dpnmw/agents
1
0
Fork 0
mirror of https://github.com/wshobson/agents.git synced 2026-03-18 09:37:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add 5 new specialized agents with 20 skills

Browse Source 
Add domain expert agents with comprehensive skill sets:
- service-mesh-expert (cloud-infrastructure): Istio/Linkerd patterns, mTLS, observability
- event-sourcing-architect (backend-development): CQRS, event stores, projections, sagas
- vector-database-engineer (llm-application-dev): embeddings, similarity search, hybrid search
- monorepo-architect (developer-essentials): Nx, Turborepo, Bazel, pnpm workspaces
- threat-modeling-expert (security-scanning): STRIDE, attack trees, security requirements

Update all documentation to reflect correct counts:
- 67 plugins, 99 agents, 107 skills, 71 commands
This commit is contained in:
Seth Hobson
2025-12-16 16:00:58 -05:00
parent c7ad381360
commit 01d93fc227
58 changed files with 24830 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

507
plugins/hr-legal-compliance/skills/employment-contract-templates/SKILL.md Normal file
View File

@@ -0,0 +1,507 @@
---
name: employment-contract-templates
description: Create employment contracts, offer letters, and HR policy documents following legal best practices. Use when drafting employment agreements, creating HR policies, or standardizing employment documentation.
---
# Employment Contract Templates
Templates and patterns for creating legally sound employment documentation including contracts, offer letters, and HR policies.
## When to Use This Skill
- Drafting employment contracts
- Creating offer letters
- Writing employee handbooks
- Developing HR policies
- Standardizing employment documentation
- Onboarding documentation
## Core Concepts
### 1. Employment Document Types
| Document | Purpose | When Used |
|----------|---------|-----------|
| **Offer Letter** | Initial job offer | Pre-hire |
| **Employment Contract** | Formal agreement | Hire |
| **Employee Handbook** | Policies & procedures | Onboarding |
| **NDA** | Confidentiality | Before access |
| **Non-Compete** | Competition restriction | Hire/Exit |
### 2. Key Legal Considerations
```
Employment Relationship:
├── At-Will vs. Contract
├── Employee vs. Contractor
├── Full-Time vs. Part-Time
├── Exempt vs. Non-Exempt
└── Jurisdiction-Specific Requirements
```
**DISCLAIMER: These templates are for informational purposes only and do not constitute legal advice. Consult with qualified legal counsel before using any employment documents.**
## Templates
### Template 1: Offer Letter
```markdown
# EMPLOYMENT OFFER LETTER
[Company Letterhead]
Date: [DATE]
[Candidate Name]
[Address]
[City, State ZIP]
Dear [Candidate Name],
We are pleased to extend an offer of employment for the position of [JOB TITLE]
at [COMPANY NAME]. We believe your skills and experience will be valuable
additions to our team.
## Position Details
**Title:** [Job Title]
**Department:** [Department]
**Reports To:** [Manager Name/Title]
**Location:** [Office Location / Remote]
**Start Date:** [Proposed Start Date]
**Employment Type:** [Full-Time/Part-Time], [Exempt/Non-Exempt]
## Compensation
**Base Salary:** $[AMOUNT] per [year/hour], paid [bi-weekly/semi-monthly/monthly]
**Bonus:** [Eligible for annual bonus of up to X% based on company and individual
performance / Not applicable]
**Equity:** [X shares of stock options vesting over 4 years with 1-year cliff /
Not applicable]
## Benefits
You will be eligible for our standard benefits package, including:
- Health insurance (medical, dental, vision) effective [date]
- 401(k) with [X]% company match
- [X] days paid time off per year
- [X] paid holidays
- [Other benefits]
Full details will be provided during onboarding.
## Contingencies
This offer is contingent upon:
- Successful completion of background check
- Verification of your right to work in [Country]
- Execution of required employment documents including:
- Confidentiality Agreement
- [Non-Compete Agreement, if applicable]
- [IP Assignment Agreement]
## At-Will Employment
Please note that employment with [Company Name] is at-will. This means that
either you or the Company may terminate the employment relationship at any time,
with or without cause or notice. This offer letter does not constitute a
contract of employment for any specific period.
## Acceptance
To accept this offer, please sign below and return by [DEADLINE DATE]. This
offer will expire if not accepted by that date.
We are excited about the possibility of you joining our team. If you have any
questions, please contact [HR Contact] at [email/phone].
Sincerely,
_________________________
[Hiring Manager Name]
[Title]
[Company Name]
---
## ACCEPTANCE
I accept this offer of employment and agree to the terms stated above.
Signature: _________________________
Printed Name: _________________________
Date: _________________________
Anticipated Start Date: _________________________
```
### Template 2: Employment Agreement (Contract Position)
```markdown
# EMPLOYMENT AGREEMENT
This Employment Agreement ("Agreement") is entered into as of [DATE]
("Effective Date") by and between:
**Employer:** [COMPANY LEGAL NAME], a [State] [corporation/LLC]
with principal offices at [Address] ("Company")
**Employee:** [EMPLOYEE NAME], an individual residing at [Address] ("Employee")
## 1. EMPLOYMENT
1.1 **Position.** The Company agrees to employ Employee as [JOB TITLE],
reporting to [Manager Title]. Employee accepts such employment subject to
the terms of this Agreement.
1.2 **Duties.** Employee shall perform duties consistent with their position,
including but not limited to:
- [Primary duty 1]
- [Primary duty 2]
- [Primary duty 3]
- Other duties as reasonably assigned
1.3 **Best Efforts.** Employee agrees to devote their full business time,
attention, and best efforts to the Company's business during employment.
1.4 **Location.** Employee's primary work location shall be [Location/Remote].
[Travel requirements, if any.]
## 2. TERM
2.1 **Employment Period.** This Agreement shall commence on [START DATE] and
continue until terminated as provided herein.
2.2 **At-Will Employment.** [FOR AT-WILL STATES] Notwithstanding anything
herein, employment is at-will and may be terminated by either party at any
time, with or without cause or notice.
[OR FOR FIXED TERM:]
2.2 **Fixed Term.** This Agreement is for a fixed term of [X] months/years,
ending on [END DATE], unless terminated earlier as provided herein or extended
by mutual written agreement.
## 3. COMPENSATION
3.1 **Base Salary.** Employee shall receive a base salary of $[AMOUNT] per year,
payable in accordance with the Company's standard payroll practices, subject to
applicable withholdings.
3.2 **Bonus.** Employee may be eligible for an annual discretionary bonus of up
to [X]% of base salary, based on [criteria]. Bonus payments are at Company's
sole discretion and require active employment at payment date.
3.3 **Equity.** [If applicable] Subject to Board approval and the Company's
equity incentive plan, Employee shall be granted [X shares/options] under the
terms of a separate Stock Option Agreement.
3.4 **Benefits.** Employee shall be entitled to participate in benefit plans
offered to similarly situated employees, subject to plan terms and eligibility
requirements.
3.5 **Expenses.** Company shall reimburse Employee for reasonable business
expenses incurred in accordance with Company policy.
## 4. CONFIDENTIALITY
4.1 **Confidential Information.** Employee acknowledges access to confidential
and proprietary information including: trade secrets, business plans, customer
lists, financial data, technical information, and other non-public information
("Confidential Information").
4.2 **Non-Disclosure.** During and after employment, Employee shall not
disclose, use, or permit use of any Confidential Information except as required
for their duties or with prior written consent.
4.3 **Return of Materials.** Upon termination, Employee shall immediately return
all Company property and Confidential Information in any form.
4.4 **Survival.** Confidentiality obligations survive termination indefinitely
for trade secrets and for [3] years for other Confidential Information.
## 5. INTELLECTUAL PROPERTY
5.1 **Work Product.** All inventions, discoveries, works, and developments
created by Employee during employment, relating to Company's business, or using
Company resources ("Work Product") shall be Company's sole property.
5.2 **Assignment.** Employee hereby assigns to Company all rights in Work
Product, including all intellectual property rights.
5.3 **Assistance.** Employee agrees to execute documents and take actions
necessary to perfect Company's rights in Work Product.
5.4 **Prior Inventions.** Attached as Exhibit A is a list of any prior
inventions that Employee wishes to exclude from this Agreement.
## 6. NON-COMPETITION AND NON-SOLICITATION
[NOTE: Enforceability varies by jurisdiction. Consult local counsel.]
6.1 **Non-Competition.** During employment and for [12] months after
termination, Employee shall not, directly or indirectly, engage in any business
competitive with Company's business within [Geographic Area].
6.2 **Non-Solicitation of Customers.** During employment and for [12] months
after termination, Employee shall not solicit any customer of the Company for
competing products or services.
6.3 **Non-Solicitation of Employees.** During employment and for [12] months
after termination, Employee shall not recruit or solicit any Company employee
to leave Company employment.
## 7. TERMINATION
7.1 **By Company for Cause.** Company may terminate immediately for Cause,
defined as:
(a) Material breach of this Agreement
(b) Conviction of a felony
(c) Fraud, dishonesty, or gross misconduct
(d) Failure to perform duties after written notice and cure period
7.2 **By Company Without Cause.** Company may terminate without Cause upon
[30] days written notice.
7.3 **By Employee.** Employee may terminate upon [30] days written notice.
7.4 **Severance.** [If applicable] Upon termination without Cause, Employee
shall receive [X] weeks base salary as severance, contingent upon execution
of a release agreement.
7.5 **Effect of Termination.** Upon termination:
- All compensation earned through termination date shall be paid
- Unvested equity shall be forfeited
- Benefits terminate per plan terms
- Sections 4, 5, 6, 8, and 9 survive termination
## 8. GENERAL PROVISIONS
8.1 **Entire Agreement.** This Agreement constitutes the entire agreement and
supersedes all prior negotiations, representations, and agreements.
8.2 **Amendments.** This Agreement may be amended only by written agreement
signed by both parties.
8.3 **Governing Law.** This Agreement shall be governed by the laws of [State],
without regard to conflicts of law principles.
8.4 **Dispute Resolution.** [Arbitration clause or jurisdiction selection]
8.5 **Severability.** If any provision is unenforceable, it shall be modified
to the minimum extent necessary, and remaining provisions shall remain in effect.
8.6 **Notices.** Notices shall be in writing and delivered to addresses above.
8.7 **Assignment.** Employee may not assign this Agreement. Company may assign
to a successor.
8.8 **Waiver.** Failure to enforce any provision shall not constitute waiver.
## 9. ACKNOWLEDGMENTS
Employee acknowledges:
- Having read and understood this Agreement
- Having opportunity to consult with counsel
- Agreeing to all terms voluntarily
---
IN WITNESS WHEREOF, the parties have executed this Agreement as of the
Effective Date.
**[COMPANY NAME]**
By: _________________________
Name: [Authorized Signatory]
Title: [Title]
Date: _________________________
**EMPLOYEE**
Signature: _________________________
Name: [Employee Name]
Date: _________________________
---
## EXHIBIT A: PRIOR INVENTIONS
[Employee to list any prior inventions, if any, or write "None"]
_________________________
```
### Template 3: Employee Handbook Policy Section
```markdown
# EMPLOYEE HANDBOOK - POLICY SECTION
## EMPLOYMENT POLICIES
### Equal Employment Opportunity
[Company Name] is an equal opportunity employer. We do not discriminate based on
race, color, religion, sex, sexual orientation, gender identity, national
origin, age, disability, veteran status, or any other protected characteristic.
This policy applies to all employment practices including:
- Recruitment and hiring
- Compensation and benefits
- Training and development
- Promotions and transfers
- Termination
### Anti-Harassment Policy
[Company Name] is committed to providing a workplace free from harassment.
Harassment based on any protected characteristic is strictly prohibited.
**Prohibited Conduct Includes:**
- Unwelcome sexual advances or requests for sexual favors
- Offensive comments, jokes, or slurs
- Physical conduct such as assault or unwanted touching
- Visual conduct such as displaying offensive images
- Threatening, intimidating, or hostile acts
**Reporting Procedure:**
1. Report to your manager, HR, or any member of leadership
2. Reports may be made verbally or in writing
3. Anonymous reports are accepted via [hotline/email]
**Investigation:**
All reports will be promptly investigated. Retaliation against anyone who
reports harassment is strictly prohibited and will result in disciplinary
action up to termination.
### Work Hours and Attendance
**Standard Hours:** [8:00 AM - 5:00 PM, Monday through Friday]
**Core Hours:** [10:00 AM - 3:00 PM] - Employees expected to be available
**Flexible Work:** [Policy on remote work, flexible scheduling]
**Attendance Expectations:**
- Notify your manager as soon as possible if you will be absent
- Excessive unexcused absences may result in disciplinary action
- [X] unexcused absences in [Y] days considered excessive
### Paid Time Off (PTO)
**PTO Accrual:**
| Years of Service | Annual PTO Days |
|------------------|-----------------|
| 0-2 years | 15 days |
| 3-5 years | 20 days |
| 6+ years | 25 days |
**PTO Guidelines:**
- PTO accrues per pay period
- Maximum accrual: [X] days (use it or lose it after)
- Request PTO at least [2] weeks in advance
- Manager approval required
- PTO may not be taken during [blackout periods]
### Sick Leave
- [X] days sick leave per year
- May be used for personal illness or family member care
- Doctor's note required for absences exceeding [3] days
### Holidays
The following paid holidays are observed:
- New Year's Day
- Martin Luther King Jr. Day
- Presidents Day
- Memorial Day
- Independence Day
- Labor Day
- Thanksgiving Day
- Day after Thanksgiving
- Christmas Day
- [Floating holiday]
### Code of Conduct
All employees are expected to:
- Act with integrity and honesty
- Treat colleagues, customers, and partners with respect
- Protect company confidential information
- Avoid conflicts of interest
- Comply with all laws and regulations
- Report any violations of this code
**Violations may result in disciplinary action up to and including termination.**
### Technology and Communication
**Acceptable Use:**
- Company technology is for business purposes
- Limited personal use is permitted if it doesn't interfere with work
- No illegal activities or viewing inappropriate content
**Monitoring:**
- Company reserves the right to monitor company systems
- Employees should have no expectation of privacy on company devices
**Security:**
- Use strong passwords and enable 2FA
- Report security incidents immediately
- Lock devices when unattended
### Social Media Policy
**Personal Social Media:**
- Clearly state opinions are your own, not the company's
- Do not share confidential company information
- Be respectful and professional
**Company Social Media:**
- Only authorized personnel may post on behalf of the company
- Follow brand guidelines
- Escalate negative comments to [Marketing/PR]
---
## ACKNOWLEDGMENT
I acknowledge that I have received a copy of the Employee Handbook and
understand that:
1. I am responsible for reading and understanding its contents
2. The handbook does not create a contract of employment
3. Policies may be changed at any time at the company's discretion
4. Employment is at-will [if applicable]
I agree to abide by the policies and procedures outlined in this handbook.
Employee Signature: _________________________
Employee Name (Print): _________________________
Date: _________________________
```
## Best Practices
### Do's
- **Consult legal counsel** - Employment law varies by jurisdiction
- **Keep copies signed** - Document all agreements
- **Update regularly** - Laws and policies change
- **Be clear and specific** - Avoid ambiguity
- **Train managers** - On policies and procedures
### Don'ts
- **Don't use generic templates** - Customize for your jurisdiction
- **Don't make promises** - That could create implied contracts
- **Don't discriminate** - In language or application
- **Don't forget at-will language** - Where applicable
- **Don't skip review** - Have legal counsel review all documents
## Resources
- [SHRM Employment Templates](https://www.shrm.org/)
- [Department of Labor](https://www.dol.gov/)
- [EEOC Guidance](https://www.eeoc.gov/)
- State-specific labor departments

616
plugins/hr-legal-compliance/skills/gdpr-data-handling/SKILL.md Normal file
View File

@@ -0,0 +1,616 @@
---
name: gdpr-data-handling
description: Implement GDPR-compliant data handling with consent management, data subject rights, and privacy by design. Use when building systems that process EU personal data, implementing privacy controls, or conducting GDPR compliance reviews.
---
# GDPR Data Handling
Practical implementation guide for GDPR-compliant data processing, consent management, and privacy controls.
## When to Use This Skill
- Building systems that process EU personal data
- Implementing consent management
- Handling data subject requests (DSRs)
- Conducting GDPR compliance reviews
- Designing privacy-first architectures
- Creating data processing agreements
## Core Concepts
### 1. Personal Data Categories
| Category | Examples | Protection Level |
|----------|----------|------------------|
| **Basic** | Name, email, phone | Standard |
| **Sensitive (Art. 9)** | Health, religion, ethnicity | Explicit consent |
| **Criminal (Art. 10)** | Convictions, offenses | Official authority |
| **Children's** | Under 16 data | Parental consent |
### 2. Legal Bases for Processing
```
Article 6 - Lawful Bases:
├── Consent: Freely given, specific, informed
├── Contract: Necessary for contract performance
├── Legal Obligation: Required by law
├── Vital Interests: Protecting someone's life
├── Public Interest: Official functions
└── Legitimate Interest: Balanced against rights
```
### 3. Data Subject Rights
```
Right to Access (Art. 15) ─┐
Right to Rectification (Art. 16) │
Right to Erasure (Art. 17) │ Must respond
Right to Restrict (Art. 18) │ within 1 month
Right to Portability (Art. 20) │
Right to Object (Art. 21) ─┘
```
## Implementation Patterns
### Pattern 1: Consent Management
```javascript
// Consent data model
const consentSchema = {
userId: String,
consents: [{
purpose: String, // 'marketing', 'analytics', etc.
granted: Boolean,
timestamp: Date,
source: String, // 'web_form', 'api', etc.
version: String, // Privacy policy version
ipAddress: String, // For proof
userAgent: String // For proof
}],
auditLog: [{
action: String, // 'granted', 'withdrawn', 'updated'
purpose: String,
timestamp: Date,
source: String
}]
};
// Consent service
class ConsentManager {
async recordConsent(userId, purpose, granted, metadata) {
const consent = {
purpose,
granted,
timestamp: new Date(),
source: metadata.source,
version: await this.getCurrentPolicyVersion(),
ipAddress: metadata.ipAddress,
userAgent: metadata.userAgent
};
// Store consent
await this.db.consents.updateOne(
{ userId },
{
$push: {
consents: consent,
auditLog: {
action: granted ? 'granted' : 'withdrawn',
purpose,
timestamp: consent.timestamp,
source: metadata.source
}
}
},
{ upsert: true }
);
// Emit event for downstream systems
await this.eventBus.emit('consent.changed', {
userId,
purpose,
granted,
timestamp: consent.timestamp
});
}
async hasConsent(userId, purpose) {
const record = await this.db.consents.findOne({ userId });
if (!record) return false;
const latestConsent = record.consents
.filter(c => c.purpose === purpose)
.sort((a, b) => b.timestamp - a.timestamp)[0];
return latestConsent?.granted === true;
}
async getConsentHistory(userId) {
const record = await this.db.consents.findOne({ userId });
return record?.auditLog || [];
}
}
```
```html
<!-- GDPR-compliant consent UI -->
<div class="consent-banner" role="dialog" aria-labelledby="consent-title">
<h2 id="consent-title">Cookie Preferences</h2>
<p>We use cookies to improve your experience. Select your preferences below.</p>
<form id="consent-form">
<!-- Necessary - always on, no consent needed -->
<div class="consent-category">
<input type="checkbox" id="necessary" checked disabled>
<label for="necessary">
<strong>Necessary</strong>
<span>Required for the website to function. Cannot be disabled.</span>
</label>
</div>
<!-- Analytics - requires consent -->
<div class="consent-category">
<input type="checkbox" id="analytics" name="analytics">
<label for="analytics">
<strong>Analytics</strong>
<span>Help us understand how you use our site.</span>
</label>
</div>
<!-- Marketing - requires consent -->
<div class="consent-category">
<input type="checkbox" id="marketing" name="marketing">
<label for="marketing">
<strong>Marketing</strong>
<span>Personalized ads based on your interests.</span>
</label>
</div>
<div class="consent-actions">
<button type="button" id="accept-all">Accept All</button>
<button type="button" id="reject-all">Reject All</button>
<button type="submit">Save Preferences</button>
</div>
<p class="consent-links">
<a href="/privacy-policy">Privacy Policy</a> |
<a href="/cookie-policy">Cookie Policy</a>
</p>
</form>
</div>
```
### Pattern 2: Data Subject Access Request (DSAR)
```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import json
class DSARHandler:
"""Handle Data Subject Access Requests."""
RESPONSE_DEADLINE_DAYS = 30
EXTENSION_ALLOWED_DAYS = 60 # For complex requests
def __init__(self, data_sources: List['DataSource']):
self.data_sources = data_sources
async def submit_request(
self,
request_type: str, # 'access', 'erasure', 'rectification', 'portability'
user_id: str,
verified: bool,
details: Optional[Dict] = None
) -> str:
"""Submit a new DSAR."""
request = {
'id': self.generate_request_id(),
'type': request_type,
'user_id': user_id,
'status': 'pending_verification' if not verified else 'processing',
'submitted_at': datetime.utcnow(),
'deadline': datetime.utcnow() + timedelta(days=self.RESPONSE_DEADLINE_DAYS),
'details': details or {},
'audit_log': [{
'action': 'submitted',
'timestamp': datetime.utcnow(),
'details': 'Request received'
}]
}
await self.db.dsar_requests.insert_one(request)
await self.notify_dpo(request)
return request['id']
async def process_access_request(self, request_id: str) -> Dict:
"""Process a data access request."""
request = await self.get_request(request_id)
if request['type'] != 'access':
raise ValueError("Not an access request")
# Collect data from all sources
user_data = {}
for source in self.data_sources:
try:
data = await source.get_user_data(request['user_id'])
user_data[source.name] = data
except Exception as e:
user_data[source.name] = {'error': str(e)}
# Format response
response = {
'request_id': request_id,
'generated_at': datetime.utcnow().isoformat(),
'data_categories': list(user_data.keys()),
'data': user_data,
'retention_info': await self.get_retention_info(),
'processing_purposes': await self.get_processing_purposes(),
'third_party_recipients': await self.get_recipients()
}
# Update request status
await self.update_request(request_id, 'completed', response)
return response
async def process_erasure_request(self, request_id: str) -> Dict:
"""Process a right to erasure request."""
request = await self.get_request(request_id)
if request['type'] != 'erasure':
raise ValueError("Not an erasure request")
results = {}
exceptions = []
for source in self.data_sources:
try:
# Check for legal exceptions
can_delete, reason = await source.can_delete(request['user_id'])
if can_delete:
await source.delete_user_data(request['user_id'])
results[source.name] = 'deleted'
else:
exceptions.append({
'source': source.name,
'reason': reason # e.g., 'legal retention requirement'
})
results[source.name] = f'retained: {reason}'
except Exception as e:
results[source.name] = f'error: {str(e)}'
response = {
'request_id': request_id,
'completed_at': datetime.utcnow().isoformat(),
'results': results,
'exceptions': exceptions
}
await self.update_request(request_id, 'completed', response)
return response
async def process_portability_request(self, request_id: str) -> bytes:
"""Generate portable data export."""
request = await self.get_request(request_id)
user_data = await self.process_access_request(request_id)
# Convert to machine-readable format (JSON)
portable_data = {
'export_date': datetime.utcnow().isoformat(),
'format_version': '1.0',
'data': user_data['data']
}
return json.dumps(portable_data, indent=2, default=str).encode()
```
### Pattern 3: Data Retention
```python
from datetime import datetime, timedelta
from enum import Enum
class RetentionBasis(Enum):
CONSENT = "consent"
CONTRACT = "contract"
LEGAL_OBLIGATION = "legal_obligation"
LEGITIMATE_INTEREST = "legitimate_interest"
class DataRetentionPolicy:
"""Define and enforce data retention policies."""
POLICIES = {
'user_account': {
'retention_period_days': 365 * 3, # 3 years after last activity
'basis': RetentionBasis.CONTRACT,
'trigger': 'last_activity_date',
'archive_before_delete': True
},
'transaction_records': {
'retention_period_days': 365 * 7, # 7 years for tax
'basis': RetentionBasis.LEGAL_OBLIGATION,
'trigger': 'transaction_date',
'archive_before_delete': True,
'legal_reference': 'Tax regulations require 7 year retention'
},
'marketing_consent': {
'retention_period_days': 365 * 2, # 2 years
'basis': RetentionBasis.CONSENT,
'trigger': 'consent_date',
'archive_before_delete': False
},
'support_tickets': {
'retention_period_days': 365 * 2,
'basis': RetentionBasis.LEGITIMATE_INTEREST,
'trigger': 'ticket_closed_date',
'archive_before_delete': True
},
'analytics_data': {
'retention_period_days': 365, # 1 year
'basis': RetentionBasis.CONSENT,
'trigger': 'collection_date',
'archive_before_delete': False,
'anonymize_instead': True
}
}
async def apply_retention_policies(self):
"""Run retention policy enforcement."""
for data_type, policy in self.POLICIES.items():
cutoff_date = datetime.utcnow() - timedelta(
days=policy['retention_period_days']
)
if policy.get('anonymize_instead'):
await self.anonymize_old_data(data_type, cutoff_date)
else:
if policy.get('archive_before_delete'):
await self.archive_data(data_type, cutoff_date)
await self.delete_old_data(data_type, cutoff_date)
await self.log_retention_action(data_type, cutoff_date)
async def anonymize_old_data(self, data_type: str, before_date: datetime):
"""Anonymize data instead of deleting."""
# Example: Replace identifying fields with hashes
if data_type == 'analytics_data':
await self.db.analytics.update_many(
{'collection_date': {'$lt': before_date}},
{'$set': {
'user_id': None,
'ip_address': None,
'device_id': None,
'anonymized': True,
'anonymized_date': datetime.utcnow()
}}
)
```
### Pattern 4: Privacy by Design
```python
class PrivacyFirstDataModel:
"""Example of privacy-by-design data model."""
# Separate PII from behavioral data
user_profile_schema = {
'user_id': str, # UUID, not sequential
'email_hash': str, # Hashed for lookups
'created_at': datetime,
# Minimal data collection
'preferences': {
'language': str,
'timezone': str
}
}
# Encrypted at rest
user_pii_schema = {
'user_id': str,
'email': str, # Encrypted
'name': str, # Encrypted
'phone': str, # Encrypted (optional)
'address': dict, # Encrypted (optional)
'encryption_key_id': str
}
# Pseudonymized behavioral data
analytics_schema = {
'session_id': str, # Not linked to user_id
'pseudonym_id': str, # Rotating pseudonym
'events': list,
'device_category': str, # Generalized, not specific
'country': str, # Not city-level
}
class DataMinimization:
"""Implement data minimization principles."""
@staticmethod
def collect_only_needed(form_data: dict, purpose: str) -> dict:
"""Filter form data to only fields needed for purpose."""
REQUIRED_FIELDS = {
'account_creation': ['email', 'password'],
'newsletter': ['email'],
'purchase': ['email', 'name', 'address', 'payment'],
'support': ['email', 'message']
}
allowed = REQUIRED_FIELDS.get(purpose, [])
return {k: v for k, v in form_data.items() if k in allowed}
@staticmethod
def generalize_location(ip_address: str) -> str:
"""Generalize IP to country level only."""
import geoip2.database
reader = geoip2.database.Reader('GeoLite2-Country.mmdb')
try:
response = reader.country(ip_address)
return response.country.iso_code
except:
return 'UNKNOWN'
```
### Pattern 5: Breach Notification
```python
from datetime import datetime
from enum import Enum
class BreachSeverity(Enum):
LOW = "low"
MEDIUM = "medium"
HIGH = "high"
CRITICAL = "critical"
class BreachNotificationHandler:
"""Handle GDPR breach notification requirements."""
AUTHORITY_NOTIFICATION_HOURS = 72
AFFECTED_NOTIFICATION_REQUIRED_SEVERITY = BreachSeverity.HIGH
async def report_breach(
self,
description: str,
data_types: List[str],
affected_count: int,
severity: BreachSeverity
) -> dict:
"""Report and handle a data breach."""
breach = {
'id': self.generate_breach_id(),
'reported_at': datetime.utcnow(),
'description': description,
'data_types_affected': data_types,
'affected_individuals_count': affected_count,
'severity': severity.value,
'status': 'investigating',
'timeline': [{
'event': 'breach_reported',
'timestamp': datetime.utcnow(),
'details': description
}]
}
await self.db.breaches.insert_one(breach)
# Immediate notifications
await self.notify_dpo(breach)
await self.notify_security_team(breach)
# Authority notification required within 72 hours
if self.requires_authority_notification(severity, data_types):
breach['authority_notification_deadline'] = (
datetime.utcnow() + timedelta(hours=self.AUTHORITY_NOTIFICATION_HOURS)
)
await self.schedule_authority_notification(breach)
# Affected individuals notification
if severity.value in [BreachSeverity.HIGH.value, BreachSeverity.CRITICAL.value]:
await self.schedule_individual_notifications(breach)
return breach
def requires_authority_notification(
self,
severity: BreachSeverity,
data_types: List[str]
) -> bool:
"""Determine if supervisory authority must be notified."""
# Always notify for sensitive data
sensitive_types = ['health', 'financial', 'credentials', 'biometric']
if any(t in sensitive_types for t in data_types):
return True
# Notify for medium+ severity
return severity in [BreachSeverity.MEDIUM, BreachSeverity.HIGH, BreachSeverity.CRITICAL]
async def generate_authority_report(self, breach_id: str) -> dict:
"""Generate report for supervisory authority."""
breach = await self.get_breach(breach_id)
return {
'organization': {
'name': self.config.org_name,
'contact': self.config.dpo_contact,
'registration': self.config.registration_number
},
'breach': {
'nature': breach['description'],
'categories_affected': breach['data_types_affected'],
'approximate_number_affected': breach['affected_individuals_count'],
'likely_consequences': self.assess_consequences(breach),
'measures_taken': await self.get_remediation_measures(breach_id),
'measures_proposed': await self.get_proposed_measures(breach_id)
},
'timeline': breach['timeline'],
'submitted_at': datetime.utcnow().isoformat()
}
```
## Compliance Checklist
```markdown
## GDPR Implementation Checklist
### Legal Basis
- [ ] Documented legal basis for each processing activity
- [ ] Consent mechanisms meet GDPR requirements
- [ ] Legitimate interest assessments completed
### Transparency
- [ ] Privacy policy is clear and accessible
- [ ] Processing purposes clearly stated
- [ ] Data retention periods documented
### Data Subject Rights
- [ ] Access request process implemented
- [ ] Erasure request process implemented
- [ ] Portability export available
- [ ] Rectification process available
- [ ] Response within 30-day deadline
### Security
- [ ] Encryption at rest implemented
- [ ] Encryption in transit (TLS)
- [ ] Access controls in place
- [ ] Audit logging enabled
### Breach Response
- [ ] Breach detection mechanisms
- [ ] 72-hour notification process
- [ ] Breach documentation system
### Documentation
- [ ] Records of processing activities (Art. 30)
- [ ] Data protection impact assessments
- [ ] Data processing agreements with vendors
```
## Best Practices
### Do's
- **Minimize data collection** - Only collect what's needed
- **Document everything** - Processing activities, legal bases
- **Encrypt PII** - At rest and in transit
- **Implement access controls** - Need-to-know basis
- **Regular audits** - Verify compliance continuously
### Don'ts
- **Don't pre-check consent boxes** - Must be opt-in
- **Don't bundle consent** - Separate purposes separately
- **Don't retain indefinitely** - Define and enforce retention
- **Don't ignore DSARs** - 30-day response required
- **Don't transfer without safeguards** - SCCs or adequacy decisions
## Resources
- [GDPR Full Text](https://gdpr-info.eu/)
- [ICO Guidance](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/)
- [EDPB Guidelines](https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en)