidentialitate a datelor. Acest ghid compara principalele cadre legislative de confidentialitate si ofera strategii de implementare pentru conformitate multinationala.
Matrice comparativa a regulamentelor
| Aspect | GDPR (UE) | CCPA/CPRA (California) | LGPD (Brazilia) | PDPA (Singapore) | PIPL (China) | |--------|-----------|------------------------|---------------|------------------|--------------| | Data intrarii in vigoare | Mai 2018 | Ian 2020 / Ian 2023 | Sep 2020 | Iul 2014 / Nov 2020 | Nov 2021 | | Domeniu de aplicare | Rezidenti UE | Rezidenti CA | Rezidenti Brazilia | Organizatii Singapore | Date din China | | Consimtamant implicit | Opt-in | Opt-out | Opt-in | Opt-in | Opt-in | | DPO necesar | Uneori | Nu | Da | Uneori | Da | | Penalitate maxima | 20M EUR sau 4% venituri | 7.500$/incalcare | 2% venituri | 1M S$ | 5% venituri |
Cadru unificat de confidentialitate
Manager central de confidentialitate
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Callable
from enum import Enum
import json
class Regulation(Enum):
GDPR = "gdpr"
CCPA = "ccpa"
CPRA = "cpra"
LGPD = "lgpd"
PDPA = "pdpa"
PIPL = "pipl"
class LawfulBasis(Enum):
CONSENT = "consent"
CONTRACT = "contract"
LEGAL_OBLIGATION = "legal_obligation"
VITAL_INTEREST = "vital_interest"
PUBLIC_TASK = "public_task"
LEGITIMATE_INTEREST = "legitimate_interest"
class DataCategory(Enum):
PERSONAL = "personal"
SENSITIVE = "sensitive"
FINANCIAL = "financial"
HEALTH = "health"
BIOMETRIC = "biometric"
GENETIC = "genetic"
CHILDREN = "children"
@dataclass
class DataSubject:
id: str
email: str
country: str
state: Optional[str] = None
is_minor: bool = False
created_at: datetime = field(default_factory=datetime.utcnow)
@dataclass
class ConsentRecord:
id: str
data_subject_id: str
purpose: str
lawful_basis: LawfulBasis
granted: bool
granted_at: Optional[datetime] = None
revoked_at: Optional[datetime] = None
expires_at: Optional[datetime] = None
version: str = "1.0"
proof: Optional[str] = None # Dovada consimtamantului
@dataclass
class DataProcessingActivity:
id: str
name: str
purpose: str
data_categories: List[DataCategory]
lawful_basis: LawfulBasis
retention_period_days: int
cross_border_transfer: bool = False
third_party_sharing: bool = False
automated_decision_making: bool = False
class UnifiedPrivacyManager:
def __init__(self):
self.data_subjects: Dict[str, DataSubject] = {}
self.consents: Dict[str, List[ConsentRecord]] = {}
self.processing_activities: Dict[str, DataProcessingActivity] = {}
self.regulation_handlers: Dict[Regulation, 'RegulationHandler'] = {}
self._initialize_regulation_handlers()
def _initialize_regulation_handlers(self):
"""Initializeaza handler-ele pentru fiecare regulament."""
self.regulation_handlers = {
Regulation.GDPR: GDPRHandler(),
Regulation.CCPA: CCPAHandler(),
Regulation.LGPD: LGPDHandler(),
Regulation.PDPA: PDPAHandler(),
Regulation.PIPL: PIPLHandler()
}
def determine_applicable_regulations(self, data_subject: DataSubject) -> Set[Regulation]:
"""Determina care regulamente se aplica unui subiect de date."""
applicable = set()
# Determinare bazata pe tara
country_mapping = {
# Tari UE
'AT': Regulation.GDPR, 'BE': Regulation.GDPR, 'BG': Regulation.GDPR,
'HR': Regulation.GDPR, 'CY': Regulation.GDPR, 'CZ': Regulation.GDPR,
'DK': Regulation.GDPR, 'EE': Regulation.GDPR, 'FI': Regulation.GDPR,
'FR': Regulation.GDPR, 'DE': Regulation.GDPR, 'GR': Regulation.GDPR,
'HU': Regulation.GDPR, 'IE': Regulation.GDPR, 'IT': Regulation.GDPR,
'LV': Regulation.GDPR, 'LT': Regulation.GDPR, 'LU': Regulation.GDPR,
'MT': Regulation.GDPR, 'NL': Regulation.GDPR, 'PL': Regulation.GDPR,
'PT': Regulation.GDPR, 'RO': Regulation.GDPR, 'SK': Regulation.GDPR,
'SI': Regulation.GDPR, 'ES': Regulation.GDPR, 'SE': Regulation.GDPR,
# SEE
'IS': Regulation.GDPR, 'LI': Regulation.GDPR, 'NO': Regulation.GDPR,
# Altele
'BR': Regulation.LGPD,
'SG': Regulation.PDPA,
'CN': Regulation.PIPL
}
if data_subject.country in country_mapping:
applicable.add(country_mapping[data_subject.country])
# SUA - specific California
if data_subject.country == 'US' and data_subject.state == 'CA':
applicable.add(Regulation.CCPA)
return applicable
def register_consent(self,
data_subject_id: str,
purpose: str,
lawful_basis: LawfulBasis,
granted: bool,
proof: Optional[str] = None) -> ConsentRecord:
"""Inregistreaza consimtamantul cu cerinte specifice fiecarui regulament."""
data_subject = self.data_subjects.get(data_subject_id)
if not data_subject:
raise ValueError(f"Subiectul de date {data_subject_id} nu a fost gasit")
# Determina regulamentele aplicabile
regulations = self.determine_applicable_regulations(data_subject)
# Valideaza cerintele de consimtamant per regulament
for reg in regulations:
handler = self.regulation_handlers.get(reg)
if handler:
validation = handler.validate_consent(
data_subject, purpose, lawful_basis, granted
)
if not validation['valid']:
raise ValueError(f"{reg.value}: {validation['error']}")
# Creeaza inregistrarea de consimtamant
consent = ConsentRecord(
id=f"consent_{data_subject_id}_{datetime.utcnow().timestamp()}",
data_subject_id=data_subject_id,
purpose=purpose,
lawful_basis=lawful_basis,
granted=granted,
granted_at=datetime.utcnow() if granted else None,
proof=proof
)
# Stocheaza consimtamantul
if data_subject_id not in self.consents:
self.consents[data_subject_id] = []
self.consents[data_subject_id].append(consent)
# Inregistreaza pentru audit
self._audit_log(
action="CONSENT_REGISTERED",
data_subject_id=data_subject_id,
details={
"purpose": purpose,
"granted": granted,
"regulations": [r.value for r in regulations]
}
)
return consent
def process_data_request(self,
data_subject_id: str,
request_type: str) -> Dict:
"""Proceseaza cererea subiectului de date (acces, stergere, portabilitate, etc.)."""
data_subject = self.data_subjects.get(data_subject_id)
if not data_subject:
raise ValueError(f"Subiectul de date {data_subject_id} nu a fost gasit")
regulations = self.determine_applicable_regulations(data_subject)
# Obtine cele mai stricte cerinte
requirements = self._get_request_requirements(regulations, request_type)
# Executa cererea
result = {
"request_id": f"req_{data_subject_id}_{datetime.utcnow().timestamp()}",
"request_type": request_type,
"data_subject_id": data_subject_id,
"applicable_regulations": [r.value for r in regulations],
"deadline": datetime.utcnow() + timedelta(days=requirements['deadline_days']),
"status": "processing"
}
if request_type == "access":
result["data"] = self._execute_access_request(data_subject_id, regulations)
elif request_type == "deletion":
result["confirmation"] = self._execute_deletion_request(data_subject_id, regulations)
elif request_type == "portability":
result["export"] = self._execute_portability_request(data_subject_id, regulations)
elif request_type == "rectification":
result["status"] = "pending_data"
elif request_type == "opt_out":
result["confirmation"] = self._execute_opt_out_request(data_subject_id, regulations)
# Inregistreaza pentru audit
self._audit_log(
action=f"DATA_REQUEST_{request_type.upper()}",
data_subject_id=data_subject_id,
details={"request_id": result["request_id"]}
)
return result
def _get_request_requirements(self,
regulations: Set[Regulation],
request_type: str) -> Dict:
"""Obtine cele mai stricte cerinte din toate regulamentele."""
requirements = {
"deadline_days": 30, # Implicit
"identity_verification": True,
"free_of_charge": True,
"extensions_allowed": True
}
for reg in regulations:
handler = self.regulation_handlers.get(reg)
if handler:
reg_requirements = handler.get_request_requirements(request_type)
# Ia termenul cel mai strict
if reg_requirements.get('deadline_days', 30) < requirements['deadline_days']:
requirements['deadline_days'] = reg_requirements['deadline_days']
# Ia optiunile cele mai restrictive
if not reg_requirements.get('extensions_allowed', True):
requirements['extensions_allowed'] = False
return requirements
def _execute_access_request(self,
data_subject_id: str,
regulations: Set[Regulation]) -> Dict:
"""Executa cererea de acces la date."""
# Aduna toate datele subiectului
data = {
"personal_data": self._get_personal_data(data_subject_id),
"processing_purposes": self._get_processing_purposes(data_subject_id),
"recipients": self._get_data_recipients(data_subject_id),
"retention_periods": self._get_retention_info(data_subject_id),
"rights": self._get_applicable_rights(regulations),
"consent_records": [
{
"purpose": c.purpose,
"granted": c.granted,
"granted_at": c.granted_at.isoformat() if c.granted_at else None
}
for c in self.consents.get(data_subject_id, [])
]
}
return data
def _execute_deletion_request(self,
data_subject_id: str,
regulations: Set[Regulation]) -> Dict:
"""Executa cererea de stergere a datelor."""
# Verifica exceptiile
exceptions = self._check_deletion_exceptions(data_subject_id, regulations)
if exceptions:
return {
"deleted": False,
"reason": "Se aplica exceptii legale",
"exceptions": exceptions
}
# Sterge datele
deleted_items = []
# Sterge datele personale
personal_deleted = self._delete_personal_data(data_subject_id)
deleted_items.extend(personal_deleted)
# Sterge inregistrarile de consimtamant (dupa perioada de retentie)
consent_deleted = self._archive_consent_records(data_subject_id)
deleted_items.extend(consent_deleted)
# Notifica tertii
third_party_notifications = self._notify_third_parties_deletion(data_subject_id)
return {
"deleted": True,
"items_deleted": len(deleted_items),
"third_parties_notified": third_party_notifications,
"completed_at": datetime.utcnow().isoformat()
}
def _execute_portability_request(self,
data_subject_id: str,
regulations: Set[Regulation]) -> Dict:
"""Executa cererea de portabilitate a datelor."""
# Exporta in format citibil de masina
data = self._get_portable_data(data_subject_id)
return {
"format": "json",
"data": data,
"generated_at": datetime.utcnow().isoformat(),
"schema_version": "1.0"
}
def _execute_opt_out_request(self,
data_subject_id: str,
regulations: Set[Regulation]) -> Dict:
"""Executa cererea de opt-out (specifica CCPA)."""
# Revoca tot consimtamantul pentru vanzare/partajare
consents = self.consents.get(data_subject_id, [])
revoked = []
for consent in consents:
if consent.purpose in ['sale', 'sharing', 'targeted_advertising']:
consent.granted = False
consent.revoked_at = datetime.utcnow()
revoked.append(consent.purpose)
return {
"opted_out": True,
"purposes_revoked": revoked,
"effective_date": datetime.utcnow().isoformat()
}
def _audit_log(self, action: str, data_subject_id: str, details: Dict):
"""Inregistreaza eveniment de audit."""
event = {
"timestamp": datetime.utcnow().isoformat(),
"action": action,
"data_subject_id": data_subject_id,
"details": details
}
# Stocheaza evenimentul de audit
print(f"AUDIT: {json.dumps(event)}")
# Metode placeholder
def _get_personal_data(self, data_subject_id: str) -> Dict:
return {}
def _get_processing_purposes(self, data_subject_id: str) -> List[str]:
return []
def _get_data_recipients(self, data_subject_id: str) -> List[str]:
return []
def _get_retention_info(self, data_subject_id: str) -> Dict:
return {}
def _get_applicable_rights(self, regulations: Set[Regulation]) -> List[str]:
return []
def _check_deletion_exceptions(self, data_subject_id: str, regulations: Set[Regulation]) -> List[str]:
return []
def _delete_personal_data(self, data_subject_id: str) -> List[str]:
return []
def _archive_consent_records(self, data_subject_id: str) -> List[str]:
return []
def _notify_third_parties_deletion(self, data_subject_id: str) -> int:
return 0
def _get_portable_data(self, data_subject_id: str) -> Dict:
return {}Handler-e specifice fiecarui regulament
class RegulationHandler:
"""Clasa de baza pentru handler-ele regulamentelor."""
def validate_consent(self, data_subject: DataSubject, purpose: str,
lawful_basis: LawfulBasis, granted: bool) -> Dict:
raise NotImplementedError
def get_request_requirements(self, request_type: str) -> Dict:
raise NotImplementedError
def get_data_subject_rights(self) -> List[str]:
raise NotImplementedError
class GDPRHandler(RegulationHandler):
"""Handler specific cerintelor GDPR."""
def validate_consent(self, data_subject: DataSubject, purpose: str,
lawful_basis: LawfulBasis, granted: bool) -> Dict:
errors = []
# GDPR necesita consimtamant specific pentru fiecare scop
if not purpose:
errors.append("Consimtamantul trebuie sa fie specific scopului")
# Consimtamantul trebuie acordat liber
# Se valideaza prin designul UI/UX
# Consimtamantul pentru minori necesita acordul parental
if data_subject.is_minor and lawful_basis == LawfulBasis.CONSENT:
# Ar trebui sa se verifice consimtamantul parental
pass
# Datele de categorie speciala necesita consimtamant explicit
# Se verifica pe baza categoriei de date
return {
"valid": len(errors) == 0,
"error": "; ".join(errors) if errors else None
}
def get_request_requirements(self, request_type: str) -> Dict:
requirements = {
"access": {
"deadline_days": 30,
"extensions_allowed": True,
"extension_max_days": 60,
"free_of_charge": True,
"identity_verification": True
},
"deletion": {
"deadline_days": 30,
"extensions_allowed": True,
"notify_third_parties": True
},
"portability": {
"deadline_days": 30,
"format": "machine_readable",
"free_of_charge": True
},
"rectification": {
"deadline_days": 30,
"notify_recipients": True
},
"restriction": {
"deadline_days": 30
},
"objection": {
"deadline_days": 30
}
}
return requirements.get(request_type, {"deadline_days": 30})
def get_data_subject_rights(self) -> List[str]:
return [
"right_to_be_informed",
"right_of_access",
"right_to_rectification",
"right_to_erasure",
"right_to_restrict_processing",
"right_to_data_portability",
"right_to_object",
"rights_related_to_automated_decision_making"
]
class CCPAHandler(RegulationHandler):
"""Handler specific cerintelor CCPA/CPRA."""
def validate_consent(self, data_subject: DataSubject, purpose: str,
lawful_basis: LawfulBasis, granted: bool) -> Dict:
errors = []
# CCPA foloseste model opt-out pentru vanzarea datelor
# Dar necesita opt-in pentru minori
if data_subject.is_minor:
# Minorii 13-16 trebuie sa faca opt-in
# Sub 13 necesita consimtamant parental
if not granted and purpose == 'sale':
errors.append("Vanzarea datelor minorilor necesita consimtamant afirmativ")
return {
"valid": len(errors) == 0,
"error": "; ".join(errors) if errors else None
}
def get_request_requirements(self, request_type: str) -> Dict:
requirements = {
"access": {
"deadline_days": 45,
"extensions_allowed": True,
"extension_max_days": 45,
"free_of_charge": True,
"requests_per_year": 2
},
"deletion": {
"deadline_days": 45,
"notify_service_providers": True
},
"opt_out": {
"deadline_days": 15, # Cerinta CPRA
"no_retaliation": True
},
"correction": { # Adaugare CPRA
"deadline_days": 45
},
"portability": {
"deadline_days": 45,
"format": "machine_readable"
}
}
return requirements.get(request_type, {"deadline_days": 45})
def get_data_subject_rights(self) -> List[str]:
return [
"right_to_know",
"right_to_delete",
"right_to_opt_out_of_sale",
"right_to_non_discrimination",
"right_to_correct", # CPRA
"right_to_limit_sensitive_data_use", # CPRA
"right_to_opt_out_of_automated_decision_making" # CPRA
]
class LGPDHandler(RegulationHandler):
"""Handler specific cerintelor LGPD (Brazilia)."""
def validate_consent(self, data_subject: DataSubject, purpose: str,
lawful_basis: LawfulBasis, granted: bool) -> Dict:
errors = []
# LGPD necesita consimtamant specific si informat
if lawful_basis == LawfulBasis.CONSENT and not purpose:
errors.append("Consimtamantul trebuie sa specifice scopul")
# Datele copiilor necesita consimtamant parental
if data_subject.is_minor:
# LGPD defineste minorul ca sub 18 ani
pass
return {
"valid": len(errors) == 0,
"error": "; ".join(errors) if errors else None
}
def get_request_requirements(self, request_type: str) -> Dict:
requirements = {
"access": {
"deadline_days": 15,
"format": "simplified_or_complete",
"free_of_charge": True
},
"deletion": {
"deadline_days": 15
},
"portability": {
"deadline_days": 15,
"format": "machine_readable"
},
"anonymization": {
"deadline_days": 15
}
}
return requirements.get(request_type, {"deadline_days": 15})
def get_data_subject_rights(self) -> List[str]:
return [
"right_to_confirmation",
"right_to_access",
"right_to_correction",
"right_to_anonymization",
"right_to_deletion",
"right_to_portability",
"right_to_information_about_sharing",
"right_to_withdraw_consent",
"right_to_petition_authority"
]
class PDPAHandler(RegulationHandler):
"""Handler specific cerintelor PDPA (Singapore)."""
def validate_consent(self, data_subject: DataSubject, purpose: str,
lawful_basis: LawfulBasis, granted: bool) -> Dict:
errors = []
# PDPA necesita consimtamant pentru colectare, utilizare si dezvaluire
if not purpose:
errors.append("Scopul trebuie specificat")
return {
"valid": len(errors) == 0,
"error": "; ".join(errors) if errors else None
}
def get_request_requirements(self, request_type: str) -> Dict:
requirements = {
"access": {
"deadline_days": 30,
"fee_allowed": True, # PDPA permite o taxa rezonabila
"format": "copy"
},
"correction": {
"deadline_days": 30
}
}
return requirements.get(request_type, {"deadline_days": 30})
def get_data_subject_rights(self) -> List[str]:
return [
"right_to_access",
"right_to_correction",
"right_to_withdraw_consent"
]
class PIPLHandler(RegulationHandler):
"""Handler specific cerintelor PIPL (China)."""
def validate_consent(self, data_subject: DataSubject, purpose: str,
lawful_basis: LawfulBasis, granted: bool) -> Dict:
errors = []
# PIPL necesita consimtamant separat pentru date sensibile
# si transfer transfrontalier
if not purpose:
errors.append("Scopul trebuie specificat clar")
return {
"valid": len(errors) == 0,
"error": "; ".join(errors) if errors else None
}
def get_request_requirements(self, request_type: str) -> Dict:
requirements = {
"access": {
"deadline_days": 30, # Raspuns "in timp util"
"free_of_charge": True
},
"deletion": {
"deadline_days": 30,
"conditions": ["purpose_fulfilled", "consent_withdrawn", "contract_terminated"]
},
"portability": {
"deadline_days": 30,
"format": "machine_readable"
}
}
return requirements.get(request_type, {"deadline_days": 30})
def get_data_subject_rights(self) -> List[str]:
return [
"right_to_know",
"right_to_decide",
"right_to_restrict",
"right_to_refuse",
"right_to_access",
"right_to_correction",
"right_to_deletion",
"right_to_portability",
"right_to_request_explanation"
]Conformitatea transferului transfrontalier
class CrossBorderTransferManager:
def __init__(self):
self.transfer_mechanisms = {}
self.adequacy_decisions = self._load_adequacy_decisions()
def _load_adequacy_decisions(self) -> Dict[str, Set[str]]:
"""Incarca deciziile de adecvare per regulament."""
return {
"gdpr": {
# Tari cu decizii de adecvare UE
"AD", "AR", "CA", "FO", "GG", "IL", "IM", "JP",
"JE", "NZ", "KR", "CH", "GB", "UY"
},
"lgpd": {
# Cadrul de adecvare al Braziliei inca in dezvoltare
},
"pipl": {
# China necesita aprobare guvernamentala pentru majoritatea transferurilor
}
}
def assess_transfer(self,
source_country: str,
destination_country: str,
data_categories: List[DataCategory]) -> Dict:
"""Evalueaza cerintele de transfer transfrontalier."""
assessment = {
"source_country": source_country,
"destination_country": destination_country,
"data_categories": [c.value for c in data_categories],
"requirements": [],
"recommended_mechanisms": [],
"risk_level": "low"
}
# Verifica fiecare regulament aplicabil
# UE -> Tara fara adecvare
if source_country in self._get_eu_countries():
if destination_country not in self.adequacy_decisions["gdpr"]:
assessment["requirements"].append({
"regulation": "GDPR",
"requirement": "Mecanism de transfer necesar",
"options": [
"Clauze contractuale standard (SCC)",
"Reguli corporative obligatorii (BCR)",
"Consimtamant explicit",
"Necesar pentru contract"
]
})
assessment["risk_level"] = "medium"
# Datele de categorie speciala cresc riscul
if any(c in [DataCategory.HEALTH, DataCategory.BIOMETRIC] for c in data_categories):
assessment["risk_level"] = "high"
assessment["requirements"].append({
"regulation": "GDPR",
"requirement": "Masuri suplimentare de protectie pentru date sensibile"
})
# China -> Orice tara
if source_country == "CN":
assessment["requirements"].append({
"regulation": "PIPL",
"requirement": "Evaluarea de securitate guvernamentala poate fi necesara",
"threshold": "Date importante sau volum mare de date personale"
})
assessment["requirements"].append({
"regulation": "PIPL",
"requirement": "Consimtamant separat pentru transfer transfrontalier"
})
assessment["risk_level"] = "high"
# Recomanda mecanisme de transfer
assessment["recommended_mechanisms"] = self._recommend_mechanisms(
source_country,
destination_country,
assessment["requirements"]
)
return assessment
def _recommend_mechanisms(self,
source: str,
destination: str,
requirements: List[Dict]) -> List[Dict]:
"""Recomanda mecanisme de transfer adecvate."""
mechanisms = []
for req in requirements:
if req["regulation"] == "GDPR":
if "SCC" in str(req.get("options", [])):
mechanisms.append({
"mechanism": "Clauze contractuale standard (2021)",
"implementation": "Executa noile SCC cu importatorul de date",
"supplementary_measures": [
"Criptarea datelor in tranzit si la repaus",
"Pseudonimizare unde este posibil",
"Controale de acces si logare pentru audit"
]
})
if req["regulation"] == "PIPL":
mechanisms.append({
"mechanism": "Pachet de conformitate PIPL",
"implementation": "Efectueaza evaluarea de securitate si obtine consimtamantul",
"requirements": [
"Evaluarea localizarii datelor",
"Evaluarea impactului de securitate",
"Consimtamant separat pentru transfer",
"Numirea unui reprezentant local"
]
})
return mechanisms
def _get_eu_countries(self) -> Set[str]:
"""Obtine tarile UE/SEE."""
return {
'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI',
'FR', 'DE', 'GR', 'HU', 'IE', 'IT', 'LV', 'LT', 'LU',
'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE',
'IS', 'LI', 'NO'
}Raportarea conformitatii
class PrivacyComplianceReporter:
def __init__(self, privacy_manager: UnifiedPrivacyManager):
self.privacy_manager = privacy_manager
def generate_compliance_report(self,
regulations: List[Regulation],
report_period_start: datetime,
report_period_end: datetime) -> Dict:
"""Genereaza raport complet de conformitate."""
report = {
"report_period": {
"start": report_period_start.isoformat(),
"end": report_period_end.isoformat()
},
"generated_at": datetime.utcnow().isoformat(),
"regulations_covered": [r.value for r in regulations],
"executive_summary": {},
"detailed_metrics": {},
"compliance_status": {},
"recommendations": []
}
# Agrega metricile
metrics = {
"total_data_subjects": len(self.privacy_manager.data_subjects),
"consent_records": sum(
len(consents)
for consents in self.privacy_manager.consents.values()
),
"processing_activities": len(self.privacy_manager.processing_activities),
"data_requests": self._count_data_requests(report_period_start, report_period_end),
"breaches": self._count_breaches(report_period_start, report_period_end)
}
report["detailed_metrics"] = metrics
# Status conformitate per regulament
for reg in regulations:
handler = self.privacy_manager.regulation_handlers.get(reg)
if handler:
report["compliance_status"][reg.value] = self._assess_regulation_compliance(
reg,
handler,
metrics
)
# Genereaza recomandari
report["recommendations"] = self._generate_recommendations(
report["compliance_status"]
)
# Sumar executiv
report["executive_summary"] = {
"overall_compliance": self._calculate_overall_compliance(report["compliance_status"]),
"key_metrics": {
"data_subjects": metrics["total_data_subjects"],
"requests_processed": metrics["data_requests"]["total"],
"avg_response_time_days": metrics["data_requests"]["avg_response_days"]
},
"critical_issues": len([r for r in report["recommendations"] if r["priority"] == "critical"])
}
return report
def _assess_regulation_compliance(self,
regulation: Regulation,
handler: RegulationHandler,
metrics: Dict) -> Dict:
"""Evalueaza conformitatea cu un regulament specific."""
compliance = {
"regulation": regulation.value,
"status": "compliant",
"score": 100,
"checks": []
}
# Verifica numirea DPO (daca este necesara)
if regulation in [Regulation.GDPR, Regulation.LGPD]:
dpo_check = self._check_dpo_appointment()
compliance["checks"].append(dpo_check)
if not dpo_check["passed"]:
compliance["score"] -= 20
# Verifica managementul consimtamantului
consent_check = self._check_consent_management(regulation)
compliance["checks"].append(consent_check)
if not consent_check["passed"]:
compliance["score"] -= 15
# Verifica timpii de raspuns la cererile de date
response_check = self._check_response_times(regulation, handler, metrics)
compliance["checks"].append(response_check)
if not response_check["passed"]:
compliance["score"] -= 25
# Verifica registrele de prelucrare
records_check = self._check_processing_records(regulation)
compliance["checks"].append(records_check)
if not records_check["passed"]:
compliance["score"] -= 15
# Determina statusul general
if compliance["score"] >= 90:
compliance["status"] = "compliant"
elif compliance["score"] >= 70:
compliance["status"] = "partially_compliant"
else:
compliance["status"] = "non_compliant"
return compliance
def _check_dpo_appointment(self) -> Dict:
"""Verifica daca DPO este numit."""
# Verifica configuratia reala a DPO
return {
"check": "Numire DPO",
"passed": True,
"details": "DPO numit si inregistrat"
}
def _check_consent_management(self, regulation: Regulation) -> Dict:
"""Verifica conformitatea managementului consimtamantului."""
return {
"check": "Management consimtamant",
"passed": True,
"details": "Inregistrari de consimtamant mentinute cu granularitatea necesara"
}
def _check_response_times(self,
regulation: Regulation,
handler: RegulationHandler,
metrics: Dict) -> Dict:
"""Verifica timpii de raspuns la cererile de date."""
requirements = handler.get_request_requirements("access")
deadline = requirements.get("deadline_days", 30)
avg_response = metrics["data_requests"]["avg_response_days"]
passed = avg_response <= deadline
return {
"check": "Conformitate timp de raspuns",
"passed": passed,
"details": f"Raspuns mediu: {avg_response} zile (termen limita: {deadline} zile)"
}
def _check_processing_records(self, regulation: Regulation) -> Dict:
"""Verifica registrele de activitati de prelucrare."""
return {
"check": "Registre de prelucrare",
"passed": True,
"details": "ROPA mentinut si actualizat"
}
def _count_data_requests(self, start: datetime, end: datetime) -> Dict:
"""Numara cererile de date in perioada data."""
return {
"total": 150,
"by_type": {
"access": 80,
"deletion": 45,
"portability": 15,
"opt_out": 10
},
"avg_response_days": 12
}
def _count_breaches(self, start: datetime, end: datetime) -> Dict:
"""Numara incalcarile de date in perioada data."""
return {
"total": 0,
"reported_to_authority": 0,
"notified_data_subjects": 0
}
def _calculate_overall_compliance(self, compliance_status: Dict) -> str:
"""Calculeaza statusul general de conformitate."""
scores = [status["score"] for status in compliance_status.values()]
avg_score = sum(scores) / len(scores) if scores else 0
if avg_score >= 90:
return "compliant"
elif avg_score >= 70:
return "partially_compliant"
return "non_compliant"
def _generate_recommendations(self, compliance_status: Dict) -> List[Dict]:
"""Genereaza recomandari de conformitate."""
recommendations = []
for reg, status in compliance_status.items():
for check in status["checks"]:
if not check["passed"]:
recommendations.append({
"regulation": reg,
"area": check["check"],
"priority": "high" if status["score"] < 70 else "medium",
"recommendation": f"Rezolva lacuna de conformitate {check['check']}",
"details": check["details"]
})
return recommendationsBune practici
Conformitate multinationala
- Aplica standardul cel mai strict: Cand se aplica mai multe regulamente, implementeaza cerintele cele mai restrictive
- Management unificat al consimtamantului: Construieste mecanisme de consimtamant care satisfac toate regulamentele aplicabile
- Notificari localizate: Ofera notificari de confidentialitate in limbile locale cu dezvaluiri specifice regulamentelor
- Evaluari periodice: Efectueaza evaluari periodice de conformitate pe masura ce regulamentele evolueaza
Ghid de implementare
- Cartografiaza fluxurile de date pentru a identifica toate regulamentele aplicabile
- Implementeaza procesarea automata a cererilor cu termene configurabile
- Mentine piste de audit complete pentru toate operatiunile de confidentialitate
- Instruieste personalul cu privire la cerintele specifice fiecarui regulament
Conformitatea globala in materie de confidentialitate necesita o abordare sistematica care se adapteaza la cerintele cele mai stricte mentinand eficienta operationala.
Sistemul tau AI e conform cu EU AI Act? Evaluare gratuita de risc - afla in 2 minute →