# Sprint 9 Feature Analysis — Reporting & Documentation Module (Berichtszentrale)

**Date:** 2026-06-15
**Author:** Patrick Plate / Lumen (Architect)
**Status:** Draft v1
**Sprint Goal:** Transform CannaManage into a compliance-first reporting powerhouse — every document a German Anbauvereinigung legally needs, generated automatically, authority-ready.

---

## Executive Summary

Sprint 9 delivers the **Berichtszentrale** (Report Center) — a comprehensive reporting and documentation module that addresses every legal obligation a German cannabis Anbauvereinigung has under the KCanG, BGB, Abgabenordnung, and DSGVO. While competitors tell clubs to "use Excel", CannaManage will generate authority-ready PDF reports with a single click.

This sprint also introduces **sidebar categorization** (the nav is getting too long with 15+ items) and a **compliance dashboard** that shows green/yellow/red status per regulatory area.

**Why this is a killer differentiator:**

- No competitor offers KCanG-specific reporting (§26 documentation, §27 authority inspection readiness)
- easyVerein offers EÜR and SEPA but knows nothing about cannabis compliance
- Vereinsflieger is aviation-only; generic tools don't understand Anbauvereinigung requirements
- The Behörde can demand electronic records at ANY time (§27 KCanG) — clubs need instant export capability

**Key numbers:**

- 12+ legally mandated reports identified
- 5 retention periods to enforce (5 years KCanG, 6 years AO commercial letters, 8 years AO vouchers, 10 years AO books, indefinite BGB MV minutes)
- 3 annual deadlines (31.01 authority report, annual EÜR, annual MV/Jahresabschluss)
- 4 export formats needed (PDF for authorities, CSV for accountants, JSON for API, XML for DATEV)

---

## 1. Legal Requirements Analysis

### 1.1 KCanG — Konsumcannabisgesetz (Cannabis-specific)

#### §26 KCanG — Dokumentations- und Berichtspflichten (PRIMARY OBLIGATION)

**§26 Abs. 1** — Continuous documentation requirements:

| # | Requirement | What to document | CannaManage Status |
|---|------------|-----------------|-------------------|
| 1 | §26(1) Nr. 1 | Source of propagation material: Name, Vorname, Anschrift of person/club providing seeds/clones | ❌ Not tracked |
| 2 | §26(1) Nr. 2 | Current stock: Grams of cannabis + count of propagation material on premises | ✅ Stock module exists |
| 3 | §26(1) Nr. 3 | Cultivation quantity: Grams of cannabis grown | ✅ Grow module exists |
| 4 | §26(1) Nr. 4 | Destruction quantity: Grams cannabis destroyed + count propagation material destroyed | ⚠️ Partial (recall exists, no formal destruction protocol) |
| 5 | §26(1) Nr. 5 | Distribution records per member: Name, Vorname, Geburtsjahr, Menge in Gramm, durchschnittlicher THC-Gehalt, Datum | ✅ Distributions module (needs THC% and birth year verification) |
| 6 | §26(1) Nr. 6 | Propagation material distribution: Name, Vorname, Geburtsjahr, Stückzahl, Datum | ❌ Not tracked |
| 7 | §26(1) Nr. 7 | Transport records: Grams, Sorten, transporting member name, date, start/end address | ❌ Not tracked |

**§26 Abs. 2** — Retention & Authority Access:

- Records must be kept for **5 years** (after member leaves? — unclear, likely from creation date)
- Must be transmittable **electronically** to authorities on demand
- Annual anonymized report due **by January 31** to the Behörde for evaluation per §43

**§26 Abs. 3** — Annual Quantity Report (due January 31):

- Total grams **cultivated** in previous calendar year
- Total grams **distributed** in previous calendar year
- Total grams **destroyed** in previous calendar year
- **End-of-year stock** (grams in inventory on Dec 31)
- Broken down by: **Sorten (strains)** and **average THC/CBD content**

**§26 Abs. 4** — Health risk notification:

- If cannabis poses health risk → immediate notification to authorities
- Recall, return, and destruction must be documented

**§26 Abs. 5** — Theft/unauthorized distribution reporting:

- Immediate notification to authorities if cannabis goes missing

#### §19 KCanG — Distribution Rules (affects report format)

- Max 25g/day per member (21+), max 50g/month
- Max 25g/day per Heranwachsende (18-21), max 30g/month, max 10% THC
- Every distribution requires: ID check + membership card verification
- **Report implication:** Monthly distribution report must flag any limit violations

#### §22 KCanG — Transport Documentation

- Transport between premises: must notify authority 1 business day before
- Transportbescheinigung required with: Club name/address, date, start/end, grams, strains, authority contact
- **Report implication:** Need a transport document generator

#### §23 KCanG — Youth Protection & Prevention

- Präventionsbeauftragter (Prevention Officer) must be appointed by Vorstand
- Gesundheits- und Jugendschutzkonzept (Health & Youth Protection Concept) required
- Prevention officer must demonstrate training credentials
- **Report implication:** Prevention activity log, training certificate tracking

#### §21 KCanG — Health Protection at Distribution

- Neutral packaging required
- Information sheet mandatory at every distribution with: weight, harvest date, best-before date, strain, THC%, CBD%, health warnings
- **Report implication:** Distribution slip generator (Informationszettel)

#### §27 KCanG — Authority Oversight

- Authorities conduct **regular on-site inspections** (Stichproben)
- They review §26 documentation on-site
- They can demand electronic transmission of all records
- **Report implication:** "Authority Export" button — one click to generate full compliant dataset

---

### 1.2 BGB — Vereinsrecht (Association Law)

#### §27 Abs. 3 BGB — Vorstand Accountability

> "Auf die Geschäftsführung des Vorstands finden die für den Auftrag geltenden Vorschriften der §§664 bis 670 entsprechende Anwendung."

This means:

- **§666 BGB (Auskunftspflicht):** The board must inform members about the state of affairs and render account after completion of duties
- **§259 BGB (Rechnungslegung):** Duty to present ordered accounts (Einnahmen/Ausgaben)
- **§670 BGB (Aufwendungsersatz):** Expense reimbursements must be documented

**Report implications:**

- **Jahresbericht des Vorstands** (Annual Board Report) — legal obligation to members
- **Rechenschaftsbericht** (Accountability Report) — financial summary to members at MV
- **Aufwendungsersatz-Dokumentation** — expense claim records with receipts

#### §36 BGB — Notice Periods for Mitgliederversammlung

- Satzung defines notice period (typically 2-4 weeks)
- **Report implication:** MV invitation must be documented with proof of timely delivery (we have this from Sprint 8)

#### §37 BGB — Extraordinary Assembly

- 10% of members can demand extraordinary MV
- **Report implication:** Petition tracking (signatures vs. threshold)

---

### 1.3 Abgabenordnung (AO) — Tax/Financial Obligations

#### §141 AO — Buchführungspflicht Threshold

Cannabis clubs are likely NOT exempt as "gemeinnützig" (§5 Abs. 1 Nr. 9 KStG probably doesn't apply since KCanG explicitly allows only Selbstkostendeckung — cost recovery, not charity).

Threshold for full bookkeeping (doppelte Buchführung):

- **>€800,000 revenue** OR **>€80,000 profit** → full Handelsbücher required
- Below threshold → **EÜR (Einnahmen-Überschuss-Rechnung)** per §4 Abs. 3 EStG suffices

Most cannabis clubs will be BELOW threshold (500 members × €30/month = €180K/year), so **EÜR is the correct format**.

#### §63 Abs. 3 AO — Ordnungsmäßige Aufzeichnungen

> "Die Körperschaft hat den Nachweis [...] durch ordnungsmäßige Aufzeichnungen über ihre Einnahmen und Ausgaben zu führen."

Even if NOT gemeinnützig, every Verein must keep orderly financial records.

#### §147 AO — Aufbewahrungsfristen (Retention Periods)

| Category | Period | Examples |
|----------|--------|----------|
| Bücher, Inventare, Jahresabschlüsse, Arbeitsanweisungen | **10 years** | Kassenbuch, EÜR, Eröffnungsbilanz |
| Buchungsbelege | **8 years** | Receipts, invoices, bank statements |
| Handels-/Geschäftsbriefe | **6 years** | Contracts, correspondence with authorities |
| Sonstige steuerrelevante Unterlagen | **6 years** | Tax returns, member fee confirmations |

**§147 Abs. 2** — Electronic storage is permitted if:

- Readable at any time during retention period
- Machine-evaluatable (searchable, exportable)

**§147 Abs. 6** — Authorities can:

- Inspect stored data during audit
- Demand machine-evaluatable export
- Demand data transfer in machine-readable format

**Report implication:** GoBD-compliant export (immutable, timestamped, searchable)

#### §4 Abs. 3 EStG — EÜR Format

For Vereine below §141 AO threshold:

- Simple Überschuss = Betriebseinnahmen − Betriebsausgaben
- Must track: date, amount, category, description for each transaction
- Our Sprint 8 Kassenbuch already captures this — needs EÜR formatting

---

### 1.4 DSGVO — Data Protection

#### Art. 30 DSGVO — Verzeichnis der Verarbeitungstätigkeiten (VVT)

Every Verein processing personal data must maintain a VVT with:

- Purpose of processing
- Categories of data subjects (members, staff, suppliers)
- Categories of personal data (name, address, health data — cannabis IS health data!)
- Recipients (authorities, insurance, software providers)
- Transfers to third countries (cloud hosting location!)
- Retention periods per category
- Technical/organizational measures (TOMs)

**Critical:** Cannabis distribution data is **health-related data** (Art. 9 DSGVO — special categories). This requires:

- Explicit consent (we have ConsentService from Sprint 6)
- Data Protection Impact Assessment (DSFA) — Art. 35 DSGVO
- Higher security measures

#### Art. 33/34 DSGVO — Breach Notification

- Notify Datenschutzbehörde within **72 hours** of awareness
- Notify affected members if high risk
- **Report implication:** Breach notification template + incident log

#### Art. 35 DSGVO — Datenschutz-Folgenabschätzung (DSFA)

Required when processing involves "high risk" — cannabis data + health data qualifies.

- Must describe processing operations
- Assess necessity and proportionality
- Assess risks to rights/freedoms
- Identify mitigation measures

**Report implication:** Pre-filled DSFA template for Anbauvereinigungen

---

### 1.5 GoBD — Grundsätze ordnungsgemäßer Buchführung

Even if a cannabis club is below the §141 AO threshold, if they use software for their bookkeeping, GoBD applies:

- **Unveränderbarkeit** (immutability): Once a transaction is recorded, it cannot be changed without audit trail
- **Verfahrensdokumentation**: Documentation of how the system works (we need to generate this)
- **Belegfunktion**: Every booking needs a supporting document
- **Journal-Funktion**: Chronological, complete, correct recording
- **Kontenfunktion**: Accounts with running balances

**Already implemented (Sprint 8):** Append-only ledger (financial_transactions), audit_events for all changes.

**Still needed:**

- GoBD-compliant export (structured, machine-readable)
- Verfahrensdokumentation template (describes how CannaManage works)
- Beleg-attachment for each transaction (already have receipt upload in documents)

---

### 1.6 Vereinsregisterverordnung (VRV)

Changes that must be reported to the Registergericht:

- Vorstandsänderung (board changes) — with MV protocol as proof
- Satzungsänderung (statute changes) — with MV protocol + notarized copy
- Sitzverlegung (registered address change)
- Vereinsauflösung (dissolution)

**Report implication:** Pre-formatted notification templates for Registergericht

---

## 2. Competitive Analysis

### 2.1 easyVerein (market leader for generic Vereine)

**Pricing:** From €9/month (50 members) to €39/month (unlimited)

| Feature | easyVerein | CannaManage (current) | CannaManage (Sprint 9) |
|---------|-----------|----------------------|----------------------|
| Mitgliederverwaltung | ✅ Full | ✅ Full | ✅ Full |
| Buchhaltung/EÜR | ✅ With DATEV export | ✅ Kassenbuch (Sprint 8) | ✅ + EÜR generator |
| SEPA-Lastschrift | ✅ XML export | ❌ Manual tracking | ❌ (Sprint 10+) |
| Spendenquittungen | ✅ | ❌ N/A (not gemeinnützig) | ❌ N/A |
| Vereinskalender | ✅ With sync | ✅ Calendar module | ✅ Calendar module |
| Sitzungsprotokolle | ✅ Live-Protokoll | ✅ MV + Protokoll PDF | ✅ Enhanced |
| DSGVO-Tools | ✅ Basic | ⚠️ Consent only | ✅ Full VVT + DSFA |
| Cannabis compliance | ❌ Nothing | ✅ Full KCanG | ✅ Authority-ready |
| Mitglieder-App | ✅ Native iOS/Android | ✅ PWA (Member Portal) | ✅ PWA |
| Chat | ✅ Integrated | ✅ Forum | ✅ Forum |
| Inventarverwaltung | ✅ Generic | ✅ Cannabis-specific stock | ✅ Enhanced |
| Dateiverwaltung | ✅ | ✅ Documents module | ✅ Enhanced |
| Online-Banking | ✅ FinTS/HBCI | ❌ | ❌ (Sprint 10+) |

**easyVerein's reporting features (from their site):**

- Finanzauswertungen & EÜR (financial evaluations)
- DATEV-Export (for tax accountants)
- Beiträge & Rechnungen (automated fee invoicing)
- Serienbriefe/E-Mails (serial letters/bulk email)
- Membership certificates

**Gaps easyVerein can never fill:**

- KCanG §26 documentation (cannabis-specific)
- THC/CBD tracking
- Distribution quota enforcement
- Authority inspection readiness
- Grow cycle documentation
- Destruction protocols
- Transport certificates

### 2.2 Other Competitors

| Software | Focus | Reporting | Cannabis-relevant |
|----------|-------|-----------|------------------|
| WISO Mein Verein | Small clubs | EÜR, basic member reports | ❌ Generic only |
| Vereinsflieger | Aviation clubs | Flight hours, technical logs | ❌ Completely different domain |
| JVerein (Hibiscus) | Free/OSS | Basic bookkeeping + SEPA | ❌ Desktop-only, no compliance |
| ClubDesk | Swiss | Member + finance + events | ❌ Not Germany-specific |
| 1000° ePaper | Magazine clubs | Publication management | ❌ Irrelevant |
| Cannamanage (DE) | — | — | No competitor exists at this level |

### 2.3 Gap Analysis Summary

**CannaManage is the ONLY platform combining:**

1. Verein administration (members, MV, board, documents)
2. Cannabis compliance (KCanG §§19-27)
3. Financial management (EÜR, Kassenbuch, GoBD)
4. Authority readiness (one-click electronic export per §26 Abs. 2 + §27)
5. DSGVO compliance tools (VVT, DSFA, consent management)

No existing product covers more than 2 of these 5 areas. This is the moat.

---

## 3. Feature Specification

### 3.1 Category A — Financial Reports

| # | Report | Legal Basis | Format | Priority |
|---|--------|-------------|--------|----------|
| FIN-R01 | **EÜR (Einnahmen-Überschuss-Rechnung)** | §4(3) EStG, §63(3) AO | PDF + CSV | P0 |
| FIN-R02 | **Jahresabschluss (Annual Financial Summary)** | §27(3) BGB → §666 BGB | PDF | P0 |
| FIN-R03 | **Kassenbuch-Export (enhanced)** | §147 AO | PDF + CSV + DATEV | P0 |
| FIN-R04 | **Beitragsbescheinigung (Fee Confirmation)** | §10b EStG (if applicable) | PDF per member | P1 |
| FIN-R05 | **Ausgabenübersicht nach Kategorie** | Internal (Kassenprüfer) | PDF | P1 |

**FIN-R01: EÜR Generator**

- Input: All financial_transactions from calendar year
- Output: Standard EÜR format (Anlage EÜR to Steuererklärung)
- Categories: Einnahmen (Mitgliedsbeiträge, sonstige), Ausgaben (Miete, Strom, Material, Cannabis-Anbau, Verwaltung, Versicherung)
- Includes: Kassensaldo Anfang/Ende, Ergebnis (Überschuss/Fehlbetrag)
- Export: PDF (pretty) + CSV (for Steuerberater) + optional DATEV-compatible

**FIN-R04: Beitragsbescheinigung**

- Per-member annual confirmation of fees paid
- NOT a Spendenquittung (cannabis clubs aren't gemeinnützig)
- But members may deduct Vereinsbeiträge as Sonderausgaben in some cases
- Template: Member name, Club name+address, amount paid, period, club signature

### 3.2 Category B — KCanG Compliance Reports

| # | Report | Legal Basis | Format | Priority |
|---|--------|-------------|--------|----------|
| CAN-R01 | **Jahresbericht an Behörde** (Annual Authority Report) | §26(3) KCanG | PDF + structured JSON/XML | P0 |
| CAN-R02 | **Weitergabe-Dokumentation** (Distribution Log) | §26(1) Nr. 5 KCanG | PDF + CSV | P0 |
| CAN-R03 | **Bestandsführung** (Stock Inventory Report) | §26(1) Nr. 2 KCanG | PDF | P0 |
| CAN-R04 | **Vernichtungsprotokoll** (Destruction Protocol) | §26(1) Nr. 4 KCanG | PDF | P0 |
| CAN-R05 | **Anbaudokumentation** (Cultivation Report) | §26(1) Nr. 3 KCanG | PDF | P0 |
| CAN-R06 | **Transportbescheinigung** (Transport Certificate) | §22(4) KCanG | PDF | P1 |
| CAN-R07 | **Behörden-Gesamtexport** (Full Authority Export) | §26(2) + §27 KCanG | JSON + PDF bundle | P0 |
| CAN-R08 | **Informationszettel** (Distribution Info Sheet) | §21(2) KCanG | PDF (printable) | P1 |
| CAN-R09 | **Verlust-/Diebstahlmeldung** (Loss Report) | §26(5) KCanG | PDF | P2 |
| CAN-R10 | **Risiko-Rückruf-Meldung** (Health Risk Recall) | §26(4) KCanG | PDF | P2 |

**CAN-R01: Jahresbericht (most critical report)**

Per §26 Abs. 3 KCanG, due January 31, must contain:

```
Anbauvereinigung: [Name, Erlaubnisnummer]
Berichtszeitraum: 01.01.YYYY - 31.12.YYYY

1. Angebaute Mengen (nach Sorte):
   | Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |

2. Weitergegebene Mengen (nach Sorte):
   | Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |

3. Vernichtete Mengen (nach Sorte):
   | Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |

4. Bestand zum 31.12. (nach Sorte):
   | Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |
```

**CAN-R07: Behörden-Gesamtexport (Authority Full Export)**

One-click export of EVERYTHING §26(2) requires, electronically transmittable:

- All distribution records (§26(1) Nr. 5)
- Stock history
- Cultivation records
- Destruction records
- Transport records
- Member register (name, birth year only — DSGVO minimum)

Format: Structured JSON (machine-evaluatable per §147 Abs. 6 AO principles) + human-readable PDF summary.

### 3.3 Category C — Verein Administrative Reports

| # | Report | Legal Basis | Format | Priority |
|---|--------|-------------|--------|----------|
| VER-R01 | **Mitgliederliste für Vereinsregister** | §67 BGB | PDF | P1 |
| VER-R02 | **Vorstandsänderung-Meldung** (Board Change Notice) | VRV §§4-5 | PDF template | P1 |
| VER-R03 | **Satzungsänderung-Dokumentation** | VRV §71 | PDF bundle | P2 |
| VER-R04 | **Jahresbericht des Vorstands** (Annual Board Report) | §27(3) BGB → §666 BGB | PDF | P1 |
| VER-R05 | **Tätigkeitsbericht** (Activity Report) | §63 AO (if gemeinnützig) | PDF | P2 |
| VER-R06 | **Präventionsbeauftragter-Nachweis** | §23(4) KCanG | PDF | P1 |

**VER-R01: Mitgliederliste**

- §67 BGB: Members can demand member list access (names + addresses)
- Format: Sortable by name, join date, status
- Export for Vereinsregister: Name, address, entry date (minimal per DSGVO)

**VER-R06: Präventionsbeauftragter-Nachweis**

- Who is appointed (name, date of appointment)
- Training certificate details (where trained, when, certificate number)
- Activities log (consultations given, materials distributed, events organized)
- Required by §23(4)-(6) KCanG for inspections

### 3.4 Category D — DSGVO/Data Protection Reports

| # | Report | Legal Basis | Format | Priority |
|---|--------|-------------|--------|----------|
| DSG-R01 | **Verarbeitungsverzeichnis (VVT)** | Art. 30 DSGVO | PDF | P0 |
| DSG-R02 | **Technisch-Organisatorische Maßnahmen (TOMs)** | Art. 32 DSGVO | PDF | P1 |
| DSG-R03 | **Datenschutz-Folgenabschätzung (DSFA)** | Art. 35 DSGVO | PDF | P1 |
| DSG-R04 | **Löschkonzept** (Deletion Concept) | Art. 17 DSGVO + §26(2) KCanG | PDF | P1 |
| DSG-R05 | **Datenpannen-Meldung** (Breach Notification) | Art. 33/34 DSGVO | PDF template | P2 |

**DSG-R01: Verarbeitungsverzeichnis (VVT)**

Pre-filled template specific to Anbauvereinigungen:

| Verarbeitungstätigkeit | Zweck | Betroffene | Datenarten | Rechtsgrundlage | Löschfrist |
|----------------------|-------|-----------|-----------|----------------|-----------|
| Mitgliederverwaltung | Vereinsorganisation | Mitglieder | Name, Adresse, Geburtsdatum, Bankdaten | Art. 6(1)(b) DSGVO | 2 Jahre nach Austritt |
| Cannabis-Weitergabe | KCanG-Pflicht | Mitglieder | Name, Geburtsjahr, Menge, THC% | Art. 6(1)(c) DSGVO + §26 KCanG | 5 Jahre (§26(2) KCanG) |
| Finanzverwaltung | Steuerrecht | Mitglieder | Zahlungsdaten | Art. 6(1)(c) DSGVO + §147 AO | 10 Jahre |
| Videoüberwachung | Sicherung §22 KCanG | Besucher | Videobilder | Art. 6(1)(f) DSGVO | 72 Stunden |

**DSG-R03: DSFA (required because cannabis = health data)**

Pre-filled structure:

1. Systematische Beschreibung der Verarbeitung
2. Bewertung der Notwendigkeit und Verhältnismäßigkeit
3. Bewertung der Risiken für Betroffene
4. Abhilfemaßnahmen (encryption, access control, audit log, deletion automation)

### 3.5 Category E — Dashboard Enhancement (Compliance Status)

**New: Berichtszentrale (Report Center) page**

A centralized dashboard showing:

```
┌──────────────────────────────────────────────────────────────────────────┐
│ BERICHTSZENTRALE                                                         │
├──────────────┬───────────────────────┬───────────────────────────────────┤
│ STATUS       │ NÄCHSTE FRISTEN       │ SCHNELLZUGRIFF                    │
│              │                       │                                   │
│ 🟢 KCanG     │ 31.01 Jahresbericht   │ [Behörden-Export]                 │
│ 🟢 Finanzen  │ 31.03 EÜR             │ [EÜR generieren]                  │
│ 🟡 DSGVO     │ VVT nicht aktuell     │ [VVT aktualisieren]               │
│ 🟢 Verein    │ Nächste MV: 15.03     │ [Jahresbericht Vorstand]          │
│              │                       │                                   │
├──────────────┴───────────────────────┴───────────────────────────────────┤
│ BERICHTE NACH KATEGORIE                                                  │
│                                                                          │
│ 📊 Finanzen     │ 🌿 Cannabis/KCanG  │ 🏛️ Vereinsverwaltung  │ 🔒 DSGVO  │
│ • EÜR           │ • Jahresbericht    │ • Mitgliederliste     │ • VVT     │
│ • Kassenbuch    │ • Weitergabe-Log   │ • Vorstandsmeldung    │ • TOMs    │
│ • Jahresabschl. │ • Bestandsführung  │ • Jahresbericht       │ • DSFA    │
│ • Beitrags-     │ • Vernichtung      │ • Präventions-        │ • Lösch-  │
│   bescheinigung │ • Anbaudoku        │   nachweis            │   konzept │
│                 │ • Transport        │                       │           │
│                 │ • Behörden-Export  │                       │           │
└──────────────────────────────────────────────────────────────────────────┘
```

**Compliance Status Logic:**

- 🟢 Green: All obligations met, no upcoming deadlines within 30 days
- 🟡 Yellow: Deadline approaching (within 30 days) OR data incomplete
- 🔴 Red: Deadline missed OR critical documentation gap

**Tracked Deadlines:**

| Deadline | Frequency | Legal Basis |
|----------|-----------|-------------|
| 31. January | Annual | §26(3) KCanG — Jahresbericht an Behörde |
| 31. March | Annual | EÜR submission (Finanzamt) |
| MV date | As per Satzung (typically annual) | §36 BGB |
| Board term expiry | Per Satzung | §26 BGB |
| 5-year data retention check | Continuous | §26(2) KCanG |
| 10-year financial retention | Continuous | §147 AO |

### 3.6 Category F — Sidebar Categorization (UX Improvement)

Current state: 14 items in a flat list + 1 Compliance item. Too long, no visual grouping.

**Proposed new structure:**

```
🌿 BETRIEB (Operations)
├── Dashboard
├── Mitglieder (Members)
├── Ausgabe (Distributions)
├── Lager (Stock)
└── Anbau (Grow)

💬 KOMMUNIKATION (Communication)
├── Schwarzes Brett (Info Board)
├── Kalender (Calendar)
└── Forum

🏛️ VERWALTUNG (Administration)
├── Finanzen (Finance)
├── Versammlungen (Assemblies)
├── Dokumente (Documents)
├── Vorstand (Board)
└── Personal (Staff)

📋 COMPLIANCE
├── Berichtszentrale (Report Center) ← NEW
├── Protokoll (Audit Log)
└── Einstellungen (Settings)
```

Benefits:

- Collapsible sections reduce cognitive load
- Logical grouping matches user mental model
- "Berichtszentrale" is the new home for ALL reports
- Old "Berichte" page redirects here
- Compliance is always visible (legal obligation awareness)

---

## 4. Data Model Additions

### 4.1 New Tables/Entities Required

```sql
-- V23: Destruction Protocol
CREATE TABLE destruction_records (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    batch_id UUID REFERENCES batches(id),
    destroyed_grams NUMERIC(8,2) NOT NULL,
    destroyed_propagation_count INTEGER DEFAULT 0,
    reason VARCHAR(500) NOT NULL,
    destruction_date DATE NOT NULL,
    witnessed_by_member_id UUID REFERENCES members(id),
    witnessed_by_name VARCHAR(200),
    method VARCHAR(200), -- "Verbrennung", "Kompostierung", etc.
    authority_notified BOOLEAN DEFAULT FALSE,
    authority_notified_at TIMESTAMPTZ,
    notes TEXT,
    created_by UUID NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- V24: Transport Records
CREATE TABLE transport_records (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    transport_date DATE NOT NULL,
    start_address TEXT NOT NULL,
    destination_address TEXT NOT NULL,
    cannabis_grams NUMERIC(8,2) NOT NULL,
    strains TEXT NOT NULL, -- JSON array: [{"name": "...", "grams": ...}]
    transporting_member_id UUID REFERENCES members(id),
    transporting_member_name VARCHAR(200) NOT NULL,
    authority_notified_at TIMESTAMPTZ, -- Must be 1 business day before
    authority_reference VARCHAR(200),
    certificate_generated BOOLEAN DEFAULT FALSE,
    created_by UUID NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- V25: Propagation Material Sources
CREATE TABLE propagation_sources (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    source_type VARCHAR(50) NOT NULL, -- 'PERSON', 'ANBAUVEREINIGUNG', 'JURISTISCHE_PERSON'
    source_name VARCHAR(200) NOT NULL,
    source_first_name VARCHAR(100),
    source_address TEXT NOT NULL,
    material_type VARCHAR(50) NOT NULL, -- 'SEED', 'CLONE', 'CUTTING'
    quantity INTEGER NOT NULL,
    received_date DATE NOT NULL,
    strain_name VARCHAR(200),
    notes TEXT,
    created_by UUID NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- V26: Prevention Officer Activity Log
CREATE TABLE prevention_activities (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    officer_member_id UUID REFERENCES members(id),
    activity_date DATE NOT NULL,
    activity_type VARCHAR(100) NOT NULL, -- 'CONSULTATION', 'TRAINING', 'MATERIAL_DISTRIBUTION', 'EVENT', 'CONCEPT_UPDATE'
    description TEXT NOT NULL,
    participants_count INTEGER,
    notes TEXT,
    created_by UUID NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- V27: Report Generation History
CREATE TABLE generated_reports (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    report_type VARCHAR(100) NOT NULL, -- 'EUR', 'AUTHORITY_ANNUAL', 'DISTRIBUTION_LOG', etc.
    report_title VARCHAR(300) NOT NULL,
    period_start DATE,
    period_end DATE,
    parameters JSONB, -- Any params used to generate
    file_path VARCHAR(500),
    file_size_bytes BIGINT,
    generated_by UUID NOT NULL,
    generated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    submitted_to_authority BOOLEAN DEFAULT FALSE,
    submitted_at TIMESTAMPTZ
);

-- V28: Compliance Deadlines
CREATE TABLE compliance_deadlines (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    deadline_type VARCHAR(100) NOT NULL,
    title VARCHAR(300) NOT NULL,
    description TEXT,
    due_date DATE NOT NULL,
    legal_basis VARCHAR(200),
    status VARCHAR(50) NOT NULL DEFAULT 'PENDING', -- PENDING, COMPLETED, OVERDUE
    completed_at TIMESTAMPTZ,
    completed_by UUID,
    recurrence VARCHAR(50), -- ANNUAL, MONTHLY, ONE_TIME
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
```

### 4.2 Modifications to Existing Tables

```sql
-- Add THC% tracking to distributions (if not already present)
ALTER TABLE distributions ADD COLUMN IF NOT EXISTS thc_percentage NUMERIC(4,2);
ALTER TABLE distributions ADD COLUMN IF NOT EXISTS cbd_percentage NUMERIC(4,2);

-- Add birth year to members for §26 reporting (DSGVO: only birth year, not full date)
-- members.date_of_birth already exists — extract year for reports

-- Add strain tracking to destruction/recall
ALTER TABLE batches ADD COLUMN IF NOT EXISTS destroyed_grams NUMERIC(8,2) DEFAULT 0;
ALTER TABLE batches ADD COLUMN IF NOT EXISTS destruction_date DATE;
ALTER TABLE batches ADD COLUMN IF NOT EXISTS destruction_reason TEXT;
```

---

## 5. Export Format Specifications

### 5.1 PDF (for authorities and members)

- German language
- Club letterhead (logo, name, address, Erlaubnisnummer)
- Legal reference in footer (e.g., "Erstellt gem. §26 Abs. 3 KCanG")
- Page numbers, generation date/time
- Digitally signed? (optional, nice-to-have)

### 5.2 CSV (for accountants/DATEV)

- ISO-8859-1 encoding (German standard for DATEV)
- Semicolon-separated (German CSV standard)
- Decimal comma (1.234,56 format)
- Headers in German
- DATEV-compatible column structure for financial exports

### 5.3 JSON (for API consumers and authority electronic submission)

- UTF-8
- ISO 8601 dates
- Structured per §26 KCanG requirements
- Schema documented (OpenAPI)

### 5.4 XML (optional, for formal DATEV import)

- DATEV XML format for Buchungsstapel
- Only needed if clubs actually use DATEV (likely only large clubs with Steuerberater)

---

## 6. Retention Period Enforcement

CannaManage must automatically track and enforce these periods:

| Data Category | Retention | Legal Basis | Auto-Action |
|---------------|-----------|-------------|-------------|
| Distribution records | 5 years from record date | §26(2) KCanG | Flag for deletion review |
| Financial transactions | 10 years from year-end | §147(3) AO | Block deletion |
| Financial vouchers | 8 years from year-end | §147(3) AO | Block deletion |
| Commercial correspondence | 6 years from year-end | §147(3) AO | Flag for review |
| Member data (after exit) | 5 years (KCanG) + 10 years (AO) = **10 years** | Both | Auto-anonymize after 10y |
| Audit log entries | 10 years | §147 AO | Immutable, never delete |
| MV protocols | Indefinite | BGB | Never delete |

**Implementation:** A `RetentionService` that:

1. Runs daily (scheduled)
2. Checks all records against their retention category
3. After retention expires: flags for admin review (never auto-deletes without human confirmation)
4. Generates monthly "Löschprotokoll" (deletion log) for DSGVO compliance

---

## 7. Sidebar Before/After Comparison

### Before (current — flat list, 15 items):

```
Main
  Dashboard | Mitglieder | Ausgabe | Lager | Anbau | Berichte |
  Schwarzes Brett | Finanzen | Versammlungen | Dokumente |
  Vorstand | Kalender | Forum | Personal
Compliance
  Protokoll
```

### After (Sprint 9 — grouped, collapsible):

```
🌿 Betrieb
  Dashboard | Mitglieder | Ausgabe | Lager | Anbau
💬 Kommunikation
  Schwarzes Brett | Kalender | Forum
🏛️ Verwaltung
  Finanzen | Versammlungen | Dokumente | Vorstand | Personal
📋 Compliance
  Berichtszentrale | Protokoll | Einstellungen
```

---

## 8. What We Already Have (Gap Summary)

| Capability | Sprint Delivered | Status for Sprint 9 |
|-----------|-----------------|-------------------|
| Distribution tracking | Sprint 2 | ✅ Exists — needs THC%/CBD% per distribution |
| Stock management | Sprint 2 | ✅ Exists — good basis for Bestandsführung |
| Grow tracking | Sprint 4 | ✅ Exists — needs harvest weight tracking |
| Monthly report (basic) | Sprint 5 | ⚠️ Exists — needs authority-format enhancement |
| Member list report | Sprint 5 | ⚠️ Exists — needs Vereinsregister format |
| Recall report | Sprint 5 | ⚠️ Exists — needs formal Vernichtungsprotokoll |
| Kassenbuch | Sprint 8 | ✅ Exists — needs EÜR transformation |
| Jahresabschluss PDF | Sprint 8 | ✅ Exists — keep, enhance |
| MV Protocol PDF | Sprint 8 | ✅ Exists — keep |
| Audit Log | Sprint 3 | ✅ Exists — foundation for GoBD compliance |
| Consent Management | Sprint 6 | ✅ Exists — foundation for DSGVO reports |
| Document Storage | Sprint 8 | ✅ Exists — store generated reports |
| Prevention Officer tracking | Sprint 3 | ⚠️ Basic — needs activity log |

**NEW features needed:**

- Destruction protocol module
- Transport documentation module
- Propagation material source tracking
- Authority annual report generator (§26(3))
- Authority full export (§26(2) + §27)
- EÜR generator (from existing Kassenbuch data)
- VVT/TOM/DSFA document generators
- Compliance dashboard with deadline tracking
- Sidebar reorganization
- Report history + resubmission tracking
- Retention period enforcement service

---

## 9. Non-Goals (explicitly out of scope)

| Feature | Reason | When |
|---------|--------|------|
| SEPA Lastschrift | Requires BaFin registration, bank API | Sprint 10+ |
| DATEV online integration | Requires DATEV partnership agreement | Sprint 11+ |
| Online-Banking (FinTS) | Complex, regulated, security-critical | Sprint 11+ |
| Digital signature on PDFs | Nice-to-have, not legally required | Sprint 10+ |
| Authority API integration | No standard API exists yet (KCanG too new) | When standard emerges |
| Multi-Verein (Dachverband) | Different product tier | V2.0 |
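
For the Behörden-Gesamtexport (CAN-R07) and the JSON format in section 5.3, the sketch below builds the distribution part of the export from an allowlist of the §26(1) Nr. 5 fields and attaches a SHA-256 digest over a canonical UTF-8 serialisation. It is an added example, not CannaManage code; only `date_of_birth` and `thc_percentage` come from this document, all other field names, the sample rows and the digest step are assumptions.

```python
import hashlib
import hmac
import json
from datetime import date, datetime, timezone

# Constructed sample rows. address/iban stand in for data that must never leave the system.
SAMPLE_MEMBERS = [
    {"id": "m-1", "last_name": "Muster", "first_name": "Erika",
     "date_of_birth": date(1998, 4, 12),
     "address": "Beispielweg 1, 12345 Musterstadt", "iban": "DE00000000000000000000"},
    {"id": "m-2", "last_name": "Beispiel", "first_name": "Jan",
     "date_of_birth": date(2006, 9, 30),
     "address": "Testgasse 7, 12345 Musterstadt", "iban": "DE00111111111111111111"},
]
SAMPLE_DISTRIBUTIONS = [
    {"member_id": "m-1", "date": date(2026, 5, 2), "grams": 12.5, "thc_percentage": 18.0},
    {"member_id": "m-2", "date": date(2026, 5, 3), "grams": 5.0, "thc_percentage": 9.5},
    {"member_id": "m-1", "date": date(2027, 1, 4), "grams": 10.0, "thc_percentage": 18.0},
]


def minimise_member(member):
    """Project a member row onto name + birth year; every other column is dropped."""
    return {
        "last_name": member["last_name"],
        "first_name": member["first_name"],
        "birth_year": member["date_of_birth"].year,  # year only, never the full date
    }


def digest(payload):
    """SHA-256 over a canonical serialisation (sorted keys, fixed separators, UTF-8)."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def build_authority_export(members, distributions, period_start, period_end, generated_at):
    """Return {"payload": ..., "sha256": ...} for one reporting period."""
    by_id = {m["id"]: m for m in members}
    rows = []
    for d in distributions:
        if not period_start <= d["date"] <= period_end:
            continue  # outside the requested period
        row = minimise_member(by_id[d["member_id"]])  # internal ids are not exported
        row.update(grams=d["grams"], thc_percentage=d["thc_percentage"],
                   date=d["date"].isoformat())        # ISO 8601 per section 5.3
        rows.append(row)
    payload = {
        "legal_basis": "§26 Abs. 2 KCanG",
        "period": {"start": period_start.isoformat(), "end": period_end.isoformat()},
        "generated_at": generated_at.isoformat(),
        "member_register": [minimise_member(m) for m in members],
        "distributions": rows,
    }
    return {"payload": payload, "sha256": digest(payload)}


def verify(export):
    """Recompute the digest and compare it with the recorded one."""
    return hmac.compare_digest(digest(export["payload"]), export["sha256"])


def sample_export():
    return build_authority_export(
        SAMPLE_MEMBERS, SAMPLE_DISTRIBUTIONS, date(2026, 1, 1), date(2026, 12, 31),
        datetime(2027, 1, 15, 9, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(sample_export(), indent=2, ensure_ascii=False))
```

The digest only shows later modification if it is recorded separately from the exported file, for example next to the report's `generated_reports` row; it is not a digital signature.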
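
For the retention table and the `RetentionService` steps in section 6, the sketch below computes when each period ends ("from record date" versus "from year-end"), refuses deletion while a period runs, and only queues expired records for admin review. It is an added example, not CannaManage code; the category keys, function names and sample records are assumptions, as is counting member data from the exit date.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Status(Enum):
    RETAIN = "retain"        # inside the period: deletion requests are refused
    REVIEW = "review"        # period over: queue for admin review, delete nothing
    PERMANENT = "permanent"  # never delete


@dataclass(frozen=True)
class Rule:
    years: Optional[int]  # None = keep indefinitely
    from_year_end: bool   # True: the period starts on 31.12 of the reference year


# Periods taken from the table in section 6; the keys are hypothetical names.
RULES = {
    "distribution_record": Rule(5, False),      # §26(2) KCanG, from record date
    "financial_transaction": Rule(10, True),    # §147 AO, from year-end
    "financial_voucher": Rule(8, True),
    "commercial_letter": Rule(6, True),
    "member_data_after_exit": Rule(10, False),  # assumption: counted from exit date
    "audit_log": Rule(None, False),             # table: "Immutable, never delete"
    "mv_protocol": Rule(None, False),
}


def add_years(d, years):
    """Shift a date by whole years; 29 February rolls forward so nothing expires early."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return date(d.year + years, 3, 1)


def retention_end(category, reference):
    """Last day on which the record must still be kept, or None for indefinite."""
    rule = RULES[category]
    if rule.years is None:
        return None
    start = date(reference.year, 12, 31) if rule.from_year_end else reference
    return add_years(start, rule.years)


def status(category, reference, today):
    end = retention_end(category, reference)
    if end is None:
        return Status.PERMANENT
    return Status.REVIEW if today > end else Status.RETAIN


def may_delete(category, reference, today, admin_confirmed):
    """Deletion guard: only after expiry and only with explicit human confirmation."""
    return status(category, reference, today) == Status.REVIEW and admin_confirmed


def daily_run(records, today):
    """The scheduled job: returns ids for the admin review queue and deletes nothing."""
    return [r["id"] for r in records
            if status(r["category"], r["reference"], today) == Status.REVIEW]


# Constructed sample records.
SAMPLE_RECORDS = [
    {"id": "dist-1", "category": "distribution_record", "reference": date(2026, 6, 15)},
    {"id": "fin-1", "category": "financial_transaction", "reference": date(2026, 6, 15)},
    {"id": "mv-1", "category": "mv_protocol", "reference": date(2026, 3, 15)},
]

if __name__ == "__main__":
    print(daily_run(SAMPLE_RECORDS, date(2031, 7, 1)))
```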