Cross-border transfers annotated with SCC references

Related rules

From the same buckets as this rule.

• Critical

  Idempotent Right to Erasure across all stores

  Provide a single idempotency-keyed erasure workflow that scrubs PII in primary DB, caches, search indices, and object storage; emit an audit event with erasure_request_id. (GDPR Art. 17)

  compliance-gdprprivacy-pii+2
• High

  Encrypt PII at rest using application-layer crypto

  Encrypt sensitive columns (e.g., email, phone) with managed keys; ensure DB connection enforces TLS. Store only ciphertext; compare via deterministic token/hashes when needed. (GDPR Art. 32)

  compliance-gdprsecurity-hardening+1
• High

  Enforce retention with explicit TTL per data category

  PII tables must include an expires_at (or retention_policy) column and a scheduled deletion/archival job aligned to data category. No indefinite retention. (GDPR Art. 5(1)(e))

  compliance-gdprprivacy-pii+2