合规审查工具 - 自动检查业务计划、产品功能、营销活动的法律合规性 | GDPR/CCPA/HIPAA

compliance-check by anthropics/knowledge-work-plugins

209 周安装量

10,300 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/anthropics/knowledge-work-plugins --skill compliance-check

自动化法律合规风险管理

🇨🇳中文介绍

/compliance-check -- 合规审查

如果您看到不熟悉的占位符或需要检查连接了哪些工具，请参阅 CONNECTORS.md。

对拟议的行动、产品功能、营销活动或业务计划进行合规性检查。

重要提示：此命令协助法律工作流程，但不提供法律建议。合规性评估应由合格的法律专业人士审查。监管要求变化频繁；请务必通过权威来源核实当前要求。

使用方法

/compliance-check $ARGUMENTS

我需要您提供的信息

描述您计划做什么。例如：

"我们想推出一个有现金奖励的推荐计划"
"我们正在为移动应用添加生物识别身份验证"
"我们需要在美国数据中心处理欧盟客户的数据"
"营销部门想在广告中使用客户推荐"

输出

## 合规性检查：[计划名称]

### 摘要
[快速评估：可以执行 / 有条件执行 / 需要进一步审查]

### 适用的法规与政策
| 法规/政策 | 相关性 | 关键要求 |
|-------------------|-----------|-----------------|
| [GDPR / CCPA / HIPAA / 等] | [如何适用] | [您需要做什么] |

### 要求
| # | 要求 | 状态 | 所需行动 |
|---|-------------|--------|---------------|
| 1 | [要求] | [已满足 / 未满足 / 未知] | [需要做什么] |

### 风险领域
| 风险 | 严重性 | 缓解措施 |
|------|----------|------------|
| [风险] | [高/中/低] | [如何解决] |

### 建议行动
1. [最重要的行动]
2. [第二优先级]
3. [第三优先级]

### 所需审批
| 审批人 | 原因 | 状态 |
|----------|-----|--------|
| [人员/团队] | [原因] | [待处理] |

### 建议进一步审查
[建议外部法律顾问或专家审查的领域]

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

GDPR（通用数据保护条例）

适用范围：适用于处理欧盟/欧洲经济区内个人个人数据的行为，无论处理组织位于何处。

内部法律团队的关键义务：

合法依据：为每项处理活动识别并记录合法依据（同意、合同、合法利益、法律义务、重大利益、公共任务）
数据主体权利：在30天内（复杂请求可延长60天）响应访问、更正、删除、可携性、限制处理和反对的请求
数据保护影响评估：对于可能对个人造成高风险的处理活动是必需的
违规通知：在意识到个人数据泄露后72小时内通知监管机构；如果风险较高，应及时通知受影响的个人
处理活动记录：维护第30条规定的处理活动记录
国际传输：确保向欧洲经济区外传输时有适当的保障措施（标准合同条款、充分性决定、有约束力的公司规则）
数据保护官要求：如果需要（公共机构、大规模处理特殊类别数据、大规模系统性监控），应任命数据保护官

常见的内部法律接触点：

审查供应商数据处理协议是否符合GDPR
就隐私设计原则要求向产品团队提供建议
回应监管机构的问询
管理跨境数据传输机制
审查同意机制和隐私声明

CCPA / CPRA（加州消费者隐私法案 / 加州隐私权利法案）

适用范围：适用于收集加州居民个人信息并达到收入、数据量或数据销售门槛的企业。

知情权：消费者可以要求披露收集、使用和共享的个人信息
删除权：消费者可以要求删除其个人信息
选择退出权：消费者可以选择退出个人信息的销售或共享
更正权：消费者可以要求更正不准确的个人信息（CPRA新增）
限制使用敏感个人信息权：消费者可以限制敏感个人信息用于特定目的（CPRA新增）
非歧视：不得歧视行使权利的消费者
隐私声明：必须在收集时或之前提供隐私声明，说明收集的个人信息类别和目的
服务提供商协议：与服务提供商的合同必须限制个人信息用于指定的商业目的

响应时间表：

在10个工作日内确认收到
在45个日历日内做出实质性回应（可延长45天并通知）

其他需要关注的关键法规

法规	司法管辖区	关键区别点
LGPD（巴西）	巴西	与GDPR类似；要求任命DPO；由巴西国家数据保护局执行
POPIA（南非）	南非	信息监管机构监督；要求处理活动注册
PIPEDA（加拿大）	加拿大（联邦）	基于同意的框架；隐私专员办公室监督；正在现代化
PDPA（新加坡）	新加坡	谢绝来电登记册；强制性违规通知；个人数据保护委员会执行
隐私法（澳大利亚）	澳大利亚	澳大利亚隐私原则；可通知的数据泄露计划
PIPL（中国）	中国	严格的跨境传输规则；数据本地化要求；国家网信办监督
英国GDPR	英国	脱欧后的英国版本；信息专员办公室监督；与欧盟GDPR类似，但有英国特定的充分性决定

数据处理协议审查清单

审查数据处理协议或数据处理附录时，请核实以下内容：

必需要素（GDPR第28条）

处理主题和期限：明确定义处理的范围和期限
性质和目的：具体描述将发生什么处理以及原因
个人数据类型：正在处理的个人数据类别
数据主体类别：处理谁的的个人数据
控制者义务和权利：控制者的指示和监督权

仅根据书面指示处理：处理者承诺仅根据控制者的指示进行处理（法律要求除外）
保密性：授权处理的人员已承诺保密
安全措施：描述了适当的技术和组织措施（引用第32条）
子处理者要求：
- 书面授权要求（一般或特定）
- 如果是一般授权：变更通知并给予反对机会
- 子处理者通过书面协议受相同义务约束
- 处理者仍对子处理者的表现负责
协助数据主体行使权利：处理者将协助控制者响应数据主体请求
安全和违规协助：处理者将协助履行安全义务、违规通知、数据保护影响评估和事先咨询
删除或返还：终止时，删除或返还所有个人数据（由控制者选择），并删除现有副本，除非法律要求保留
审计权：控制者有权进行审计和检查（或接受第三方审计报告）
违规通知：处理者将及时（理想情况下在24-48小时内；必须使控制者能够满足72小时的监管截止日期）通知控制者个人数据泄露

已识别传输机制：标准合同条款、充分性决定、有约束力的公司规则或其他有效机制
标准合同条款版本：如果适用，使用当前欧盟标准合同条款（2021年6月版本）
正确模块：选择了适当的标准合同条款模块（控制者到处理者、控制者到控制者、处理者到处理者、处理者到控制者）
传输影响评估：如果传输到没有充分性决定的国家，已完成评估
补充措施：技术、组织或合同措施，以解决传输影响评估中发现的差距
英国附录：如果涉及英国个人数据，包含英国国际数据传输附录

责任：数据处理协议的责任条款与主服务协议一致（或不冲突）
终止条款一致：数据处理协议的期限与服务协议一致
数据位置：指定的处理位置是可接受的
安全标准：要求的具体安全标准或认证（SOC 2、ISO 27001等）
保险：数据处理活动有足够的保险覆盖

常见的数据处理协议问题

问题	风险	标准立场
未通知的笼统子处理者授权	失去对处理链的控制	要求通知并有权反对
违规通知时间 > 72小时	可能妨碍及时监管通知	要求在24-48小时内通知
无审计权（或仅通过第三方报告进行审计）	无法核实合规性	接受SOC 2 Type II + 在有原因时有权审计
未指定数据删除时间表	数据无限期保留	要求在终止后30-90天内删除
未指定数据处理位置	数据可能在任何地方处理	要求披露处理位置
过时的标准合同条款	无效的传输机制	要求使用当前欧盟标准合同条款（2021年版本）

数据主体请求处理

收到数据主体请求时：

识别请求类型：
- 访问（个人数据副本）
- 更正（纠正不准确数据）
- 删除/擦除（"被遗忘权"）
- 限制处理
- 数据可携性（结构化、机器可读格式）
- 反对处理
- 选择退出销售/共享（CCPA/CPRA）
- 限制使用敏感个人信息（CPRA）
识别适用的法规：
- 数据主体位于何处？
- 根据您组织的存在和活动，哪些法律适用？
- 具体要求和时间表是什么？
验证身份：
- 确认请求者是其声称的身份
- 使用与数据敏感性相称的合理验证措施
- 不要要求过多的文件
记录请求：
- 收到日期
- 请求类型
- 请求者身份
- 适用法规
- 响应截止日期
- 指定处理人

法规	初步确认	实质性响应	延期
GDPR	未指定（最佳实践：及时）	30天	+60天（需通知）
CCPA/CPRA	10个工作日	45个日历日	+45天（需通知）
英国GDPR	未指定（最佳实践：及时）	30天	+60天（需通知）
LGPD	未指定	15天	有限延期

豁免和例外情况

在满足请求之前，检查是否有任何豁免适用：

各法规常见的豁免：

法律索赔的辩护或确立
要求保留的法律义务
公共利益或官方授权
表达和信息自由（针对删除请求）
公共利益或科学/历史研究的存档

组织特定的考虑因素：

诉讼保留：受法律保留约束的数据不能被删除
监管保留：财务记录、雇佣记录和其他类别可能有强制保留期
第三方权利：满足请求可能对他人的权利产生不利影响

收集请求者在所有系统中的所有个人数据
应用任何豁免并记录依据
准备响应：满足请求或解释为何（全部或部分）无法满足
如果拒绝（全部或部分）：引用拒绝的具体法律依据
告知请求者其有权向监管机构提出投诉
记录响应并保留请求和响应的记录

保持对以下方面发展的了解：

监管指导：监管机构（信息专员办公室、法国国家信息与自由委员会、联邦贸易委员会、州检察长等）的新指南或更新指南
执法行动：表明监管重点的罚款、命令和和解
立法变化：新的隐私法律、现有法律的修正案、实施细则
行业标准：ISO 27001、SOC 2、NIST框架和特定行业要求的更新
跨境传输发展：充分性决定、标准合同条款更新、数据本地化要求

订阅监管机构的通讯（新闻通讯、RSS订阅、官方公告）
关注相关法律出版物以获取新发展的分析
审查行业协会更新以获取特定行业的指导
维护法规日历，记录已知的即将到来的截止日期、生效日期和合规里程碑
向法律团队通报影响组织处理活动的重大发展

在以下情况下，将监管发展情况上报给高级法律顾问或领导层：

新法规或指南直接影响组织的核心业务活动
组织所在行业的执法行动表明监管审查加强
即将到来的合规截止日期需要组织变革
组织依赖的数据传输机制受到质疑或失效
监管机构启动涉及组织的问询或调查

具体说明 — "我们想给所有用户发邮件"比"营销活动"更好。
包含地理区域 — 合规要求因司法管辖区而异。
提及数据 — 涉及哪些个人数据？这决定了大多数合规要求。

🇺🇸English

/compliance-check -- Compliance Review

If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.

Run a compliance check on a proposed action, product feature, marketing campaign, or business initiative.

Important : This command assists with legal workflows but does not provide legal advice. Compliance assessments should be reviewed by qualified legal professionals. Regulatory requirements change frequently; always verify current requirements with authoritative sources.

Usage

/compliance-check $ARGUMENTS

What I Need From You

Describe what you're planning to do. Examples:

"We want to launch a referral program with cash rewards"
"We're adding biometric authentication to our mobile app"
"We need to process EU customer data in our US data center"
"Marketing wants to use customer testimonials in ads"

Output

## Compliance Check: [Initiative]

### Summary
[Quick assessment: Proceed / Proceed with conditions / Requires further review]

### Applicable Regulations and Policies
| Regulation/Policy | Relevance | Key Requirements |
|-------------------|-----------|-----------------|
| [GDPR / CCPA / HIPAA / etc.] | [How it applies] | [What you need to do] |

### Requirements
| # | Requirement | Status | Action Needed |
|---|-------------|--------|---------------|
| 1 | [Requirement] | [Met / Not Met / Unknown] | [What to do] |

### Risk Areas
| Risk | Severity | Mitigation |
|------|----------|------------|
| [Risk] | [High/Med/Low] | [How to address] |

### Recommended Actions
1. [Most important action]
2. [Second priority]
3. [Third priority]

### Approvals Needed
| Approver | Why | Status |
|----------|-----|--------|
| [Person/Team] | [Reason] | [Pending] |

### Further Review Recommended
[Areas where outside counsel or specialist review is advised]

Privacy Regulation Overview

GDPR (General Data Protection Regulation)

Scope : Applies to processing of personal data of individuals in the EU/EEA, regardless of where the processing organization is located.

Key Obligations for In-House Legal Teams :

Lawful basis : Identify and document lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation, vital interest, public task)
Data subject rights : Respond to access, rectification, erasure, portability, restriction, and objection requests within 30 days (extendable by 60 days for complex requests)
Data protection impact assessments (DPIAs) : Required for processing likely to result in high risk to individuals
Breach notification : Notify supervisory authority within 72 hours of becoming aware of a personal data breach; notify affected individuals without undue delay if high risk
Records of processing : Maintain Article 30 records of processing activities
International transfers : Ensure appropriate safeguards for transfers outside EEA (SCCs, adequacy decisions, BCRs)
DPO requirement : Appoint a Data Protection Officer if required (public authority, large-scale processing of special categories, large-scale systematic monitoring)

Common In-House Legal Touchpoints :

Reviewing vendor DPAs for GDPR compliance
Advising product teams on privacy by design requirements
Responding to supervisory authority inquiries
Managing cross-border data transfer mechanisms
Reviewing consent mechanisms and privacy notices

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

Scope : Applies to businesses that collect personal information of California residents and meet revenue, data volume, or data sale thresholds.

Key Obligations :

Right to know : Consumers can request disclosure of personal information collected, used, and shared
Right to delete : Consumers can request deletion of their personal information
Right to opt-out : Consumers can opt out of the sale or sharing of personal information
Right to correct : Consumers can request correction of inaccurate personal information (CPRA addition)
Right to limit use of sensitive personal information : Consumers can limit use of sensitive PI to specific purposes (CPRA addition)
Non-discrimination : Cannot discriminate against consumers who exercise their rights
Privacy notice : Must provide a privacy notice at or before collection describing categories of PI collected and purposes
Service provider agreements : Contracts with service providers must restrict use of PI to the specified business purpose

Response Timelines :

Acknowledge receipt within 10 business days
Respond substantively within 45 calendar days (extendable by 45 days with notice)

Other Key Regulations to Monitor

Regulation	Jurisdiction	Key Differentiators
LGPD (Brazil)	Brazil	Similar to GDPR; requires DPO appointment; National Data Protection Authority (ANPD) enforcement
POPIA (South Africa)	South Africa	Information Regulator oversight; required registration of processing
PIPEDA (Canada)	Canada (federal)	Consent-based framework; OPC oversight; being modernized
PDPA (Singapore)	Singapore	Do Not Call registry; mandatory breach notification; PDPC enforcement
Privacy Act (Australia)	Australia	Australian Privacy Principles (APPs); notifiable data breaches scheme
PIPL (China)	China	Strict cross-border transfer rules; data localization requirements; CAC oversight
UK GDPR	United Kingdom

DPA Review Checklist

When reviewing a Data Processing Agreement or Data Processing Addendum, verify the following:

Required Elements (GDPR Article 28)

Subject matter and duration : Clearly defined scope and term of processing
Nature and purpose : Specific description of what processing will occur and why
Type of personal data : Categories of personal data being processed
Categories of data subjects : Whose personal data is being processed
Controller obligations and rights : Controller's instructions and oversight rights

Processor Obligations

Process only on documented instructions : Processor commits to process only per controller's instructions (with exception for legal requirements)
Confidentiality : Personnel authorized to process have committed to confidentiality
Security measures : Appropriate technical and organizational measures described (Article 32 reference)
Sub-processor requirements :
- Written authorization requirement (general or specific)
- If general authorization: notification of changes with opportunity to object
- Sub-processors bound by same obligations via written agreement
- Processor remains liable for sub-processor performance
Data subject rights assistance : Processor will assist controller in responding to data subject requests
Security and breach assistance : Processor will assist with security obligations, breach notification, DPIAs, and prior consultation
Deletion or return : On termination, delete or return all personal data (at controller's choice) and delete existing copies unless legal retention required
Audit rights : Controller has right to conduct audits and inspections (or accept third-party audit reports)
Breach notification : Processor will notify controller of personal data breaches without undue delay (ideally within 24-48 hours; must enable controller to meet 72-hour regulatory deadline)

International Transfers

Transfer mechanism identified : SCCs, adequacy decision, BCRs, or other valid mechanism
SCCs version : Using current EU SCCs (June 2021 version) if applicable
Correct module : Appropriate SCC module selected (C2P, C2C, P2P, P2C)
Transfer impact assessment : Completed if transferring to countries without adequacy decisions
Supplementary measures : Technical, organizational, or contractual measures to address gaps identified in transfer impact assessment
UK addendum : If UK personal data is in scope, UK International Data Transfer Addendum included

Practical Considerations

Liability : DPA liability provisions align with (or don't conflict with) the main services agreement
Termination alignment : DPA term aligns with the services agreement
Data locations : Processing locations specified and acceptable
Security standards : Specific security standards or certifications required (SOC 2, ISO 27001, etc.)
Insurance : Adequate insurance coverage for data processing activities

Common DPA Issues

Issue	Risk	Standard Position
Blanket sub-processor authorization without notification	Loss of control over processing chain	Require notification with right to object
Breach notification timeline > 72 hours	May prevent timely regulatory notification	Require notification within 24-48 hours
No audit rights (or audit rights only via third-party reports)	Cannot verify compliance	Accept SOC 2 Type II + right to audit upon cause
Data deletion timeline not specified	Data retained indefinitely	Require deletion within 30-90 days of termination
No data processing locations specified	Data could be processed anywhere	Require disclosure of processing locations
Outdated SCCs	Invalid transfer mechanism	Require current EU SCCs (2021 version)

Data Subject Request Handling

Request Intake

When a data subject request is received:

Identify the request type :
- Access (copy of personal data)
- Rectification (correction of inaccurate data)
- Erasure / deletion ("right to be forgotten")
- Restriction of processing
- Data portability (structured, machine-readable format)
- Objection to processing
- Opt-out of sale/sharing (CCPA/CPRA)
- Limit use of sensitive personal information (CPRA)
Identify applicable regulation(s) :
- Where is the data subject located?
- Which laws apply based on your organization's presence and activities?
- What are the specific requirements and timelines?
Verify identity :
- Confirm the requester is who they claim to be
- Use reasonable verification measures proportionate to the sensitivity of the data
- Do not require excessive documentation
Log the request :
- Date received
- Request type
- Requester identity
- Applicable regulation
- Response deadline
- Assigned handler

Response Timelines

Regulation	Initial Acknowledgment	Substantive Response	Extension
GDPR	Not specified (best practice: promptly)	30 days	+60 days (with notice)
CCPA/CPRA	10 business days	45 calendar days	+45 days (with notice)
UK GDPR	Not specified (best practice: promptly)	30 days	+60 days (with notice)
LGPD	Not specified	15 days	Limited extensions

Exemptions and Exceptions

Before fulfilling a request, check whether any exemptions apply:

Common exemptions across regulations :

Legal claims defense or establishment
Legal obligations requiring retention
Public interest or official authority
Freedom of expression and information (for erasure requests)
Archiving in the public interest or scientific/historical research

Organization-specific considerations :

Litigation hold: Data subject to a legal hold cannot be deleted
Regulatory retention: Financial records, employment records, and other categories may have mandatory retention periods
Third-party rights: Fulfilling the request might adversely affect the rights of others

Response Process

Gather all personal data of the requester across systems
Apply any exemptions and document the basis
Prepare response: fulfill the request or explain why (in whole or part) it cannot be fulfilled
If denying (in whole or part): cite the specific legal basis for denial
Inform the requester of their right to lodge a complaint with the supervisory authority
Document the response and retain records of the request and response

Regulatory Monitoring Basics

What to Monitor

Maintain awareness of developments in:

Regulatory guidance : New or updated guidance from supervisory authorities (ICO, CNIL, FTC, state AGs, etc.)
Enforcement actions : Fines, orders, and settlements that signal regulatory priorities
Legislative changes : New privacy laws, amendments to existing laws, implementing regulations
Industry standards : Updates to ISO 27001, SOC 2, NIST frameworks, and sector-specific requirements
Cross-border transfer developments : Adequacy decisions, SCC updates, data localization requirements

Monitoring Approach

Subscribe to regulatory authority communications (newsletters, RSS feeds, official announcements)
Track relevant legal publications for analysis of new developments
Review industry association updates for sector-specific guidance
Maintain a regulatory calendar of known upcoming deadlines, effective dates, and compliance milestones
Brief the legal team on material developments that affect the organization's processing activities

Escalation Criteria

Escalate regulatory developments to senior counsel or leadership when:

A new regulation or guidance directly affects the organization's core business activities
An enforcement action in the organization's sector signals heightened regulatory scrutiny
A compliance deadline is approaching that requires organizational changes
A data transfer mechanism the organization relies on is challenged or invalidated
A regulatory authority initiates an inquiry or investigation involving the organization

Tips

Be specific — "We want to email all our users" is better than "marketing campaign."
Include the geography — Compliance requirements vary by jurisdiction.
Mention the data — What personal data is involved? This drives most compliance requirements.

Weekly Installs

209

Repository

anthropics/know…-plugins

GitHub Stars

10.3K

First Seen

11 days ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

gemini-cli200

opencode199

codex199

cursor199

kimi-cli198

amp198

通过 LiteLLM 代理让 Claude Code 对接 GitHub Copilot 运行 | 高级变通方案指南

31,600 周安装