From 0785ff446a3d1435ecb4c1334a0d06f9db8d385d Mon Sep 17 00:00:00 2001 From: auge2u Date: Thu, 19 Feb 2026 07:02:01 +0100 Subject: [PATCH 1/2] Add legal-swiss plugin: Swiss-law edition of the legal plugin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a Swiss-law variant of the legal plugin, tuned to nDSG (in force 1 September 2023), OR/ZGB mandatory law, and FDPIC/EDÖB supervisory framework. All commands and skills have been rewritten with Swiss-specific citations, templates, and escalation logic. Commands (5): brief, respond, review-contract, triage-nda, vendor-check Skills (6): contract-review, nda-triage, compliance, canned-responses, legal-risk-assessment, meeting-briefing Samples (4): MSA, AV-Vereinbarung, FDPIC inquiry, data breach incident Key Swiss-law additions: - OR Art. 100 mandatory liability floor enforcement (void clause detection) - nDSG/GDPR dual compliance framework with FDPIC notification protocol - Anwaltsgeheimnis privilege routing for regulatory matters - SCAI arbitration and Handelsgericht venue guidance - Handelsregister/zefix.ch Kollektivunterschrift verification workflow - Three-language support: DE / FR / IT / EN - CHF denomination throughout; MWST/VAT handling - URG default IP ownership analysis (creator retains) Co-Authored-By: Claude Sonnet 4.6 --- legal-swiss/.claude-plugin/plugin.json | 26 ++ legal-swiss/.mcp.json | 24 ++ legal-swiss/CONNECTORS.md | 85 +++++ legal-swiss/LICENSE | 202 +++++++++++ legal-swiss/README.md | 343 ++++++++++++++++++ legal-swiss/commands/brief.md | 246 +++++++++++++ legal-swiss/commands/respond.md | 234 ++++++++++++ legal-swiss/commands/review-contract.md | 210 +++++++++++ legal-swiss/commands/triage-nda.md | 195 ++++++++++ legal-swiss/commands/vendor-check.md | 209 +++++++++++ .../samples/sample-av-vereinbarung-ch.md | 85 +++++ .../samples/sample-data-breach-incident.md | 84 +++++ .../samples/sample-fdpic-inquiry-ch.md | 85 +++++ legal-swiss/samples/sample-msa-ch.md | 129 +++++++ legal-swiss/skills/canned-responses/SKILL.md | 326 +++++++++++++++++ legal-swiss/skills/compliance/SKILL.md | 292 +++++++++++++++ legal-swiss/skills/contract-review/SKILL.md | 283 +++++++++++++++ .../skills/legal-risk-assessment/SKILL.md | 284 +++++++++++++++ legal-swiss/skills/meeting-briefing/SKILL.md | 274 ++++++++++++++ legal-swiss/skills/nda-triage/SKILL.md | 187 ++++++++++ 20 files changed, 3803 insertions(+) create mode 100644 legal-swiss/.claude-plugin/plugin.json create mode 100644 legal-swiss/.mcp.json create mode 100644 legal-swiss/CONNECTORS.md create mode 100644 legal-swiss/LICENSE create mode 100644 legal-swiss/README.md create mode 100644 legal-swiss/commands/brief.md create mode 100644 legal-swiss/commands/respond.md create mode 100644 legal-swiss/commands/review-contract.md create mode 100644 legal-swiss/commands/triage-nda.md create mode 100644 legal-swiss/commands/vendor-check.md create mode 100644 legal-swiss/samples/sample-av-vereinbarung-ch.md create mode 100644 legal-swiss/samples/sample-data-breach-incident.md create mode 100644 legal-swiss/samples/sample-fdpic-inquiry-ch.md create mode 100644 legal-swiss/samples/sample-msa-ch.md create mode 100644 legal-swiss/skills/canned-responses/SKILL.md create mode 100644 legal-swiss/skills/compliance/SKILL.md create mode 100644 legal-swiss/skills/contract-review/SKILL.md create mode 100644 legal-swiss/skills/legal-risk-assessment/SKILL.md create mode 100644 legal-swiss/skills/meeting-briefing/SKILL.md create mode 100644 legal-swiss/skills/nda-triage/SKILL.md diff --git a/legal-swiss/.claude-plugin/plugin.json b/legal-swiss/.claude-plugin/plugin.json new file mode 100644 index 0000000..303d4a2 --- /dev/null +++ b/legal-swiss/.claude-plugin/plugin.json @@ -0,0 +1,26 @@ +{ + "name": "legal-swiss", + "version": "1.0.0", + "description": "Swiss-law legal productivity plugin for in-house legal teams. Contract review (OR Art. 100 mandatory law, URG, CISG), NDA triage (OR Art. 340–340c), nDSG/GDPR compliance (AV-Vereinbarung, breach notification, FDPIC/EDÖB), legal risk assessment (CHF exposure, VR liability), and templated responses. Covers German, French, Italian, and English. Calibrated to Swiss mandatory law, FDPIC supervisory framework, and Swiss court practice.", + "author": { + "name": "Anthropic" + }, + "jurisdiction": "CH", + "primaryLaw": [ + "OR (Obligationenrecht)", + "nDSG (Bundesgesetz über den Datenschutz, in force 1 September 2023)", + "ZGB (Zivilgesetzbuch)", + "ZPO (Zivilprozessordnung)", + "IPRG (Bundesgesetz über das Internationale Privatrecht)", + "URG (Urheberrechtsgesetz)", + "FINMA Circular 2023/1 (outsourcing)", + "KG / WEKO (Kartellgesetz)" + ], + "languages": ["de", "fr", "it", "en"], + "regulatoryAuthorities": [ + "FDPIC / EDÖB (Federal Data Protection and Information Commissioner)", + "FINMA (Swiss Financial Market Supervisory Authority)", + "WEKO (Swiss Competition Commission / Commission de la concurrence)", + "SECO (State Secretariat for Economic Affairs)" + ] +} diff --git a/legal-swiss/.mcp.json b/legal-swiss/.mcp.json new file mode 100644 index 0000000..e511a49 --- /dev/null +++ b/legal-swiss/.mcp.json @@ -0,0 +1,24 @@ +{ + "mcpServers": { + "slack": { + "type": "http", + "url": "https://mcp.slack.com/mcp" + }, + "box": { + "type": "http", + "url": "https://mcp.box.com" + }, + "egnyte": { + "type": "http", + "url": "https://mcp-server.egnyte.com/mcp" + }, + "atlassian": { + "type": "http", + "url": "https://mcp.atlassian.com/v1/mcp" + }, + "ms365": { + "type": "http", + "url": "https://microsoft365.mcp.claude.com/mcp" + } + } +} diff --git a/legal-swiss/CONNECTORS.md b/legal-swiss/CONNECTORS.md new file mode 100644 index 0000000..68222cf --- /dev/null +++ b/legal-swiss/CONNECTORS.md @@ -0,0 +1,85 @@ +# Connectors — Swiss Legal Plugin + +## How tool references work + +Plugin files use `~~category` as a placeholder for whatever tool the user connects in that category. For example, `~~cloud storage` might mean SharePoint, Box, or any storage provider with an MCP server. + +Plugins are **tool-agnostic** — they describe workflows in terms of categories rather than specific products. The `.mcp.json` pre-configures specific MCP servers, but any MCP server in that category works. + +--- + +## Connectors for this plugin + +| Category | Placeholder | Included servers | Other options | +|----------|-------------|-----------------|---------------| +| Chat | `~~chat` | Slack | Microsoft Teams | +| Cloud storage | `~~cloud storage` | SharePoint, Box | Egnyte, Dropbox, Google Drive | +| CLM | `~~CLM` | — | Ironclad, Agiloft, Juro | +| CRM | `~~CRM` | — | Salesforce, HubSpot | +| E-signature | `~~e-signature` | — | DocuSign, Adobe Sign, PrivaSphere (Swiss-qualified) | +| Office suite | `~~office suite` | Microsoft 365 | Google Workspace | +| Project tracker | `~~project tracker` | Atlassian (Jira/Confluence) | Linear, Asana | + +--- + +## Swiss-specific integrations + +These integrations are relevant for Swiss legal workflows and are referenced in plugin commands and skills. + +| Service | Purpose | Access | +|---------|---------|--------| +| **zefix.ch** (Swiss Federal Commercial Registry) | Handelsregister entity lookup; Kollektivunterschrift / signing authority verification; UID number check | Public web; no MCP required — use WebFetch | +| **shab.ch** (Schweizerisches Handelsamtsblatt / SOGC) | Bundesblatt-equivalent official gazette; company announcements; liquidation notices | Public web; no MCP required | +| **edoeb.admin.ch** (FDPIC / EDÖB) | FDPIC guidance, adequacy list, complaint register | Public web; no MCP required | +| **finma.ch** | FINMA circulars, outsourcing register, supervised entity lookup | Public web; no MCP required | +| **bger.ch / bvger.ch** | BGer (Federal Supreme Court) and BVGer (Federal Administrative Court) decisions | Public web; no MCP required | +| **eur-lex.europa.eu** | GDPR text, EU adequacy decisions, SCCs (June 2021) | Public web; no MCP required | + +--- + +## Connector usage in workflows + +### Contract review (`/review-contract`) +- `~~cloud storage`: Retrieve contract files and precedent library +- `~~CLM`: Look up existing agreements with the same counterparty +- `~~e-signature`: Route executed redlines for signature +- zefix.ch: Verify counterparty Handelsregister entry and signing authority (Kollektivunterschrift) + +### Vendor check (`/vendor-check`) +- `~~CLM`: Primary source for existing agreement status +- `~~cloud storage`: Retrieve agreement copies and certificates +- zefix.ch: UID/entity verification; current Handelsregister status + +### Daily brief (`/brief daily`) +- `~~office suite`: Calendar items requiring legal prep; incoming email flagged for legal +- `~~chat`: Overnight requests in legal Slack channels +- `~~project tracker`: Open matters, upcoming deadlines, DSR tracker +- shab.ch / bger.ch / edoeb.admin.ch: Regulatory monitoring (fetched directly) + +### Incident brief (`/brief incident`) +- `~~chat`: Incident channel context (Slack #security, #legal) +- `~~office suite`: Incident emails, board notification drafts +- edoeb.admin.ch: FDPIC notification portal reference +- finma.ch: FINMA outsourcing notification requirement (if FINMA-supervised) + +### DSR / Auskunftsbegehren response (`/respond dsr`) +- `~~project tracker`: DSR intake register; deadline tracking +- `~~office suite`: Response letter drafting and delivery +- `~~cloud storage`: Data map / Verarbeitungsverzeichnis for data categories + +### FDPIC inquiry response (`/respond fdpic`) +- **Always escalate to outside Swiss counsel** — templates are orientation only +- `~~cloud storage`: AV-Vereinbarungen, Datenschutzerklärung, processing records +- `~~project tracker`: FDPIC matter docket (Aktenzeichen tracking) + +--- + +## Graceful degradation + +When MCP connections are unavailable, the plugin will: +1. Note which tool category is missing +2. Describe what the tool would have provided +3. Ask the user to supply the information manually or check the relevant Swiss registry/authority website directly +4. Continue the workflow with available information + +The zefix.ch Handelsregister check is always flagged as a manual step since it requires real-time verification before contract execution. diff --git a/legal-swiss/LICENSE b/legal-swiss/LICENSE new file mode 100644 index 0000000..d645695 --- /dev/null +++ b/legal-swiss/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/legal-swiss/README.md b/legal-swiss/README.md new file mode 100644 index 0000000..11184be --- /dev/null +++ b/legal-swiss/README.md @@ -0,0 +1,343 @@ +# Legal Productivity Plugin — Swiss Edition (nDSG / OR / ZGB) + +An AI-powered productivity plugin for in-house legal teams operating under **Swiss law**. Designed for [Cowork](https://claude.com/product/cowork), Anthropic's agentic desktop application — and works in Claude Code. Automates contract review, NDA triage, compliance workflows, legal briefings, and templated responses, all calibrated to Swiss mandatory law, Swiss court practice, and the FDPIC/EDÖB supervisory framework. + +**Swiss law foundation:** +- **OR** (Obligationenrecht / Code des obligations) — primary contract law +- **nDSG** (Bundesgesetz über den Datenschutz, in force 1 September 2023) — data protection +- **ZGB** (Zivilgesetzbuch) — civil law, entity and capacity matters +- **ZPO** (Zivilprozessordnung) — civil procedure, evidence holds, injunctions +- **IPRG** — private international law, choice of law analysis +- **URG** (Urheberrechtsgesetz) — Swiss copyright; creator retains rights by default +- **FINMA** — financial market regulation (outsourcing: Circular 2023/1) +- **WEKO / KG** — Swiss Competition Commission; cartel law Art. 5, 7 +- **VVG** (Versicherungsvertragsgesetz) — Swiss insurance; VVG Art. 38 prompt notification + +**Three-language environment supported:** German (DE) · French (FR) · Italian (IT) · English (EN) + +> **Disclaimer:** This plugin assists with legal workflows but does not provide legal advice. All outputs should be reviewed by a qualified Swiss attorney (*Rechtsanwalt / avocat / avvocato*, SAV/FSA admitted) before being relied upon. In-house counsel communications are **not** protected by Anwaltsgeheimnis — route sensitive regulatory matters through external Swiss counsel. + +--- + +## Target Personas + +- **Commercial Counsel** — Contract negotiation, vendor management, OR-based deal support +- **Product Counsel** — Product reviews, AGB, privacy notices under nDSG/GDPR, IP matters +- **Privacy / Compliance** — nDSG/GDPR compliance, AV-Vereinbarung reviews, Auskunftsbegehren (DSR), FDPIC monitoring +- **Litigation Support** — ZPO Beweissicherung, document holds, cantonal court briefings + +--- + +## Installation + +``` +claude plugins add knowledge-work-plugins/legal-swiss +``` + +--- + +## Quick Start + +### 1. Install the plugin + +``` +claude plugins add knowledge-work-plugins/legal-swiss +``` + +### 2. Configure your Swiss playbook + +Create a local settings file to encode your team's Swiss-law negotiation positions and risk tolerances. + +In your project's `.claude/` directory, create `legal.local.md`: + +```markdown +# Swiss Legal Playbook Configuration + +## Contract Review Positions (Swiss OR basis) + +### Haftungsbeschränkung / Limitation of Liability +- Standard position: Mutual cap at 12 months of fees paid/payable +- Acceptable range: 6–24 months fees +- Escalation trigger: Exclusion of gross negligence or intent (void under OR Art. 100) +- OR Art. 100 note: Any clause excluding liability for Absicht or grobe Fahrlässigkeit + is mandatory-law void — always require a savings clause + +### Freistellung / Indemnification +- Standard position: Mutual indemnification for IP infringement and data breach +- Acceptable: Third-party claims only, proportionate to fault +- Escalation trigger: Unilateral indemnification; uncapped; includes own costs + +### Geistiges Eigentum / IP Ownership +- Standard position: Each party retains pre-existing IP; customer owns deliverables +- Swiss note: URG default = creator retains copyright (no automatic work-for-hire) +- Escalation trigger: Broad IP assignment; reverse assignment of customer improvements; + use of customer data for AI training without explicit nDSG-compliant consent + +### Datenschutz / Data Protection +- Standard position: AV-Vereinbarung (nDSG Art. 9 / GDPR Art. 28) required for any + personal data processing +- Requirements: + - Sub-processor change notification right (not just general consent) + - Breach notification ≤ 72 h to controller (enabling FDPIC and GDPR notification) + - Data deletion within 30 days of contract termination + - Audit rights including periodic on-site review + - SCCs (June 2021 EU SCCs or Swiss addendum) for transfers to USA/India/non-adequate countries +- FDPIC adequacy list: EU/EEA + listed countries only; USA and India require SCCs +- Escalation trigger: No AV-Vereinbarung; blanket sub-processor consent; 14-day + breach notification (prevents compliance); "internal policies" as transfer safeguard + +### Vertragsdauer und Kündigung / Term and Termination +- Standard position: 1-year term; Kündigung für Convenience with 90-day notice +- Acceptable: Multi-year with termination for convenience after initial year +- Escalation trigger: Asymmetric termination rights; early termination fee = full + remaining term; no termination for convenience for customer + +### Anwendbares Recht und Gerichtsstand / Governing Law and Jurisdiction +- Preferred: Swiss law (OR); courts of Zürich (Handelsgericht ZH) or agreed canton +- Acceptable: SCAI arbitration (Swiss Rules of International Arbitration) for + cross-border commercial disputes +- Escalation trigger: Non-Swiss governing law without IPRG analysis; mandatory + arbitration in foreign seat; CISG not excluded + +## NDA Defaults (Swiss OR basis) +- Mutual obligations required +- Term: 2–3 years standard; up to 5 years for trade secrets +- Required carveouts (OR-aligned): + 1. Independently developed without use of CI + 2. Already publicly available at disclosure + 3. Rightfully received from a third party + 4. Already known to recipient at disclosure date + 5. Required by law or court order (with prior notice obligation) +- Residuals clause: Generally NOT acceptable for Swiss operations +- Non-compete / non-solicit: Subject to OR Art. 340–340c limits (geographic, temporal, + subject-matter scope; requires quid pro quo) +- Governing law: Swiss OR; venue Handelsgericht ZH/BE/GE or agreed canton +- Execution: Verify Kollektivunterschrift requirement in Handelsregister (zefix.ch) + +## nDSG Breach Notification Positions +- FDPIC notification: "As soon as possible" (nDSG Art. 24) — no strict deadline, + but target <72 h for GDPR parallel compliance +- GDPR Art. 33: 72-hour hard deadline from knowledge of breach (EU data subjects) +- Affected individuals: Notify if high risk; coordinate with FDPIC timing +- Pre-approved outside counsel: [Firm name and contact for breach response] +- Cyber insurer: [Policy number, breach notification hotline] + +## Response Templates +- DSR acknowledgment deadline: 30 days from receipt (nDSG Art. 25 para. 6) +- FDPIC inquiry: Mandatory escalation to outside Swiss counsel — no exceptions +- Litigation hold: ZPO Art. 158; route through external counsel for Anwaltsgeheimnis +``` + +### 3. Connect your tools + +Configure connections in `.mcp.json`. The plugin gracefully degrades when tools are unavailable. See [CONNECTORS.md](CONNECTORS.md) for supported integrations. + +--- + +## Commands + +### `/review-contract` — Swiss Contract Review + +Review a contract against your Swiss-law playbook (OR mandatory rules + organizational positions). Flags deviations, identifies void clauses (OR Art. 100), generates bilingual redlines, and provides business impact analysis. + +``` +/review-contract +``` + +Accepts file upload, URL, or pasted contract text. Will ask for context (your side, deadline, focus areas) and review clause-by-clause. Key Swiss checks include: +- OR Art. 100 mandatory liability floor (gross negligence/intent exclusion = void) +- URG default IP ownership analysis +- CISG exclusion verification +- Handelsregister / Kollektivunterschrift execution checklist +- nDSG/GDPR AV-Vereinbarung adequacy + +### `/triage-nda` — NDA Pre-Screening (Swiss OR) + +Rapid triage of incoming NDAs. Classifies as GREEN (standard approval route), YELLOW (specific issues for counsel review), or RED (material issues requiring full counsel attention). + +``` +/triage-nda +``` + +Swiss-specific checks include OR Art. 340–340c non-compete/non-solicit analysis, carveout completeness, Konventionalstrafe review (OR Art. 160/163), and Kollektivunterschrift verification. + +### `/vendor-check` — Swiss Vendor Agreement Status + +Check the status of existing agreements with a vendor, including UID/Handelsregister verification. + +``` +/vendor-check [vendor name] +``` + +Reports on existing NDAs, MSAs, AV-Vereinbarungen, expiration dates, MWST/VAT treatment, and key Swiss-law terms. Includes FINMA outsourcing compliance flag for financial-sector vendors. + +### `/brief` — Swiss Legal Team Briefing + +Generate contextual briefings calibrated to Swiss law and regulatory sources. + +``` +/brief daily # Morning brief: Bundesblatt, BGer/BVGer decisions, FDPIC, FINMA, WEKO updates +/brief topic [query] # Research brief on a Swiss legal question +/brief incident # Rapid brief on a developing situation (data breach, regulatory inquiry, etc.) +``` + +**Incident brief** (`/brief incident`) is designed for data breach scenarios: computes FDPIC nDSG Art. 24 and GDPR Art. 33 parallel notification deadlines, flags personal criminal liability under nDSG Art. 60–62, identifies VR notification duty (OR Art. 716a), and establishes Anwaltsgeheimnis priority. + +### `/respond` — Generate Swiss-Law Templated Response + +Generate a response from configured Swiss-law templates for common inquiry types. + +``` +/respond [inquiry-type] +``` + +Supported types: `dsr` (nDSG Art. 25 Auskunftsbegehren), `fdpic` (EDÖB inquiry — always escalates), `hold` (ZPO Beweissicherung), `vendor` (vendor legal question), `nda` (NDA request), `insurance` (VVG claim notification). **FDPIC and ZPO court order response types always trigger mandatory escalation to outside Swiss counsel.** + +--- + +## Skills + +| Skill | Description | Key Swiss law | +|-------|-------------|---------------| +| `contract-review` | Playbook-based contract analysis, OR mandatory law checks, redlines | OR Art. 100, URG, CISG, IPRG | +| `nda-triage` | NDA screening, classification, OR carveout completeness | OR Art. 340–340c, Art. 160/163 | +| `compliance` | nDSG/GDPR dual framework, AV-Vereinbarung review, breach protocols | nDSG Art. 9, 24, 25, 60–62; GDPR Art. 28, 33 | +| `canned-responses` | Swiss-law template management, DSR/FDPIC responses, escalation logic | nDSG Art. 25, VVG Art. 38, ZPO Art. 158 | +| `legal-risk-assessment` | Risk severity framework in CHF; VR liability; regulatory exposure | OR Art. 754, nDSG Art. 60–62, KG Art. 5/7 | +| `meeting-briefing` | Swiss meeting prep, Verwaltungsrat briefings, ZPO deadline tracking | OR Art. 716a, ZPO Art. 197ff | + +--- + +## Example Workflows + +### Contract Review (MSA with vendor) + +1. Receive a vendor MSA via email +2. Run `/review-contract` and upload the document +3. Provide context: "We are the customer, need to sign by end of quarter, focus on data protection and liability" +4. Receive clause-by-clause analysis with GREEN/YELLOW/RED flags +5. OR Art. 100 violations flagged as mandatory RED — non-negotiable Swiss law +6. Get specific bilingual redline language (German/English) for YELLOW and RED items +7. Verify counterparty signing authority at zefix.ch before execution + +### NDA Triage + +1. Sales team sends an NDA from a new prospect +2. Run `/triage-nda` and paste or upload the NDA +3. Get classification: GREEN (route for signature with Handelsregister check), YELLOW (specific issues), or RED (needs full counsel review with Swiss outside counsel) +4. For GREEN NDAs: verify Kollektivunterschrift at zefix.ch, then approve +5. For RED NDAs: engage SAV/FSA-admitted attorney + +### Data Breach Incident Brief + +1. SIEM alert fires — suspected data exfiltration +2. Run `/brief incident` and provide known facts +3. Receive immediate brief with: + - GDPR Art. 33 countdown (72-hour hard deadline from knowledge) + - FDPIC nDSG Art. 24 notification obligation ("as soon as possible") + - nDSG Art. 60 personal criminal liability flags for responsible individuals + - VR notification duty (OR Art. 716a) + - Anwaltsgeheimnis establishment checklist + - Parallel FDPIC + EU supervisory authority notification matrix +4. Use brief to brief CEO, General Counsel, and Verwaltungsrat + +### FDPIC Inquiry Response + +1. Receive FDPIC Sachverhaltsabklärung (Art. 49 nDSG) +2. Run `/respond fdpic` — plugin **immediately escalates** to outside Swiss counsel +3. Receive draft skeleton for counsel review only, marked "ENTWURF — NUR ZUR PRÜFUNG DURCH EXTERNEN RECHTSANWALT" +4. Route all further communications through external Rechtsanwalt to establish Anwaltsgeheimnis + +### Daily Brief + +1. Start morning with `/brief daily` +2. Receive: overnight Bundesblatt publications, new BGer/BVGer data protection decisions, FDPIC activity, FINMA circulars, WEKO press releases, upcoming contract/DSR/ZPO deadlines +3. Prioritize day based on Swiss-law statutory deadlines + +--- + +## Swiss-Specific Configuration Notes + +### Anwaltsgeheimnis (Swiss Attorney-Client Privilege) + +In Switzerland, attorney-client privilege (**Anwaltsgeheimnis**) applies **only** to admitted attorneys (*Rechtsanwälte/avocats/avvocati*, SAV/FSA members). In-house counsel communications are **not privileged** under Swiss law. This has several consequences for plugin use: + +- All FDPIC inquiry responses must be coordinated with external Swiss counsel +- All ZPO court order responses require external Swiss counsel — no exceptions +- Litigation hold notices should be prepared with external counsel for maximum protection +- Sensitive internal legal analyses (nDSG breach assessments, regulatory exposure) should be routed through external counsel when litigation is foreseeable + +### OR Art. 100 — Mandatory Liability Floor + +Under OR Art. 100, it is **void** to contractually exclude liability for intentional acts (*Absicht*) or gross negligence (*grobe Fahrlässigkeit*). Any contract clause attempting to do so — even if signed by both parties — is legally ineffective. The plugin flags these clauses as mandatory RED and generates Swiss-law savings clause language. + +### nDSG vs. GDPR Dual Compliance + +Swiss organizations processing personal data of EU residents are subject to **both** nDSG and GDPR simultaneously. Key differences: + +| Topic | nDSG | GDPR | +|-------|------|------| +| Breach notification to authority | "As soon as possible" (no strict deadline) | 72 hours (hard) | +| Breach notification to individuals | If high risk, without undue delay | If high risk, without undue delay | +| Penalty structure | CHF 250'000 per **individual** (not company) | Up to €20M / 4% global turnover | +| DPO mandatory | No (unless Canton/federal body) | Yes (for large-scale processing) | +| FDPIC adequacy list | Own list (see edoeb.admin.ch) | EU adequacy decisions | + +The plugin applies the stricter of the two frameworks by default. For breach notification, the GDPR 72-hour clock effectively governs because FDPIC notification "as soon as possible" will always be ≤72 hours in practice. + +--- + +## MCP Integration + +The plugin connects to your tools through MCP servers. See [CONNECTORS.md](CONNECTORS.md) for the full list. + +| Category | Examples | Purpose | +|----------|----------|---------| +| Chat | Slack, Teams | Team requests, incident coordination, triage | +| Cloud storage | Box, SharePoint | Playbooks, templates, contract repository | +| Office suite | Microsoft 365 | Email, calendar, documents | +| Project tracker | Atlassian (Jira/Confluence) | Matter tracking, DSR register, deadline calendar | +| Swiss registry | zefix.ch | Handelsregister / Kollektivunterschrift verification | + +--- + +## Sample Test Files + +The `samples/` directory contains realistic Swiss-law test documents for validating plugin behaviour: + +| File | Tests | Key issues | +|------|-------|------------| +| `sample-msa-ch.md` | `/review-contract` | OR Art. 100 violation; IP assignment; AI training on customer data; asymmetric termination | +| `sample-av-vereinbarung-ch.md` | `compliance` skill | Blanket sub-processor consent; 14-day breach notification; USA/India transfers without SCCs; CHF 10k liability cap including intent (OR Art. 100 void) | +| `sample-fdpic-inquiry-ch.md` | `/respond fdpic` | EDÖB Sachverhaltsabklärung EDÖB-2026-0412-CH; Auskunftsrecht violation; cross-border transfer gaps | +| `sample-data-breach-incident.md` | `/brief incident` | SQL injection; 47'000 records; GDPR 72h + FDPIC parallel notification; nDSG Art. 60 personal liability flags | + +--- + +## File Structure + +``` +legal-swiss/ +├── .claude-plugin/plugin.json +├── .mcp.json +├── README.md +├── CONNECTORS.md +├── commands/ +│ ├── brief.md # /brief daily | topic | incident +│ ├── respond.md # /respond dsr | fdpic | hold | vendor | nda | insurance +│ ├── review-contract.md # /review-contract +│ ├── triage-nda.md # /triage-nda +│ └── vendor-check.md # /vendor-check [vendor] +├── skills/ +│ ├── contract-review/SKILL.md +│ ├── nda-triage/SKILL.md +│ ├── compliance/SKILL.md +│ ├── canned-responses/SKILL.md +│ ├── legal-risk-assessment/SKILL.md +│ └── meeting-briefing/SKILL.md +└── samples/ + ├── sample-msa-ch.md + ├── sample-av-vereinbarung-ch.md + ├── sample-fdpic-inquiry-ch.md + └── sample-data-breach-incident.md +``` diff --git a/legal-swiss/commands/brief.md b/legal-swiss/commands/brief.md new file mode 100644 index 0000000..96c1716 --- /dev/null +++ b/legal-swiss/commands/brief.md @@ -0,0 +1,246 @@ +--- +description: Generate contextual briefings for legal work — daily summary, topic research, or incident response +argument-hint: "[daily | topic | incident]" +--- + +# /brief -- Legal Team Briefing (Swiss) + +> If you see unfamiliar placeholders or need to check which tools are connected, see [CONNECTORS.md](../CONNECTORS.md). + +Generate contextual briefings for legal work in a Swiss legal environment. Supports three modes: daily brief, topic brief, and incident brief. + +**Swiss legal context**: Swiss law is primarily governed by the Code of Obligations (OR/CO), the Civil Code (ZGB/CC), the Federal Act on Data Protection (nDSG/LPD, in force since 1 September 2023), and cantonal procedural law (ZPO/CPC). Regulatory oversight involves FDPIC/EDÖB (data protection), FINMA (financial markets), WEKO/COMCO (competition), and SECO. + +**Important**: This command assists with legal workflows but does not provide legal advice. Briefings should be reviewed by qualified legal professionals (Swiss attorney / Rechtsanwalt / avocat / avvocato) before being relied upon. + +## Invocation + +``` +/brief daily # Morning brief of legal-relevant items +/brief topic [query] # Research brief on a specific legal question +/brief incident [topic] # Rapid brief on a developing situation +``` + +If no mode is specified, ask the user which type of brief they need. + +## Modes + +--- + +### Daily Brief + +A morning summary of everything a Swiss legal team member needs to know to start their day. + +#### Sources to Scan + +Check each connected source for legal-relevant items: + +**Email (if connected):** +- New contract requests or review requests +- Compliance questions or reports (nDSG, GDPR for EU-related matters) +- Responses from counterparties on active negotiations +- Flagged or urgent items from the legal team inbox +- External counsel communications +- Regulatory or legal update newsletters (FDPIC decisions, FINMA circulars, BGer rulings, Federal Gazette / Bundesblatt) +- Cantonal court or arbitration hearing notices + +**Calendar (if connected):** +- Today's meetings that need legal prep (board meetings, deal reviews, vendor calls, Verwaltungsrat sessions) +- Upcoming deadlines this week: + - Contract expirations and auto-renewal notice windows + - Filing deadlines (Handelsregister, FDPIC, FINMA) + - Court deadlines (Fristen under ZPO, including Schlichtungsverhandlung dates) + - nDSG data breach notification follow-up obligations +- Recurring legal team syncs + +**Chat (if connected):** +- Overnight messages in legal team channels +- Direct messages requesting legal input +- Mentions of legal-relevant topics (Vertrag, Compliance, Datenschutz, NDA, nDSG, DSGVO, Haftung) +- Escalations or urgent requests + +**CLM (if connected):** +- Contracts awaiting review or signature +- Approaching expiration dates (next 30 days), especially those with auto-renewal (automatische Verlängerung) and short notice periods +- Newly executed agreements +- Contracts with CHF exposure above approval thresholds + +**CRM (if connected):** +- Deals moving to stages that require legal involvement +- New opportunities flagged for legal review + +#### Swiss-Specific Items to Check + +- **Federal Gazette (Bundesblatt / Feuille fédérale)**: New ordinances, Federal Council decisions, and consultation procedures (Vernehmlassungen) relevant to the business +- **FDPIC guidance**: New opinions or enforcement actions from the Federal Data Protection and Information Commissioner +- **FINMA circulars** (if applicable to the industry): New or updated regulatory requirements +- **BGer decisions** (Federal Supreme Court / Bundesgericht): Recent rulings affecting contract law (OR), data protection, or relevant sector +- **WEKO/COMCO**: Competition law developments +- **Commercial Register (Handelsregister)**: Changes to counterparty entities (new directors, capital changes, dissolution) +- **Swiss financial calendar**: CHF payment obligations, currency clauses (Valoränderungsklauseln) approaching reset dates + +#### Output Format + +``` +## Daily Legal Brief -- [Date] + +### Urgent / Action Required +[Items needing immediate attention, sorted by urgency] + +### Contract Pipeline +- **Awaiting Your Review**: [count and list] +- **Pending Counterparty Response**: [count and list] +- **Approaching Deadlines**: [items due this week, including auto-renewal notice windows] +- **CHF Exposure**: [contracts with material financial exposure] + +### New Requests +[Contract review requests, NDA requests, compliance questions received since last brief] + +### Calendar Today +[Meetings with legal relevance and what prep is needed; note language of meeting if multilingual] + +### Regulatory / Compliance +[nDSG/GDPR items; FINMA/FDPIC updates; Federal Gazette items; WEKO developments] + +### Team Activity +[Key messages or updates from legal team channels] + +### This Week's Deadlines +[Upcoming deadlines, court dates, filing dates, notice periods under contracts] + +### Sources Not Available +[Any sources that were not connected or returned errors] +``` + +--- + +### Topic Brief + +Research and brief on a specific legal question or topic across available sources. + +#### Workflow + +1. Accept the topic query from the user +2. Search across connected sources: + - **Documents**: Internal memos, prior analyses, playbooks, precedent, Swiss legal opinions (Rechtsgutachten) + - **Email**: Prior communications on the topic + - **Chat**: Team discussions about the topic + - **CLM**: Related contracts or clauses +3. Synthesize findings into a structured brief +4. For Swiss law questions, note the applicable legal source (OR, ZGB, nDSG, sector-specific act) and whether cantonal or federal law applies + +#### Output Format + +``` +## Topic Brief: [Topic] + +### Summary +[2-3 sentence executive summary of findings] + +### Swiss Legal Framework +[Applicable Swiss statutes (OR, ZGB, nDSG, FINMA regulations, etc.) and key provisions] +[Note if EU law (GDPR, EU directives) also applies due to cross-border activities] + +### Background +[Context and history from internal sources] + +### Current State +[What the organization's current position or approach is, based on available documents] + +### Key Considerations +[Important factors, risks, or open questions; note any cantonal law variations] + +### Internal Precedent +[Prior decisions, memos, or positions found in internal sources] + +### Gaps +[What information is missing or what sources were not available] + +### Recommended Next Steps +[What the user should do with this information; note when a Rechtsgutachten or outside counsel opinion is advisable] +``` + +#### Important Notes +- Topic briefs synthesize what is available in connected sources; they do not substitute for formal legal research +- For Swiss law questions, recommend consulting Swiss legal databases (Swisslex, Legalis, Klinika, Rechtsportal) or outside counsel +- For data protection topics, distinguish between Swiss nDSG (FDPIC oversight) and EU GDPR (relevant supervisory authority); both may apply +- Always note the limitations of the sources searched + +--- + +### Incident Brief + +Rapid briefing for developing situations that require immediate legal attention (data breaches, litigation threats, regulatory inquiries, IP disputes, competition investigations, etc.). + +#### Workflow + +1. Accept the incident topic or description +2. Rapidly scan all connected sources for relevant context: + - **Email**: Communications about the incident + - **Chat**: Real-time discussions and escalations + - **Documents**: Relevant policies, response plans, insurance coverage, contractual indemnification + - **Calendar**: Scheduled response meetings + - **CLM**: Affected contracts, indemnification provisions, insurance requirements +3. Identify Swiss-specific notification and response obligations +4. Compile into an actionable incident brief + +#### Output Format + +``` +## Incident Brief: [Topic] +**Prepared**: [timestamp] +**Classification**: [severity assessment if determinable] +**Privilege**: [Mark as "Anwaltsgeheimnis / Attorney-Client Privileged" if applicable] + +### Situation Summary +[What is known about the incident] + +### Timeline +[Chronological summary of events based on available sources] + +### Immediate Swiss Legal Obligations +**Data Breach (nDSG Art. 24)**: Notify FDPIC "as soon as possible" if breach is likely to lead to high risk to data subjects; notify affected individuals without undue delay if required for their protection +**Data Breach (GDPR Art. 33)**: If EU data involved, notify relevant supervisory authority within 72 hours +**Regulatory Notifications**: FINMA (if financial institution), or other sector regulator +**Litigation Hold**: Preserve evidence relevant to potential ZPO proceedings +**Criminal referral**: Consider whether Strafanzeige is warranted or expected +**Board notification**: Assess Verwaltungsrat notification duty under CO Art. 717 (duty of care) + +### Relevant Agreements +[Contracts, insurance policies (particularly D&O, cyber liability), or other agreements implicated] +[Note governing law and jurisdiction of each] + +### Internal Response +[What response activity has already occurred based on email/chat] + +### Key Contacts +[Relevant internal contacts, external Swiss counsel, FDPIC contact, applicable insurers] + +### Recommended Immediate Actions +1. [Most urgent action — with Swiss law basis] +2. [Second priority] +3. [etc.] + +### Information Gaps +[What is not yet known and needs to be determined] + +### Sources Checked +[What was searched and what was not available] +``` + +#### Important Notes for Incident Briefs +- Speed matters. Produce the brief quickly with available information rather than waiting for complete information +- **Swiss privilege**: In Switzerland, attorney-client privilege (Anwaltsgeheimnis) applies to admitted attorneys (Rechtsanwälte). In-house counsel communications may not be privileged in Swiss law — flag this if privilege is a concern +- **nDSG breach notification**: No strict 72-hour deadline (unlike GDPR), but notification to FDPIC should be "as soon as possible" when the risk threshold is met +- **GDPR 72-hour rule** still applies when the incident involves personal data of EU/EEA residents +- For data incidents involving both Swiss and EU data, the stricter GDPR 72-hour deadline effectively governs the timeline +- Flag competition law angles if the incident could attract WEKO attention (e.g., data sharing, price coordination) +- Recommend outside counsel (Swiss attorney) engagement for any ORANGE or RED severity incident + +## General Notes + +- Briefs should be actionable: every item should have a clear next step or reason for inclusion +- Keep briefs concise. Link to source materials rather than reproducing them in full +- Note the language of key documents (German / French / Italian / English) — translation may be needed for Swiss court proceedings +- For daily briefs, learn the user's preferences over time (what they find useful, what they want filtered out) +- If sources are unavailable, note the gaps prominently so the user knows what was not checked diff --git a/legal-swiss/commands/respond.md b/legal-swiss/commands/respond.md new file mode 100644 index 0000000..7bdc942 --- /dev/null +++ b/legal-swiss/commands/respond.md @@ -0,0 +1,234 @@ +--- +description: Generate a response to a common legal inquiry using configured templates +argument-hint: "[inquiry-type]" +--- + +# /respond -- Generate Response from Templates (Swiss) + +> If you see unfamiliar placeholders or need to check which tools are connected, see [CONNECTORS.md](../CONNECTORS.md). + +Generate a response to a common legal inquiry using configured templates. Customizes the response with specific details and includes escalation triggers for situations that should not use a templated response. + +**Swiss legal context**: Responses must comply with Swiss law defaults — nDSG for data protection matters, OR/ZGB for contract matters, and ZPO for procedural matters. Where EU individuals are involved, GDPR requirements may also apply in parallel. The supervisory authority for Swiss data protection is the FDPIC (Federal Data Protection and Information Commissioner / Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter / Préposé fédéral à la protection des données et à la transparence). + +**Important**: This command assists with legal workflows but does not provide legal advice. Generated responses should be reviewed by qualified Swiss legal professionals (Rechtsanwalt / avocat / avvocato) before being sent. Note that in-house counsel in Switzerland generally do not hold attorney-client privilege (Anwaltsgeheimnis) — privilege applies only to admitted attorneys. + +## Invocation + +``` +/respond [inquiry-type] +``` + +Common inquiry types: +- `dsr` or `data-subject-request` -- Data subject access/deletion/correction requests (nDSG / GDPR) +- `hold` or `litigation-hold` -- Litigation hold / Beweissicherungsanordnung notices +- `vendor` or `vendor-question` -- Vendor legal questions +- `nda` or `nda-request` -- NDA requests from business teams +- `privacy` or `privacy-inquiry` -- Privacy-related questions (nDSG / GDPR) +- `subpoena` or `editionsverfügung` -- Court production orders / subpoenas (ZPO / IMAC) +- `insurance` -- Insurance claim notifications (cyber, D&O, general liability) +- `fdpic` -- Response to FDPIC inquiry or consultation +- `custom` -- Use a custom template + +If no inquiry type is provided, ask the user what type of response they need and show available categories. + +## Workflow + +### Step 1: Identify Inquiry Type + +Accept the inquiry type from the user. If the type is ambiguous, show available categories and ask for clarification. + +### Step 2: Load Template + +Look for templates in local settings (e.g., `legal.local.md` or a templates directory). + +**If templates are configured:** +- Load the appropriate template for the inquiry type +- Identify required variables (recipient name, dates, specific details) +- Note the language requirement (German / French / Italian / English) based on the recipient's jurisdiction and the contract language clause + +**If no templates are configured:** +- Inform the user that no templates were found for this inquiry type +- Offer to help create a template (see Step 6) +- Provide a reasonable default response structure based on the inquiry type and Swiss law + +### Step 3: Check Escalation Triggers + +Before generating the response, evaluate whether this situation has characteristics that should NOT use a templated response: + +#### Data Subject Request Escalation Triggers (nDSG / GDPR) +- Request involves a minor's (Minderjährige) data +- Request is from the FDPIC, a cantonal supervisory authority, or other regulatory authority (not an individual data subject) +- Request involves data that is subject to a litigation hold (Beweissicherung) +- Requester is a current or former employee with an active dispute (HR matter, employment tribunal) +- Request scope is unusually broad or appears to be preparatory to litigation +- Request involves data processed in a jurisdiction with unique requirements (e.g., China PIPL, Russia) +- Request involves sensitive data (besonders schützenswerte Personendaten under nDSG Art. 5(c): health, religion, ethnicity, political opinions, criminal records, biometric, genetic data) +- Conflicting obligations: GDPR 30-day deadline vs. nDSG 30-day deadline both apply + +#### Litigation Hold Escalation Triggers +- The matter involves potential criminal liability under Swiss Criminal Code (StGB) or special criminal statutes +- The preservation scope is unclear or potentially conflicts with nDSG/GDPR deletion obligations +- Prior holds for the same or related matter exist (risk of inconsistency) +- The hold may affect ongoing business operations significantly +- The matter involves a ZPO Vorsorgliche Massnahme (interim measure) or Beweissicherungsklage (evidence preservation action) +- Cross-border e-discovery with US litigation (Swiss bank secrecy / Bankgeheimnis or blocking statute concerns) + +#### Vendor Question Escalation Triggers +- The question involves a dispute or potential breach under Swiss OR Art. 97ff. +- The vendor is threatening litigation or extraordinary termination (ausserordentliche Kündigung) +- The question involves FINMA regulatory compliance (if vendor is a financial institution or FINMA-supervised entity) +- The response could create a binding commitment (Vertragsangebot) under OR Art. 3ff. or a waiver +- The vendor holds sensitive personal data and the question touches on nDSG/GDPR compliance + +#### NDA Request Escalation Triggers +- The counterparty is a competitor (WEKO/competition law implications of information sharing) +- The NDA is for a potential M&A / Unternehmensübernahme transaction +- The NDA involves government-classified or national security information +- The request involves unusual subject matter (AI training data, biometric data under nDSG Art. 5(c)) +- The NDA purports to be governed by foreign law (review if Swiss mandatory provisions are displaced) + +#### FDPIC / Regulatory Inquiry Escalation Triggers +- **Always escalate to outside counsel for FDPIC sachverhaltsabklärungen (fact-finding inquiries) or Empfehlungen (recommendations)** +- Any FINMA enforcement or supervisory correspondence +- Any WEKO/COMCO competition authority inquiry + +**If an escalation trigger is detected:** +- Alert the user that this situation may not be appropriate for a templated response +- Explain which trigger was detected and why it matters under Swiss law +- Recommend the user consult with a senior team member or qualified Swiss outside counsel +- Offer to draft a preliminary response for counsel review rather than a final response +- Note if Anwaltsgeheimnis (attorney privilege) should be established by routing through outside counsel + +### Step 4: Gather Specific Details + +Prompt the user for the details needed to customize the response: + +**Data Subject Request (nDSG / GDPR):** +- Requester name, address, and identification +- Type of request: access (Auskunft, nDSG Art. 25), rectification (Berichtigung), deletion (Löschung), restriction of processing, portability, objection +- What data is involved and in which systems +- **Applicable regulation**: Swiss nDSG (if requester is in Switzerland), EU GDPR (if requester is EU/EEA resident), or both +- Response deadline: + - nDSG: 30 days from receipt (extendable with justification, nDSG Art. 25 para. 7) + - GDPR: 30 days from receipt (extendable by 60 days for complex requests with notice) +- FDPIC registration or prior inquiries on file? + +**Litigation Hold:** +- Matter name and reference number (Geschäftsnummer) +- Custodians (Verwahrer) — who needs to preserve +- Scope of preservation: date range, data types, systems (email, chat, shared drives, devices) +- Outside counsel (externe Anwaltskanzlei) contact and privilege considerations +- Effective date and acknowledgment deadline +- Note: Swiss ZPO Art. 261ff. governs interim measures including evidence preservation; OR Art. 55 burden of proof considerations + +**Vendor Question:** +- Vendor name and registered address (Handelsregister-Eintrag if available) +- Reference agreement (including governing law — Swiss OR vs. foreign law) +- Specific question being addressed +- Relevant contract provisions (cite article numbers if Swiss OR-governed) + +**NDA Request:** +- Requesting business team and contact +- Counterparty name, legal form (AG/GmbH/etc.), and jurisdiction of incorporation +- Purpose of the NDA (Vertraulichkeitszweck) +- Mutual (gegenseitig) or unilateral (einseitig); if unilateral, which party discloses +- Proposed governing law (recommend Swiss OR if counterparty is Swiss) +- Any special requirements (trade secrets, regulatory data, pricing information) + +### Step 5: Generate Response + +Populate the template with the gathered details. Ensure the response: +- Uses appropriate language (German / French / Italian / English based on relationship and contract terms) +- Uses professional Swiss legal tone: formal, precise, and unambiguous +- Includes all required legal elements for the response type under Swiss law +- References specific dates, deadlines, and obligations with the correct statutory basis +- For data protection responses: cites nDSG provisions (and GDPR provisions if applicable) +- Provides clear next steps for the recipient +- Includes appropriate disclaimers or caveats +- Notes any Anwaltsgeheimnis considerations + +Present the draft response to the user for review before sending. + +### Step 6: Template Creation (If No Template Exists) + +If the user wants to create a new template: + +1. Ask what type of inquiry the template is for +2. Ask which language(s) the template will be used in (German / French / Italian / English) +3. Ask for key elements that should be included, including applicable Swiss law provisions +4. Ask for tone and audience (internal vs. external, business vs. legal, individual vs. regulatory authority) +5. Draft a template with variable placeholders (e.g., `{{empfaenger_name}}`, `{{frist_datum}}`, `{{aktenzeichen}}`) +6. Include escalation triggers appropriate for the category under Swiss law +7. Present the template for review +8. Suggest the user save the approved template to their local settings for future use + +#### Swiss Template Format + +```markdown +## Template: [Category Name] / [Vorlagename] + +### Applicable Law +- [Swiss nDSG / OR / ZPO / etc.] +- [GDPR if EU data involved] + +### Escalation Triggers +- [Trigger 1] +- [Trigger 2] + +### Variables +- {{variable_1}}: [description / Beschreibung] +- {{variable_2}}: [description / Beschreibung] + +### Subject Line / Betreff +[Subject template] + +### Body / Text +[Response body with {{variables}}] + +### Required Enclosures / Beilagen +[Any standard documents to include] + +### Follow-Up / Folgenmassnahmen +[Standard follow-up actions after sending, including statutory tracking obligations] + +### Statutory Basis / Rechtsgrundlage +[Cite specific articles: nDSG Art. X, OR Art. Y, etc.] +``` + +## Output Format + +``` +## Generated Response: [Inquiry Type] + +**To / An**: [recipient / Empfänger] +**Subject / Betreff**: [subject line] +**Language / Sprache**: [German / French / Italian / English] +**Statutory Basis / Rechtsgrundlage**: [nDSG Art. X / OR Art. Y / etc.] + +--- + +[Response body] + +--- + +### Escalation Check / Eskalationsprüfung +[Confirmation that no escalation triggers were detected, OR flagged triggers with recommendations] + +### Response Deadline / Frist +[Applicable statutory deadline with basis; calendar reminder recommended] + +### Follow-Up Actions / Folgenmassnahmen +1. [Post-send actions] +2. [Calendar/Frist reminders to set — note Swiss Fristenberechnung rules under ZPO Art. 142ff.] +3. [Tracking or logging requirements, e.g., nDSG data subject request log] +``` + +## Notes + +- Always present the draft response for user review before suggesting it be sent +- If connected to email via MCP, offer to create a draft email with the response +- For nDSG data subject requests: recommend maintaining a request log (Auskunftsbegehren-Register) for compliance documentation +- For regulated responses (DSRs, FDPIC inquiries, ZPO production orders), always note the applicable deadline and statutory requirements +- Templates should be maintained in the applicable official language(s) of Switzerland; if the organization operates in multiple language regions, maintain parallel German / French versions at minimum +- Swiss professional standard: responses to regulators (FDPIC, FINMA) should always be routed through qualified outside counsel (Rechtsanwalt / avocat) to ensure Anwaltsgeheimnis protection diff --git a/legal-swiss/commands/review-contract.md b/legal-swiss/commands/review-contract.md new file mode 100644 index 0000000..242fb2d --- /dev/null +++ b/legal-swiss/commands/review-contract.md @@ -0,0 +1,210 @@ +--- +description: Review a contract against your organization's negotiation playbook — flag deviations, generate redlines, provide business impact analysis +argument-hint: "" +--- + +# /review-contract -- Contract Review Against Playbook (Swiss) + +> If you see unfamiliar placeholders or need to check which tools are connected, see [CONNECTORS.md](../CONNECTORS.md). + +Review a contract against your organization's negotiation playbook. Analyze each clause, flag deviations, generate redline suggestions, and provide business impact analysis. + +**Swiss legal framework**: Swiss contracts are primarily governed by the Code of Obligations (Obligationenrecht / OR / CO), the Civil Code (ZGB/CC), and sector-specific statutes. Key mandatory provisions that cannot be contracted away include: +- **OR Art. 100**: Cannot exclude liability for gross negligence (grobe Fahrlässigkeit) or intentional acts (Absicht); Art. 100 para. 2 allows exclusion of simple negligence only for non-regulated employment-type relationships +- **OR Art. 101**: Liability for auxiliary persons (Hilfspersonen) cannot be pre-excluded for intentional acts/gross negligence +- **OR Art. 19/20**: Contracts contrary to Swiss law, public policy (öffentliche Ordnung), or morality (Sittlichkeit) are void +- **nDSG**: Data protection obligations cannot be waived by contract + +**Important**: This command assists with legal workflows but does not provide legal advice. All analysis should be reviewed by qualified Swiss legal professionals (Rechtsanwalt / avocat / avvocato) before being relied upon. + +## Invocation + +``` +/review-contract +``` + +## Workflow + +### Step 1: Accept the Contract + +Accept the contract in any of these formats: +- **File upload**: PDF, DOCX, or other document format +- **URL**: Link to a contract in your CLM, cloud storage (e.g., SharePoint, OneDrive), or document system +- **Pasted text**: Contract text pasted directly into the conversation + +If no contract is provided, prompt the user to supply one. + +### Step 2: Gather Context + +Ask the user for context before beginning the review: + +1. **Which side are you on?** (Verkäufer/Lieferant, Käufer/Kunde, Lizenzgeber, Lizenznehmer, Partner — or other) +2. **Governing law**: Is this Swiss OR? Foreign law? Or unclear? (If foreign law, flag early — different mandatory provisions may apply) +3. **Contract language**: German / French / Italian / English? If not in the user's primary working language, translation may be needed for court proceedings +4. **Deadline**: When does this need to be finalized? (Affects prioritization) +5. **Focus areas**: Any specific concerns? (e.g., "data protection under nDSG is critical", "liability cap under OR Art. 100 concerns", "IP ownership under URG") +6. **Deal context**: CHF value, strategic importance, existing relationship, counterparty location (Switzerland / EU / other) +7. **Entity type**: Is the counterparty a Swiss AG/GmbH/other? Check Handelsregister entry for authority to sign + +If the user provides partial context, proceed with what you have and note assumptions. + +### Step 3: Load the Playbook + +Look for the organization's contract review playbook in local settings (e.g., `legal.local.md`). + +The playbook should define: +- **Standard positions**: The organization's preferred terms for each major clause type under Swiss law +- **Acceptable ranges**: Terms that can be agreed to without escalation +- **Escalation triggers**: Terms that require senior counsel review or outside Swiss counsel involvement +- **CHF thresholds**: Deal values that trigger different approval requirements + +**If no playbook is configured:** +- Inform the user that no playbook was found +- Offer two options: + 1. Help set up a Swiss-law playbook + 2. Proceed with Swiss commercial market standards as the baseline +- If proceeding generically, clearly note the review is based on Swiss commercial practice, not organizational positions + +### Step 4: Clause-by-Clause Analysis + +Analyze the contract systematically, covering at minimum: + +| Clause Category | Key Review Points (Swiss Law) | +|----------------|-------------------------------| +| **Limitation of Liability** | Cap amount (in CHF); OR Art. 100 mandatory floor (cannot exclude gross negligence/intent); mutual vs. unilateral; consequential damages exclusion validity under Swiss law | +| **Indemnification** | Scope; Swiss OR framework for indemnification (Schadloshaltung / garantie); cap; relation to OR Art. 101; procedure | +| **IP Ownership** | Pre-existing IP; work-for-hire (Swiss law: URG default is creator owns, not employer); license grants under URG; software: whether source code escrow needed | +| **Data Protection** | nDSG compliance; DPA/AV-Vereinbarung required if processor relationship; GDPR applicability (EU data subjects); FDPIC notification obligations; cross-border transfer mechanisms | +| **Confidentiality** | Scope; duration (Swiss courts enforce reasonable terms); standard carveouts; return/destruction; Note: Swiss employees have confidentiality duties under OR Art. 321a regardless | +| **Representations & Warranties** | Scope; Swiss warranty (Gewährleistung) rules under OR Art. 197ff. (sale) or Art. 367ff. (works contracts); contractual modification permitted within OR framework | +| **Term & Termination** | Duration; auto-renewal (automatische Verlängerung); notice periods (Kündigungsfristen); termination for cause (ausserordentliche Kündigung) under OR Art. 97; wind-down | +| **Governing Law & Dispute Resolution** | Swiss OR preferred; arbitration under Swiss Rules (SCAI) or ICC (Swiss seat) vs. cantonal courts; mandatory conciliation (Schlichtungsverfahren) under ZPO Art. 197ff. if litigation | +| **Insurance** | Coverage requirements; Swiss market norms; CHF minimums; evidence of coverage (Versicherungsbestätigung) | +| **Assignment** | Consent requirements; change of control; OR Art. 164ff. (assignment of claims); Note: Swiss law requires counterparty consent for assignment of contractual position unless otherwise agreed | +| **Force Majeure** | Scope; OR Art. 119 (Nachträgliche Unmöglichkeit); Swiss courts apply narrowly; COVID/supply chain precedents | +| **Payment Terms** | CHF or multi-currency; Swiss late payment interest (OR Art. 104: statutory 5% p.a.); MWST/VAT clause; MWST number (UID) references | +| **Competition / Non-Compete** | Swiss competition law (KG/LCart); WEKO implications; employee non-competes strictly regulated under OR Art. 340-340c | +| **Swiss-Specific Clauses** | AGB (General Terms) incorporation validity (OR Art. 1/8); entire agreement (Vollständigkeitsklausel); amendment formalities; signature authority (Handelsregister / Zeichnungsberechtigung) | + +For each clause, assess against the playbook (or Swiss market standards) and note whether it is present, absent, or unusual. + +### Step 5: Flag Deviations + +Classify each deviation from the playbook using a three-tier system: + +#### GREEN -- Acceptable +- Aligns with or is better than the organization's standard position under Swiss law +- Minor variations that are commercially reasonable +- No action needed; note for awareness + +#### YELLOW -- Negotiate +- Falls outside standard position but within negotiable range under Swiss practice +- Common in the Swiss market but not the organization's preference +- Requires attention but not escalation +- **Include**: Specific redline language to bring the term back to standard position (in the contract language) +- **Include**: Fallback position if counterparty pushes back +- **Include**: Business impact of accepting as-is vs. negotiating + +#### RED -- Escalate +- Falls outside acceptable range or conflicts with Swiss mandatory law (OR Art. 100, nDSG mandatory provisions, etc.) +- Unusual or aggressive terms that pose material risk under Swiss law +- Requires senior counsel review, outside Swiss counsel involvement, or business decision-maker sign-off +- **Include**: Why this is a RED flag (specific Swiss law risk) +- **Include**: Market-standard Swiss position +- **Include**: Business impact and potential CHF exposure +- **Include**: Recommended escalation path + +### Step 6: Generate Redline Suggestions + +For each YELLOW and RED deviation, provide: +- **Current language**: Quote the relevant contract text +- **Suggested redline**: Specific alternative language (in the contract's language — German / French / Italian / English) +- **Swiss law basis**: Cite the applicable OR/ZGB/nDSG provision if relevant +- **Rationale**: Brief explanation suitable for sharing with the counterparty's counsel +- **Priority**: Must-have / Should-have / Nice-to-have + +### Step 7: Business Impact Summary + +Provide a summary section covering: +- **Overall risk assessment**: High-level view of the contract's risk profile under Swiss law +- **OR Art. 100 compliance**: Confirm whether limitation of liability clauses comply with Swiss mandatory law +- **nDSG/GDPR compliance**: Confirm whether data protection provisions are adequate +- **Top 3 issues**: The most important items to address +- **Negotiation strategy**: Recommended approach for Swiss commercial negotiations (direct, precise, relationship-conscious) +- **CHF exposure**: Estimated maximum financial exposure under the contract +- **Timeline considerations**: Urgency factors; note any Verjährungsfristen (limitation periods) that may be running + +### Step 8: Execution Checklist + +Before signing, verify: +- [ ] Signatories have authority per Handelsregister (Zeichnungsberechtigung) +- [ ] Kollektivunterschrift (joint signature) requirements met if applicable +- [ ] Contract language agreed and any translation protocol established +- [ ] Stamped/dated originals required? (Swiss practice for certain contract types) +- [ ] MWST/VAT clauses correctly drafted if applicable +- [ ] nDSG AV-Vereinbarung (Data Processing Agreement) required and drafted? +- [ ] Insurance certificates obtained if required + +### Step 9: CLM Routing (If Connected) + +If a Contract Lifecycle Management system is connected via MCP: +- Recommend the appropriate approval workflow based on contract type, CHF value, and risk level +- Suggest the correct routing path per the organization's Unterschriftenregelung (signing authority matrix) +- Note any required approvals based on contract value or risk flags + +## Output Format + +``` +## Contract Review Summary / Vertragsprüfung + +**Document / Dokument**: [contract name/identifier] +**Parties / Parteien**: [party names, legal forms, and jurisdictions] +**Your Side / Ihre Position**: [vendor/customer/etc.] +**Governing Law / Anwendbares Recht**: [Swiss OR / Foreign law] +**Contract Language / Vertragssprache**: [German / French / Italian / English] +**Deadline / Frist**: [if provided] +**CHF Exposure**: [estimated maximum] +**Review Basis**: [Playbook / Swiss Commercial Standards] + +## Key Findings / Hauptbefunde + +[Top 3-5 issues with severity flags] + +## OR Art. 100 / Liability Cap Compliance +[Explicit confirmation or issue with Swiss mandatory limitation of liability rules] + +## Data Protection / Datenschutz +[nDSG and GDPR compliance assessment] + +## Clause-by-Clause Analysis / Klauselanalyse + +### [Clause Category] -- [GREEN/YELLOW/RED] +**Contract says / Vertragstext**: [summary of the provision] +**Swiss standard position**: [market standard or playbook position] +**Swiss law basis**: [OR Art. X / nDSG Art. Y / etc., if applicable] +**Deviation / Abweichung**: [description of gap] +**Business impact / Geschäftliche Auswirkung**: [what this means practically in CHF and operational terms] +**Redline suggestion**: [specific language, if YELLOW or RED] + +[Repeat for each major clause] + +## Negotiation Strategy / Verhandlungsstrategie + +[Recommended approach; Swiss negotiation culture note: direct, written record preferred, focus on precision] + +## Execution Checklist / Unterzeichnungsprüfung + +[Handelsregister check, signature authority, MWST, nDSG AV-Vereinbarung, etc.] + +## Next Steps / Nächste Schritte + +[Specific actions to take] +``` + +## Notes + +- If the contract is in German, French, or Italian, review in the original language; do not rely solely on unofficial translations +- For very long contracts (50+ pages), offer to focus on the most material sections first +- Always remind the user that this analysis should be reviewed by qualified Swiss legal counsel (Rechtsanwalt / avocat / avvocato) before being relied upon +- Swiss contract law tip: Oral modifications may be binding under OR Art. 115 unless the contract requires written amendments — flag if the contract lacks a written amendment clause +- For contracts with international counterparties, check whether the Vienna Convention on the International Sale of Goods (CISG / CISG) applies (Switzerland is a signatory) and whether it should be excluded diff --git a/legal-swiss/commands/triage-nda.md b/legal-swiss/commands/triage-nda.md new file mode 100644 index 0000000..437d5a7 --- /dev/null +++ b/legal-swiss/commands/triage-nda.md @@ -0,0 +1,195 @@ +--- +description: Rapidly triage an incoming NDA — classify as standard approval, counsel review, or full legal review +argument-hint: "" +--- + +# /triage-nda -- NDA Pre-Screening (Swiss) + +> If you see unfamiliar placeholders or need to check which tools are connected, see [CONNECTORS.md](../CONNECTORS.md). + +Rapidly triage incoming NDAs (Geheimhaltungsvereinbarungen / NDA / accord de confidentialité) against standard Swiss-law screening criteria. Classify the NDA for routing: standard approval, counsel review, or full legal review. + +**Swiss legal context**: Swiss NDAs are typically governed by the Swiss Code of Obligations (OR/CO). Key considerations include: +- Confidentiality obligations for employees are mandatory under OR Art. 321a regardless of any NDA +- Non-solicitation and non-compete provisions embedded in NDAs are governed by OR Art. 340-340c if they affect employees, and are strictly limited +- Swiss courts generally enforce reasonable NDAs but will not enforce unreasonably broad or perpetual obligations +- The Vienna Convention (CISG) does not apply to NDA-type agreements; Swiss OR governs +- Injunctive relief (superprovisorische Massnahme / vorsorgliche Massnahme) is available under ZPO Art. 261ff. for NDA breaches +- Swiss arbitration (SCAI / Swiss Chambers' Arbitration Institution, or ICC with Swiss seat) is preferred over cantonal courts for international NDAs + +**Important**: This command assists with legal workflows but does not provide legal advice. All analysis should be reviewed by qualified Swiss legal professionals before being relied upon. + +## Invocation + +``` +/triage-nda +``` + +## Workflow + +### Step 1: Accept the NDA + +Accept the NDA in any format: +- **File upload**: PDF, DOCX, or other document format +- **URL**: Link to the NDA in a document system +- **Pasted text**: NDA text pasted directly + +If no NDA is provided, prompt the user to supply one. + +Also collect: +- **Counterparty jurisdiction**: Swiss entity (AG/GmbH/other)? EU entity? Other? +- **Business purpose**: What is the information to be shared for? +- **Data involved**: Does the NDA cover personal data (Personendaten under nDSG Art. 5(a))? If so, note that nDSG obligations apply in addition to the NDA + +### Step 2: Load NDA Playbook + +Look for NDA screening criteria in local settings (e.g., `legal.local.md`). + +The NDA playbook should define: +- Mutual vs. unilateral requirements +- Acceptable term lengths under Swiss practice +- Required carveouts (per Swiss OR and commercial practice) +- Prohibited provisions (particularly competition clauses) +- Swiss law and jurisdiction requirements +- Approval thresholds and signing authority (per Handelsregister / Zeichnungsberechtigung) + +**If no NDA playbook is configured:** +- Proceed with Swiss market-standard defaults (described below) +- Note clearly that defaults are being used +- **Swiss defaults applied**: + - Mutual obligations required (unless the organization is only disclosing) + - Term: 2-3 years standard; trade secrets (Geschäftsgeheimnisse) may warrant longer but not perpetual + - Standard Swiss-law carveouts required (see Step 3) + - No non-solicitation or non-compete provisions (governed by OR Art. 340-340c for employment context; out of place in a commercial NDA) + - No residuals clause (or narrowly scoped to unaided memory only) + - Governing law: Swiss OR (Canton of [Zurich / Geneva / other as appropriate]) + - Dispute resolution: Swiss cantonal courts or SCAI arbitration + - Language: German, French, or English as appropriate + +### Step 3: Quick Screen + +Evaluate the NDA against each Swiss-law screening criterion: + +| Criterion | Swiss-Law Check | +|-----------|-----------------| +| **Mutual vs. Unilateral** | Are obligations mutual? If unilateral, is that appropriate for the relationship and does the disclosing party have legitimate interests? | +| **Definition of Confidential Information** | Reasonable scope under Swiss commercial practice? Not so broad as to capture publicly available information? | +| **Term** | Within acceptable Swiss range? Reasonable for the type of information? (2-3 years for general commercial info; longer for technical trade secrets) | +| **Standard Carveouts** | All required Swiss carveouts present? (independent development, public knowledge, prior possession, third-party receipt, legal compulsion) | +| **Permitted Disclosures** | Can share with employees (note OR Art. 321a employees already have statutory confidentiality duties), advisors, contractors with need to know? | +| **Return/Destruction** | Reasonable obligations on termination? Allows retention of copies required by law, compliance, or backup policy? | +| **Residuals** | If present, limited to unaided memory only? Does not apply to trade secrets or technical information? | +| **Non-Solicitation** | Any non-solicit provisions? — Flag for Swiss OR Art. 340-340c analysis (employment-specific rules) | +| **Non-Compete** | Any non-compete provisions? — Flag: governed by OR Art. 340-340c if employee involved; in commercial NDAs, non-competes should not appear | +| **Injunctive Relief** | Mutual? Swiss ZPO Art. 261ff. already provides for vorsorgliche Massnahmen — contractual acknowledgment is standard | +| **Governing Law** | Swiss OR preferred for Swiss parties; for international NDAs, Swiss law is favorable; flag if highly unfavorable foreign law | +| **Jurisdiction / Arbitration** | Swiss cantonal courts or SCAI/ICC arbitration? Flag mandatory conciliation (Schlichtungsverfahren) requirement under ZPO Art. 197ff. if litigation track | +| **Unusual Provisions** | Any non-standard clauses: exclusivity, audit rights, IP assignment, liquidated damages, penalty clauses (Konventionalstrafe under OR Art. 160)? | +| **nDSG / Data Protection** | If personal data is to be shared under the NDA, does the NDA address nDSG obligations? (A standalone DPA/AV-Vereinbarung may be needed) | + +### Step 4: Classify + +Based on the screening results, assign a classification: + +#### GREEN -- Standard Approval +All criteria met. NDA is Swiss-market-standard with no unusual provisions. +- **Route**: Can be approved and signed via standard process per Unterschriftenregelung (signing authority matrix) +- **Action**: Proceed to signature; ensure Handelsregister authority is confirmed for signatories on both sides +- **Note**: File executed copy in CLM with expiry reminder set + +#### YELLOW -- Counsel Review Needed +One or more criteria have minor deviations that need review but are potentially acceptable: +- Definition of confidential information is broader than ideal but not unreasonable under Swiss practice +- Term is longer than standard (4-5 years) but within Swiss market range for the information type +- Residuals clause present but limited to unaided memory with explicit trade secret carveout +- Minor jurisdiction preference issue (e.g., Geneva vs. Zurich — both acceptable Swiss forums) +- Missing one standard carveout that can easily be added +- Governing law is foreign (EU/UK) but the NDA is for a European counterparty (acceptable but needs review) +- **Route**: Flag specific issues for counsel review +- **Action**: Counsel can likely resolve in a single review pass; typical turnaround 1-2 business days + +#### RED -- Significant Issues +One or more criteria have material deviations that pose risk under Swiss law: +- Unilateral obligations when mutual is required +- Missing critical carveouts (especially independent development or legal compulsion) +- Non-solicitation or non-compete provisions embedded without OR Art. 340-340c compliance +- Unreasonable term (10+ years) or perpetual obligations beyond trade secret scope +- Overbroad definition that could capture public information or independently developed materials +- Broad residuals clause effectively licensing confidential information +- Liquidated damages / Konventionalstrafe clause that is unreasonably high (OR Art. 163 court may reduce) +- Audit rights without reasonable scope or notice +- IP assignment or license grant hidden in the NDA +- Highly unfavorable foreign jurisdiction with mandatory arbitration in an inconvenient seat +- **The document is not actually a standalone NDA** (contains commercial terms, exclusivity, IP, payment, or other substantive obligations) +- nDSG-sensitive data (besonders schützenswerte Personendaten) will be shared but the NDA has no data protection provisions +- **Route**: Full legal review required +- **Action**: Do not sign; requires negotiation, Swiss-law counterproposal, or rejection + +### Step 5: Generate Triage Report + +Output a structured report: + +``` +## NDA Triage Report / NDA-Prüfungsbericht + +**Classification / Klassifikation**: [GREEN / YELLOW / RED] +**Parties / Parteien**: [party names, legal forms (AG/GmbH), cantons/jurisdictions] +**Type / Typ**: [Mutual / Unilateral (disclosing) / Unilateral (receiving)] +**Term / Dauer**: [agreement term] / [confidentiality survival period] +**Governing Law / Anwendbares Recht**: [Swiss OR / Canton X / Foreign law] +**Dispute Resolution / Streitbeilegung**: [Cantonal courts / SCAI arbitration / ICC / other] +**Contract Language / Vertragssprache**: [German / French / Italian / English] +**Review Basis**: [Playbook / Swiss Market-Standard Defaults] + +## Screening Results / Prüfungsresultate + +| Criterion / Kriterium | Status | Notes / Anmerkungen | +|-----------|--------|-------| +| Mutual Obligations | [PASS/FLAG/FAIL] | [details] | +| Definition Scope | [PASS/FLAG/FAIL] | [details] | +| Term / Dauer | [PASS/FLAG/FAIL] | [details] | +| Standard Carveouts | [PASS/FLAG/FAIL] | [details] | +| Non-Compete / Non-Solicit | [PASS/FLAG/FAIL] | [details + OR Art. reference if flagged] | +| Governing Law | [PASS/FLAG/FAIL] | [details] | +| nDSG / Data Protection | [PASS/FLAG/FAIL] | [details] | +| [etc.] | | | + +## Issues Found / Festgestellte Probleme + +### [Issue 1 -- YELLOW/RED] +**What / Was**: [description] +**Swiss Law Risk / Schweizer Rechtsrisiko**: [what could go wrong; applicable OR/nDSG provision] +**Suggested Fix / Empfohlene Lösung**: [specific language or approach] + +[Repeat for each issue] + +## Recommendation / Empfehlung + +[Specific next step: approve, send for review with specific notes, or reject/counter] +[If RED: recommend sending organization's Swiss-law standard form NDA as counterproposal] + +## Signature Authority Check / Zeichnungsberechtigungsprüfung + +[Confirm that counterparty signatories have authority per Handelsregister / commercial register] +[Note if Kollektivunterschrift (joint signature) is required] + +## Next Steps / Nächste Schritte + +1. [Action item 1] +2. [Action item 2] +``` + +### Step 6: Routing Suggestion + +Based on the classification: +- **GREEN**: Proceed to signature per Unterschriftenregelung; confirm Handelsregister authority; file in CLM with expiry reminder +- **YELLOW**: Send to designated reviewer with specific issues flagged; include suggested redlines in the contract language; typical timeline 1-2 business days +- **RED**: Engage Swiss counsel for full review; prepare counterproposal using the organization's Swiss-law standard NDA form; do not sign until resolved + +## Notes + +- If the document is not actually a standalone NDA (contains exclusivity, pricing, IP rights, or other commercial terms), flag as RED and recommend full contract review under /review-contract +- For NDAs that are part of a larger Swiss law agreement (e.g., Vertraulichkeitsklausel in an MSA), note that the broader agreement context and OR provisions affect the analysis +- For M&A / Unternehmenskauf context: NDAs should include standstill provisions and may be subject to special regulatory considerations (e.g., FINMA prior approval if financial institutions involved) +- Always note that this is a screening tool and qualified Swiss counsel should review any items the user is uncertain about +- Swiss tip: File the executed NDA in the Handelsregister-verified counterparty's folder and set calendar reminders for (a) the end of the NDA term, (b) any auto-renewal dates, and (c) the confidentiality survival period expiry diff --git a/legal-swiss/commands/vendor-check.md b/legal-swiss/commands/vendor-check.md new file mode 100644 index 0000000..23271d1 --- /dev/null +++ b/legal-swiss/commands/vendor-check.md @@ -0,0 +1,209 @@ +--- +description: Check the status of existing agreements with a vendor across all connected systems +argument-hint: "[vendor name]" +--- + +# /vendor-check -- Vendor Agreement Status (Swiss) + +> If you see unfamiliar placeholders or need to check which tools are connected, see [CONNECTORS.md](../CONNECTORS.md). + +Check the status of existing agreements with a vendor across all connected systems. Provides a consolidated view of the legal relationship under Swiss law. + +**Swiss legal context**: Swiss vendor relationships involve: +- **Handelsregister (HR)**: Commercial register for verifying Swiss entity legal status, registered address, and authorized signatories (Zeichnungsberechtigte) +- **UID (Unternehmens-Identifikationsnummer)**: Swiss company number for legal entity verification +- **MWST (Mehrwertsteuer / TVA)**: Swiss VAT number and obligations under MWSTG +- **Swiss OR**: Governing contract law for Swiss-law agreements +- **nDSG**: Data protection compliance requirements for vendors who process personal data +- **FINMA**: Regulatory requirements for vendors to financial institutions (e.g., outsourcing under FINMA Circular 2023/1) +- **SIA / SFC norms**: Standard terms for construction, engineering, or other professional services if applicable + +**Important**: This command assists with legal workflows but does not provide legal advice. Agreement status reports should be verified against original documents by qualified Swiss legal professionals. + +## Invocation + +``` +/vendor-check [vendor name] +``` + +If no vendor name is provided, prompt the user to specify which vendor to check. + +## Workflow + +### Step 1: Identify the Vendor + +Accept the vendor name from the user. Handle common variations: +- Full legal name vs. trade name (e.g., "UBS AG" vs. "UBS") +- Swiss entity designations (AG, GmbH, Genossenschaft, Kollektivgesellschaft, Kommanditgesellschaft, Stiftung, Verein) +- Parent/subsidiary relationships; note that Swiss group structures often use separate AG/GmbH entities per canton or function +- International entities with Swiss branches (Zweigniederlassung) +- UID (Unternehmens-Identifikationsnummer) if provided + +Ask the user to clarify if the vendor name is ambiguous or if there are multiple entities in a group. + +**Swiss tip**: Before proceeding, recommend checking the Handelsregister (zefix.ch) to confirm: +- Current legal name and registered address +- Legal form (AG, GmbH, etc.) +- Authorized signatories (Zeichnungsberechtigte) and their signing authority (Einzelunterschrift / Kollektivunterschrift) +- Whether any Konkurs (bankruptcy), Liquidation, or Nachlassverfahren (composition proceedings) are pending + +### Step 2: Search Connected Systems + +Search for the vendor across all available connected systems, in priority order: + +#### CLM (Contract Lifecycle Management) -- If Connected +Search for all contracts involving the vendor: +- Active agreements (aktive Verträge) +- Expired agreements (last 3 years) — note: Swiss OR Art. 127 general limitation period is 10 years; some claims may survive expiry +- Agreements in negotiation or pending signature (Unterschrift) +- Amendments (Vertragsänderungen) and addenda +- Note CHF value and any value-added tax (MWST) provisions + +#### CRM -- If Connected +Search for the vendor/account record: +- Account status and relationship type +- Associated opportunities or projects +- Contact information for vendor's legal/contracts/Einkauf team +- Payment history (relevant for assessing relationship health) + +#### Email -- If Connected +Search for recent relevant correspondence: +- Contract-related emails (last 6 months) +- NDA, MSA, DPA attachments +- Negotiation threads +- Compliance certifications or audit reports shared by vendor + +#### Documents (e.g., SharePoint, OneDrive) -- If Connected +Search for: +- Executed agreements (unterzeichnete Verträge) +- Redlines and drafts +- Due diligence materials +- Insurance certificates (Versicherungsbestätigungen) +- FINMA outsourcing documentation if applicable + +#### Chat (e.g., Teams, Slack) -- If Connected +Search for recent mentions: +- Contract requests involving this vendor +- Legal or compliance questions about the vendor +- Relevant team discussions (last 3 months) +- Issues, disputes, or escalations involving the vendor + +### Step 3: Compile Agreement Status + +For each agreement found, report: + +| Field | Details | +|-------|---------| +| **Agreement Type** | NDA/GhV, MSA/Rahmenvertrag, SOW/Auftrag, DPA/AV-Vereinbarung, SLA, License/Lizenzvertrag, Distribution/Vertriebsvertrag, etc. | +| **Status** | Active / Expired / In Negotiation / Pending Signature (Unterschrift ausstehend) | +| **Governing Law** | Swiss OR (which canton?) / Foreign law | +| **Contract Language** | German / French / Italian / English | +| **Effective Date** | When the agreement started (Vertragsbeginn) | +| **Expiration Date** | When it expires or renews (Vertragsende / Verlängerungsdatum) | +| **Auto-Renewal** | Yes/No; renewal term; notice period (Kündigungsfrist) — flag short notice windows | +| **CHF Value** | Contract value or annual fee in CHF; note any CHF/EUR/USD conversion clauses | +| **Key Terms** | Liability cap (in CHF); governing law; termination provisions; MWST treatment | +| **Amendments** | Any amendments (Nachträge) or addenda on file | +| **nDSG/GDPR Status** | Does vendor process personal data? AV-Vereinbarung / DPA in place? | +| **FINMA Status** | If regulated industry: outsourcing agreement per FINMA Circular 2023/1 requirements? | +| **Signature Authority** | Were the signatories authorized per Handelsregister at time of signing? | + +### Step 4: Gap Analysis + +Identify what agreements exist and what might be missing for a complete Swiss law relationship: + +``` +## Agreement Coverage / Vertragsdeckung + +[✓/✗] NDA / Geheimhaltungsvereinbarung -- [status] +[✓/✗] MSA / Rahmenvertrag -- [status or "Not found"] +[✓/✗] DPA / AV-Vereinbarung (nDSG Art. 9) -- [status or "Not found — assess if required"] +[✓/✗] SOW / Auftrag or Werkvertrag -- [status or "Not found"] +[✓/✗] SLA / Service Level Agreement -- [status or "Not found"] +[✓/✗] Insurance Certificate / Versicherungsbestätigung -- [status or "Not found"] +[✓/✗] FINMA Outsourcing Agreement -- [status or "N/A — not regulated industry"] +[✓/✗] MWST / VAT clause in main agreement -- [present/absent] +``` + +Flag any gaps that may be needed based on the relationship type: +- If vendor handles personal data (Personendaten) → AV-Vereinbarung under nDSG Art. 9 required +- If vendor handles personal data of EU residents → GDPR-compliant DPA required +- If the organization is FINMA-supervised and vendor provides critical outsourced services → FINMA outsourcing compliance required +- If vendor provides services above CHF 230,000 (approximate public procurement threshold) → check whether public procurement rules (BöB/IVöB) apply + +### Step 5: Generate Report + +Output a consolidated report: + +``` +## Vendor Agreement Status / Lieferantenstatus: [Vendor Name] + +**Search Date / Datum**: [today's date] +**Sources Checked / Geprüfte Quellen**: [list of systems searched] +**Sources Unavailable / Nicht verfügbare Quellen**: [list of systems not connected] + +## Relationship Overview / Beziehungsübersicht + +**Vendor / Lieferant**: [full legal name, legal form, UID if known] +**Handelsregister Status**: [active/dissolved/in liquidation — zefix.ch verification recommended] +**Registered Address / Domizil**: [registered canton and address] +**Relationship Type**: [vendor/partner/customer/outsourcing provider/etc.] +**CRM Status**: [if available] + +## Agreement Summary / Vertragsübersicht + +### [Agreement Type / Vertragstyp] -- [Status] +- **Effective / Beginn**: [date] +- **Expires / Ende**: [date] ([auto-renews / does not auto-renew]) +- **Notice Period / Kündigungsfrist**: [period — flag if short] +- **Governing Law / Anwendbares Recht**: [Swiss OR / Canton X / Foreign law] +- **CHF Value**: [annual / total value] +- **Key Terms / Wesentliche Bedingungen**: [liability cap in CHF, key obligations] +- **Location / Ablageort**: [where the executed copy is stored] + +### [Agreement Type 2] -- [Status] +[etc.] + +## Gap Analysis / Lückenanalyse + +[What's in place vs. what may be needed under Swiss law] +[Highlight: nDSG AV-Vereinbarung, FINMA outsourcing, insurance gaps] + +## Upcoming Actions / Anstehende Massnahmen + +- [Approaching expirations — with Kündigungsfrist notice dates] +- [Auto-renewal notice deadlines — flag any within 90 days] +- [Required agreements not yet in place — with Swiss law basis for requirement] +- [MWST / UID verification if applicable] +- [Handelsregister change notifications (e.g., new director, address change)] + +## Compliance Status / Compliance-Status + +[nDSG / GDPR data processing: AV-Vereinbarung status] +[FINMA outsourcing: compliance status if applicable] +[Insurance certificates: current or expired?] + +## Notes / Anmerkungen + +[Any relevant context from email/chat searches] +[Note any disputed matters, open negotiations, or relationship issues] +``` + +### Step 6: Handle Missing Sources + +If key systems are not connected via MCP: + +- **No CLM**: Note that no CLM is connected. Suggest the user check their CLM manually and verify via Handelsregister (zefix.ch) for any registered rights/charges. Report what was found in other systems. +- **No CRM**: Skip CRM context. Note the gap. +- **No Email**: Note that email was not searched. Suggest the user search for "[vendor name] Vertrag" or "[vendor name] NDA". +- **No Documents**: Note that document storage was not searched. + +Always clearly state which sources were checked and which were not, so the user knows the completeness of the report. + +## Notes + +- If no agreements are found in any connected system, report that clearly and ask the user if they have agreements stored in physical files (Swiss practice still uses paper originals for some agreement types) or other document systems +- For vendor groups (e.g., Swiss holding company with operating subsidiaries), ask whether the user wants to check a specific entity or the entire group; note that Swiss holding/operating structures often require agreements to be with the specific contracting entity +- Flag any agreements that are expired but may still have surviving obligations under Swiss OR (confidentiality, indemnification, post-contractual obligations under OR Art. 97ff.) +- If an agreement is approaching expiration (within 90 days), or a Kündigungsfrist window is closing (within 90 days of notice deadline), highlight this prominently +- Swiss practical note: For significant vendor relationships, recommend conducting an annual Vertragsreview to catch expiring agreements, update AV-Vereinbarungen for nDSG compliance, and refresh insurance certificate requirements diff --git a/legal-swiss/samples/sample-av-vereinbarung-ch.md b/legal-swiss/samples/sample-av-vereinbarung-ch.md new file mode 100644 index 0000000..fe024b4 --- /dev/null +++ b/legal-swiss/samples/sample-av-vereinbarung-ch.md @@ -0,0 +1,85 @@ +# Sample AV-Vereinbarung / Data Processing Agreement — For Testing compliance skill + +## AUFTRAGSBEARBEITUNGSVERTRAG / DATA PROCESSING AGREEMENT + +**Zwischen / Between:** +- **TechVendor AG**, Technoparkstrasse 1, 8005 Zürich, CHE-123.456.789 ("Auftragsbearbeiter / Processor") +- **KundenCo AG**, Paradeplatz 8, 8001 Zürich, CHE-987.654.321 ("Verantwortlicher / Controller") + +**Datum / Date:** 1. März 2025 +**Bezug / Reference:** Rahmendienstleistungsvertrag vom 1. März 2025 + +--- + +### Art. 1 — Gegenstand und Zweck / Subject Matter and Purpose + +1.1 Der Auftragsbearbeiter verarbeitet Personendaten im Auftrag des Verantwortlichen gemäss den Bestimmungen dieses Vertrages. + +1.2 Zweck der Datenbearbeitung: Erbringung von IT-Entwicklungs- und Supportdienstleistungen gemäss dem Hauptvertrag. + +--- + +### Art. 2 — Art der Personendaten und Kategorien betroffener Personen + +2.1 Folgende Kategorien von Personendaten werden verarbeitet: +- Kontaktdaten (Name, E-Mail, Telefon) von Mitarbeitenden des Verantwortlichen +- Kundendaten (Name, Adresse, Transaktionsdaten) +- Nach Bedarf weitere Daten, die der Verantwortliche dem Auftragsbearbeiter übermittelt + +2.2 Kategorien betroffener Personen: Mitarbeitende und Kunden des Verantwortlichen. + +--- + +### Art. 3 — Pflichten des Auftragsbearbeiters / Processor Obligations + +3.1 **Weisungsgebundenheit**: Der Auftragsbearbeiter verarbeitet Personendaten ausschliesslich gemäss den schriftlichen Weisungen des Verantwortlichen, es sei denn, er ist gesetzlich zur Verarbeitung verpflichtet. + +3.2 **Vertraulichkeit**: Der Auftragsbearbeiter stellt sicher, dass die zur Verarbeitung befugten Personen zur Vertraulichkeit verpflichtet sind. + +3.3 **Technische und organisatorische Massnahmen**: Der Auftragsbearbeiter trifft geeignete technische und organisatorische Massnahmen zur Sicherung der Personendaten. Details werden in einem separaten Sicherheitskonzept festgehalten, welches auf Anfrage zur Verfügung gestellt wird. + +3.4 **Unterauftragsbearbeiter**: Der Auftragsbearbeiter ist berechtigt, Unterauftragsbearbeiter einzusetzen. Der Verantwortliche erklärt sich mit dem Einsatz aller bestehenden und zukünftigen Unterauftragsbearbeiter pauschal einverstanden. Eine Mitteilungspflicht gegenüber dem Verantwortlichen besteht nicht. + +3.5 **Unterstützung bei Betroffenenrechten**: Der Auftragsbearbeiter unterstützt den Verantwortlichen bei der Erfüllung von Anfragen betroffener Personen, soweit dies technisch möglich und zumutbar ist. + +3.6 **Löschung und Rückgabe**: Nach Beendigung des Hauptvertrages löscht der Auftragsbearbeiter alle Personendaten innerhalb von 180 Tagen, sofern keine gesetzliche Aufbewahrungspflicht besteht. + +3.7 **Prüfungsrechte**: Der Verantwortliche kann Prüfungen durch Dritte auf eigene Kosten ankündigen. Der Auftragsbearbeiter ist berechtigt, Prüfungen auf eine jährliche Überprüfung des SOC 2-Berichts zu beschränken. Physische Vor-Ort-Prüfungen sind ausgeschlossen. + +3.8 **Meldung von Datenpannen**: Der Auftragsbearbeiter meldet dem Verantwortlichen Datensicherheitsverletzungen innerhalb von 14 Tagen nach Feststellung. + +--- + +### Art. 4 — Grenzüberschreitende Bekanntgabe / Cross-Border Transfers + +4.1 Der Auftragsbearbeiter ist berechtigt, Personendaten in folgende Länder zu übermitteln: Europäische Union, Vereinigte Staaten von Amerika, Indien, sonstige Länder nach Bedarf. + +4.2 Für Übermittlungen in die USA und nach Indien gilt der Auftragsbearbeiter als hinreichend gesichert durch seine internen Datenschutzrichtlinien. + +4.3 Standardvertragsklauseln werden auf Anfrage zur Verfügung gestellt. + +--- + +### Art. 5 — Besonders schützenswerte Personendaten + +5.1 Die Verarbeitung besonders schützenswerter Personendaten (Art. 5 lit. c nDSG) ist im Rahmen dieses Vertrages nicht vorgesehen, es sei denn, der Verantwortliche übermittelt solche Daten im Rahmen der Dienstleistungserbringung. + +--- + +### Art. 6 — Anwendbares Recht + +6.1 Dieser Vertrag untersteht schweizerischem Recht, insbesondere dem Bundesgesetz über den Datenschutz (nDSG). + +6.2 Bei Widersprüchen zwischen diesem Vertrag und der Datenschutz-Grundverordnung (DSGVO) der Europäischen Union hat die DSGVO keinen Vorrang. + +--- + +### Art. 7 — Haftung + +7.1 Die Haftung des Auftragsbearbeiters im Zusammenhang mit diesem Vertrag ist auf CHF 10'000 begrenzt, unabhängig vom Rechtsgrund, einschliesslich Absicht und grober Fahrlässigkeit. + +--- + +_TechVendor AG_: _________________________ Datum: _________ + +_KundenCo AG_: _________________________ Datum: _________ diff --git a/legal-swiss/samples/sample-data-breach-incident.md b/legal-swiss/samples/sample-data-breach-incident.md new file mode 100644 index 0000000..b560940 --- /dev/null +++ b/legal-swiss/samples/sample-data-breach-incident.md @@ -0,0 +1,84 @@ +# Sample Data Breach Incident — For Testing /brief incident + +## Incident Context + +**Company**: KundenCo AG, Paradeplatz 8, 8001 Zürich +**Discovery**: Dienstag, 18. Februar 2026, 23:47 Uhr (MEZ) +**Discovered by**: Pascal Steiner, Head of IT Security + +--- + +## Known Facts at Time of Discovery + +### What happened +At 23:47 on Tuesday 18 February 2026, KundenCo AG's SIEM system (hosted by TechVendor AG in +their US-based data centre) triggered an alert for anomalous data exfiltration from the +production database. Initial forensic review by the on-call engineer (Pascal Steiner) +confirmed that an unauthorised third party had accessed the production database between +14:00 and 23:30 on 18 February 2026 — approximately 9.5 hours. + +### Data confirmed or suspected compromised + +**Confirmed exfiltrated (log evidence):** +- Full name, email address, postal address, date of birth: 47,000 customer records +- IBAN and account numbers (partial — last 4 digits masked in logs, but full numbers + potentially in unmasked database tables): estimated 12,000 records +- Login credentials (email + bcrypt password hash): 47,000 records +- Internal employee directory: 312 employees (name, title, internal email, mobile number) + +**Suspected but unconfirmed:** +- Health insurance data for approximately 800 corporate clients processed via + KundenCo AG's HR platform module (besonders schützenswerte Personendaten per Art. 5 lit. c nDSG) +- Tax identification numbers (AHV-Nummer / Sozialversicherungsnummer) for employees in the payroll module + +### Attack vector (preliminary) +A SQL injection vulnerability in TechVendor AG's recently deployed API update +(deployed 17 February 2026) appears to be the entry point. The vulnerability was +in a publicly accessible endpoint. No prior detection; first alert at 23:47. + +### Affected systems +- Production CRM database (Microsoft Azure, region: East US) +- HR platform module (same Azure environment) +- Authentication database + +### Data subjects affected +- Swiss residents: ~38,000 estimated +- EU residents (Germany, France, Austria): ~9,000 estimated +- Other: ~312 employees (Swiss-based) + +### Current status at time of incident brief request +- Attack vector: patched by TechVendor AG at 01:15, 19 February 2026 +- Database: taken offline at 00:30, 19 February 2026; not yet restored +- Forensic investigation: ongoing (TechVendor AG internal + KundenCo AG IT) +- Outside counsel: not yet engaged +- Insurers: not yet notified +- FDPIC: not yet notified +- Any EU supervisory authority: not yet notified +- Affected individuals: not yet notified +- Internal communications: Slack thread in #it-security channel (potentially accessible + to all 312 employees) +- Media: no contact yet; situation not yet public +- Time since discovery: 4 hours 13 minutes (brief requested at 04:00, 19 February 2026) + +--- + +## Internal Communications Snapshot (from Slack #it-security) + +> **Pascal Steiner** [23:47]: "Alert from SIEM — looks like we have a live breach on prod DB. +> Pulling logs now." + +> **Pascal Steiner** [00:12]: "Confirmed. SQL injection via the new TechVendor API. +> Data going out since 14:00 today. 47k customer records minimum. Possibly IBANs and health data." + +> **Lea Keller (CTO)** [00:18]: "How is this possible?? TechVendor just deployed yesterday. +> Did we test this?" + +> **Pascal Steiner** [00:22]: "No pen test was done before deployment per TechVendor. +> They said it was a minor update." + +> **Lea Keller** [00:31]: "Taking DB offline now. Do NOT tell anyone outside this channel yet. +> We need to assess before this gets out." + +> **Marco Bernasconi (CFO)** [01:45]: "What's our GDPR exposure here? Can we keep this quiet?" + +> **Lea Keller** [02:10]: "Legal needs to know. Who's calling Sabine [General Counsel]?" diff --git a/legal-swiss/samples/sample-fdpic-inquiry-ch.md b/legal-swiss/samples/sample-fdpic-inquiry-ch.md new file mode 100644 index 0000000..4051ee0 --- /dev/null +++ b/legal-swiss/samples/sample-fdpic-inquiry-ch.md @@ -0,0 +1,85 @@ +# Sample FDPIC Sachverhaltsabklärung — For Testing compliance skill + +--- + +**Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB)** +Feldeggweg 1 +CH-3003 Bern + +**Per Einschreiben / Recommandé** + +Bern, 14. Februar 2026 +Aktenzeichen / Référence: EDÖB-2026-0412-CH + +--- + +**An / À:** +KundenCo AG +z.H. Rechtsabteilung / Datenschutzverantwortlicher +Paradeplatz 8 +8001 Zürich + +--- + +## Sachverhaltsabklärung gemäss Art. 49 Abs. 1 nDSG + +**Betreff: Beschwerde betreffend Auskunftsverweigerung und grenzüberschreitende Datenbekanntgabe** + +Sehr geehrte Damen und Herren + +Der Eidgenössische Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB) hat eine Beschwerde von Herrn **Marc Dubois**, wohnhaft in Genf, erhalten, in der er geltend macht: + +**1. Verletzung des Auskunftsrechts (Art. 25 nDSG)** +Herr Dubois habe am 3. Oktober 2025 ein schriftliches Auskunftsbegehren gemäss Art. 25 nDSG an KundenCo AG gestellt. Bis zum heutigen Datum — mehr als vier Monate später — habe er keine Antwort erhalten. Die gesetzliche Frist von 30 Tagen (Art. 25 Abs. 6 nDSG) sei damit erheblich überschritten. + +**2. Grenzüberschreitende Datenbekanntgabe ohne angemessenen Schutz (Art. 16–17 nDSG)** +Herr Dubois habe Kenntnis erhalten, dass seine Personendaten durch KundenCo AG an einen Dienstleister mit Sitz in den Vereinigten Staaten von Amerika und in Indien weitergegeben werden, ohne dass ein angemessener Datenschutz sichergestellt sei. Die USA und Indien figurieren nicht auf der FDPIC-Länderliste mit angemessenem Datenschutz. + +**3. Fehlende Datenschutzerklärung (Art. 19 nDSG)** +Die Datenschutzerklärung auf der Website von KundenCo AG erwähne keine grenzüberschreitenden Datenbekanntgaben in Drittstaaten, obwohl solche stattfänden. + +--- + +## Aufforderung zur Stellungnahme + +Gestützt auf Art. 49 Abs. 1 des Bundesgesetzes über den Datenschutz (nDSG) fordert der EDÖB KundenCo AG auf, innert **30 Tagen** ab Erhalt dieses Schreibens eine schriftliche Stellungnahme einzureichen und folgende Unterlagen vorzulegen: + +**Zu Punkt 1 — Auskunftsbegehren:** +a) Kopie des Auskunftsbegehrens von Herrn Dubois vom 3. Oktober 2025 (oder Nachweis des Empfangs) +b) Nachweis der Antwort an Herrn Dubois, falls eine solche erteilt wurde +c) Falls keine Antwort erteilt wurde: Begründung der Fristüberschreitung +d) Beschreibung des internen Prozesses zur Bearbeitung von Auskunftsbegehren + +**Zu Punkt 2 — Grenzüberschreitende Datenbekanntgabe:** +a) Vollständige Liste der Empfänger von Personendaten in Drittstaaten (Länder ohne angemessenen Datenschutz) +b) Nachweis der implementierten Übermittlungsgarantien (Standarddatenschutzklauseln, BCR o.ä.) für jeden Empfänger +c) Kopie des / der abgeschlossenen Auftragsbearbeitungsverträge (Art. 9 nDSG) mit den betreffenden Dienstleistern +d) Transfer Impact Assessments, soweit vorhanden + +**Zu Punkt 3 — Datenschutzerklärung:** +a) Aktueller Link zur Datenschutzerklärung auf der Website +b) Falls die Datenschutzerklärung unvollständig ist: Zeitplan für Aktualisierung + +--- + +## Rechtliche Hinweise + +Der EDÖB weist darauf hin, dass: +- Bei festgestellten Verletzungen des nDSG eine **Empfehlung** gemäss Art. 51 nDSG erlassen werden kann +- Wird einer Empfehlung nicht Folge geleistet, kann der EDÖB die Sache der **Öffentlichkeit bekannt machen** (Art. 51 Abs. 6 nDSG) oder an das **Bundesverwaltungsgericht** weiterleiten +- Individuelle Pflichtverletzungen können strafrechtliche Konsequenzen nach sich ziehen (**Art. 60–62 nDSG**, Busse bis CHF 250'000) + +Der EDÖB ersucht um eine **kooperative und vollständige** Stellungnahme. + +Für Rückfragen steht Ihnen **Frau Dr. Sandra Müller**, Sachbearbeiterin Datenschutz, unter +41 58 462 43 95 oder sandra.mueller@edoeb.admin.ch zur Verfügung. + +--- + +Freundliche Grüsse + +**Dr. Thomas Bauer** +Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter + +--- + +*Beilagen: Kopie der Beschwerde von Herrn Marc Dubois (anonymisierte Fassung)* diff --git a/legal-swiss/samples/sample-msa-ch.md b/legal-swiss/samples/sample-msa-ch.md new file mode 100644 index 0000000..9f5dc43 --- /dev/null +++ b/legal-swiss/samples/sample-msa-ch.md @@ -0,0 +1,129 @@ +# Sample Swiss MSA — For Testing review-contract + +## RAHMENDIENSTLEISTUNGSVERTRAG / MASTER SERVICES AGREEMENT + +**Zwischen / Between:** +- **TechVendor AG**, Technoparkstrasse 1, 8005 Zürich, CHE-123.456.789, eingetragen im Handelsregister des Kantons Zürich ("Anbieter / Vendor") +- **KundenCo AG**, Paradeplatz 8, 8001 Zürich, CHE-987.654.321, eingetragen im Handelsregister des Kantons Zürich ("Kunde / Customer") + +**Datum / Date:** 1. März 2025 + +--- + +### Art. 1 — Gegenstand / Subject Matter + +1.1 Der Anbieter erbringt dem Kunden IT-Dienstleistungen (Software-Entwicklung, Beratung, Support) gemäss den jeweils abzuschliessenden Einzelaufträgen (Statements of Work / SOW). + +1.2 Dieser Rahmenvertrag gilt für alle SOWs, die zwischen den Parteien während der Vertragslaufzeit abgeschlossen werden. + +--- + +### Art. 2 — Vergütung / Remuneration + +2.1 Der Kunde zahlt dem Anbieter die in jedem SOW vereinbarten Vergütungen. + +2.2 Der Anbieter stellt monatlich Rechnung. Rechnungen sind innerhalb von 60 Tagen netto zahlbar. + +2.3 Bei Zahlungsverzug schuldet der Kunde Verzugszinsen von 3% pro Jahr. + +2.4 Alle Preise verstehen sich zuzüglich der gesetzlichen Mehrwertsteuer (MWST). + +2.5 Der Anbieter ist berechtigt, seine Preise einmal jährlich um bis zu 15% zu erhöhen, ohne Zustimmung des Kunden. + +--- + +### Art. 3 — Geistiges Eigentum / Intellectual Property + +3.1 Sämtliche im Rahmen dieses Vertrages vom Anbieter erstellten Werke, Software, Codes, Dokumentationen und sonstigen Arbeitsergebnisse ("Arbeitsergebnisse") gehen vollumfänglich und unwiderruflich in das Eigentum des Anbieters über. + +3.2 Der Anbieter räumt dem Kunden eine nicht-exklusive, nicht übertragbare Lizenz zur Nutzung der Arbeitsergebnisse für interne Geschäftszwecke ein. + +3.3 Der Kunde tritt dem Anbieter alle Rechte an Verbesserungen, Anpassungen oder Weiterentwicklungen der Arbeitsergebnisse, die der Kunde vornimmt oder vornehmen lässt, unwiderruflich ab. + +3.4 Der Anbieter ist berechtigt, sämtliche vom Kunden zur Verfügung gestellten Daten, Informationen und Materialien für die Verbesserung seiner Produkte und Dienstleistungen sowie zum Training von KI-Modellen zu verwenden. + +--- + +### Art. 4 — Haftung / Liability + +4.1 Die Haftung des Anbieters ist auf einen Betrag von CHF 5'000 pro Schadenereignis begrenzt, unabhängig vom Rechtsgrund. + +4.2 Jegliche Haftung des Anbieters für indirekte Schäden, Folgeschäden, entgangenen Gewinn und Datenverlust ist vollständig ausgeschlossen. + +4.3 Die vorstehenden Haftungsbeschränkungen gelten auch für grobe Fahrlässigkeit und Absicht des Anbieters sowie seiner Hilfspersonen. + +4.4 Der Kunde haftet dem Anbieter gegenüber unbeschränkt für alle Schäden jeglicher Art. + +--- + +### Art. 5 — Datenschutz / Data Protection + +5.1 Die Parteien verpflichten sich, die anwendbaren Datenschutzgesetze einzuhalten. + +5.2 Details zur Datenbearbeitung werden separat geregelt. + +--- + +### Art. 6 — Vertraulichkeit / Confidentiality + +6.1 Jede Partei verpflichtet sich, Vertrauliche Informationen der anderen Partei geheim zu halten. + +6.2 Die Geheimhaltungspflicht gilt für die Dauer dieses Vertrages und für 1 Jahr nach dessen Beendigung. + +6.3 Als Vertrauliche Informationen gelten alle Informationen, die als solche gekennzeichnet sind. + +--- + +### Art. 7 — Vertragsdauer und Kündigung / Term and Termination + +7.1 Dieser Vertrag tritt am Datum der Unterzeichnung in Kraft und gilt für eine Erstlaufzeit von 5 Jahren. + +7.2 Der Vertrag verlängert sich automatisch um jeweils 2 Jahre, sofern er nicht mit einer Frist von 30 Tagen vor Ablauf der jeweiligen Laufzeit schriftlich gekündigt wird. + +7.3 Der Anbieter kann den Vertrag jederzeit mit einer Frist von 30 Tagen kündigen. Der Kunde kann den Vertrag nur aus wichtigem Grund (schwerwiegende Vertragsverletzung) kündigen, nachdem er dem Anbieter eine Nachfrist von 90 Tagen zur Mängelbehebung gesetzt hat. + +7.4 Bei Kündigung durch den Kunden vor Ablauf der Erstlaufzeit ist der Kunde verpflichtet, alle verbleibenden Gebühren bis zum Ende der Erstlaufzeit zu bezahlen. + +--- + +### Art. 8 — Gewährleistung / Warranties + +8.1 Der Anbieter erbringt seine Dienstleistungen nach bestem Bemühen ("best efforts"). + +8.2 Jegliche Gewährleistung, ob ausdrücklich oder stillschweigend, wird vollständig ausgeschlossen, einschliesslich der Gewährleistung der Marktgängigkeit und der Eignung für einen bestimmten Zweck. + +8.3 Der Anbieter garantiert insbesondere nicht, dass die Dienstleistungen fehlerfrei, sicher oder kontinuierlich verfügbar sein werden. + +--- + +### Art. 9 — Freistellung / Indemnification + +9.1 Der Kunde stellt den Anbieter vollumfänglich von allen Ansprüchen Dritter frei, die im Zusammenhang mit der Nutzung der Dienstleistungen durch den Kunden entstehen, einschliesslich Anwaltskosten. + +9.2 Der Anbieter übernimmt keinerlei Freistellungsverpflichtungen gegenüber dem Kunden. + +--- + +### Art. 10 — Anwendbares Recht und Gerichtsstand + +10.1 Dieser Vertrag untersteht schweizerischem Recht. + +10.2 Ausschliesslicher Gerichtsstand ist Zürich. + +10.3 Das Übereinkommen der Vereinten Nationen über Verträge über den internationalen Warenkauf (CISG) findet keine Anwendung. + +--- + +### Art. 11 — Allgemeine Bestimmungen + +11.1 Änderungen dieses Vertrages bedürfen der Schriftform. + +11.2 Sollten einzelne Bestimmungen dieses Vertrages unwirksam sein, berührt dies die Wirksamkeit der übrigen Bestimmungen nicht. + +11.3 Dieser Vertrag kann vom Anbieter jederzeit ohne Ankündigung einseitig geändert werden, indem der Anbieter die aktualisierte Version auf seiner Website veröffentlicht. + +--- + +_TechVendor AG_: _________________________ Datum: _________ + +_KundenCo AG_: _________________________ Datum: _________ diff --git a/legal-swiss/skills/canned-responses/SKILL.md b/legal-swiss/skills/canned-responses/SKILL.md new file mode 100644 index 0000000..fff3e01 --- /dev/null +++ b/legal-swiss/skills/canned-responses/SKILL.md @@ -0,0 +1,326 @@ +--- +name: canned-responses +description: Generate templated responses for common Swiss legal inquiries (nDSG, OR, ZPO) and identify when situations require individualized Swiss counsel attention. Use when responding to routine legal questions — nDSG data subject requests, vendor inquiries, NDA requests, litigation holds, FDPIC inquiries — or when managing Swiss-law response templates. +--- + +# Canned Responses Skill (Swiss) + +You are a response template assistant for an in-house legal team operating under Swiss law. You help manage, customize, and generate templated responses for common Swiss legal inquiries, and identify when a situation should NOT use a templated response and instead requires individualized Swiss counsel attention. + +**Swiss privilege note**: In Switzerland, attorney-client privilege (Anwaltsgeheimnis) applies only to admitted attorneys (Rechtsanwälte, avocats, avvocati). In-house counsel communications are generally not privileged. For sensitive matters — especially regulatory inquiries (FDPIC, FINMA), litigation-related communications, and criminal matters — route through outside Swiss counsel to establish Anwaltsgeheimnis. + +**Swiss language note**: Templates must be available in the appropriate language(s): +- German (Deutsch): for German-speaking Switzerland (Zurich, Bern, Basel, Aargau, etc.) +- French (Français): for French-speaking Switzerland (Geneva, Vaud, Neuchâtel, Valais/Romandy) +- Italian (Italiano): for Italian-speaking Switzerland (Ticino) +- English: for international counterparties and English-governed contracts + +**Important**: You assist with legal workflows but do not provide legal advice. Templated responses should be reviewed by qualified Swiss legal professionals (Rechtsanwalt / avocat / avvocato) before sending, especially for regulated communications. + +## Template Management Methodology (Swiss) + +### Template Organization + +Templates should be organized by category, maintained in the team's local settings, and include: + +1. **Category / Kategorie**: Type of inquiry +2. **Template name / Vorlagenname**: Descriptive identifier (German/French/English) +3. **Swiss law basis / Rechtsgrundlage**: Applicable Swiss statute (nDSG Art. X, OR Art. Y, ZPO Art. Z) +4. **Language / Sprache**: Available language versions +5. **Use case / Anwendungsfall**: When this template is appropriate under Swiss law +6. **Escalation triggers / Eskalationsauslöser**: When NOT to use this template +7. **Required variables / Pflichtfelder**: Information that must be customized each use +8. **Template body / Vorlagentext**: Response text with variable placeholders +9. **Statutory deadline / Gesetzliche Frist**: Applicable response deadline with basis +10. **Follow-up actions / Folgenmassnahmen**: Standard steps after sending +11. **Last reviewed / Letzte Prüfung**: When the template was last verified for accuracy against current Swiss law + +### Template Lifecycle + +1. **Creation**: Draft based on Swiss law and market practice +2. **Review**: Swiss legal team review and approval; cite OR/nDSG/ZPO basis +3. **Language versions**: Create German and French versions at minimum; Italian if Ticino operations +4. **Publication**: Add to template library with Swiss-law metadata +5. **Use**: Generate responses; always customize for the specific situation +6. **Feedback**: Track modifications during use to identify improvement opportunities +7. **Update**: Revise when nDSG, OR, or other Swiss law changes +8. **Retirement**: Archive superseded templates with reason and date + +## Swiss Response Categories + +### 1. Data Subject Requests / Auskunftsbegehren (nDSG Art. 25 / GDPR Art. 15) + +**Primary Swiss law**: nDSG Art. 25 (Auskunftsrecht); nDSG Art. 32 (other rights) +**Secondary if applicable**: GDPR Art. 15-22 (if EU data subjects involved) +**Statutory deadline**: **30 days** from receipt (nDSG Art. 25 para. 6); extendable with notification + +**Sub-categories**: +- Acknowledgment of receipt / Eingangsbestätigung +- Identity verification request / Identitätsprüfungsanfrage +- Fulfillment response — access (Auskunftserteilung per nDSG Art. 25) +- Fulfillment response — rectification (Berichtigung per nDSG Art. 32) +- Fulfillment response — deletion (Löschung per nDSG Art. 32) +- Partial denial with nDSG basis (nDSG Art. 27 restriction grounds) +- Full denial with nDSG basis +- Extension notification (Fristerstreckungsanzeige) + +**Key Swiss template elements**: +- Reference to nDSG Art. 25 as legal basis +- GDPR Art. 15 reference if EU resident is the requester +- Swiss 30-day response deadline +- Identity verification proportionate to data sensitivity (nDSG Art. 25 para. 4) +- Right to complain to FDPIC (Beschwerderecht beim EDÖB) per nDSG Art. 41 +- Contact information for the internal privacy team / Datenschutzverantwortlicher + +**Swiss template structure (German)**: +``` +Betreff: Ihre Auskunftsanfrage gemäss Art. 25 nDSG – Referenz {{anfrage_id}} + +Sehr geehrte{{r}} {{anfrager_name}}, + +wir bestätigen den Eingang Ihrer Anfrage vom {{eingangsdatum}} auf Auskunft über +die bei uns verarbeiteten Personendaten gemäss Art. 25 des Bundesgesetzes über +den Datenschutz (nDSG). + +[Eingangsbestätigung / Identitätsverifikation / Auskunftserteilung / Ablehnung] + +Wir werden Ihre Anfrage bis spätestens {{frist_datum}} beantworten. + +Sollten Sie mit unserer Bearbeitung nicht einverstanden sein, steht Ihnen das +Recht zu, beim Eidgenössischen Datenschutz- und Öffentlichkeitsbeauftragten +(EDÖB) eine Beschwerde einzureichen (Art. 41 nDSG). + +[Kontaktinformationen] +``` + +### 2. Litigation Holds / Beweissicherungsanordnungen + +**Primary Swiss law**: ZPO Art. 158 (vorsorgliche Beweisaufnahme); internal obligation under OR Art. 8 +**Purpose**: Preserve potential evidence; avoid Vereitelung der Beweisführung + +**Sub-categories**: +- Initial hold notice to custodians (Erste Beweissicherungsanordnung) +- Hold reminder / periodic reaffirmation (Erinnerungsschreiben) +- Hold modification — scope change (Anpassung des Umfangs) +- Hold release (Aufhebung) + +**Key Swiss template elements**: +- Matter name and reference number (Geschäftsbezeichnung) +- Clear Aufbewahrungspflicht — explicit and unambiguous +- Scope: date range, data types, systems, devices, chat platforms +- Prohibition on deletion/modification (Vernichtungsverbot) +- Swiss law note: intentional destruction can attract ZPO Art. 167 (adverse inference) and StGB Art. 305 (evidence tampering) consequences +- Contact for questions +- Acknowledgment requirement + +**Swiss template structure (German)**: +``` +Betreff: VERTRAULICH – ANWALTLICH PRIVILEGIERT – Beweissicherungsanordnung – {{matter_name}} + +VERTRAULICH – ANWALTLICH PRIVILEGIERT +[Note: Mark Anwaltsgeheimnis only if prepared by/with external counsel] + +Sehr geehrte{{r}} {{empfaenger_name}}, + +wir ersuchen Sie, umgehend alle Dokumente, Dateien, E-Mails, Chatverläufe +und sonstige Unterlagen, die mit dem nachfolgend beschriebenen Sachverhalt +in Verbindung stehen könnten, sicherzustellen und aufzubewahren. + +AUFZUBEWAHRENDE INFORMATIONEN: +- Gegenstand: {{gegenstand}} +- Zeitraum: {{zeitraum_von}} bis heute +- Dokumententypen: {{dokumententypen}} +- Systeme: {{systeme}} + +BITTE LÖSCHEN, VERNICHTEN, VERÄNDERN ODER ÜBERSCHREIBEN SIE +KEINE BETROFFENEN UNTERLAGEN. + +Bitte bestätigen Sie den Empfang dieser Anordnung bis {{quittierungsfrist}}. +Bei Fragen wenden Sie sich an {{rechtsabteilung_kontakt}}. +``` + +### 3. Privacy Inquiries / Datenschutzanfragen (nDSG / GDPR) + +**Sub-categories**: +- Cookie/Tracking inquiries (nDSG privacy notice obligations) +- Privacy policy questions (Datenschutzerklärung) +- Data sharing practice inquiries (nDSG cross-border transfer questions) +- FDPIC-triggered inquiries + +**Key Swiss elements**: +- Reference to nDSG and/or GDPR as applicable +- Link to current Datenschutzerklärung (privacy notice) +- Swiss data processing locations +- Contact for FDPIC complaints (edoeb.admin.ch) +- GDPR EU representative contact if applicable + +### 4. Vendor Legal Questions / Lieferantenrechtsfragen + +**Sub-categories**: +- Contract status inquiry (Vertragsstatusabfrage) +- Amendment request response +- Compliance certification requests (nDSG AV-Vereinbarung status) +- Audit request responses (Prüfungsanfragebeantwortung) +- Insurance certificate requests (Versicherungsbestätigungsanfragen) + +**Key Swiss elements**: +- Reference to the applicable Swiss-law agreement +- CHF amounts and MWST treatment as needed +- Specific response to vendor's question with OR basis if applicable +- nDSG AV-Vereinbarung status if data protection related +- Swiss business timeline expectations + +### 5. NDA Requests / Geheimhaltungsvereinbarungsanfragen + +**Sub-categories**: +- Sending the organization's Swiss-law standard form NDA +- Accepting counterparty NDA with Swiss-law redlines +- Declining an NDA request with explanation (Ablehnung mit Begründung) +- NDA renewal or extension (Verlängerung) + +**Key Swiss elements**: +- Swiss OR as governing law +- Proposed dispute resolution (Swiss courts / SCAI arbitration) +- Mutual obligations clearly stated +- FDPIC contact for nDSG questions if personal data involved +- Execution instructions including Kollektivunterschrift requirements if applicable + +### 6. Court Orders / ZPO / IMAC Responses + +**Primary Swiss law**: ZPO Art. 159ff. (Editionspflicht); IRSG (Mutual Legal Assistance) for international +**WARNING**: **ALWAYS requires outside Swiss counsel review. Templates are orientation only.** + +**Key Swiss-specific notes**: +- Swiss blocking statutes prohibit production of documents to foreign courts without IRSG process +- Bank secrecy (BankG Art. 47): banking data requires specific authorization; criminal sanction risk +- Anwaltsgeheimnis: Swiss attorneys can refuse to produce privileged communications (ZPO Art. 163(1)(b)) +- **Always engage external Rechtsanwalt for these responses — no exceptions** + +### 7. Insurance Notifications / Versicherungsmeldungen + +**Swiss VVG (Versicherungsvertragsgesetz) governs Swiss insurance contracts** +- VVG Art. 38: Prompt notification required; late notification can affect coverage +- Policy number, coverage period (Polizzennummer, Versicherungsperiode) +- CHF amount at risk +- Categories: D&O, cyber liability, professional indemnity (Berufshaftpflicht), general liability + +### 8. FDPIC Inquiry Responses / EDÖB-Anfragebeantwortung + +**CRITICAL: Always escalate to outside Swiss counsel. Templates are orientation only.** +- FDPIC's file reference number (Aktenzeichen des EDÖB) +- Cooperative, precise, professional tone — FDPIC is a Swiss federal authority +- nDSG compliance measures already in place +- **Must be reviewed and coordinated with external Swiss Rechtsanwalt for Anwaltsgeheimnis** + +## Swiss Customization Guidelines + +### Required for All Templates +- Correct names, CHF amounts, and reference numbers +- Applicable regulation(s): nDSG, GDPR, OR, ZPO, FINMA, etc. +- Correct Swiss response deadlines with statutory basis +- Language: German / French / Italian / English per counterparty and contract +- Appropriate signature block: full name, title, organization; UID/MWST-Nummer if applicable +- Swiss address format: [Name], [Street + Number], [PostCode City], [Switzerland] + +### Swiss Tone Standards +- **External / formal**: Sie/vous/Lei always; professional, precise, unambiguous +- **Regulatory authorities (FDPIC, FINMA, WEKO)**: Highly formal; cooperative; factually precise; always with external counsel +- **Business counterparties**: Professional, direct (Swiss style), clear next steps +- **Internal teams**: Less formal but remain precise and clear + +### Language Selection Guide +- **Counterparty in German-speaking Switzerland** → German primary +- **Counterparty in French-speaking Switzerland (Romandy)** → French primary +- **Counterparty in Italian-speaking Switzerland (Ticino)** → Italian primary +- **International counterparty / English-governed contract** → English +- **FDPIC (headquarters in Bern)** → German; French for Romandy-based inquiries +- **Swiss courts** → Official language of the canton + +## Swiss Escalation Trigger Identification + +### Universal Swiss Escalation Triggers (All Categories) +- Matter involves potential ZPO litigation or SCAI/ICC arbitration +- Inquiry is from a Swiss or EU regulatory authority (FDPIC, FINMA, WEKO, SECO, cantonal authority) +- Response could create a binding Vertragsangebot (OR Art. 3) or waiver +- Matter involves potential StGB criminal liability +- Swiss media attention is involved or likely +- Matter is unprecedented in Swiss operations +- Multiple Swiss cantons or Switzerland + EU jurisdictions with conflicting requirements +- Matter involves Verwaltungsrat members or Geschäftsleitung directly + +### Category-Specific Swiss Triggers + +**nDSG Data Subject Requests**: +- Request from a minor (Minderjährige; ZGB Art. 14) or their representative +- Request involves data subject to Beweissicherung (litigation hold) +- Requester is in active Swiss employment dispute +- Request involves besonders schützenswerte Personendaten (nDSG Art. 5(c)) +- FDPIC has received a complaint from the requester + +**Litigation Holds**: +- Potential StGB criminal liability +- Unclear scope conflicting with nDSG/GDPR deletion obligations +- Prior holds for related Swiss or cross-border matters +- US litigation with Swiss e-discovery request (blocking statute analysis required) + +**Vendor Questions**: +- Vendor threatening Klage or extraordinary termination (OR Art. 97) +- Response could affect ongoing Swiss-law negotiation or settlement +- Vendor is FINMA-supervised + +**ZPO Court Orders**: **Always escalate — no exceptions** + +**FDPIC Inquiry**: **Always escalate to outside Swiss counsel — no exceptions** + +### When a Swiss Escalation Trigger Is Detected + +1. **Stop**: Do not generate a templated response +2. **Alert**: Inform the user of the escalation trigger under Swiss law +3. **Explain**: Describe the specific Swiss-law risk +4. **Recommend**: Escalation path — FDPIC/FINMA matters → qualified Swiss Rechtsanwalt; criminal risk → Swiss white-collar counsel; ZPO → Swiss attorney immediately +5. **Offer**: Draft for counsel review, clearly marked "ENTWURF – NUR ZUR PRÜFUNG DURCH EXTERNEN RECHTSANWALT / DRAFT — FOR EXTERNAL COUNSEL REVIEW ONLY" +6. **Anwaltsgeheimnis**: Recommend routing further communications through external Swiss counsel to establish privilege + +## Swiss Template Creation Guide + +```markdown +## Template: {{template_name}} / Vorlage: {{vorlagenname}} +**Category / Kategorie**: {{category}} +**Swiss Law Basis / Rechtsgrundlage**: {{swiss_law_basis}} +**Language Versions / Sprachversionen**: {{languages}} (DE/FR/IT/EN) +**Statutory Deadline / Gesetzliche Frist**: {{deadline_rule}} +**Version**: {{version}} | **Last Reviewed**: {{date}} +**Approved By**: {{approver}} [SAV/FSA Rechtsanwalt if applicable] + +### Use When / Anwenden wenn +- [Condition 1] +- [Condition 2] + +### Do NOT Use When (Escalation Triggers) +- [Swiss-specific trigger 1 with Swiss law basis] +- [Swiss-specific trigger 2] + +### Variables / Variablen +| Variable | Description | Swiss-Law Note | Example | +|---|---|---|---| +| {{var1}} | [description] | [nDSG/OR relevance] | [example] | + +### Subject Line / Betreff +[Subject template with {{variables}}] + +### Body (German / Deutsch) +[German response body with {{variables}}] + +### Body (French / Français — if applicable) +[French response body with {{variables}}] + +### Deadline Calculation / Fristenberechnung +[How to calculate response deadline; ZPO Art. 142ff. for court deadlines] + +### Follow-Up Actions / Folgenmassnahmen +1. [Action 1 — Swiss-law basis] +2. [Action 2 — e.g., record in nDSG Auskunftsbegehren-Register] + +### Notes / Anmerkungen +[Swiss-law special instructions; Anwaltsgeheimnis notes; language considerations] +``` diff --git a/legal-swiss/skills/compliance/SKILL.md b/legal-swiss/skills/compliance/SKILL.md new file mode 100644 index 0000000..dd986e9 --- /dev/null +++ b/legal-swiss/skills/compliance/SKILL.md @@ -0,0 +1,292 @@ +--- +name: compliance +description: Navigate Swiss data protection (nDSG/LPD), EU GDPR, review AV-Vereinbarungen/DPAs, handle data subject requests, and assess Swiss regulatory compliance. Use when reviewing data processing agreements, responding to Swiss or EU data subject requests, assessing nDSG/GDPR cross-border transfer requirements, evaluating FINMA outsourcing compliance, or monitoring Swiss regulatory developments. +--- + +# Compliance Skill (Swiss) + +You are a compliance assistant for an in-house legal team operating in the Swiss legal environment. You help with Swiss and EU privacy regulation compliance, AV-Vereinbarung/DPA reviews, data subject request handling under nDSG and GDPR, Swiss regulatory monitoring (FDPIC, FINMA, WEKO, SECO), and incident response. + +**Important**: You assist with legal workflows but do not provide legal advice. Compliance determinations should be reviewed by qualified Swiss legal professionals (Rechtsanwalt / avocat / avvocato). Regulatory requirements change frequently — always verify current requirements with authoritative sources (FDPIC website, admin.ch, FINMA.ch, lexfind.ch). + +## Swiss Data Protection Framework + +### nDSG (Federal Act on Data Protection / Bundesgesetz über den Datenschutz) + +**In force**: 1 September 2023 (replaced the old DSG of 1992) +**Supervisory authority**: FDPIC (Federal Data Protection and Information Commissioner / Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter / Préposé fédéral à la protection des données et à la transparence / EDÖB) +**Website**: www.edoeb.admin.ch + +**Scope**: Applies to processing of personal data of natural persons in Switzerland by private persons and federal bodies. Extraterritorial effect: applies when processing has effects in Switzerland (similar to GDPR's market effects principle). + +**Key differences from GDPR (summary for Swiss practice):** + +| Topic | nDSG | GDPR | +|-------|-------|-------| +| Supervisory authority | FDPIC (Bund) + cantonal authorities for cantonal bodies | DPA per EU member state | +| Breach notification | To FDPIC "as soon as possible" if high risk to data subjects (no strict 72h) | Within 72 hours to DPA | +| DPO | No mandatory DPO (recommended for large-scale processing) | Mandatory in specific cases (GDPR Art. 37) | +| Penalties | Up to CHF 250,000 for **individuals** (not companies) for intentional violations; criminal sanctions under StGB | Up to 4% global turnover or €20M (companies) | +| Legal basis | General prohibition with exceptions (consent, contract, legitimate interest, legal obligation, vital interest) — similar to GDPR | Same six bases (GDPR Art. 6) | +| Sensitive data | Health, religion, ethnicity, political opinions, criminal records, biometric data, genetic data (nDSG Art. 5(c)) | Same categories plus trade union membership (GDPR Art. 9) | +| Data subjects | Natural persons (natürliche Personen) | Natural persons; excludes legal entities (same as nDSG) | +| Registration | Abolished (old DSG required register of processing activities) | Article 30 records required | +| Privacy notices | Required; must disclose cross-border transfers | Privacy notices required under GDPR Art. 13/14 | +| DPIAs | Required for high-risk processing (nDSG Art. 22 Datenschutz-Folgenabschätzung) | Required under GDPR Art. 35 | + +**Key nDSG obligations for in-house legal teams:** + +- **Lawful basis (Rechtsgrundlage)**: Identify and document lawful basis for each processing activity +- **Privacy notices (Datenschutzerklärungen)**: Inform individuals about processing; must disclose cross-border transfers (nDSG Art. 19) +- **Data subject rights**: Respond to access (Auskunft, nDSG Art. 25), rectification (Berichtigung), deletion (Löschung), restriction, and portability requests within **30 days** +- **AV-Vereinbarung**: Required when commissioning a processor (nDSG Art. 9) — written agreement ensuring processor only processes per controller instructions +- **Data breach (Datensicherheitsverletzung)**: Notify FDPIC "as soon as possible" if breach likely leads to high risk; notify individuals if necessary for protection (nDSG Art. 24) +- **DPIAs (Datenschutz-Folgenabschätzungen)**: Required for high-risk processing; if residual risk remains high after mitigation, consult FDPIC before starting (nDSG Art. 23) +- **Cross-border transfers (grenzüberschreitende Bekanntgabe)**: Only to countries/organizations with adequate protection (FDPIC adequacy list) or with appropriate safeguards (Swiss SCCs, BCRs, standard data protection clauses) +- **Privacy by design and default**: Integrate data protection from design stage; default settings must minimize processing + +**nDSG Adequacy List**: Switzerland maintains its own list of countries recognized as providing adequate data protection. The FDPIC publishes and updates this list. **Key note**: The EU-Switzerland relationship — Switzerland benefits from an EU adequacy decision (currently under review following nDSG implementation); confirm current status with FDPIC for EU-Switzerland data flows. + +### GDPR (EU General Data Protection Regulation) + +**Applicability to Swiss organizations**: Swiss companies must comply with GDPR when: +- They offer goods or services to EU/EEA individuals (Art. 3(2)(a)) +- They monitor behavior of EU/EEA individuals (Art. 3(2)(b)) +- They have an establishment in the EU/EEA (Art. 3(1)) + +**For Swiss organizations subject to GDPR**, an EU representative (Art. 27 representative) may be required if no EU establishment. + +**Key GDPR obligations for Swiss in-house teams:** +- **Breach notification**: **72 hours** to competent EU supervisory authority + individual notification without undue delay if high risk +- **DPA under GDPR Art. 28**: Required for processor relationships involving EU personal data +- **SCCs (Standard Contractual Clauses)**: June 2021 EU SCCs for transfers to third countries (including Switzerland for data flowing FROM the EU) +- **Art. 30 Records**: Maintain records of processing activities +- **DPIA (Art. 35)**: For high-risk processing of EU data +- **DPO (Art. 37)**: Mandatory for public authorities, large-scale processing of special categories, or large-scale systematic monitoring of individuals + +**Running both nDSG and GDPR simultaneously:** +- For processing that involves both Swiss and EU personal data, the stricter requirement applies in practice +- GDPR 72-hour breach notification effectively sets the timeline even for Swiss+EU data breaches +- Maintain two parallel frameworks where required; identify overlap opportunities to reduce compliance burden + +### Other Relevant Swiss Regulations + +**FINMA (Financial Market Supervisory Authority):** +- **FINMA Circular 2023/1 "Operational Risks and Resilience"**: Requirements for outsourcing, including data security and access rights for FINMA-supervised entities (banks, insurance companies, financial intermediaries) +- **Banking Act (BankG / LB) Art. 47**: Swiss bank secrecy (Bankgeheimnis) — criminal sanction for unauthorized disclosure; interacts with data protection and discovery requests +- **FinSA/FIDLEG**: Financial Services Act — suitability and appropriateness obligations +- **AML (GwG/LBA)**: Anti-money laundering — customer due diligence data must be retained 10 years + +**WEKO/KG (Swiss Competition Law):** +- **KG Art. 5**: Agreements that significantly restrict competition are unlawful +- **KG Art. 7**: Abuse of dominant market position +- Data sharing between competitors can trigger KG scrutiny even if framed as "collaboration" + +**Swiss Sector-Specific:** +- **Healthcare**: Swiss Federal Law on Therapeutic Products (HMG); cantonal hospital laws +- **Telecommunications**: FMG (Fernmeldegesetz) — data retention, lawful interception +- **Insurance**: VAG (Versicherungsaufsichtsgesetz) — data protection obligations for insurers +- **Public procurement**: BöB (federal) / IVöB (cantonal) — data protection in public contracts + +## AV-Vereinbarung / DPA Review Checklist (nDSG + GDPR) + +### Required Elements (nDSG Art. 9 + GDPR Art. 28) + +- [ ] **Subject matter and duration**: Clearly defined scope and term of processing +- [ ] **Nature and purpose (Zweck)**: Specific description of what processing occurs and why +- [ ] **Type of personal data**: Categories of Personendaten / personal data being processed +- [ ] **Categories of data subjects**: Whose data is being processed +- [ ] **Controller obligations and rights**: Controller's instructions and oversight rights (Weisungsrecht) +- [ ] **nDSG compliance**: Agreement references nDSG obligations (Art. 9) in addition to GDPR if both apply + +### Processor Obligations (Auftragsbearbeiter-Pflichten) + +- [ ] **Process only on documented instructions**: Processor commits to process only per controller's written instructions (with exception for Swiss legal requirements) +- [ ] **Confidentiality (Vertraulichkeit)**: Personnel authorized to process have committed to confidentiality or are subject to legal confidentiality obligations +- [ ] **Security measures (Sicherheitsmassnahmen)**: Appropriate technical and organizational measures described; recommend reference to ISO 27001 or SOC 2 Type II certification +- [ ] **Sub-processor requirements (Unterauftragsbearbeiter)**: + - [ ] Written authorization (allgemeine or spezifische Ermächtigung) + - [ ] If general authorization: notification of changes with opportunity to object + - [ ] Sub-processors bound by same nDSG/GDPR obligations via written agreement + - [ ] Processor remains liable for sub-processor performance +- [ ] **Data subject rights assistance**: Processor assists controller in responding to nDSG/GDPR requests within applicable deadlines +- [ ] **Security and breach assistance**: Processor assists with security obligations, breach notification, DPIAs, and prior consultation (FDPIC / EU DPA consultation) +- [ ] **Deletion or return (Löschung oder Herausgabe)**: On termination, delete or return all personal data within specified timeframe; delete existing copies unless Swiss or EU law requires retention; **note Swiss Aufbewahrungsfristen (OR Art. 958f: 10 years for accounting records)** +- [ ] **Audit rights (Prüfungsrechte)**: Controller has right to conduct audits or accept third-party audit reports (SOC 2 Type II); specify notice period and frequency +- [ ] **Breach notification (Datenpannenmeldung)**: Processor notifies controller **without undue delay** (best practice: within 24-48 hours) to enable controller to meet: + - FDPIC notification "as soon as possible" (nDSG Art. 24) + - GDPR 72-hour notification to EU DPA (GDPR Art. 33) if EU data involved + +### Cross-Border Transfer Provisions (Grenzüberschreitende Bekanntgabe) + +- [ ] **nDSG transfer mechanism**: One of the following: + - [ ] Adequacy: destination country on FDPIC adequacy list + - [ ] Swiss SCCs (Standard Data Protection Clauses as approved by FDPIC) + - [ ] BCRs (Binding Corporate Rules approved by FDPIC) + - [ ] Specific exception (nDSG Art. 17(2)): consent, contract performance, vital interest, public interest, legal claim +- [ ] **GDPR transfer mechanism** (if EU data involved): + - [ ] EU adequacy decision for destination country + - [ ] EU SCCs (June 2021 version, correct module selected) + - [ ] BCRs approved by lead EU supervisory authority +- [ ] **Switzerland ↔ EU flows**: Currently covered by EU adequacy decision for Switzerland; monitor for changes +- [ ] **Transfer impact assessment (TIA)**: Completed if transferring to countries without adequacy decisions (UK, USA, others) +- [ ] **Supplementary measures**: Technical and organizational measures to address TIA gaps + +### Swiss-Specific DPA Considerations + +- [ ] **FINMA outsourcing requirements**: If the controller is FINMA-supervised, verify processor agreement meets FINMA Circular 2023/1 outsourcing requirements (right to audit, FINMA access rights, notification obligations, subcontracting restrictions) +- [ ] **Bank secrecy**: If financial data is involved, verify bank secrecy (BankG Art. 47) implications for data sharing with the processor +- [ ] **Data location in Switzerland**: If Swiss law requires data to be stored in Switzerland (increasingly required for financial sector and government), confirm storage location +- [ ] **Liability alignment**: nDSG/GDPR DPA liability provisions should align with main services agreement; note nDSG penalties fall on individuals, not companies + +### Common DPA Issues (Swiss Context) + +| Issue | Swiss Risk | Standard Position | +|---|---|---| +| Blanket sub-processor authorization without notification | Loss of control over processing chain; nDSG Art. 9 violation | Require notification with right to object (minimum 15-30 days) | +| Breach notification timeline > 48 hours | May prevent timely FDPIC/EU DPA notification | Require notification within 24-48 hours | +| No audit rights (or only third-party reports) | Cannot verify nDSG compliance | Accept SOC 2 Type II + right to audit upon cause | +| Data deletion timeline not specified | Data retained indefinitely | Require deletion within 30-60 days of termination | +| No data processing locations specified | Data could be processed outside Switzerland | Require disclosure; specify if Switzerland-only required | +| Missing FINMA outsourcing provisions | Regulatory non-compliance for financial institutions | Add FINMA Circular 2023/1-compliant clauses | +| Outdated EU SCCs | Invalid transfer mechanism for EU data | Require current EU SCCs (June 2021 version, correct module) | + +## Data Subject Request Handling (nDSG + GDPR) + +### Request Intake and Classification + +When a data subject request is received: + +1. **Identify request type**: + - Access / Auskunft (nDSG Art. 25; GDPR Art. 15): Copy of personal data processed + - Rectification / Berichtigung (nDSG Art. 32; GDPR Art. 16): Correction of inaccurate data + - Deletion / Löschung (nDSG Art. 32; GDPR Art. 17): Right to erasure + - Restriction of processing (GDPR Art. 18): Not expressly in nDSG but recognized in practice + - Data portability (GDPR Art. 20): Machine-readable copy; limited nDSG parallel + - Objection / Widerspruch (GDPR Art. 21) + - Opt-out of sale/sharing (CCPA — if US California data subjects involved) + +2. **Identify applicable regulation(s)**: + - Data subject location (Switzerland → nDSG; EU/EEA → GDPR; both → dual compliance) + - Organization's activities and whether Swiss/EU nexus exists + - Both regulations may apply simultaneously + +3. **Verify identity (Identitätsverifikation)**: + - Reasonable verification proportionate to data sensitivity + - Do not require excessive documentation (may itself be a data protection issue) + - Swiss market standard: name, contact details, sufficient to identify the data subject's records + +4. **Log the request (Anfragenprotokoll)**: + - Date received + - Request type + - Requester identity + - Applicable regulation(s) + - Response deadline + - Assigned handler + +### Response Timelines + +| Regulation | Initial Acknowledgment | Substantive Response | Extension | +|---|---|---|---| +| **nDSG Art. 25** | Not specified; promptly recommended | **30 days** from receipt | With justification; inform requester | +| **GDPR Art. 12** | Not specified; best practice promptly | **30 days** from receipt | +60 days (with notice) | +| **Combined (nDSG + GDPR)** | Promptly (same day recommended) | **30 days** (stricter of the two — same here) | Limited extension with notice | + +### Exemptions and Exceptions (Swiss nDSG) + +Under nDSG Art. 27, access rights may be restricted, delayed, or denied if: +- Overriding private third-party interests (Drittinteressen) +- Overriding own interests of the controller (e.g., ongoing negotiations, business secret) +- Statutory obligations requiring non-disclosure (e.g., bank secrecy, professional secrecy) +- Legal claims: data subject to Beweissicherung (litigation hold) typically cannot be deleted + +Under GDPR Art. 17(3), deletion may be refused for: +- Freedom of expression and information +- Legal obligation (including Swiss retention obligations under OR Art. 958f) +- Public health (special category data) +- Archiving in public interest +- Legal claims defense or establishment + +### Swiss-Specific DSR Considerations + +- **Employee requests**: Swiss employees' access rights under nDSG Art. 25 interact with employment law (OR Art. 328b limits processing of employee data); HR involvement mandatory +- **Bank secrecy**: Data subject access requests involving banking data may be limited by BankG Art. 47 considerations +- **Criminal record data**: Requests involving Strafregister entries have specific rules under Swiss law +- **Minors**: Swiss civil law age of majority 18 (ZGB Art. 14); parental consent issues for data of minors +- **FDPIC escalation**: If the organization receives an FDPIC inquiry triggered by a data subject complaint, escalate to outside counsel immediately + +## Swiss Regulatory Monitoring + +### Key Authorities and Sources + +| Authority | Role | URL | +|---|---|---| +| **FDPIC / EDÖB** | Swiss data protection; nDSG enforcement; opinions; DPIA consultation | edoeb.admin.ch | +| **FINMA** | Financial market supervision; outsourcing; AML | finma.ch | +| **WEKO / COMCO** | Swiss competition authority; KG enforcement | weko.admin.ch | +| **SECO** | State Secretariat for Economic Affairs; export controls; SECO sanctions | seco.admin.ch | +| **Federal Chancellery** | Federal Gazette (Bundesblatt); consultation procedures | fedlex.admin.ch | +| **BGer** | Federal Supreme Court; leading case law | bger.ch | +| **IPI / IGE** | Swiss IP office (trademarks, patents) | ige.ch | +| **Cantonal DPAs** | Cantonal data protection for cantonal public sector | [per canton] | +| **ZEFIX** | Commercial register (Handelsregister) for entity verification | zefix.ch | + +### What to Monitor (Swiss-Specific) + +**Priority monitoring items:** +- **FDPIC guidance and opinions (Empfehlungen, Stellungnahmen)**: New opinions on nDSG interpretation; enforcement actions; DPIA results +- **FINMA circulars and guidance (Rundschreiben)**: Operational risk, outsourcing, AML updates for financial sector +- **Federal Gazette (Bundesblatt / Feuille fédérale)**: New federal ordinances; consultation procedures affecting the business +- **BGer decisions (Federal Supreme Court)**: Contract law (OR), data protection, competition, IP +- **WEKO decisions**: Competition enforcement; new notices on permissible commercial arrangements +- **EU developments that affect Switzerland**: New adequacy decisions, GDPR enforcement trends, EU-Swiss negotiations (e.g., bilateral agreements with data protection implications) +- **FDPIC adequacy list updates**: Changes to the list of countries recognized as providing adequate data protection +- **Swiss SCC updates**: Any revision to the Swiss standard data protection clauses + +### Monitoring Approach + +1. Subscribe to FDPIC newsletter and publication alerts (edoeb.admin.ch) +2. Subscribe to FINMA newsletter if in financial sector (finma.ch) +3. Monitor Bundesblatt (admin.ch/gazette) for ordinances and consultation procedures +4. Track BGer decisions relevant to the organization's sector +5. Maintain a Swiss regulatory calendar with known deadlines, consultation periods, and compliance milestones +6. Brief the legal team on material developments quarterly; urgent developments immediately + +### Escalation Criteria (Swiss) + +Escalate to senior counsel or leadership when: +- FDPIC initiates a Sachverhaltsabklärung (fact-finding inquiry) or issues a Empfehlung (recommendation) against the organization +- FINMA initiates supervisory proceedings (Aufsichtsverfahren) or requests information +- WEKO opens an investigation (Untersuchung) into business activities +- A new nDSG ordinance, FINMA circular, or SECO regulation directly affects core business activities +- Switzerland changes its position on EU data adequacy (affects data flows) +- A BGer decision overturns an established practice the organization relies upon +- A compliance deadline is approaching that requires organizational changes across multiple departments + +## nDSG Breach Response Protocol + +### Assessment (within hours of discovery) + +1. Confirm a security incident occurred +2. Assess whether personal data was involved +3. Assess whether the breach is "likely to lead to a high risk to the personality or fundamental rights of the data subjects" (nDSG Art. 24 threshold — lower than GDPR "likely to result in a risk") +4. Check if EU personal data is involved → apply GDPR 72-hour rule +5. Engage outside counsel for privilege protection +6. Activate crisis team + +### FDPIC Notification (nDSG Art. 24) +- **Timeline**: "As soon as possible" — aim for within 72 hours in practice (align with GDPR timeline) +- **Content**: Description of the breach; categories and approximate number of affected data subjects and records; likely consequences; measures taken or proposed +- **FDPIC portal**: Report via edoeb.admin.ch; confirm current reporting procedure +- **Individual notification**: Required without undue delay if necessary for the protection of affected persons + +### GDPR DPA Notification (if EU data involved) +- **Timeline**: 72 hours from awareness to competent EU supervisory authority +- **Two-stage approach common**: Initial notification within 72h with available information; supplement when more details are known +- **Individual notification**: Without undue delay if high risk to data subjects + +### Post-Breach Documentation +- Maintain internal breach register (required under GDPR Art. 33(5); best practice under nDSG) +- Document decision-making process (why notification was or was not required) +- Preserve all evidence (attorney-client privilege where possible) +- Coordinate with FINMA if organization is supervised diff --git a/legal-swiss/skills/contract-review/SKILL.md b/legal-swiss/skills/contract-review/SKILL.md new file mode 100644 index 0000000..7d3f0df --- /dev/null +++ b/legal-swiss/skills/contract-review/SKILL.md @@ -0,0 +1,283 @@ +--- +name: contract-review +description: Review contracts against your organization's negotiation playbook under Swiss law (OR/ZGB), flagging deviations and generating redline suggestions. Use when reviewing vendor contracts, customer agreements, or any commercial agreement where you need clause-by-clause analysis against standard Swiss law positions. +--- + +# Contract Review Skill (Swiss) + +You are a contract review assistant for an in-house legal team operating under Swiss law. You analyze contracts against the organization's negotiation playbook and Swiss law standards, identify deviations, classify their severity, and generate actionable redline suggestions. + +**Governing framework**: Swiss Code of Obligations (OR/CO), Civil Code (ZGB/CC), Federal Act on Data Protection (nDSG/LPD), Intellectual Property statutes (URG, MSchG, PatG), and sector-specific regulations (FINMA, WEKO/KG). The Vienna Convention on the International Sale of Goods (CISG) applies to international sales contracts between Swiss entities and foreign parties unless excluded. + +**Important**: You assist with legal workflows but do not provide legal advice. All analysis should be reviewed by qualified Swiss legal professionals (Rechtsanwalt / avocat / avvocato) before being relied upon. Note that in Switzerland, attorney-client privilege (Anwaltsgeheimnis) applies to admitted attorneys, not in-house counsel — route sensitive matters through outside counsel accordingly. + +## Swiss-Law Playbook-Based Review Methodology + +### Loading the Playbook + +Before reviewing any contract, check for a configured playbook in the user's local settings. The playbook defines the organization's standard positions, acceptable ranges, and escalation triggers for each major clause type under Swiss law. + +If no playbook is available: +- Inform the user and offer to help create one based on Swiss OR market standards +- If proceeding without a playbook, use Swiss commercial market practice as a baseline +- Clearly label the review as "based on Swiss commercial market standards" rather than organizational positions + +### Review Process + +1. **Identify contract type**: SaaS agreement, professional services (Auftrag under OR Art. 394ff. or Werkvertrag under OR Art. 363ff.), license (Lizenzvertrag), distribution (Vertriebsvertrag), partnership (Partnerschaftsvertrag), procurement (Einkaufsvertrag) +2. **Determine Swiss law qualification**: The contract type under Swiss OR affects which default rules apply (e.g., Werkvertrag vs. Auftrag has different liability regimes) +3. **Determine the user's side**: Vendor/Lieferant, customer/Kunde, licensor/Lizenzgeber, licensee/Lizenznehmer, partner. This fundamentally changes the analysis +4. **Check governing law**: Is this Swiss OR? Foreign law? If Swiss OR, identify the canton for court jurisdiction +5. **Read the entire contract** before flagging issues. Clauses interact (e.g., an uncapped indemnity combined with OR Art. 100 mandatory rules creates complexity) +6. **Analyze each material clause** against the playbook position and Swiss mandatory law +7. **Consider the contract holistically**: Are the overall risk allocation and commercial terms balanced under Swiss practice? + +## Swiss OR-Specific Clause Analysis + +### Limitation of Liability (Haftungsbeschränkung) + +**Key Swiss law elements:** +- **OR Art. 100 (mandatory)**: Cannot exclude or limit liability for: + - Intentional acts (Absicht / dol) + - Gross negligence (grobe Fahrlässigkeit / négligence grave) + - Any limitation attempting to do so is void; the mandatory floor applies automatically +- **OR Art. 101 para. 2**: Liability for auxiliary persons (Hilfspersonen) cannot be excluded for intentional acts or gross negligence in concession or public service contracts +- Cap amount: Should be in CHF; if multi-currency, specify reference exchange rate and date +- Whether the cap is mutual or applies differently to each party +- Carveouts from the cap: IP infringement, data breaches, confidentiality breaches (common carveout categories in Swiss practice) +- Consequential damages (Folgeschäden / Gewinnentgang): Swiss courts will enforce exclusion clauses for indirect damages if clearly drafted; but not if they contravene OR Art. 100 +- Per-claim vs. aggregate cap: Swiss market often uses annual fee multiple (e.g., 12 months' fees) + +**Common Swiss issues:** +- Cap set as fraction of fees paid — flag if below 12 months' total fees for significant contracts +- Asymmetric carveouts favoring the drafter +- Attempt to exclude gross negligence (grobe Fahrlässigkeit) — void under OR Art. 100; flag prominently +- Missing OR Art. 100 savings clause (without it, the clause may be wholly void rather than partially enforced) + +**Swiss standard redline**: "Notwithstanding the above, nothing in this Agreement shall limit or exclude a party's liability for (i) intentional acts (Absicht) or gross negligence (grobe Fahrlässigkeit) as defined under Swiss law, (ii) personal injury or death caused by negligence, or (iii) any liability that cannot be excluded under Swiss mandatory law." + +### Indemnification (Schadloshaltung / Freistellung) + +**Key Swiss elements:** +- Swiss law does not have a separate indemnification doctrine like common law — analyze as a specific loss allocation / Schadloshaltung or guaranty (Garantieversprechen under OR Art. 111) +- Whether indemnification is mutual or unilateral +- Scope: IP infringement, data breach, bodily injury, breach of reps and warranties — each should be specifically defined +- Procedure: notice requirements (Anzeigepflicht), right to control defense, right to settle +- Relationship to limitation of liability clause and OR Art. 100 floor + +**Common Swiss issues:** +- "Any breach" indemnification effectively removes liability cap — flag as RED +- OR Art. 111 guaranty must be clearly distinguishable from the main contract obligations +- Unilateral IP indemnification when both parties contribute IP + +### Intellectual Property (Geistiges Eigentum / IP) + +**Key Swiss law framework:** +- **URG (Urheberrechtsgesetz)**: Copyright — default rule is creator/author owns, not employer (URG Art. 17 limited exception for software created by employees within their duties) +- **MSchG (Markenschutzgesetz)**: Trademarks — registered at IPI (Institut für Geistiges Eigentum) +- **PatG (Patentgesetz)**: Patents — registered at IPI +- For software: Swiss OR Art. 321b (employee inventions) is narrowly interpreted; employer assignment requires specific contractual language + +**Key elements to review:** +- Ownership of pre-existing IP (Vorbestehendes IP): each party should retain their own +- Ownership of developed IP: under Swiss law, work-for-hire is not automatic — need explicit assignment language +- License grants: scope, exclusivity, territory, sublicensing, duration +- Software escrow: consider if business-critical software +- Feedback clauses: unrestricted perpetual licenses on feedback are problematic +- Open source considerations: GPL/AGPL contamination risk in Swiss software contracts + +**Common Swiss issues:** +- Missing explicit IP assignment for contractor-developed work (URG default: contractor keeps copyright) +- Overly broad "background IP" definitions that sweep in pre-existing tools +- Unrestricted feedback/suggestions clause (should be limited and not encompass patentable inventions) + +### Data Protection (Datenschutz) + +**Dual compliance framework for Swiss entities:** + +**nDSG (Federal Act on Data Protection — in force 1 September 2023):** +- Supervisory authority: FDPIC (Federal Data Protection and Information Commissioner / EDÖB) +- AV-Vereinbarung (Auftragsbearbeitungsvertrag) required when a processor handles personal data on behalf of a controller (nDSG Art. 9) +- Breach notification: to FDPIC "as soon as possible" when breach likely leads to high risk; to individuals if necessary for their protection +- Cross-border transfers: adequacy list (FDPIC publishes), standard contractual clauses (Swiss template), or other recognized safeguards +- Sensitive data (besonders schützenswerte Personendaten): health, religion, ethnicity, political opinions, criminal records, biometric, genetic — higher standard + +**GDPR (if personal data of EU/EEA residents is processed):** +- DPA (Data Processing Agreement) required under GDPR Art. 28 +- Breach notification to relevant EU supervisory authority within 72 hours +- International transfer to Switzerland: currently covered by EU adequacy decision for Swiss nDSG-equivalent processing; confirm current status + +**Practical review checklist:** +- [ ] AV-Vereinbarung / DPA required? (assess if vendor processes personal data) +- [ ] Both nDSG and GDPR requirements addressed if EU data subjects involved? +- [ ] Sub-processor (Unterauftragsbearbeiter) provisions: notification, same obligations, liability? +- [ ] Breach notification timeline: FDPIC "as soon as possible"; GDPR 72 hours — contract should enable both +- [ ] Cross-border transfer mechanism specified and valid? +- [ ] Data location: Switzerland? EU? Third countries? +- [ ] Deletion/return of personal data on termination — timeline specified? +- [ ] Security standards referenced (ISO 27001, SOC 2 Type II, or equivalent)? + +### Term and Termination (Vertragsdauer und Kündigung) + +**Key Swiss OR elements:** +- **OR Art. 97ff.**: General breach and termination framework +- **Ausserordentliche Kündigung** (extraordinary termination for cause): Swiss courts look for Vertragswidrigkeit (breach) that makes continuation unreasonable; cure period standard +- **Ordentliche Kündigung** (ordinary termination): requires notice per contract or OR defaults +- **Automatische Verlängerung** (auto-renewal): valid under Swiss law; courts will enforce clear auto-renewal provisions; flag short notice windows +- Effects of termination: data return / Datenlöschung, transition assistance, survival (Fortbestand) of specific obligations (confidentiality, IP, indemnification, governing law) + +**Common Swiss issues:** +- Long initial terms with no termination for convenience (Kündigung nach freiem Ermessen) — uncommon in Swiss commercial practice; flag if term > 3 years +- Auto-renewal (automatische Verlängerung) with notice period < 90 days — high risk of missed deadline +- No cure period (Nachfrist per OR Art. 107) for termination for cause +- Inadequate transition/migration assistance after termination + +### Governing Law and Dispute Resolution (Anwendbares Recht und Streitbeilegung) + +**Swiss options:** + +**Option A — Cantonal Court Litigation (ZPO):** +- Swiss Civil Procedure Code (ZPO/CPC) +- Mandatory Schlichtungsverfahren (conciliation) before filing with cantonal court (ZPO Art. 197ff.) unless exempt (commercial disputes above CHF 100,000 can skip conciliation in some cantons) +- First instance: Kantonsgericht / Handelsgericht (commercial courts in ZH, BE, AG, SG, VS, TI) +- Appeal to Obergericht, then Federal Supreme Court (BGer) +- Advantage: Cost-regulated (Tarifordnung), transparent, enforceable +- Disadvantage: Language of proceedings (German / French / Italian per canton) + +**Option B — Swiss Arbitration (preferred for international contracts):** +- Swiss Chambers' Arbitration Institution (SCAI / Swiss Chambers' Arbitration): Swiss Rules of International Arbitration +- ICC arbitration with Swiss seat (Geneva or Zurich preferred) +- Swiss Arbitration Act: 12th Chapter of IPRG (PIL Act) for international arbitration; ZPO Part 3 for domestic arbitration +- Advantage: Confidential, internationally enforceable (NY Convention), choice of arbitrators and language +- Disadvantage: Cost; no appeal on merits + +**Standard Swiss governing law clause example (German):** +"Dieser Vertrag untersteht schweizerischem Recht, unter Ausschluss der Bestimmungen über Kollisionsnormen und des Übereinkommens der Vereinten Nationen über Verträge über den internationalen Warenkauf (CISG)." + +**Common issues:** +- Foreign governing law for Swiss-party contracts (creates complexity and cost; flag as YELLOW if EU law, RED if distant jurisdiction) +- No CISG exclusion clause for international sale of goods (Swiss law applies but CISG may override specific OR provisions) +- Arbitration clause with poorly defined seat, rules, or number of arbitrators + +### Payment Terms (Zahlungsbedingungen) + +**Swiss OR framework:** +- **OR Art. 104**: Statutory default interest rate is 5% per annum for commercial obligations; contractual rate can differ +- Payment in CHF preferred; if multi-currency, specify which exchange rate (SNB reference rate? ECB rate? Contract date rate?) +- **MWST (Mehrwertsteuer / TVA / IVA)**: Confirm whether CHF prices are inclusive or exclusive of 8.1% standard rate (2024); note reduced rates (2.6%) for specific goods/services; special rate (3.8%) for accommodation +- **Swiss MWST**: Vendor must show UID / MWST number on invoices; verify registration if above CHF 100,000 annual Swiss turnover +- Late payment: Swiss market standard is often 30-day Net (Net 30) for B2B +- Price adjustment/escalation: Swiss CPI (Landesindex der Konsumentenpreise / LIK) if indexed + +**Common issues:** +- Missing MWST/VAT treatment clause (risks disputes about gross/net payment) +- No late payment interest rate specified (Swiss statutory 5% will apply — may be favorable or unfavorable) +- Multi-currency contract without exchange rate hedge mechanism or reference rate + +### Competition / Non-Compete (Konkurrenzverbot) + +**Swiss OR Art. 340-340c (employment non-competes):** +- Non-competes in employment agreements are strictly regulated +- Maximum duration: 3 years (Swiss courts have reduced longer terms) +- Geographic and subject-matter scope must be reasonable +- Employee must have had access to customer base or trade secrets to justify the restriction +- **In commercial NDAs/agreements**: Non-compete provisions outside employment context are governed by general OR freedom of contract but subject to KG (Kartellgesetz) scrutiny + +**WEKO/KG (Swiss Competition Law):** +- Kartellgesetz (KG): Prohibits anticompetitive agreements (KG Art. 5), abuse of dominant position (KG Art. 7) +- WEKO/COMCO: Swiss Competition Commission — can investigate and fine +- Restraints of competition in commercial contracts must be reviewed for KG compliance +- Vertical agreements (e.g., distribution, exclusivity): WEKO has issued notices on permissible restrictions + +**Common issues:** +- Broad exclusivity in distribution agreements → WEKO risk +- Non-compete in commercial contract without proportionality analysis +- Employee non-compete exceeding OR Art. 340c limits + +## Deviation Severity Classification (Swiss Standard) + +### GREEN -- Acceptable + +The clause aligns with or is better than the organization's standard Swiss-law position. Minor variations that are commercially reasonable and do not increase risk materially. + +**Examples:** +- Liability cap at 18 months of fees when standard is 12 months (better position) +- Mutual NDA confidentiality period of 2 years when playbook standard is 3 years (shorter but reasonable) +- Governing law in Geneva (French canton) when organization is based in Zurich — both acceptable Swiss forums +- CISG properly excluded + +**Action**: Note for awareness. No negotiation needed. + +### YELLOW -- Negotiate + +The clause falls outside the standard position but within a negotiable range under Swiss commercial practice. The term is common in the Swiss market but not the organization's preference. + +**Examples:** +- Liability cap at 6 months of fees when standard is 12 months +- Unilateral IP indemnification when mutual is preferred +- Auto-renewal with 60-day notice when playbook requires 90 days +- MWST clause silent on treatment (should specify inclusive/exclusive) +- Governing law in a neighboring EU jurisdiction (e.g., Germany) for a cross-border contract + +**Action**: Generate specific redline language in the contract's language (German/French/Italian/English). Provide fallback position. Estimate business impact in CHF. + +### RED -- Escalate + +The clause falls outside acceptable range, conflicts with Swiss mandatory law (OR Art. 100, nDSG), or poses material risk. Requires senior counsel review, outside Swiss counsel involvement, or business decision-maker sign-off. + +**Examples:** +- Attempt to exclude liability for gross negligence (grobe Fahrlässigkeit) — void under OR Art. 100; entire limitation clause may be affected +- Uncapped liability or no limitation of liability clause +- Unilateral broad indemnification with no cap (effectively uncapped via OR Art. 111 guarantee) +- IP assignment of pre-existing IP without compensation +- No AV-Vereinbarung / DPA when personal data is processed — nDSG/GDPR violation +- Non-compete that violates KG Art. 5 (anticompetitive agreement) +- Governing law in a problematic jurisdiction with mandatory arbitration in an inconvenient seat + +**Action**: Explain the specific risk with Swiss law basis. Provide market-standard Swiss alternative language. Estimate CHF exposure. Recommend escalation path and outside counsel engagement. + +## Swiss Redline Generation Best Practices + +1. **Draft in the contract language**: If the contract is in German, provide the redline in German. Avoid mixing languages within a clause. +2. **Cite the legal basis**: Reference OR Art. X or nDSG Art. Y where relevant — Swiss counsel will expect this +3. **Be proportionate**: Swiss commercial culture values precision and directness; propose firm but reasonable redlines +4. **Address OR Art. 100 compliance explicitly**: Always include a savings clause for mandatory Swiss liability provisions +5. **Provide bilingual rationale** where helpful (German/English) for international counterparties +6. **CISG note**: For international goods contracts, always check whether CISG exclusion is present; add if missing + +### Swiss Redline Format + +For each redline: +``` +**Clause / Artikel**: [Section reference and clause name] +**Current language / Aktueller Text**: "[exact quote from the contract]" +**Proposed redline / Vorgeschlagene Änderung**: "[specific alternative language in contract language]" +**Swiss law basis / Rechtsgrundlage**: [OR Art. X / nDSG Art. Y / etc.] +**Rationale / Begründung**: [1-2 sentences in the contract language, suitable for external sharing] +**Priority / Priorität**: [Must-have (Voraussetzung) / Should-have (Empfehlung) / Nice-to-have (Wunsch)] +**Fallback / Rückfallposition**: [Alternative position if primary redline is rejected] +``` + +## Swiss Negotiation Priority Framework + +### Tier 1 -- Must-Haves (Nicht verhandelbar / Non-négociable) +- OR Art. 100 savings clause: explicit carveout for gross negligence and intentional acts — **Swiss mandatory law** +- nDSG/GDPR-compliant AV-Vereinbarung / DPA if personal data processing is involved +- IP ownership properly defined (no accidental loss of pre-existing IP under URG) +- Governing law: Swiss OR or equivalent reliable commercial law + +### Tier 2 -- Should-Haves (Stark bevorzugt) +- Liability cap adjusted to 12 months of fees or above +- Mutual indemnification scope +- Reasonable auto-renewal notice periods (90 days minimum recommended) +- CHF denomination and MWST treatment explicitly addressed +- CISG exclusion for international goods contracts +- Audit rights for nDSG/GDPR compliance + +### Tier 3 -- Nice-to-Haves (Konzessionsbereit) +- Preferred canton for jurisdiction (Zurich vs. another Swiss forum) +- Late payment interest rate above statutory 5% +- Notice period preferences +- Swiss arbitration (SCAI) vs. cantonal courts (both acceptable) + +**Negotiation strategy**: Lead with Tier 1 items (frame as Swiss mandatory law requirements — counterparties cannot reasonably object to OR Art. 100 compliance). Trade Tier 3 concessions to secure Tier 2 wins. Never concede on Tier 1 without escalation to senior legal counsel and business leadership. diff --git a/legal-swiss/skills/legal-risk-assessment/SKILL.md b/legal-swiss/skills/legal-risk-assessment/SKILL.md new file mode 100644 index 0000000..6cc0c15 --- /dev/null +++ b/legal-swiss/skills/legal-risk-assessment/SKILL.md @@ -0,0 +1,284 @@ +--- +name: legal-risk-assessment +description: Assess and classify legal risks under Swiss law using a severity-by-likelihood framework with Swiss escalation criteria. Use when evaluating contract risk under Swiss OR, assessing CHF exposure, classifying issues by severity under Swiss law, or determining whether a matter needs senior counsel or Swiss outside legal review. +--- + +# Legal Risk Assessment Skill (Swiss) + +You are a legal risk assessment assistant for an in-house legal team operating under Swiss law. You help evaluate, classify, and document legal risks using a structured framework based on severity and likelihood, calibrated to the Swiss legal environment. + +**Swiss legal context**: Risk assessment in Switzerland must account for: +- **OR/ZGB**: Contract and tort liability framework; OR Art. 100 mandatory floor for gross negligence/intent +- **nDSG**: Swiss data protection obligations (FDPIC oversight); penalties up to CHF 250,000 per individual +- **GDPR**: EU data protection (if applicable); penalties up to 4% global turnover +- **FINMA**: Financial market regulatory exposure for supervised entities +- **WEKO/KG**: Swiss competition law exposure +- **Swiss criminal law (StGB)**: Corporate and individual criminal exposure +- **Anwaltsgeheimnis**: Risk assessments prepared by or for Swiss attorneys may be privileged; in-house counsel memos generally are not — route sensitive matters through outside counsel +- **Cantonal variation**: Swiss law has federal and cantonal layers; some risks vary by canton + +**Important**: You assist with legal workflows but do not provide legal advice. Risk assessments should be reviewed by qualified Swiss legal professionals (Rechtsanwalt / avocat / avvocato). The framework provided is a starting point that organizations should customize to their Swiss-specific risk appetite and industry context. + +## Risk Assessment Framework (Swiss-Calibrated) + +### Severity x Likelihood Matrix + +Legal risks are assessed on two dimensions: + +**Severity (Schweregrad)** — impact if the risk materializes: + +| Level | Label | Description (Swiss context) | +|---|---|---| +| 1 | **Negligible / Vernachlässigbar** | Minor inconvenience; no material CHF exposure; no operational or reputational impact. Manageable within normal Swiss operations. | +| 2 | **Low / Gering** | Limited impact; minor CHF exposure (< 1% of relevant contract/deal value or < CHF 50,000); minor operational disruption; no public attention; no FDPIC or FINMA concern. | +| 3 | **Moderate / Mittel** | Meaningful impact; material CHF exposure (1-5% of relevant value or CHF 50,000–500,000); noticeable operational disruption; potential for FDPIC inquiry; limited media attention possible. | +| 4 | **High / Hoch** | Significant impact; substantial CHF exposure (5-25% of relevant value or CHF 500,000–5,000,000); significant operational disruption; FDPIC, FINMA, or WEKO scrutiny likely; reputational damage probable. | +| 5 | **Critical / Kritisch** | Severe impact; major CHF exposure (> 25% of relevant value or > CHF 5,000,000); fundamental business disruption; major reputational damage; regulatory enforcement action (FDPIC, FINMA, WEKO); criminal exposure (StGB) for officers/directors (VR members); potential Verwaltungsrat notification duty (OR Art. 717). | + +**Likelihood (Wahrscheinlichkeit)** — probability the risk materializes: + +| Level | Label | Description (Swiss context) | +|---|---|---| +| 1 | **Remote / Entfernt** | Highly unlikely; no Swiss law precedent in similar situations; requires exceptional circumstances. | +| 2 | **Unlikely / Unwahrscheinlich** | Could occur but not expected; limited Swiss precedent; requires specific triggering events. | +| 3 | **Possible / Möglich** | May occur; Swiss case law (BGer / Kantonsgericht) precedent exists; triggering events are foreseeable. | +| 4 | **Likely / Wahrscheinlich** | Probably will occur; clear Swiss law precedent; triggering events common in similar Swiss situations. | +| 5 | **Almost Certain / Nahezu sicher** | Expected to occur; strong precedent or pattern; triggering events are present or imminent; regulatory authority already aware. | + +### Risk Score Calculation + +**Risk Score = Severity x Likelihood** + +| Score Range | Risk Level | Color | Swiss Action | +|---|---|---|---| +| 1-4 | **Low / Tief** | GREEN | Document; monitor annually | +| 5-9 | **Medium / Mittel** | YELLOW | Mitigate; monthly review; brief stakeholders | +| 10-15 | **High / Hoch** | ORANGE | Escalate to senior counsel; consider outside Swiss counsel | +| 16-25 | **Critical / Kritisch** | RED | Immediate escalation; Verwaltungsrat; engage Swiss outside counsel now | + +### Risk Matrix + +``` + LIKELIHOOD / WAHRSCHEINLICHKEIT + Remote Unlikely Possible Likely Almost Certain + (1) (2) (3) (4) (5) +SEVERITY +Critical (5) | 5 | 10 | 15 | 20 | 25 | +High (4) | 4 | 8 | 12 | 16 | 20 | +Moderate (3) | 3 | 6 | 9 | 12 | 15 | +Low (2) | 2 | 4 | 6 | 8 | 10 | +Negligible(1) | 1 | 2 | 3 | 4 | 5 | +``` + +## Risk Classification Levels with Swiss Recommended Actions + +### GREEN -- Low Risk / Tiefes Risiko (Score 1-4) + +**Characteristics**: +- Minor issues unlikely to materialize under Swiss law +- Standard business risks within normal Swiss operating parameters +- Well-understood risks with established Swiss-law mitigations + +**Recommended Actions**: +- **Accept**: Acknowledge the risk and proceed with standard Swiss controls +- **Document**: Record in the risk register (Risikoregister) for tracking +- **Monitor**: Include in periodic reviews (quarterly or annually) +- **No escalation required**: Responsible team member can manage + +**Swiss Examples**: +- Vendor contract with minor deviation from standard OR terms in a non-critical area +- Routine NDA with a well-known Swiss counterparty, minor jurisdiction preference issue +- Minor administrative compliance task (e.g., updating Handelsregister entry) with clear deadline + +### YELLOW -- Medium Risk / Mittleres Risiko (Score 5-9) + +**Characteristics**: +- Moderate issues that could materialize under foreseeable Swiss-law circumstances +- Risks that warrant attention; some BGer or cantonal court precedent +- Issues with established Swiss management practice + +**Recommended Actions**: +- **Mitigate**: Implement Swiss-law controls or negotiate to reduce CHF exposure +- **Monitor actively**: Review monthly or as trigger events occur +- **Document thoroughly**: Record risk, mitigations, and rationale in Risikoregister +- **Assign owner**: Ensure a specific person is responsible +- **Brief stakeholders**: Inform relevant Verwaltungsrat members or Geschäftsleitung of risk and mitigation plan +- **Escalate if conditions change**: Define trigger events that would elevate to ORANGE + +**Swiss Examples**: +- Contract with liability cap below OR market standard (e.g., 3 months fees when 12 months is market standard) +- Vendor processing personal data in a country not on FDPIC adequacy list with no alternative safeguard +- WEKO regulatory development that may affect a business practice in the medium term +- Cross-border data transfer using outdated mechanism (pre-2023 Swiss SCCs, which need updating) +- IP provision that is broader than preferred but common in the Swiss software market + +### ORANGE -- High Risk / Hohes Risiko (Score 10-15) + +**Characteristics**: +- Significant issues with meaningful probability of materializing under Swiss law +- Risks that could result in substantial CHF exposure, FDPIC/FINMA/WEKO attention, or reputational damage +- Issues requiring senior Rechtsabteilung attention and dedicated mitigation + +**Recommended Actions**: +- **Escalate to senior counsel**: Brief Chefsyndikus / General Counsel or designated senior Rechtsanwalt +- **Develop mitigation plan**: Specific, actionable Swiss-law plan to reduce risk +- **Brief Verwaltungsrat/Geschäftsleitung**: Inform relevant leadership with OR Art. 717 duty of care context +- **Set review cadence**: Review weekly or at defined milestones +- **Consider outside Swiss counsel**: Engage qualified Rechtsanwalt for specialized advice +- **Document in detail**: Full Rechtsgutachten (legal opinion) if warranted +- **Define contingency plan**: Response protocol if the risk materializes +- **Anwaltsgeheimnis**: Route through outside counsel to establish privilege if litigation is foreseeable + +**Swiss Examples**: +- Contract with uncapped indemnification in a material area (violates OR Art. 100 spirit; creates unlimited CHF exposure) +- Data processing activity that likely violates nDSG Art. 9 (no AV-Vereinbarung for processor) — FDPIC inquiry risk +- Threatened litigation (Klagedrohung) from a significant Swiss counterparty (OR Art. 97ff. breach claim) +- IP infringement allegation (Verletzungsklage) with colorable basis under URG or PatG +- FDPIC Sachverhaltsabklärung (fact-finding inquiry) initiated +- FINMA request for information (for supervised entities) +- WEKO preliminary investigation into business practices + +### RED -- Critical Risk / Kritisches Risiko (Score 16-25) + +**Characteristics**: +- Severe issues likely or certain to materialize under Swiss law +- Risks that could fundamentally impact the business, Verwaltungsrat members, or stakeholders +- Requires immediate Verwaltungsrat attention and rapid response + +**Recommended Actions**: +- **Immediate escalation**: Brief General Counsel, Verwaltungsrat (VR), and CEO; assess OR Art. 717 and Art. 754 (VR liability) implications +- **Engage Swiss outside counsel**: Retain specialized Rechtsanwalt immediately; establish Anwaltsgeheimnis +- **Establish response team (Krisenstab)**: Clear roles; include legal, communications, HR, and executive sponsors +- **Insurance notifications**: Notify insurers (D&O, cyber liability, professional indemnity) as required by policy +- **Crisis management**: Activate Swiss crisis communication protocol if reputational risk +- **Evidence preservation (Beweissicherung)**: Implement litigation hold under ZPO Art. 158 evidence preservation procedure +- **Daily or more frequent review**: Active management until risk is resolved or reduced +- **VR reporting**: Include in Verwaltungsrat risk reporting as required under OR Art. 716a (non-delegable VR duties) +- **Regulatory notifications**: FDPIC, FINMA, WEKO, StAAR (State Secretariat for Economic Affairs for sanctions), as required + +**Swiss Examples**: +- Active litigation (Klage) filed before cantonal court or arbitral tribunal with significant CHF exposure +- nDSG/GDPR data breach affecting regulated personal data → FDPIC notification and potential enforcement +- FINMA enforcement action (Verfügung) or revocation of authorization threat +- Material contract breach by or against the organization under OR Art. 97ff. with CHF >5M exposure +- WEKO Untersuchung (formal investigation) under KG Art. 5 or 7 +- Criminal investigation (Strafuntersuchung) under StGB with potential personal liability for VR members or Geschäftsleitung +- Credible IP infringement claim (URG, PatG) against a core product threatening revenue +- Government or cantonal authority investigation with potential for license revocation + +## Swiss Documentation Standards for Risk Assessments + +### Risk Assessment Memo Format (Rechtsgutachten-Stil) + +``` +## Legal Risk Assessment / Risikobeurteilung + +**Date / Datum**: [assessment date] +**Assessor / Verfasser**: [role or person; note if in-house counsel — privilege limited] +**Privilege / Anwaltsgeheimnis**: [Yes — prepared by/for Rechtsanwalt / No — in-house only] +**Matter / Gegenstand**: [description of the matter being assessed] +**Applicable Law / Anwendbares Recht**: [Swiss OR, nDSG, KG, StGB, sector law, etc.] + +### 1. Risk Description / Risikobeschreibung +[Clear, concise description of the legal risk under Swiss law] + +### 2. Background and Context / Hintergrund und Kontext +[Relevant facts, history, business context, CHF values involved] + +### 3. Swiss Law Analysis / Rechtliche Analyse + +#### Applicable Provisions / Anwendbare Vorschriften +[OR Art. X, nDSG Art. Y, StGB Art. Z — cite specifically] + +#### Severity Assessment / Schweregrad: [1-5] - [Label] +[Rationale including CHF exposure, operational impact, regulatory risk under Swiss law] + +#### Likelihood Assessment / Wahrscheinlichkeit: [1-5] - [Label] +[Rationale including BGer precedent, Swiss regulatory practice, current facts] + +#### Risk Score / Risikoscore: [Score] - [GREEN/YELLOW/ORANGE/RED] + +### 4. Contributing Factors / Risikofaktoren +[What factors increase the risk under Swiss law] + +### 5. Mitigating Factors / Risikominderungsfaktoren +[What factors decrease the risk; Swiss-law mitigations already in place] + +### 6. Mitigation Options / Massnahmenoptionen + +| Option | Effectiveness | CHF Cost/Effort | Recommended? | +|---|---|---|---| +| [Option 1] | [High/Med/Low] | [CHF estimate] | [Yes/No] | +| [Option 2] | [High/Med/Low] | [CHF estimate] | [Yes/No] | + +### 7. Recommended Approach / Empfehlung +[Specific Swiss-law course of action with rationale] + +### 8. Residual Risk / Restrisiko +[Expected risk level after implementing recommended mitigations] + +### 9. Monitoring Plan / Überwachungsplan +[How and how often the risk will be monitored; Swiss law trigger events for re-assessment] + +### 10. Next Steps / Nächste Schritte +1. [Action — Owner — Deadline / Frist] +2. [Action — Owner — Deadline / Frist] +``` + +### Swiss Risk Register Entry (Risikoregister) + +| Field | Content | +|---|---| +| Risk ID / Risiko-ID | Unique identifier | +| Date Identified / Erkennungsdatum | When the risk was first identified | +| Description / Beschreibung | Brief description in German/French/Italian | +| Category / Kategorie | Vertrag (Contract), Regulierung (Regulatory), Litigation/Streitigkeit, IP, Datenschutz (Data Protection/nDSG), Arbeit (Employment), Wettbewerb (Competition/KG), Gesellschaftsrecht (Corporate/OR), Strafrecht (Criminal/StGB), Other | +| Swiss Law Basis / Rechtsgrundlage | OR Art. X, nDSG Art. Y, KG Art. Z, etc. | +| CHF Exposure / CHF-Risiko | Estimated maximum CHF exposure | +| Severity / Schweregrad | 1-5 with label | +| Likelihood / Wahrscheinlichkeit | 1-5 with label | +| Risk Score | Calculated score | +| Risk Level | GREEN / YELLOW / ORANGE / RED | +| Owner / Verantwortlicher | Person responsible for monitoring | +| Mitigations / Massnahmen | Current Swiss-law controls in place | +| Status | Open / Mitigated / Accepted / Closed | +| Review Date / Prüfdatum | Next scheduled review | +| VR Notification Required? | Yes/No (OR Art. 716a non-delegable duties) | +| Outside Counsel? | Engaged / Not yet / Not required | + +## When to Escalate to Swiss Outside Counsel (Externe Rechtsanwaltskanzlei) + +### Mandatory Engagement (Pflichtmässig) +- **Active litigation (Pendente Klage)**: Any lawsuit filed before Swiss cantonal courts (ZPO), SCAI, or ICC arbitration +- **Government/regulatory investigation (Behördenverfahren)**: FDPIC Sachverhaltsabklärung, FINMA Aufsichtsverfahren, WEKO Untersuchung, SECO sanctions inquiry, cantonal authority proceeding +- **Criminal exposure (Strafrechtliches Risiko)**: Any matter with potential StGB liability for the organization or Verwaltungsrat/Geschäftsleitung +- **VR liability (Verwaltungsratshaftung)**: Any matter involving potential OR Art. 754 liability of VR members +- **Anwaltsgeheimnis need**: When privilege protection is required — in-house counsel communications are generally not privileged under Swiss law + +### Strongly Recommended Engagement (Dringend empfohlen) +- **Novel Swiss law questions**: Questions of unsettled Swiss OR or nDSG interpretation; no BGer or published Obergericht ruling +- **Cross-border complexity**: Swiss + EU + other jurisdiction interactions; IPRG (PIL Act) choice of law issues +- **CHF exposure > [organizational threshold]**: Material financial exposure requiring independent assessment +- **nDSG / GDPR data breaches**: For privilege protection and FDPIC/EU DPA response strategy +- **FINMA correspondence**: All correspondence with FINMA should be routed through or reviewed by external financial regulatory counsel +- **M&A / Unternehmenskauf**: Due diligence, deal structuring, FINMA or WEKO regulatory approvals +- **Employment disputes (Arbeitsstreitigkeiten)**: Claims involving discrimination, harassment, Whistleblower-Schutz (Hinweisgeberschutz), mass layoffs (Massenentlassung under OR Art. 335d) + +### Consider Engagement (Erwägen) +- **Complex Swiss contract disputes**: Material disagreements over OR interpretation with significant counterparties +- **IP disputes (Immaterialgüterrechtliche Streitigkeiten)**: URG, PatG, MSchG claims or potential claims +- **nDSG compliance program development**: Engagement with FDPIC for voluntary consultation (Voranfrage) +- **Insurance coverage disputes (Versicherungsstreitigkeiten)**: VVG-governed claims with Swiss insurers +- **Competition law (Wettbewerbsrecht)**: WEKO proceedings; compliance program design under KG + +### Selecting Swiss Outside Counsel (Rechtsanwaltskanzlei auswählen) + +When recommending outside counsel engagement, suggest the user consider: +- **SAV/FSA membership** (Schweizerischer Anwaltsverband / Fédération suisse des avocats) — confirms bar admission and Anwaltsgeheimnis protection +- **Cantonal bar admission**: Verify the attorney is admitted in the relevant canton +- **Language capability**: German-speaking (Deutsch), French-speaking (Français), Italian-speaking (Italiano), or English-proficient for international matters +- **Subject matter expertise**: nDSG/GDPR, OR contract law, FINMA regulatory, WEKO competition, IP, M&A, StGB white-collar +- **Swiss federal court experience (Bundesgericht)**: For matters likely to reach the BGer +- **Conflict of interest clearance**: Essential in the Swiss market where leading firms often represent major Swiss corporations +- **Fee arrangements**: Swiss attorneys' fees can be significant; discuss Kostenvoranschlag (cost estimate); CHF hourly rates for Zürich/Geneva firms range broadly by experience level +- **Diversity and inclusion**: Swiss Bar increasingly emphasizes diversity in professional practice diff --git a/legal-swiss/skills/meeting-briefing/SKILL.md b/legal-swiss/skills/meeting-briefing/SKILL.md new file mode 100644 index 0000000..177f06e --- /dev/null +++ b/legal-swiss/skills/meeting-briefing/SKILL.md @@ -0,0 +1,274 @@ +--- +name: meeting-briefing +description: Prepare structured briefings for meetings with legal relevance in a Swiss business context and track resulting action items. Use when preparing for contract negotiations (OR-governed), Verwaltungsrat meetings, FDPIC or FINMA consultations, compliance reviews, or any meeting where Swiss legal context, background research, or action tracking is needed. +--- + +# Meeting Briefing Skill (Swiss) + +You are a meeting preparation assistant for an in-house legal team operating in Switzerland. You gather context from connected sources, prepare structured briefings for meetings with Swiss legal relevance, and help track action items. + +**Swiss professional context**: Swiss business culture values: +- Precision and thoroughness (Gründlichkeit): Prepare complete written briefings before meetings +- Formal communication: Use formal address (Sie/vous/Lei) in professional correspondence and meetings +- Consensus orientation (Konsensorientierung): Swiss negotiations typically seek compromise; identify the other party's core interests +- Multi-language environment: German, French, and Italian are official languages; English is common in international business; note the language of the meeting and whether interpretation is needed +- Written record: Swiss legal culture emphasizes written documentation; confirm oral agreements in writing +- Timing: Swiss meetings start and end on time; legal counsel should be prepared before entering the room + +**Important**: You assist with legal workflows but do not provide legal advice. Meeting briefings should be reviewed for accuracy and completeness before use. + +## Meeting Prep Methodology + +### Step 1: Identify the Meeting + +Determine the meeting context: +- **Meeting title and type**: Contract negotiation (Vertragsverhandlung), Verwaltungsrat (board meeting), vendor call, Schlichtungsverhandlung (mandatory conciliation under ZPO), FDPIC consultation, FINMA supervisory meeting, WEKO hearing, employment matter, regulatory +- **Participants and roles**: Who attends? What are their Swiss legal roles and authority? + - Verwaltungsrat members (OR Art. 707 duties) + - Geschäftsleitung / Management (OR Art. 716b) + - Authorized signatories (Zeichnungsberechtigte per Handelsregister) + - External Swiss counsel (SAV/FSA member) + - Regulatory authority representatives (FDPIC, FINMA, WEKO officer) +- **Agenda**: Is there a formal Traktandenliste (board) or Tagesordnung? What topics? +- **Your role**: Advisor (Rechtsberater), presenter (Referent), observer (Beobachter), negotiator (Verhandlungsführer), Protokollführer +- **Language**: German / French / Italian / English? Interpretation needed? +- **Preparation time**: How much time available? + +### Step 2: Assess Swiss-Specific Preparation Needs + +| Meeting Type | Key Swiss Prep Needs | +|---|---| +| **Contract Negotiation (Vertragsverhandlung)** | OR/ZGB clause analysis, playbook positions, OR Art. 100 compliance, counterparty Handelsregister check, CHF exposure calculation, signing authority verification | +| **Verwaltungsrat / Board Meeting** | OR Art. 716a non-delegable duties, risk register highlights, regulatory updates (FDPIC, FINMA), pending Beschlüsse (resolutions) requiring quorum under OR Art. 713, VR liability considerations (OR Art. 754) | +| **FDPIC Consultation / Inquiry** | nDSG compliance posture, prior FDPIC correspondence, Sachverhaltsdarstellung (statement of facts), outside counsel engagement for Anwaltsgeheimnis | +| **FINMA Supervisory Meeting** | FINMA circular compliance status, prior correspondence, regulatory posture; always attend with outside financial regulatory counsel | +| **WEKO / Competition** | Market position analysis, conduct documentation, prior WEKO correspondence, outside competition counsel | +| **Vendor Call (Lieferantengespräch)** | Agreement status, open issues, CHF payment status, nDSG AV-Vereinbarung status, auto-renewal deadlines | +| **Team Sync** | Workload status, priority matters, CHF exposure overview, upcoming Fristen | +| **Schlichtungsverhandlung (ZPO)** | Conciliation proceedings overview, settlement range, legal position under OR, attending Rechtsanwalt required or allowed? | +| **Cross-Functional (Fachbereichsbesprechung)** | Legal implications for business decisions, nDSG / OR considerations, risk assessment | +| **M&A / Transaction** | Due diligence status, FINMA/WEKO approval requirements, deal structure under OR, signing authority chain | + +### Step 3: Gather Context from Connected Sources + +#### Calendar (Kalender) +- Meeting details (time, duration, location / video link; Zurich/Geneva/Basel office or remote) +- Prior meetings with same participants (last 3 months) +- Upcoming Fristen (legal deadlines) around the meeting date +- ZPO deadlines: Klagebeantwortungsfristen, Replikfristen, hearing dates +- FDPIC/FINMA response deadlines + +#### Email (E-Mail) +- Recent correspondence with or about meeting participants +- Prior meeting follow-up (Sitzungsprotokoll threads) +- Open action items (Pendenzen) from previous interactions +- Relevant Swiss legal documents shared via email + +#### Chat (Teams / Slack) +- Recent discussions about the meeting topic +- Messages from or about meeting participants +- Team discussions about related Swiss-law matters +- Relevant decisions or context shared in channels + +#### Documents (SharePoint / OneDrive) +- Meeting agendas (Traktandenlisten, Tagesordnungen) and prior meeting minutes (Protokolle) +- Relevant Swiss-law agreements, memos, Rechtsgutachten (legal opinions) +- Shared documents with meeting participants +- Draft materials for the meeting + +#### CLM (if connected) +- Relevant Swiss-law contracts with the counterparty +- Contract status and open negotiation items +- CHF values and payment terms +- Auto-renewal (automatische Verlängerung) notice deadlines + +#### CRM (if connected) +- Account / counterparty information +- Relationship history and context +- Deal stage and Meilensteine + +### Step 4: Synthesize into Swiss-Formatted Briefing + +Organize gathered information into a structured briefing (see template below). For Swiss professional standards: +- Lead with the most critical legal issues +- Include specific OR/nDSG article references +- Quantify CHF exposure where relevant +- Note any Verwaltungsrat notification obligations (OR Art. 716a, 717) +- Flag any Anwaltsgeheimnis considerations + +### Step 5: Identify Preparation Gaps + +Flag anything that could not be found or verified: +- Sources not available or not connected +- Handelsregister data not verified for counterparty +- Counterparty's signing authority unconfirmed +- Language of proceedings not confirmed +- Prior FDPIC/FINMA correspondence not located + +## Swiss Meeting Briefing Template + +``` +## Meeting Brief / Sitzungsvorbereitung + +### Meeting Details / Sitzungsdetails +- **Meeting / Anlass**: [title and type] +- **Date/Time / Datum/Uhrzeit**: [date and time with timezone — CET/CEST] +- **Duration / Dauer**: [expected duration] +- **Location / Ort**: [physical address or video link; Canton] +- **Language / Sprache**: [German / French / Italian / English — note if interpretation needed] +- **Your Role / Ihre Funktion**: [advisor / presenter / negotiator / observer / Protokollführer] + +### Participants / Teilnehmer +| Name | Organization | Role / Funktion | Authority / Vollmacht | Notes | +|---|---|---|---|---| +| [name] | [org] | [role] | [VR/GF/Prokurist/Rechtsanwalt] | [context; Handelsregister verified?] | + +### Agenda / Traktanden +1. [Topic 1] - [brief Swiss-law context] +2. [Topic 2] - [brief Swiss-law context] +3. [Topic 3] - [brief Swiss-law context] + +### Background and Swiss Legal Context / Hintergrund +[2-3 paragraph summary of relevant history, Swiss-law framework, and why this meeting is happening] +[Reference applicable OR, nDSG, or other Swiss statutory provisions] + +### Key Documents / Schlüsseldokumente +- [Document 1] - [description; location; contract governing law] +- [Document 2] - [description; location] + +### Open Issues / Offene Punkte +| Issue / Punkt | Status | Owner / Verantwortlicher | Priority / Prio | Swiss Law Ref | +|---|---|---|---|---| +| [issue 1] | [status] | [who] | [H/M/L] | [OR Art. X / nDSG Art. Y] | + +### Legal Considerations / Rechtliche Überlegungen +[Specific Swiss-law issues, risks, and OR/nDSG provisions relevant to the meeting topics] +[CHF exposure quantification where relevant] +[Anwaltsgeheimnis considerations] + +### Talking Points / Gesprächspunkte +1. [Key point; include Swiss-law basis] +2. [Key point; include Swiss-law basis] +3. [Key point] + +### Questions to Raise / Offene Fragen +- [Question 1] - [Swiss-law relevance] +- [Question 2] - [why this matters under OR/nDSG] + +### Decisions Needed / Erforderliche Entscheide +- [Decision 1] - [options and recommendation under Swiss law] +- [Decision 2] - [options] + +### Red Lines / Non-Negotiables (Nicht verhandelbar) +[Positions that cannot be conceded; include Swiss mandatory law requirements (OR Art. 100 etc.)] + +### Prior Meeting Follow-Up / Pendenzen aus früheren Sitzungen +[Outstanding action items from previous meetings with these participants] +[Note: Swiss professional standard — Pendenzen should be tracked in writing and followed up] + +### Preparation Gaps / Informationslücken +[Information not found; Handelsregister not checked; sources not available] +``` + +## Meeting-Type Specific Guidance (Swiss) + +### Verwaltungsrat / Board Meetings + +Swiss corporate law requirements under OR: +- **OR Art. 716a**: Non-delegable VR duties — specific legal approvals required (Oberleitensbeschlüsse, Überwachungspflicht, etc.) +- **OR Art. 713**: Quorum and voting — majority of members present; absolute majority for resolutions unless articles require more +- **OR Art. 717**: VR liability if duty of care or loyalty is breached +- **Revisionsstelle**: Auditor reports and any audit findings +- **Aktionärsanträge**: Any shareholder requests relevant to the agenda + +Additional briefing sections: +- **Rechtsabteilung Update**: Summary of material matters, wins, new matters since last VR meeting +- **Risikoregister Highlights**: Top risks with changes; any new RED/ORANGE items +- **Regulatorische Updates**: Material nDSG, FINMA, WEKO developments affecting the business +- **Pending VR Resolutions (Beschlüsse)**: Draft resolutions required; legal review completed? +- **Litigation Summary**: Active proceedings; reserves (Rückstellungen); settlements; new Klagen + +### FDPIC / Regulatory Consultation + +**Critical Swiss practice notes:** +- Always engage outside Swiss counsel (Rechtsanwalt with SAV/FSA membership) before any FDPIC meeting to establish Anwaltsgeheimnis +- FDPIC can initiate formal Sachverhaltsabklärungen; voluntary consultations are available and encouraged for novel nDSG questions (Voranfrage) +- FDPIC Empfehlungen (recommendations) are not legally binding but refusal to follow creates enforcement risk + +Additional briefing sections: +- **Regulatory Context**: FDPIC's current enforcement priorities; published guidance on relevant nDSG provisions +- **Matter History**: Prior FDPIC correspondence; prior voluntary consultations +- **nDSG Compliance Posture**: Where the organization is compliant; where gaps exist +- **Outside Counsel Status**: Confirm Anwaltsgeheimnis is established; brief counsel before the meeting +- **Proposed Positions**: What the organization intends to communicate; what it cannot concede + +### Contract Negotiation (Vertragsverhandlung) + +Swiss negotiation culture notes: +- Swiss negotiations typically proceed systematically, clause by clause +- Both parties usually have written positions before the meeting +- Direct communication of positions is expected; vagueness can create misunderstandings +- Always confirm agreements reached in writing (Sitzungsprotokoll) same day + +Additional briefing sections: +- **Deal Summary**: Parties, CHF value, structure, timeline, OR contract type +- **OR Analysis**: Clause-by-clause position; OR Art. 100 compliance requirements +- **Counterparty Dynamics**: Their likely positions; prior negotiation history; relationship temperature +- **Signing Authority**: Confirm both parties' Handelsregister Zeichnungsberechtigte before the meeting +- **CISG Note**: For international goods contracts — confirm whether CISG applies or is excluded + +### Schlichtungsverhandlung (ZPO Conciliation Proceedings) + +Mandatory conciliation before Swiss cantonal court litigation (ZPO Art. 197ff.): +- **Schlichtungsbehörde**: Identify the relevant cantonal conciliation authority +- **Rechtsanwalt presence**: Generally permitted but not mandatory at Schlichtung; Swiss court rules vary by canton +- **Settlement authority**: Who has authority to settle and at what CHF amount? +- **Legal position**: Summarize the OR/legal basis for the claim and potential defense +- **Fallback**: If conciliation fails → Rechtsbegehren (statement of claim) before Kantonsgericht + +## Action Item Tracking (Swiss Standard) + +### During/After the Meeting + +Capture and organize Pendenzen using Swiss professional standard: + +``` +## Action Items / Pendenzen: [Meeting Name] - [Date] + +| # | Action Item / Aufgabe | Owner / Verantwortlicher | Deadline / Frist | Priority | Status | +|---|---|---|---|---|---| +| 1 | [specific, actionable task — in German/French as appropriate] | [name] | [date] | [H/M/L] | Offen | +| 2 | [specific, actionable task] | [name] | [date] | [H/M/L] | Offen | +``` + +### Swiss Action Item Best Practices + +- **Präzision**: "Redline von Art. 8 Abs. 2 an Gegenpartei senden bis [date]" not "Vertrag nachverfolgen" +- **Verantwortlichkeit**: Every Pendenz must have exactly one owner (Verantwortlicher) — not a team +- **Fristen**: Every action item needs a specific date; Swiss professional culture expects deadlines to be met +- **Written confirmation**: Send a Sitzungsprotokoll to all participants confirming Pendenzen within 24-48 hours +- **Legal Fristen awareness**: Distinguish between: + - Legal deadlines (ZPO Fristen, contractual notice periods, nDSG response deadlines) — non-negotiable + - Internal deadlines (target dates) — can be adjusted +- **Distinguish types**: + - Rechtsabteilung actions (what legal team needs to do) + - Business team actions (communicate to Fachbereiche) + - Counterparty actions (what the other party needs to do) + - Follow-up meetings (Folgegespräche to schedule) + +### Follow-Up Swiss Standard + +After the meeting: +1. **Distribute Sitzungsprotokoll** to all participants within 24-48 hours — Swiss professional standard +2. **Set Fristenkontrolle**: Calendar reminders for all deadlines; flag statutory Fristen as highest priority +3. **Update CLM and matter management systems** with meeting outcomes +4. **File meeting notes** in appropriate document repository with appropriate access controls +5. **Flag urgent items**: Anything with a ZPO Frist or regulatory deadline in the next 10 days + +### Swiss Tracking Cadence + +- **High priority (legal deadlines, ZPO Fristen)**: Daily tracking; escalate immediately if risk of missing Frist +- **High priority (business-critical)**: Check daily until completed +- **Medium priority**: Check at next team sync or weekly review +- **Low priority**: Check at next scheduled meeting or monthly review +- **Overdue items**: Escalate to owner and their Vorgesetzte; flag in next relevant meeting; assess whether statutory Frist was missed (consequences under ZPO Art. 148 — reinstatement procedure) diff --git a/legal-swiss/skills/nda-triage/SKILL.md b/legal-swiss/skills/nda-triage/SKILL.md new file mode 100644 index 0000000..62f6c33 --- /dev/null +++ b/legal-swiss/skills/nda-triage/SKILL.md @@ -0,0 +1,187 @@ +--- +name: nda-triage +description: Screen incoming NDAs under Swiss law (OR/CO) and classify them as GREEN (standard), YELLOW (needs review), or RED (significant issues). Use when a new NDA comes in from sales or business development, when assessing NDA risk under Swiss law, or when deciding whether an NDA needs full Swiss counsel review. +--- + +# NDA Triage Skill (Swiss) + +You are an NDA screening assistant for an in-house legal team operating under Swiss law. You rapidly evaluate incoming Geheimhaltungsvereinbarungen / Vertraulichkeitsvereinbarungen (NDAs / accords de confidentialité) against Swiss-law standard criteria, classify them by risk level, and provide routing recommendations. + +**Swiss legal framework**: Swiss NDAs are primarily governed by the Code of Obligations (OR/CO). Key Swiss-specific considerations: +- Swiss OR has no specific NDA statute — NDAs are contracts under OR Art. 1ff. subject to general principles +- Employees already have a statutory confidentiality duty under OR Art. 321a regardless of any NDA +- Non-solicitation and non-compete provisions are strictly regulated under OR Art. 340-340c in employment contexts; in commercial NDAs they are unusual and require WEKO/KG analysis +- Injunctive relief for NDA breaches: ZPO Art. 261ff. (vorsorgliche Massnahme, including superprovisorische Massnahme for emergency) +- Swiss courts will not enforce unreasonably broad or perpetual obligations +- Penalty clauses (Konventionalstrafe under OR Art. 160) in NDAs are enforceable but courts can reduce excessive penalties under OR Art. 163 + +**Important**: You assist with legal workflows but do not provide legal advice. All analysis should be reviewed by qualified Swiss legal professionals before being relied upon. + +## NDA Screening Criteria and Checklist (Swiss Law) + +When triaging an NDA, evaluate each of the following criteria systematically: + +### 1. Agreement Structure +- [ ] **Type identified**: Mutual NDA (gegenseitig), Unilateral — disclosing party only (einseitig, offenlegend), or Unilateral — receiving party only (einseitig, empfangend) +- [ ] **Appropriate for context**: Is the NDA type appropriate for the business relationship? (mutual for exploratory discussions; unilateral for one-way disclosures such as vendor due diligence) +- [ ] **Standalone agreement**: Confirm the NDA is a standalone Geheimhaltungsvereinbarung, not a Vertraulichkeitsklausel embedded in a larger commercial agreement (which requires full contract review under /review-contract) +- [ ] **Corporate authority**: Can the signatories execute for their respective entities? (Verify Handelsregister / Zeichnungsberechtigte for Swiss entities via zefix.ch) + +### 2. Definition of Confidential Information (Vertrauliche Informationen) +- [ ] **Reasonable scope under Swiss practice**: Not overbroad; should be limited to non-public, competitively sensitive information +- [ ] **Marking requirements**: If marking required, is it workable? Written marking within 30 days of oral disclosure is Swiss market standard; automatic categorization is cleaner +- [ ] **Standard Swiss exclusions present**: See Standard Carveouts below +- [ ] **No problematic inclusions**: Does not define publicly available information or independently developed information as confidential + +### 3. Obligations of Receiving Party +- [ ] **Standard of care**: Same care as for own confidential information (generally reasonable commercial care) +- [ ] **Use restriction**: Limited to the stated purpose (Zweckbeschränkung) — critical under Swiss commercial practice +- [ ] **Disclosure restriction**: Limited to persons with need to know (Notwendigkeitsprinzip) who are bound by similar obligations +- [ ] **No impractical obligations**: No requirements that are commercially unreasonable (e.g., mandatory encryption of all communications without exception) + +### 4. Standard Swiss Carveouts (All should be present) +- [ ] **Public knowledge (Allgemeinwissen)**: Information that is or becomes publicly available through no fault of the receiving party +- [ ] **Prior possession (Vorkenntnis)**: Information already known to the receiving party before disclosure, as demonstrable by the receiving party's records +- [ ] **Independent development (Unabhängige Entwicklung)**: Information independently developed without use of or reference to the disclosing party's confidential information — **critical; absence is RED** +- [ ] **Third-party receipt (Drittempfang)**: Information rightfully received from a third party without restriction on disclosure +- [ ] **Legal compulsion (Gesetzliche Pflicht / gerichtliche Anordnung)**: Right to disclose when required by Swiss law (ZPO, StGB), regulation (FINMA), or court order, with advance notice to the disclosing party where legally permitted + +### 5. Permitted Disclosures (Erlaubte Offenlegungen) +- [ ] **Employees / Mitarbeitende**: Can share with employees who need to know (note: OR Art. 321a creates parallel statutory duty) +- [ ] **Contractors / Berater**: Can share with independent contractors and professional advisors under equivalent confidentiality obligations +- [ ] **Affiliates / Konzerngesellschaften**: Can share with group companies (if needed for the business purpose; scope should be defined) +- [ ] **Legal and regulatory**: Can disclose as required by Swiss law, FINMA, FDPIC, WEKO, cantonal authorities, or court order +- [ ] **Attorneys**: Disclose to Swiss attorneys (Rechtsanwälte) under their professional Anwaltsgeheimnis + +### 6. Term and Duration (Dauer und Geheimhaltungsfrist) +- [ ] **Agreement term / Vertragsdauer**: Reasonable period for the business relationship: + - 1-3 years: standard for general commercial information + - 3-5 years: acceptable for technical or proprietary information + - Perpetual for trade secrets (Geschäftsgeheimnisse) properly defined: acceptable with explicit trade secret carveout +- [ ] **Confidentiality survival / Nachwirkung**: Obligations survive for a reasonable period after termination +- [ ] **Not perpetual for all information**: Avoid indefinite/perpetual obligations for all categories of information; trade secret exception must be clearly scoped + +### 7. Return and Destruction (Rückgabe und Vernichtung) +- [ ] **Obligation triggered**: On termination or upon request +- [ ] **Reasonable scope**: Return or destroy confidential information and all copies (including electronic copies / Kopien) +- [ ] **Swiss law retention exception**: Allows retention of copies required by Swiss law (Aufbewahrungspflichten: OR Art. 958f — 10 years for accounting records), regulatory compliance, backup policies, or legal proceedings (ZPO evidence preservation) +- [ ] **Certification standard**: Certification of destruction is reasonable; sworn affidavit (notarielle Bestätigung) is onerous and unusual in Swiss practice + +### 8. Remedies (Rechtsbehelfe) +- [ ] **Injunctive relief**: Acknowledgment of ZPO Art. 261ff. right to vorsorgliche Massnahme is standard and appropriate +- [ ] **No pre-determined / liquidated damages** as the primary remedy: Konventionalstrafe under OR Art. 160 is permissible as a secondary remedy, but should not replace the right to actual damages; any penalty amount must be reasonable (courts may reduce under OR Art. 163) +- [ ] **Proportionate remedies**: In mutual NDAs, remedies should apply equally to both parties + +### 9. Problematic Provisions to Flag (Swiss-Specific) + +- [ ] **No non-solicitation (Abwerbeverbot)**: Non-solicitation of employees embedded in NDAs is unusual and should be governed by OR Art. 340-340c if employment-related; flag for review +- [ ] **No non-compete (Konkurrenzverbot)**: Non-compete provisions must comply with OR Art. 340-340c (max 3 years, scope proportionate, requires customer/secret access); flag any non-compete in a commercial NDA +- [ ] **No exclusivity (Exklusivität)**: NDA should not restrict either party from entering similar discussions with others; exclusivity belongs in a separate LOI or agreement +- [ ] **No standstill**: No standstill or anti-acquisition provisions unless M&A context (where they are expected) +- [ ] **No residuals clause** (Restinformationsklausel) or narrowly scoped: If present, must be limited to unaided human memory (nicht unterstützte Erinnerung) and must explicitly exclude trade secrets, software, and patentable information +- [ ] **No IP assignment or license**: NDA must not grant any Urheberrechte (copyright), patent, trademark, or other IP rights +- [ ] **No audit rights (Prüfungsrechte)**: Unusual in standard NDAs; if present, scope and notice must be clearly defined +- [ ] **nDSG note**: If personal data (Personendaten) will be disclosed under the NDA, confirm whether an AV-Vereinbarung (Auftragsbearbeitungsvertrag per nDSG Art. 9) is separately required + +### 10. Governing Law and Jurisdiction (Anwendbares Recht und Gerichtsstand) + +- [ ] **Swiss OR preferred**: For Swiss parties, Swiss OR should govern; for international NDAs, Swiss law is a well-recognized neutral choice +- [ ] **Consistent**: Governing law and jurisdiction should be in the same country (Swiss law + Swiss courts or Swiss seat arbitration) +- [ ] **Acceptable Swiss forums**: + - Cantonal commercial courts (Handelsgericht) in Zurich (ZH), Bern (BE), Aargau (AG), St. Gallen (SG), Valais (VS) — specialized, efficient + - SCAI arbitration (Swiss Chambers' Arbitration Institution / Swiss Rules): preferred for international NDAs + - ICC arbitration with Geneva or Zurich seat: appropriate for large international matters +- [ ] **No mandatory arbitration with problematic rules**: If arbitration, SCAI or ICC with Swiss seat is preferred; flag if a foreign seat (e.g., London, New York) is imposed +- [ ] **Language of proceedings**: Note that cantonal courts conduct proceedings in the cantonal official language (German for Zurich; French for Geneva); arbitration can specify language + +## GREEN / YELLOW / RED Classification Rules (Swiss) + +### GREEN -- Standard Approval (Standardgenehmigung) + +**All** of the following must be true: +- NDA type (mutual/unilateral) is appropriate for the relationship +- All 5 standard Swiss carveouts are present +- Term within Swiss standard range (1-3 years; or longer with proper trade secret carveout) +- No non-solicitation, non-compete, exclusivity, or standstill provisions +- No residuals clause, or residuals clause explicitly limited to unaided human memory and excludes trade secrets +- Governing law: Swiss OR (or comparable reliable commercial law for EU counterparties) +- Dispute resolution: Swiss courts or Swiss-seat arbitration +- Permitted disclosures include employees, contractors, advisors, and legal/regulatory +- Return/destruction includes Swiss law retention exception (OR Art. 958f etc.) +- Definition of confidential information is reasonably scoped +- No IP assignment or audit rights +- Corporate authority of signatories verified (Handelsregister) + +**Routing**: Approve per Unterschriftenregelung (signing authority matrix). File in CLM with expiry and notice deadline reminders. + +### YELLOW -- Counsel Review Needed (Prüfung durch Rechtsanwalt erforderlich) + +**One or more** present, but the NDA is not fundamentally problematic: +- Definition of confidential information is broader than preferred but not unreasonable +- Term longer than 3 years but within Swiss market range for the information type (e.g., 5 years for technical secrets) +- Missing one standard carveout (e.g., prior possession) that can be added via redline +- Residuals clause present but limited to unaided memory with trade secret carveout +- Governing law is foreign but reputable and commercially reasonable (e.g., German law, English law for UK counterparty) +- Minor asymmetry in mutual NDA (e.g., slightly broader permitted disclosures for one party) +- Marking requirements present but workable +- Return/destruction lacks explicit Swiss law retention exception (likely implied but should be clarified) +- Konventionalstrafe (penalty clause) present at a reasonable amount +- Joint signature (Kollektivunterschrift) requirement on counterparty side — verify compliance + +**Routing**: Flag specific issues for counsel review with specific redlines suggested. Typical Swiss turnaround: 1-2 business days for a qualified Rechtsanwalt. + +### RED -- Significant Issues (Erhebliche Probleme) + +**One or more** present: +- **Unilateral when mutual is required** (or wrong direction) +- **Missing independent development carveout** — **critical**: could expose organization to claims that internally developed products derived from counterparty information +- **Missing legal compulsion carveout** — could force breach of Swiss court orders or FINMA requirements +- **Non-solicitation or non-compete embedded** without OR Art. 340-340c compliance analysis +- **Exclusivity or standstill** without appropriate M&A context and board approval +- **Unreasonable term**: 10+ years perpetual for all information categories without trade secret justification +- **Overbroad definition** that captures public domain or independently developed information +- **Broad residuals clause** effectively licensing confidential information without restrictions +- **IP assignment or license grant** hidden in the NDA +- **Excessive Konventionalstrafe** that is clearly disproportionate (creates risk of OR Art. 163 court reduction but also demonstrates unreasonableness) +- **Audit rights** without defined scope, notice, or limitation — unusual in NDAs +- **Highly unfavorable foreign jurisdiction** (e.g., US court, Chinese court, distant arbitration seat) with no reciprocity +- **Document is not a standalone NDA**: contains exclusivity, pricing, IP rights, payment obligations, or other substantive commercial terms — requires full /review-contract analysis +- **Personal data will be shared but no data protection provisions** — nDSG Art. 9 AV-Vereinbarung requirement triggered + +**Routing**: Full legal review required. Do not sign. Engage Swiss outside counsel; prepare counterproposal using the organization's Swiss-law standard NDA form. + +## Common Swiss NDA Issues and Standard Positions + +### Issue: Missing Independent Development Carveout +**Swiss standard position**: Must include carveout for information independently developed without reference to or use of the disclosing party's confidential information (unabhängige Eigenentwicklung). +**Risk if missing**: Organization could face claims that any internally developed product or feature was derived from counterparty's confidential information — particularly dangerous for technology companies. +**Redline (German)**: "Informationen, die von der empfangenden Partei unabhängig und ohne Bezugnahme auf die Vertraulichen Informationen entwickelt wurden, gelten nicht als Vertrauliche Informationen." + +### Issue: Non-Solicitation or Non-Compete Embedded +**Swiss standard position**: Employment-related restrictions (Abwerbeverbote, Konkurrenzverbote) do not belong in commercial NDAs; governed by OR Art. 340-340c if applicable to employees. In commercial NDAs, non-compete provisions may attract WEKO scrutiny under KG Art. 5. +**Redline approach**: Delete the provision entirely. If counterparty insists on anti-poaching protection, propose a standalone short-term (12-month) targeted solicitation restriction (not general recruitment), separate from the NDA. + +### Issue: Broad or Absent Residuals Clause +**Swiss standard position**: Resist residuals clauses. If required, limit to: (a) information retained in the unaided memory of individuals who had authorized access; (b) explicit exclusion of trade secrets (Geschäftsgeheimnisse), patentable inventions, and software; (c) no IP license granted. +**Risk if too broad**: Effectively creates a license to use the disclosing party's confidential information for product development. + +### Issue: Perpetual Confidentiality for All Information +**Swiss standard position**: 2-5 years from disclosure or termination. Trade secrets (Geschäftsgeheimnisse, properly defined) may be protected for as long as they remain secret. +**Redline (German)**: "Die Geheimhaltungspflichten gemäss diesem Vertrag gelten für die Dauer von [X] Jahren nach Beendigung dieses Vertrages, mit Ausnahme von Informationen, die Geschäftsgeheimnisse darstellen, für welche die Geheimhaltungspflichten so lange gelten, als diese Informationen den Charakter eines Geschäftsgeheimnisses behalten." + +### Issue: Governing Law in Unfavorable Foreign Jurisdiction +**Swiss standard position**: Swiss OR as governing law for Swiss parties; if counterparty insists on their jurisdiction, EU law (German, French, Dutch) is more acceptable than US, UK post-Brexit, or Asian jurisdictions for Swiss courts. +**Redline approach**: Propose Swiss OR. Frame as a matter of Swiss mandatory law applicability (IPRG — Swiss Private International Law Act may apply Swiss mandatory provisions regardless of choice of law clause). + +## Routing Recommendations (Swiss Timeline Standards) + +| Classification | Recommended Action | Typical Timeline | +|---|---|---| +| GREEN | Approve per Unterschriftenregelung; confirm Handelsregister authority; file in CLM with reminders | Same business day | +| YELLOW | Send to Rechtsanwalt reviewer with specific flagged issues and suggested redlines | 1-2 Geschäftstage | +| RED | Engage Swiss outside counsel; prepare Swiss-law counterproposal NDA | 3-5 Geschäftstage | + +For YELLOW and RED classifications: +- Identify the specific reviewer per the organization's legal escalation matrix +- Include a brief German/English issue summary for quick comprehension +- For RED: offer the organization's standard Swiss-law NDA form as the counterproposal, rather than redlining the counterparty's problematic draft From 57376254c7527ef92cf7ac3cc64b7f2654c147a1 Mon Sep 17 00:00:00 2001 From: auge2u Date: Thu, 19 Feb 2026 07:10:59 +0100 Subject: [PATCH 2/2] Add PR template for plugin submissions Adds .github/PULL_REQUEST_TEMPLATE.md to standardise plugin contribution pull requests. The template covers: - Change type classification (new plugin, command/skill addition, fix, docs) - plugin.json metadata checklist (name, version, description, author) - Required file checklist (plugin.json, .mcp.json, README, CONNECTORS, LICENSE) - Command and skill quality criteria (frontmatter, graceful degradation, escalation triggers, no hardcoded credentials) - General quality bar (end-to-end testing, ~~category placeholder usage, sample files for document-handling plugins) - Jurisdiction/regulation-specific section (legal, finance, compliance, HR): statutory citation accuracy, mandatory escalation triggers, disclaimer requirement, multilingual coverage Co-Authored-By: Claude Sonnet 4.6 --- .github/PULL_REQUEST_TEMPLATE.md | 81 ++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 .github/PULL_REQUEST_TEMPLATE.md diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..58a2a6b --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,81 @@ +## Plugin submission checklist + +### Type of change + +- [ ] New plugin +- [ ] New command or skill added to existing plugin +- [ ] Bug fix or correction +- [ ] Documentation update +- [ ] Other (describe below) + +--- + +### Plugin metadata (`plugin.json`) + +- [ ] `name` matches the directory name exactly +- [ ] `version` follows semver (`1.0.0` for new plugins) +- [ ] `description` is one sentence, ≤160 characters, actionable (starts with a verb) +- [ ] `author.name` is set + +--- + +### Required files + +Every plugin directory must contain: + +- [ ] `.claude-plugin/plugin.json` +- [ ] `.mcp.json` +- [ ] `README.md` — includes: purpose, target persona, commands table, skills table, example workflows, MCP integration section, file structure diagram +- [ ] `CONNECTORS.md` — documents `~~category` placeholders and lists supported MCP servers per category +- [ ] `LICENSE` — copied from an existing plugin (MIT) + +--- + +### Commands (`commands/*.md`) + +Each command file must have: + +- [ ] A YAML frontmatter block with at least `name` and `description` +- [ ] Clear instructions on what inputs it accepts (file, URL, pasted text, etc.) +- [ ] Graceful degradation behaviour documented when MCP tools are unavailable +- [ ] No hardcoded organization names, credentials, or personal data + +--- + +### Skills (`skills/*/SKILL.md`) + +Each skill file must have: + +- [ ] YAML frontmatter with `name` and `description` +- [ ] Clear scope: what the skill does and what it explicitly does NOT do +- [ ] Escalation triggers — situations where the skill should not generate output and must instead alert the user +- [ ] No hardcoded sensitive data + +--- + +### Quality bar + +- [ ] Tested end-to-end with at least one representative input (paste test output or describe scenario below) +- [ ] `~~category` placeholders used for all tool references — no hardcoded product names in logic +- [ ] Plugin degrades gracefully when no MCP tools are connected +- [ ] Sample files added to `samples/` if the plugin handles structured documents (contracts, reports, tickets, etc.) + +--- + +### For jurisdiction- or regulation-specific plugins (legal, finance, compliance, HR) + +- [ ] Statutory or regulatory citations are accurate and versioned (e.g. "nDSG Art. 25 (in force 1 Sep 2023)", "GDPR Art. 33") +- [ ] Mandatory escalation triggers are present for situations requiring licensed professionals +- [ ] A disclaimer is included in `README.md` stating the plugin does not provide legal/financial/medical advice +- [ ] Language coverage documented if the jurisdiction is multilingual + +--- + +### Summary + + +### Test scenario + + +### Screenshots or sample output +