cannamanage/docs/sprint-9/cannamanage-sprint9-analysis.md
Patrick Plate 26a77dd269 feat(sprint9): Phase 1 — Data model + ReportGenerator infrastructure
- 7 new enums: ReportType, ExportFormat, DestructionMethod, TransportStatus,
  ComplianceArea, ComplianceStatus, RetentionCategory
- Extended: StaffPermission (+3), AuditEventType (+5), NotificationType (+2)
- Flyway V23-V29: destruction_records, transport_records, propagation_sources,
  prevention_activities, generated_reports, compliance_deadlines, distribution THC/CBD
- 6 new JPA entities extending AbstractTenantEntity
- 6 new Spring Data repositories with tenant-scoped queries
- ReportGenerator<T> interface + ReportGeneratorService (auto-discovery, format dispatch)
- ComplianceRecordsController (CRUD for destruction/transport/propagation/prevention)
- ComplianceDeadlineController (create, list, complete, overdue)
- DateRangeReportParameters record for report generation
2026-06-15 12:01:06 +02:00
# Sprint 9 Feature Analysis — Reporting & Documentation Module (Berichtszentrale)
**Date:** 2026-06-15
**Author:** Patrick Plate / Lumen (Architect)
**Status:** Draft v1
**Sprint Goal:** Transform CannaManage into a compliance-first reporting powerhouse — every document a German Anbauvereinigung legally needs, generated automatically, authority-ready.
---
## Executive Summary
Sprint 9 delivers the **Berichtszentrale** (Report Center) — a comprehensive reporting and documentation module that addresses every legal obligation a German cannabis Anbauvereinigung has under the KCanG, BGB, Abgabenordnung, and DSGVO. While competitors tell clubs to "use Excel", CannaManage will generate authority-ready PDF reports with a single click.
This sprint also introduces **sidebar categorization** (the nav is getting too long with 15+ items) and a **compliance dashboard** that shows green/yellow/red status per regulatory area.
**Why this is a killer differentiator:**
- No competitor offers KCanG-specific reporting (§26 documentation, §27 authority inspection readiness)
- easyVerein offers EÜR and SEPA but knows nothing about cannabis compliance
- Vereinsflieger is aviation-only; generic tools don't understand Anbauvereinigung requirements
- The Behörde can demand electronic records at ANY time (§27 KCanG) — clubs need instant export capability
**Key numbers:**
- 12+ legally mandated reports identified
- 5 retention periods to enforce (5 years KCanG, 6 years AO commercial letters, 8 years AO vouchers, 10 years AO books, indefinite BGB MV minutes)
- 3 annual deadlines (31.01 authority report, annual EÜR, annual MV/Jahresabschluss)
- 4 export formats needed (PDF for authorities, CSV for accountants, JSON for API, XML for DATEV)
---
## 1. Legal Requirements Analysis
### 1.1 KCanG — Konsumcannabisgesetz (Cannabis-specific)
#### §26 KCanG — Dokumentations- und Berichtspflichten (PRIMARY OBLIGATION)
**§26 Abs. 1** — Continuous documentation requirements:
| # | Requirement | What to document | CannaManage Status |
|---|------------|-----------------|-------------------|
| 1 | §26(1) Nr. 1 | Source of propagation material: Name, Vorname, Anschrift of person/club providing seeds/clones | ❌ Not tracked |
| 2 | §26(1) Nr. 2 | Current stock: Grams of cannabis + count of propagation material on premises | ✅ Stock module exists |
| 3 | §26(1) Nr. 3 | Cultivation quantity: Grams of cannabis grown | ✅ Grow module exists |
| 4 | §26(1) Nr. 4 | Destruction quantity: Grams cannabis destroyed + count propagation material destroyed | ⚠️ Partial (recall exists, no formal destruction protocol) |
| 5 | §26(1) Nr. 5 | Distribution records per member: Name, Vorname, Geburtsjahr, Menge in Gramm, durchschnittlicher THC-Gehalt, Datum | ✅ Distributions module (needs THC% and birth year verification) |
| 6 | §26(1) Nr. 6 | Propagation material distribution: Name, Vorname, Geburtsjahr, Stückzahl, Datum | ❌ Not tracked |
| 7 | §26(1) Nr. 7 | Transport records: Grams, Sorten, transporting member name, date, start/end address | ❌ Not tracked |
**§26 Abs. 2** — Retention & Authority Access:
- Records must be kept for **5 years** (after member leaves? — unclear, likely from creation date)
- Must be transmittable **electronically** to authorities on demand
- Annual anonymized report due **by January 31** to the Behörde for evaluation per §43
**§26 Abs. 3** — Annual Quantity Report (due January 31):
- Total grams **cultivated** in previous calendar year
- Total grams **distributed** in previous calendar year
- Total grams **destroyed** in previous calendar year
- **End-of-year stock** (grams in inventory on Dec 31)
- Broken down by: **Sorten (strains)** and **average THC/CBD content**
**§26 Abs. 4** — Health risk notification:
- If cannabis poses health risk → immediate notification to authorities
- Recall, return, and destruction must be documented
**§26 Abs. 5** — Theft/unauthorized distribution reporting:
- Immediate notification to authorities if cannabis goes missing
#### §19 KCanG — Distribution Rules (affects report format)
- Max 25g/day per member (21+), max 50g/month
- Max 25g/day per Heranwachsende (18-21), max 30g/month, max 10% THC
- Every distribution requires: ID check + membership card verification
- **Report implication:** Monthly distribution report must flag any limit violations
#### §22 KCanG — Transport Documentation
- Transport between premises: must notify authority 1 business day before
- Transportbescheinigung required with: Club name/address, date, start/end, grams, strains, authority contact
- **Report implication:** Need a transport document generator
#### §23 KCanG — Youth Protection & Prevention
- Präventionsbeauftragter (Prevention Officer) must be appointed by Vorstand
- Gesundheits- und Jugendschutzkonzept (Health & Youth Protection Concept) required
- Prevention officer must demonstrate training credentials
- **Report implication:** Prevention activity log, training certificate tracking
#### §21 KCanG — Health Protection at Distribution
- Neutral packaging required
- Information sheet mandatory at every distribution with: weight, harvest date, best-before date, strain, THC%, CBD%, health warnings
- **Report implication:** Distribution slip generator (Informationszettel)
#### §27 KCanG — Authority Oversight
- Authorities conduct **regular on-site inspections** (Stichproben)
- They review §26 documentation on-site
- They can demand electronic transmission of all records
- **Report implication:** "Authority Export" button — one click to generate full compliant dataset
---
### 1.2 BGB — Vereinsrecht (Association Law)
#### §27 Abs. 3 BGB — Vorstand Accountability
> "Auf die Geschäftsführung des Vorstands finden die für den Auftrag geltenden Vorschriften der §§664 bis 670 entsprechende Anwendung."
This means:
- **§666 BGB (Auskunftspflicht):** The board must inform members about the state of affairs and render account after completion of duties
- **§259 BGB (Rechnungslegung):** Duty to present ordered accounts (Einnahmen/Ausgaben)
- **§670 BGB (Aufwendungsersatz):** Expense reimbursements must be documented
**Report implications:**
- **Jahresbericht des Vorstands** (Annual Board Report) — legal obligation to members
- **Rechenschaftsbericht** (Accountability Report) — financial summary to members at MV
- **Aufwendungsersatz-Dokumentation** — expense claim records with receipts
#### §36 BGB — Notice Periods for Mitgliederversammlung
- Satzung defines notice period (typically 2-4 weeks)
- **Report implication:** MV invitation must be documented with proof of timely delivery (we have this from Sprint 8)
#### §37 BGB — Extraordinary Assembly
- 10% of members can demand extraordinary MV
- **Report implication:** Petition tracking (signatures vs. threshold)
---
### 1.3 Abgabenordnung (AO) — Tax/Financial Obligations
#### §141 AO — Buchführungspflicht Threshold
Cannabis clubs are likely NOT exempt as "gemeinnützig" (§5 Abs. 1 Nr. 9 KStG probably doesn't apply since KCanG explicitly allows only Selbstkostendeckung — cost recovery, not charity).
Threshold for full bookkeeping (doppelte Buchführung):
- **>€800,000 revenue** OR **>€80,000 profit** → full Handelsbücher required
- Below threshold → **EÜR (Einnahmen-Überschuss-Rechnung)** per §4 Abs. 3 EStG suffices
Most cannabis clubs will be BELOW threshold (500 members × €30/month = €180K/year), so **EÜR is the correct format**.
#### §63 Abs. 3 AO — Ordnungsmäßige Aufzeichnungen
> "Die Körperschaft hat den Nachweis [...] durch ordnungsmäßige Aufzeichnungen über ihre Einnahmen und Ausgaben zu führen."
Even if NOT gemeinnützig, every Verein must keep orderly financial records.
#### §147 AO — Aufbewahrungsfristen (Retention Periods)
| Category | Period | Examples |
|----------|--------|----------|
| Bücher, Inventare, Jahresabschlüsse, Arbeitsanweisungen | **10 years** | Kassenbuch, EÜR, Eröffnungsbilanz |
| Buchungsbelege | **8 years** | Receipts, invoices, bank statements |
| Handels-/Geschäftsbriefe | **6 years** | Contracts, correspondence with authorities |
| Sonstige steuerrelevante Unterlagen | **6 years** | Tax returns, member fee confirmations |
**§147 Abs. 2** — Electronic storage is permitted if:
- Readable at any time during retention period
- Machine-evaluatable (searchable, exportable)
**§147 Abs. 6** — Authorities can:
- Inspect stored data during audit
- Demand machine-evaluatable export
- Demand data transfer in machine-readable format
**Report implication:** GoBD-compliant export (immutable, timestamped, searchable)
#### §4 Abs. 3 EStG — EÜR Format
For Vereine below §141 AO threshold:
- Simple Überschuss = Betriebseinnahmen − Betriebsausgaben
- Must track: date, amount, category, description for each transaction
- Our Sprint 8 Kassenbuch already captures this — needs EÜR formatting
---
### 1.4 DSGVO — Data Protection
#### Art. 30 DSGVO — Verzeichnis der Verarbeitungstätigkeiten (VVT)
Every Verein processing personal data must maintain a VVT with:
- Purpose of processing
- Categories of data subjects (members, staff, suppliers)
- Categories of personal data (name, address, health data — cannabis IS health data!)
- Recipients (authorities, insurance, software providers)
- Transfers to third countries (cloud hosting location!)
- Retention periods per category
- Technical/organizational measures (TOMs)
**Critical:** Cannabis distribution data is **health-related data** (Art. 9 DSGVO — special categories). This requires:
- Explicit consent (we have ConsentService from Sprint 6)
- Data Protection Impact Assessment (DSFA) — Art. 35 DSGVO
- Higher security measures
#### Art. 33/34 DSGVO — Breach Notification
- Notify Datenschutzbehörde within **72 hours** of awareness
- Notify affected members if high risk
- **Report implication:** Breach notification template + incident log
#### Art. 35 DSGVO — Datenschutz-Folgenabschätzung (DSFA)
Required when processing involves "high risk" — cannabis data + health data qualifies.
- Must describe processing operations
- Assess necessity and proportionality
- Assess risks to rights/freedoms
- Identify mitigation measures
**Report implication:** Pre-filled DSFA template for Anbauvereinigungen
---
### 1.5 GoBD — Grundsätze ordnungsgemäßer Buchführung
Even if a cannabis club is below the §141 AO threshold, if they use software for their bookkeeping, GoBD applies:
- **Unveränderbarkeit** (immutability): Once a transaction is recorded, it cannot be changed without audit trail
- **Verfahrensdokumentation**: Documentation of how the system works (we need to generate this)
- **Belegfunktion**: Every booking needs a supporting document
- **Journal-Funktion**: Chronological, complete, correct recording
- **Kontenfunktion**: Accounts with running balances
**Already implemented (Sprint 8):** Append-only ledger (financial_transactions), audit_events for all changes.
**Still needed:**
- GoBD-compliant export (structured, machine-readable)
- Verfahrensdokumentation template (describes how CannaManage works)
- Beleg-attachment for each transaction (already have receipt upload in documents)
---
### 1.6 Vereinsregisterverordnung (VRV)
Changes that must be reported to the Registergericht:
- Vorstandsänderung (board changes) — with MV protocol as proof
- Satzungsänderung (statute changes) — with MV protocol + notarized copy
- Sitzverlegung (registered address change)
- Vereinsauflösung (dissolution)
**Report implication:** Pre-formatted notification templates for Registergericht
---
## 2. Competitive Analysis
### 2.1 easyVerein (market leader for generic Vereine)
**Pricing:** From €9/month (50 members) to €39/month (unlimited)
| Feature | easyVerein | CannaManage (current) | CannaManage (Sprint 9) |
|---------|-----------|----------------------|----------------------|
| Mitgliederverwaltung | ✅ Full | ✅ Full | ✅ Full |
| Buchhaltung/EÜR | ✅ With DATEV export | ✅ Kassenbuch (Sprint 8) | ✅ + EÜR generator |
| SEPA-Lastschrift | ✅ XML export | ❌ Manual tracking | ❌ (Sprint 10+) |
| Spendenquittungen | ✅ | ❌ N/A (not gemeinnützig) | ❌ N/A |
| Vereinskalender | ✅ With sync | ✅ Calendar module | ✅ Calendar module |
| Sitzungsprotokolle | ✅ Live-Protokoll | ✅ MV + Protokoll PDF | ✅ Enhanced |
| DSGVO-Tools | ✅ Basic | ⚠️ Consent only | ✅ Full VVT + DSFA |
| Cannabis compliance | ❌ Nothing | ✅ Full KCanG | ✅ Authority-ready |
| Mitglieder-App | ✅ Native iOS/Android | ✅ PWA (Member Portal) | ✅ PWA |
| Chat | ✅ Integrated | ✅ Forum | ✅ Forum |
| Inventarverwaltung | ✅ Generic | ✅ Cannabis-specific stock | ✅ Enhanced |
| Dateiverwaltung | ✅ | ✅ Documents module | ✅ Enhanced |
| Online-Banking | ✅ FinTS/HBCI | ❌ | ❌ (Sprint 10+) |
**easyVerein's reporting features (from their site):**
- Finanzauswertungen & EÜR (financial evaluations)
- DATEV-Export (for tax accountants)
- Beiträge & Rechnungen (automated fee invoicing)
- Serienbriefe/E-Mails (serial letters/bulk email)
- Membership certificates
**Gaps easyVerein can never fill:**
- KCanG §26 documentation (cannabis-specific)
- THC/CBD tracking
- Distribution quota enforcement
- Authority inspection readiness
- Grow cycle documentation
- Destruction protocols
- Transport certificates
### 2.2 Other Competitors
| Software | Focus | Reporting | Cannabis-relevant |
|----------|-------|-----------|------------------|
| WISO Mein Verein | Small clubs | EÜR, basic member reports | ❌ Generic only |
| Vereinsflieger | Aviation clubs | Flight hours, technical logs | ❌ Completely different domain |
| JVerein (Hibiscus) | Free/OSS | Basic bookkeeping + SEPA | ❌ Desktop-only, no compliance |
| ClubDesk | Swiss | Member + finance + events | ❌ Not Germany-specific |
| 1000° ePaper | Magazine clubs | Publication management | ❌ Irrelevant |
| Cannamanage (DE) | — | — | No competitor exists at this level |
### 2.3 Gap Analysis Summary
**CannaManage is the ONLY platform combining:**
1. Verein administration (members, MV, board, documents)
2. Cannabis compliance (KCanG §§19-27)
3. Financial management (EÜR, Kassenbuch, GoBD)
4. Authority readiness (one-click electronic export per §26 Abs. 2 + §27)
5. DSGVO compliance tools (VVT, DSFA, consent management)
No existing product covers more than 2 of these 5 areas. This is the moat.
---
## 3. Feature Specification
### 3.1 Category A — Financial Reports
| # | Report | Legal Basis | Format | Priority |
|---|--------|-------------|--------|----------|
| FIN-R01 | **EÜR (Einnahmen-Überschuss-Rechnung)** | §4(3) EStG, §63(3) AO | PDF + CSV | P0 |
| FIN-R02 | **Jahresabschluss (Annual Financial Summary)** | §27(3) BGB → §666 BGB | PDF | P0 |
| FIN-R03 | **Kassenbuch-Export (enhanced)** | §147 AO | PDF + CSV + DATEV | P0 |
| FIN-R04 | **Beitragsbescheinigung (Fee Confirmation)** | §10b EStG (if applicable) | PDF per member | P1 |
| FIN-R05 | **Ausgabenübersicht nach Kategorie** | Internal (Kassenprüfer) | PDF | P1 |
**FIN-R01: EÜR Generator**
- Input: All financial_transactions from calendar year
- Output: Standard EÜR format (Anlage EÜR to Steuererklärung)
- Categories: Einnahmen (Mitgliedsbeiträge, sonstige), Ausgaben (Miete, Strom, Material, Cannabis-Anbau, Verwaltung, Versicherung)
- Includes: Kassensaldo Anfang/Ende, Ergebnis (Überschuss/Fehlbetrag)
- Export: PDF (pretty) + CSV (for Steuerberater) + optional DATEV-compatible
**FIN-R04: Beitragsbescheinigung**
- Per-member annual confirmation of fees paid
- NOT a Spendenquittung (cannabis clubs aren't gemeinnützig)
- But members may deduct Vereinsbeiträge as Sonderausgaben in some cases
- Template: Member name, Club name+address, amount paid, period, club signature
### 3.2 Category B — KCanG Compliance Reports
| # | Report | Legal Basis | Format | Priority |
|---|--------|-------------|--------|----------|
| CAN-R01 | **Jahresbericht an Behörde** (Annual Authority Report) | §26(3) KCanG | PDF + structured JSON/XML | P0 |
| CAN-R02 | **Weitergabe-Dokumentation** (Distribution Log) | §26(1) Nr. 5 KCanG | PDF + CSV | P0 |
| CAN-R03 | **Bestandsführung** (Stock Inventory Report) | §26(1) Nr. 2 KCanG | PDF | P0 |
| CAN-R04 | **Vernichtungsprotokoll** (Destruction Protocol) | §26(1) Nr. 4 KCanG | PDF | P0 |
| CAN-R05 | **Anbaudokumentation** (Cultivation Report) | §26(1) Nr. 3 KCanG | PDF | P0 |
| CAN-R06 | **Transportbescheinigung** (Transport Certificate) | §22(4) KCanG | PDF | P1 |
| CAN-R07 | **Behörden-Gesamtexport** (Full Authority Export) | §26(2) + §27 KCanG | JSON + PDF bundle | P0 |
| CAN-R08 | **Informationszettel** (Distribution Info Sheet) | §21(2) KCanG | PDF (printable) | P1 |
| CAN-R09 | **Verlust-/Diebstahlmeldung** (Loss Report) | §26(5) KCanG | PDF | P2 |
| CAN-R10 | **Risiko-Rückruf-Meldung** (Health Risk Recall) | §26(4) KCanG | PDF | P2 |
**CAN-R01: Jahresbericht (most critical report)**
Per §26 Abs. 3 KCanG, due January 31, must contain:
```
Anbauvereinigung: [Name, Erlaubnisnummer]
Berichtszeitraum: 01.01.YYYY - 31.12.YYYY
1. Angebaute Mengen (nach Sorte):
| Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |
2. Weitergegebene Mengen (nach Sorte):
| Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |
3. Vernichtete Mengen (nach Sorte):
| Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |
4. Bestand zum 31.12. (nach Sorte):
| Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |
```
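The aggregation behind these four tables, as an added Python reference implementation (not CannaManage's Java code): the Ø THC/CBD columns are weighted by grams, and records outside the reporting year are excluded. The `QuantityRecord` shape and the sample data are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class QuantityRecord:
    """One quantity entry for a single strain (hypothetical shape, not a CannaManage entity).
    category: 'cultivated', 'distributed', 'destroyed' or 'stock' (stock = position on 31.12.)."""
    category: str
    strain: str
    grams: float
    thc_pct: float
    cbd_pct: float
    recorded_on: date


def aggregate_by_strain(records, category, year):
    """Return {strain: (grams, Ø THC %, Ø CBD %)} for one §26(3) section.

    Averages are weighted by grams: 100 g at 18 % plus 10 g at 8 % THC reports
    Ø 17.09 %, not the unweighted 13 %. Records outside `year` are ignored."""
    totals = defaultdict(lambda: [0.0, 0.0, 0.0])   # grams, thc*grams, cbd*grams
    for r in records:
        if r.category != category or r.recorded_on.year != year:
            continue
        t = totals[r.strain]
        t[0] += r.grams
        t[1] += r.thc_pct * r.grams
        t[2] += r.cbd_pct * r.grams
    result = {}
    for strain, (grams, thc_w, cbd_w) in sorted(totals.items()):
        if grams <= 0:
            continue                                  # no grams, no meaningful average
        result[strain] = (round(grams, 2), round(thc_w / grams, 2), round(cbd_w / grams, 2))
    return result


def de(value):
    """German decimal comma, two places: 17.09 -> '17,09'."""
    return f"{value:.2f}".replace(".", ",")


SECTIONS = [
    ("1. Angebaute Mengen (nach Sorte):", "cultivated"),
    ("2. Weitergegebene Mengen (nach Sorte):", "distributed"),
    ("3. Vernichtete Mengen (nach Sorte):", "destroyed"),
    ("4. Bestand zum 31.12. (nach Sorte):", "stock"),
]


def render_jahresbericht(club_name, permit_no, year, records):
    """Render the four tables in the layout sketched above as plain text."""
    lines = [
        f"Anbauvereinigung: {club_name}, {permit_no}",
        f"Berichtszeitraum: 01.01.{year} - 31.12.{year}",
    ]
    for heading, category in SECTIONS:
        lines.append(heading)
        lines.append("| Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |")
        rows = aggregate_by_strain(records, category, year)
        if not rows:
            lines.append("| - | 0,00 | - | - |")       # the section must still appear
        for strain, (grams, thc, cbd) in rows.items():
            lines.append(f"| {strain} | {de(grams)} | {de(thc)} | {de(cbd)} |")
    return "\n".join(lines)


# Constructed sample data (not real club records).
SAMPLE_RECORDS = [
    QuantityRecord("cultivated", "Amnesia", 100.0, 18.0, 0.5, date(2024, 4, 10)),
    QuantityRecord("cultivated", "Amnesia", 10.0, 8.0, 1.0, date(2024, 5, 2)),
    QuantityRecord("cultivated", "Haze", 50.0, 20.0, 0.25, date(2025, 1, 15)),  # next year, excluded
    QuantityRecord("distributed", "Amnesia", 40.0, 18.0, 0.5, date(2024, 9, 1)),
    QuantityRecord("destroyed", "Amnesia", 5.0, 18.0, 0.5, date(2024, 10, 3)),
    QuantityRecord("stock", "Amnesia", 65.0, 18.0, 0.5, date(2024, 12, 31)),
]

if __name__ == "__main__":
    print(render_jahresbericht("Beispielverein e.V.", "Erlaubnis-Nr. [PLACEHOLDER]", 2024, SAMPLE_RECORDS))
```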
**CAN-R07: Behörden-Gesamtexport (Authority Full Export)**
One-click export of EVERYTHING §26(2) requires, electronically transmittable:
- All distribution records (§26(1) Nr. 5)
- Stock history
- Cultivation records
- Destruction records
- Transport records
- Member register (name, birth year only — DSGVO minimum)
Format: Structured JSON (machine-evaluatable per §147 Abs. 6 AO principles) + human-readable PDF summary.
### 3.3 Category C — Verein Administrative Reports
| # | Report | Legal Basis | Format | Priority |
|---|--------|-------------|--------|----------|
| VER-R01 | **Mitgliederliste für Vereinsregister** | §67 BGB | PDF | P1 |
| VER-R02 | **Vorstandsänderung-Meldung** (Board Change Notice) | VRV §§4-5 | PDF template | P1 |
| VER-R03 | **Satzungsänderung-Dokumentation** | VRV §71 | PDF bundle | P2 |
| VER-R04 | **Jahresbericht des Vorstands** (Annual Board Report) | §27(3) BGB → §666 BGB | PDF | P1 |
| VER-R05 | **Tätigkeitsbericht** (Activity Report) | §63 AO (if gemeinnützig) | PDF | P2 |
| VER-R06 | **Präventionsbeauftragter-Nachweis** | §23(4) KCanG | PDF | P1 |
**VER-R01: Mitgliederliste**
- §67 BGB: Members can demand member list access (names + addresses)
- Format: Sortable by name, join date, status
- Export for Vereinsregister: Name, address, entry date (minimal per DSGVO)
**VER-R06: Präventionsbeauftragter-Nachweis**
- Who is appointed (name, date of appointment)
- Training certificate details (where trained, when, certificate number)
- Activities log (consultations given, materials distributed, events organized)
- Required by §23(4)-(6) KCanG for inspections
### 3.4 Category D — DSGVO/Data Protection Reports
| # | Report | Legal Basis | Format | Priority |
|---|--------|-------------|--------|----------|
| DSG-R01 | **Verarbeitungsverzeichnis (VVT)** | Art. 30 DSGVO | PDF | P0 |
| DSG-R02 | **Technisch-Organisatorische Maßnahmen (TOMs)** | Art. 32 DSGVO | PDF | P1 |
| DSG-R03 | **Datenschutz-Folgenabschätzung (DSFA)** | Art. 35 DSGVO | PDF | P1 |
| DSG-R04 | **Löschkonzept** (Deletion Concept) | Art. 17 DSGVO + §26(2) KCanG | PDF | P1 |
| DSG-R05 | **Datenpannen-Meldung** (Breach Notification) | Art. 33/34 DSGVO | PDF template | P2 |
**DSG-R01: Verarbeitungsverzeichnis (VVT)**
Pre-filled template specific to Anbauvereinigungen:
| Verarbeitungstätigkeit | Zweck | Betroffene | Datenarten | Rechtsgrundlage | Löschfrist |
|----------------------|-------|-----------|-----------|----------------|-----------|
| Mitgliederverwaltung | Vereinsorganisation | Mitglieder | Name, Adresse, Geburtsdatum, Bankdaten | Art. 6(1)(b) DSGVO | 2 Jahre nach Austritt |
| Cannabis-Weitergabe | KCanG-Pflicht | Mitglieder | Name, Geburtsjahr, Menge, THC% | Art. 6(1)(c) DSGVO + §26 KCanG | 5 Jahre (§26(2) KCanG) |
| Finanzverwaltung | Steuerrecht | Mitglieder | Zahlungsdaten | Art. 6(1)(c) DSGVO + §147 AO | 10 Jahre |
| Videoüberwachung | Sicherung §22 KCanG | Besucher | Videobilder | Art. 6(1)(f) DSGVO | 72 Stunden |
**DSG-R03: DSFA (required because cannabis = health data)**
Pre-filled structure:
1. Systematische Beschreibung der Verarbeitung
2. Bewertung der Notwendigkeit und Verhältnismäßigkeit
3. Bewertung der Risiken für Betroffene
4. Abhilfemaßnahmen (encryption, access control, audit log, deletion automation)
### 3.5 Category E — Dashboard Enhancement (Compliance Status)
**New: Berichtszentrale (Report Center) page**
A centralized dashboard showing:
```
┌────────────────────────────────────────────────────────────────────────┐
│ BERICHTSZENTRALE                                                       │
├──────────────┬────────────────────────┬────────────────────────────────┤
│ STATUS       │ NÄCHSTE FRISTEN        │ SCHNELLZUGRIFF                 │
│              │                        │                                │
│ 🟢 KCanG      │ 31.01 Jahresbericht    │ [Behörden-Export]              │
│ 🟢 Finanzen   │ 31.03 EÜR              │ [EÜR generieren]               │
│ 🟡 DSGVO      │ VVT nicht aktuell      │ [VVT aktualisieren]            │
│ 🟢 Verein     │ Nächste MV: 15.03      │ [Jahresbericht Vorstand]       │
│              │                        │                                │
├──────────────┴────────────────────────┴────────────────────────────────┤
│ BERICHTE NACH KATEGORIE                                                │
│                                                                        │
│ 📊 Finanzen      │ 🌿 Cannabis/KCanG  │ 🏛️ Vereinsverwaltung │ 🔒 DSGVO    │
│ • EÜR           │ • Jahresbericht   │ • Mitgliederliste   │ • VVT      │
│ • Kassenbuch    │ • Weitergabe-Log  │ • Vorstandsmeldung  │ • TOMs     │
│ • Jahresabschl. │ • Bestandsführung │ • Jahresbericht     │ • DSFA     │
│ • Beitrags-     │ • Vernichtung     │ • Präventions-      │ • Lösch-   │
│   bescheinigung │ • Anbaudoku       │   nachweis          │   konzept  │
│                 │ • Transport       │                     │            │
│                 │ • Behörden-Export │                     │            │
└────────────────────────────────────────────────────────────────────────┘
```
**Compliance Status Logic:**
- 🟢 Green: All obligations met, no upcoming deadlines within 30 days
- 🟡 Yellow: Deadline approaching (within 30 days) OR data incomplete
- 🔴 Red: Deadline missed OR critical documentation gap
**Tracked Deadlines:**
| Deadline | Frequency | Legal Basis |
|----------|-----------|-------------|
| 31. January | Annual | §26(3) KCanG — Jahresbericht an Behörde |
| 31. March | Annual | EÜR submission (Finanzamt) |
| MV date | As per Satzung (typically annual) | §36 BGB |
| Board term expiry | Per Satzung | §26 BGB |
| 5-year data retention check | Continuous | §26(2) KCanG |
| 10-year financial retention | Continuous | §147 AO |
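The status logic and the deadline table in executable form, as an added Python example (not CannaManage code): a worst-of rule per regulatory area, the 30-day warning window, and a helper that rolls the fixed annual dates (31.01, 31.03) forward. `Deadline`, `AreaData` and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

GREEN, YELLOW, RED = "green", "yellow", "red"
RANK = {GREEN: 0, YELLOW: 1, RED: 2}
WARNING_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Deadline:
    """One row of compliance_deadlines (hypothetical field subset)."""
    area: str                 # 'KCanG', 'Finanzen', 'DSGVO', 'Verein'
    title: str
    due_date: date
    status: str = "PENDING"   # PENDING / COMPLETED, as in the V28 status column


@dataclass(frozen=True)
class AreaData:
    """Completeness of the documentation behind an area (hypothetical)."""
    area: str
    incomplete: bool = False     # e.g. VVT not updated since the last processing change
    critical_gap: bool = False   # e.g. no §26(1) Nr. 1 source records at all


def next_annual_due(month, day, today):
    """Next occurrence of a fixed annual date such as 31.01 or 31.03."""
    this_year = date(today.year, month, day)
    return this_year if this_year >= today else date(today.year + 1, month, day)


def deadline_status(deadline, today):
    if deadline.status == "COMPLETED":
        return GREEN
    if deadline.due_date < today:
        return RED                                  # deadline missed
    if deadline.due_date - today <= WARNING_WINDOW:
        return YELLOW                               # due within 30 days
    return GREEN


def worst(a, b):
    return a if RANK[a] >= RANK[b] else b


def area_status(area, deadlines, area_data, today):
    """Worst-of rule: one missed deadline or critical gap turns the whole area red."""
    status = GREEN
    for d in area_data:
        if d.area == area:
            if d.critical_gap:
                status = worst(status, RED)
            elif d.incomplete:
                status = worst(status, YELLOW)
    for dl in deadlines:
        if dl.area == area:
            status = worst(status, deadline_status(dl, today))
    return status


def dashboard(deadlines, area_data, today):
    """Status plus the next open deadline per area, as the Berichtszentrale header shows."""
    result = {}
    for area in ["KCanG", "Finanzen", "DSGVO", "Verein"]:
        open_dls = sorted(
            (dl for dl in deadlines if dl.area == area and dl.status != "COMPLETED"),
            key=lambda dl: dl.due_date,
        )
        result[area] = {
            "status": area_status(area, deadlines, area_data, today),
            "next_deadline": open_dls[0].title if open_dls else None,
        }
    return result


# Constructed sample state as of 1 December 2025 (not real club data).
SAMPLE_TODAY = date(2025, 12, 1)
SAMPLE_DEADLINES = [
    Deadline("KCanG", "31.01 Jahresbericht", next_annual_due(1, 31, SAMPLE_TODAY)),
    Deadline("Finanzen", "31.03 EÜR", next_annual_due(3, 31, SAMPLE_TODAY)),
    Deadline("Verein", "Nächste MV: 15.03", date(2026, 3, 15)),
    Deadline("DSGVO", "DSFA Review", date(2025, 6, 30), status="COMPLETED"),
]
SAMPLE_AREA_DATA = [AreaData("DSGVO", incomplete=True)]   # "VVT nicht aktuell"

if __name__ == "__main__":
    for area, info in dashboard(SAMPLE_DEADLINES, SAMPLE_AREA_DATA, SAMPLE_TODAY).items():
        print(f"{info['status']:6} {area:9} {info['next_deadline']}")
```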
### 3.6 Category F — Sidebar Categorization (UX Improvement)
Current state: 14 items in a flat list + 1 Compliance item. Too long, no visual grouping.
**Proposed new structure:**
```
🌿 BETRIEB (Operations)
├── Dashboard
├── Mitglieder (Members)
├── Ausgabe (Distributions)
├── Lager (Stock)
└── Anbau (Grow)
💬 KOMMUNIKATION (Communication)
├── Schwarzes Brett (Info Board)
├── Kalender (Calendar)
└── Forum
🏛️ VERWALTUNG (Administration)
├── Finanzen (Finance)
├── Versammlungen (Assemblies)
├── Dokumente (Documents)
├── Vorstand (Board)
└── Personal (Staff)
📋 COMPLIANCE
├── Berichtszentrale (Report Center) ← NEW
├── Protokoll (Audit Log)
└── Einstellungen (Settings)
```
Benefits:
- Collapsible sections reduce cognitive load
- Logical grouping matches user mental model
- "Berichtszentrale" is the new home for ALL reports
- Old "Berichte" page redirects here
- Compliance is always visible (legal obligation awareness)
---
## 4. Data Model Additions
### 4.1 New Tables/Entities Required
```sql
-- V23: Destruction Protocol
CREATE TABLE destruction_records (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL,
batch_id UUID REFERENCES batches(id),
destroyed_grams NUMERIC(8,2) NOT NULL,
destroyed_propagation_count INTEGER DEFAULT 0,
reason VARCHAR(500) NOT NULL,
destruction_date DATE NOT NULL,
witnessed_by_member_id UUID REFERENCES members(id),
witnessed_by_name VARCHAR(200),
method VARCHAR(200), -- "Verbrennung", "Kompostierung", etc.
authority_notified BOOLEAN DEFAULT FALSE,
authority_notified_at TIMESTAMPTZ,
notes TEXT,
created_by UUID NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
-- V24: Transport Records
CREATE TABLE transport_records (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL,
transport_date DATE NOT NULL,
start_address TEXT NOT NULL,
destination_address TEXT NOT NULL,
cannabis_grams NUMERIC(8,2) NOT NULL,
strains TEXT NOT NULL, -- JSON array: [{"name": "...", "grams": ...}]
transporting_member_id UUID REFERENCES members(id),
transporting_member_name VARCHAR(200) NOT NULL,
authority_notified_at TIMESTAMPTZ, -- Must be 1 business day before
authority_reference VARCHAR(200),
certificate_generated BOOLEAN DEFAULT FALSE,
created_by UUID NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
-- V25: Propagation Material Sources
CREATE TABLE propagation_sources (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL,
source_type VARCHAR(50) NOT NULL, -- 'PERSON', 'ANBAUVEREINIGUNG', 'JURISTISCHE_PERSON'
source_name VARCHAR(200) NOT NULL,
source_first_name VARCHAR(100),
source_address TEXT NOT NULL,
material_type VARCHAR(50) NOT NULL, -- 'SEED', 'CLONE', 'CUTTING'
quantity INTEGER NOT NULL,
received_date DATE NOT NULL,
strain_name VARCHAR(200),
notes TEXT,
created_by UUID NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
-- V26: Prevention Officer Activity Log
CREATE TABLE prevention_activities (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL,
officer_member_id UUID REFERENCES members(id),
activity_date DATE NOT NULL,
activity_type VARCHAR(100) NOT NULL, -- 'CONSULTATION', 'TRAINING', 'MATERIAL_DISTRIBUTION', 'EVENT', 'CONCEPT_UPDATE'
description TEXT NOT NULL,
participants_count INTEGER,
notes TEXT,
created_by UUID NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
-- V27: Report Generation History
CREATE TABLE generated_reports (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL,
report_type VARCHAR(100) NOT NULL, -- 'EUR', 'AUTHORITY_ANNUAL', 'DISTRIBUTION_LOG', etc.
report_title VARCHAR(300) NOT NULL,
period_start DATE,
period_end DATE,
parameters JSONB, -- Any params used to generate
file_path VARCHAR(500),
file_size_bytes BIGINT,
generated_by UUID NOT NULL,
generated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
submitted_to_authority BOOLEAN DEFAULT FALSE,
submitted_at TIMESTAMPTZ
);
-- V28: Compliance Deadlines
CREATE TABLE compliance_deadlines (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
tenant_id UUID NOT NULL,
deadline_type VARCHAR(100) NOT NULL,
title VARCHAR(300) NOT NULL,
description TEXT,
due_date DATE NOT NULL,
legal_basis VARCHAR(200),
status VARCHAR(50) NOT NULL DEFAULT 'PENDING', -- PENDING, COMPLETED, OVERDUE
completed_at TIMESTAMPTZ,
completed_by UUID,
recurrence VARCHAR(50), -- ANNUAL, MONTHLY, ONE_TIME
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
```
### 4.2 Modifications to Existing Tables
```sql
-- Add THC% tracking to distributions (if not already present)
ALTER TABLE distributions ADD COLUMN IF NOT EXISTS thc_percentage NUMERIC(4,2);
ALTER TABLE distributions ADD COLUMN IF NOT EXISTS cbd_percentage NUMERIC(4,2);
-- Add birth year to members for §26 reporting (DSGVO: only birth year, not full date)
-- members.date_of_birth already exists — extract year for reports
-- Add strain tracking to destruction/recall
ALTER TABLE batches ADD COLUMN IF NOT EXISTS destroyed_grams NUMERIC(8,2) DEFAULT 0;
ALTER TABLE batches ADD COLUMN IF NOT EXISTS destruction_date DATE;
ALTER TABLE batches ADD COLUMN IF NOT EXISTS destruction_reason TEXT;
```
---
## 5. Export Format Specifications
### 5.1 PDF (for authorities and members)
- German language
- Club letterhead (logo, name, address, Erlaubnisnummer)
- Legal reference in footer (e.g., "Erstellt gem. §26 Abs. 3 KCanG")
- Page numbers, generation date/time
- Digitally signed? (optional, nice-to-have)
### 5.2 CSV (for accountants/DATEV)
- ISO-8859-1 encoding (German standard for DATEV)
- Semicolon-separated (German CSV standard)
- Decimal comma (1.234,56 format)
- Headers in German
- DATEV-compatible column structure for financial exports
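An added Python example of these CSV rules (not the project's own exporter): semicolon separator, decimal comma with thousands dot, German headers, ISO-8859-1 bytes. Because the file is opened in a spreadsheet by the accountant, free-text cells that start with a formula character are prefixed with a quote so they stay text (CSV injection); amounts are split into Einnahme/Ausgabe so number columns never start with a minus. `HEADERS` and the sample transactions are assumptions.

```python
import csv
import io
from datetime import date
from decimal import Decimal

HEADERS = ["Datum", "Belegnummer", "Kategorie", "Beschreibung", "Einnahme", "Ausgabe"]

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def de_number(value):
    """Decimal comma with thousands dot: 1234.5 -> '1.234,50'. No currency symbol,
    because '€' does not exist in ISO-8859-1."""
    grouped = f"{value:,.2f}"                       # '1,234.50'
    return grouped.replace(",", "X").replace(".", ",").replace("X", ".")


def neutralise(text):
    """Defuse CSV injection in free-text columns only: a Beschreibung such as '=1+1'
    typed into the Kassenbuch must reach the Steuerberater's spreadsheet as text."""
    if text and text[0] in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_kassenbuch_csv(transactions):
    """Return the Kassenbuch as ISO-8859-1 bytes with ';' separator and CRLF rows.

    Negative amounts go to the Ausgabe column as positive values, so number
    columns never begin with '-' and are never passed through neutralise()."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=";", quoting=csv.QUOTE_MINIMAL, lineterminator="\r\n")
    writer.writerow(HEADERS)
    for t in transactions:
        amount = t["amount"]
        writer.writerow([
            t["date"].strftime("%d.%m.%Y"),
            neutralise(t["voucher"]),
            neutralise(t["category"]),
            neutralise(t["description"]),
            de_number(amount) if amount > 0 else "",
            de_number(-amount) if amount < 0 else "",
        ])
    # errors="replace" turns characters outside ISO-8859-1 (e.g. '€') into '?'
    # instead of aborting the whole export.
    return buf.getvalue().encode("iso-8859-1", errors="replace")


# Constructed sample transactions (not real club data).
SAMPLE_TRANSACTIONS = [
    {"date": date(2026, 1, 5), "voucher": "B-0001", "category": "Mitgliedsbeiträge",
     "description": "Beitrag Januar", "amount": Decimal("1234.50")},
    {"date": date(2026, 1, 7), "voucher": "B-0002", "category": "Miete",
     "description": "=1+1", "amount": Decimal("-850.00")},
    {"date": date(2026, 1, 9), "voucher": "B-0003", "category": "Material",
     "description": "Töpfe 20 € Stück", "amount": Decimal("-40.00")},
]

if __name__ == "__main__":
    print(export_kassenbuch_csv(SAMPLE_TRANSACTIONS).decode("iso-8859-1"))
```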
### 5.3 JSON (for API consumers and authority electronic submission)
- UTF-8
- ISO 8601 dates
- Structured per §26 KCanG requirements
- Schema documented (OpenAPI)
### 5.4 XML (optional, for formal DATEV import)
- DATEV XML format for Buchungsstapel
- Only needed if clubs actually use DATEV (likely only large clubs with Steuerberater)
---
## 6. Retention Period Enforcement
CannaManage must automatically track and enforce these periods:
| Data Category | Retention | Legal Basis | Auto-Action |
|---------------|-----------|-------------|-------------|
| Distribution records | 5 years from record date | §26(2) KCanG | Flag for deletion review |
| Financial transactions | 10 years from year-end | §147(3) AO | Block deletion |
| Financial vouchers | 8 years from year-end | §147(3) AO | Block deletion |
| Commercial correspondence | 6 years from year-end | §147(3) AO | Flag for review |
| Member data (after exit) | longer of 5 years (KCanG) and 10 years (AO) = **10 years** | Both | Auto-anonymize after 10y |
| Audit log entries | 10 years | §147 AO | Immutable, never delete |
| MV protocols | Indefinite | BGB | Never delete |
**Implementation:** A `RetentionService` that:
1. Runs daily (scheduled)
2. Checks all records against their retention category
3. After retention expires: flags for admin review (never auto-deletes without human confirmation)
4. Generates monthly "Löschprotokoll" (deletion log) for DSGVO compliance
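An added Python sketch of the `RetentionService` rules (not the project's Java implementation): the `RULES` table encodes the rows above, AO periods are counted from year-end while the KCanG period runs from the record date, expiry never deletes but only flags or anonymises, and `deletion_log` produces the Löschprotokoll entries. Counting member data from the year-end of the exit, and the `Record` shape, are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# category: (years, counted from year-end?, action once expired, legal basis)
# years=None means indefinite retention.
RULES = {
    "DISTRIBUTION_RECORD":       (5,    False, "FLAG_FOR_REVIEW", "§26(2) KCanG"),
    "FINANCIAL_TRANSACTION":     (10,   True,  "FLAG_FOR_REVIEW", "§147(3) AO"),
    "FINANCIAL_VOUCHER":         (8,    True,  "FLAG_FOR_REVIEW", "§147(3) AO"),
    "COMMERCIAL_CORRESPONDENCE": (6,    True,  "FLAG_FOR_REVIEW", "§147(3) AO"),
    "MEMBER_DATA_AFTER_EXIT":    (10,   True,  "AUTO_ANONYMIZE",  "§26(2) KCanG + §147 AO"),
    "AUDIT_LOG_ENTRY":           (10,   True,  "NEVER_DELETE",    "§147 AO"),   # immutable
    "MV_PROTOCOL":               (None, False, "NEVER_DELETE",    "BGB"),
}


@dataclass(frozen=True)
class Record:
    """Minimal view of any retained row (hypothetical)."""
    id: str
    category: str
    record_date: date     # booking/record date, or the exit date for member data


def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:                       # 29 February, target year not a leap year
        return d.replace(year=d.year + years, day=28)


def retention_end(category, record_date):
    """Last day of the retention period, or None for indefinite retention."""
    years, from_year_end, _, _ = RULES[category]
    if years is None:
        return None
    start = date(record_date.year, 12, 31) if from_year_end else record_date
    return add_years(start, years)


def evaluate(record, today):
    """Return (action, retention_end, legal_basis).

    RETAIN blocks deletion while the period runs; after expiry the record is only
    flagged for admin review or anonymised, never deleted without a human."""
    _, _, on_expiry, basis = RULES[record.category]
    end = retention_end(record.category, record.record_date)
    if on_expiry == "NEVER_DELETE" or end is None:
        return ("NEVER_DELETE", end, basis)
    if today <= end:
        return ("RETAIN", end, basis)
    return (on_expiry, end, basis)


def deletion_log(records, today):
    """Löschprotokoll entries: every record whose period has expired and needs action."""
    entries = []
    for r in records:
        action, end, basis = evaluate(r, today)
        if action in ("FLAG_FOR_REVIEW", "AUTO_ANONYMIZE"):
            entries.append({
                "record_id": r.id, "category": r.category, "action": action,
                "retention_end": end.isoformat(), "legal_basis": basis,
                "checked_on": today.isoformat(),
            })
    return entries


# Constructed sample records, evaluated on 15 January 2026 (not real club data).
SAMPLE_TODAY = date(2026, 1, 15)
SAMPLE_RECORDS = [
    Record("dist-1", "DISTRIBUTION_RECORD", date(2020, 3, 15)),    # expired 2025-03-15
    Record("dist-2", "DISTRIBUTION_RECORD", date(2024, 2, 29)),    # leap day, runs to 2029-02-28
    Record("fin-1", "FINANCIAL_TRANSACTION", date(2020, 3, 15)),   # runs to 2030-12-31
    Record("vou-1", "FINANCIAL_VOUCHER", date(2017, 8, 1)),        # expired 2025-12-31
    Record("mem-1", "MEMBER_DATA_AFTER_EXIT", date(2015, 6, 30)),  # anonymise after 2025-12-31
    Record("mv-1", "MV_PROTOCOL", date(2019, 4, 12)),
    Record("aud-1", "AUDIT_LOG_ENTRY", date(2012, 1, 1)),
]

if __name__ == "__main__":
    for entry in deletion_log(SAMPLE_RECORDS, SAMPLE_TODAY):
        print(entry)
```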
---
## 7. Sidebar Before/After Comparison
### Before (current — flat list, 15 items):
```
Main
Dashboard | Mitglieder | Ausgabe | Lager | Anbau | Berichte |
Schwarzes Brett | Finanzen | Versammlungen | Dokumente | Vorstand |
Kalender | Forum | Personal
Compliance
Protokoll
```
### After (Sprint 9 — grouped, collapsible):
```
🌿 Betrieb
Dashboard | Mitglieder | Ausgabe | Lager | Anbau
💬 Kommunikation
Schwarzes Brett | Kalender | Forum
🏛️ Verwaltung
Finanzen | Versammlungen | Dokumente | Vorstand | Personal
📋 Compliance
Berichtszentrale | Protokoll | Einstellungen
```
---
## 8. What We Already Have (Gap Summary)
| Capability | Sprint Delivered | Status for Sprint 9 |
|-----------|-----------------|-------------------|
| Distribution tracking | Sprint 2 | ✅ Exists — needs THC%/CBD% per distribution |
| Stock management | Sprint 2 | ✅ Exists — good basis for Bestandsführung |
| Grow tracking | Sprint 4 | ✅ Exists — needs harvest weight tracking |
| Monthly report (basic) | Sprint 5 | ⚠️ Exists — needs authority-format enhancement |
| Member list report | Sprint 5 | ⚠️ Exists — needs Vereinsregister format |
| Recall report | Sprint 5 | ⚠️ Exists — needs formal Vernichtungsprotokoll |
| Kassenbuch | Sprint 8 | ✅ Exists — needs EÜR transformation |
| Jahresabschluss PDF | Sprint 8 | ✅ Exists — keep, enhance |
| MV Protocol PDF | Sprint 8 | ✅ Exists — keep |
| Audit Log | Sprint 3 | ✅ Exists — foundation for GoBD compliance |
| Consent Management | Sprint 6 | ✅ Exists — foundation for DSGVO reports |
| Document Storage | Sprint 8 | ✅ Exists — store generated reports |
| Prevention Officer tracking | Sprint 3 | ⚠️ Basic — needs activity log |
**NEW features needed:**
- Destruction protocol module
- Transport documentation module
- Propagation material source tracking
- Authority annual report generator (§26(3))
- Authority full export (§26(2) + §27)
- EÜR generator (from existing Kassenbuch data)
- VVT/TOM/DSFA document generators
- Compliance dashboard with deadline tracking
- Sidebar reorganization
- Report history + resubmission tracking
- Retention period enforcement service
---
## 9. Non-Goals (explicitly out of scope)
| Feature | Reason | When |
|---------|--------|------|
| SEPA Lastschrift | Requires BaFin registration, bank API | Sprint 10+ |
| DATEV online integration | Requires DATEV partnership agreement | Sprint 11+ |
| Online-Banking (FinTS) | Complex, regulated, security-critical | Sprint 11+ |
| Digital signature on PDFs | Nice-to-have, not legally required | Sprint 10+ |
| Authority API integration | No standard API exists yet (KCanG too new) | When standard emerges |
| Multi-Verein (Dachverband) | Different product tier | V2.0 |