cannamanage/docs/sprint-9/cannamanage-sprint9-analysis.md
Patrick Plate 26a77dd269 feat(sprint9): Phase 1 — Data model + ReportGenerator infrastructure
- 7 new enums: ReportType, ExportFormat, DestructionMethod, TransportStatus,
  ComplianceArea, ComplianceStatus, RetentionCategory
- Extended: StaffPermission (+3), AuditEventType (+5), NotificationType (+2)
- Flyway V23-V29: destruction_records, transport_records, propagation_sources,
  prevention_activities, generated_reports, compliance_deadlines, distribution THC/CBD
- 6 new JPA entities extending AbstractTenantEntity
- 6 new Spring Data repositories with tenant-scoped queries
- ReportGenerator<T> interface + ReportGeneratorService (auto-discovery, format dispatch)
- ComplianceRecordsController (CRUD for destruction/transport/propagation/prevention)
- ComplianceDeadlineController (create, list, complete, overdue)
- DateRangeReportParameters record for report generation
2026-06-15 12:01:06 +02:00


Sprint 9 Feature Analysis — Reporting & Documentation Module (Berichtszentrale)

Date: 2026-06-15
Author: Patrick Plate / Lumen (Architect)
Status: Draft v1
Sprint Goal: Transform CannaManage into a compliance-first reporting powerhouse — every document a German Anbauvereinigung legally needs, generated automatically, authority-ready.


Executive Summary

Sprint 9 delivers the Berichtszentrale (Report Center) — a comprehensive reporting and documentation module that addresses every legal obligation a German cannabis Anbauvereinigung has under the KCanG, BGB, Abgabenordnung, and DSGVO. While competitors tell clubs to "use Excel", CannaManage will generate authority-ready PDF reports with a single click.

This sprint also introduces sidebar categorization (the nav is getting too long with 15+ items) and a compliance dashboard that shows green/yellow/red status per regulatory area.

Why this is a killer differentiator:

  • No competitor offers KCanG-specific reporting (§26 documentation, §27 authority inspection readiness)
  • easyVerein offers EÜR and SEPA but knows nothing about cannabis compliance
  • Vereinsflieger is aviation-only; generic tools don't understand Anbauvereinigung requirements
  • The Behörde can demand electronic records at ANY time (§27 KCanG) — clubs need instant export capability

Key numbers:

  • 12+ legally mandated reports identified
  • 5 retention periods to enforce (5 years KCanG, 6 years AO commercial letters, 8 years AO vouchers, 10 years AO books, indefinite BGB MV minutes)
  • 3 annual deadlines (31.01 authority report, annual EÜR, annual MV/Jahresabschluss)
  • 4 export formats needed (PDF for authorities, CSV for accountants, JSON for API, XML for DATEV)

1.1 KCanG — Konsumcannabisgesetz (Cannabis-specific)

§26 KCanG — Dokumentations- und Berichtspflichten (PRIMARY OBLIGATION)

§26 Abs. 1 — Continuous documentation requirements:

| # | Requirement | What to document | CannaManage Status |
|---|---|---|---|
| 1 | §26(1) Nr. 1 | Source of propagation material: Name, Vorname, Anschrift of person/club providing seeds/clones | Not tracked |
| 2 | §26(1) Nr. 2 | Current stock: Grams of cannabis + count of propagation material on premises | Stock module exists |
| 3 | §26(1) Nr. 3 | Cultivation quantity: Grams of cannabis grown | Grow module exists |
| 4 | §26(1) Nr. 4 | Destruction quantity: Grams cannabis destroyed + count propagation material destroyed | ⚠️ Partial (recall exists, no formal destruction protocol) |
| 5 | §26(1) Nr. 5 | Distribution records per member: Name, Vorname, Geburtsjahr, Menge in Gramm, durchschnittlicher THC-Gehalt, Datum | Distributions module (needs THC% and birth year verification) |
| 6 | §26(1) Nr. 6 | Propagation material distribution: Name, Vorname, Geburtsjahr, Stückzahl, Datum | Not tracked |
| 7 | §26(1) Nr. 7 | Transport records: Grams, Sorten, transporting member name, date, start/end address | Not tracked |

§26 Abs. 2 — Retention & Authority Access:

  • Records must be kept for 5 years (after member leaves? — unclear, likely from creation date)
  • Must be transmittable electronically to authorities on demand
  • Annual anonymized report due by January 31 to the Behörde for evaluation per §43

§26 Abs. 3 — Annual Quantity Report (due January 31):

  • Total grams cultivated in previous calendar year
  • Total grams distributed in previous calendar year
  • Total grams destroyed in previous calendar year
  • End-of-year stock (grams in inventory on Dec 31)
  • Broken down by: Sorten (strains) and average THC/CBD content

§26 Abs. 4 — Health risk notification:

  • If cannabis poses health risk → immediate notification to authorities
  • Recall, return, and destruction must be documented

§26 Abs. 5 — Theft/unauthorized distribution reporting:

  • Immediate notification to authorities if cannabis goes missing

§19 KCanG — Distribution Rules (affects report format)

  • Max 25g/day per member (21+), max 50g/month
  • Max 25g/day per Heranwachsende (18-21), max 30g/month, max 10% THC
  • Every distribution requires: ID check + membership card verification
  • Report implication: Monthly distribution report must flag any limit violations

§22 KCanG — Transport Documentation

  • Transport between premises: must notify authority 1 business day before
  • Transportbescheinigung required with: Club name/address, date, start/end, grams, strains, authority contact
  • Report implication: Need a transport document generator

§23 KCanG — Youth Protection & Prevention

  • Präventionsbeauftragter (Prevention Officer) must be appointed by Vorstand
  • Gesundheits- und Jugendschutzkonzept (Health & Youth Protection Concept) required
  • Prevention officer must demonstrate training credentials
  • Report implication: Prevention activity log, training certificate tracking

§21 KCanG — Health Protection at Distribution

  • Neutral packaging required
  • Information sheet mandatory at every distribution with: weight, harvest date, best-before date, strain, THC%, CBD%, health warnings
  • Report implication: Distribution slip generator (Informationszettel)

§27 KCanG — Authority Oversight

  • Authorities conduct regular on-site inspections (Stichproben)
  • They review §26 documentation on-site
  • They can demand electronic transmission of all records
  • Report implication: "Authority Export" button — one click to generate full compliant dataset

1.2 BGB — Vereinsrecht (Association Law)

§27 Abs. 3 BGB — Vorstand Accountability

"The provisions of §§664 to 670 that govern mandates apply accordingly to the management of the association by the board."

This means:

  • §666 BGB (Auskunftspflicht): The board must inform members about the state of affairs and render account after completion of duties
  • §259 BGB (Rechnungslegung): Duty to present ordered accounts (Einnahmen/Ausgaben)
  • §670 BGB (Aufwendungsersatz): Expense reimbursements must be documented

Report implications:

  • Jahresbericht des Vorstands (Annual Board Report) — legal obligation to members
  • Rechenschaftsbericht (Accountability Report) — financial summary to members at MV
  • Aufwendungsersatz-Dokumentation — expense claim records with receipts

§36 BGB — Notice Periods for Mitgliederversammlung

  • Satzung defines notice period (typically 2-4 weeks)
  • Report implication: MV invitation must be documented with proof of timely delivery (we have this from Sprint 8)

§37 BGB — Extraordinary Assembly

  • 10% of members can demand extraordinary MV
  • Report implication: Petition tracking (signatures vs. threshold)

1.3 Abgabenordnung (AO) — Tax/Financial Obligations

§141 AO — Buchführungspflicht Threshold

Cannabis clubs are likely NOT exempt as "gemeinnützig" (§5 Abs. 1 Nr. 9 KStG probably doesn't apply since KCanG explicitly allows only Selbstkostendeckung — cost recovery, not charity).

Threshold for full bookkeeping (doppelte Buchführung):

  • >€800,000 revenue OR >€80,000 profit → full Handelsbücher required
  • Below threshold → EÜR (Einnahmen-Überschuss-Rechnung) per §4 Abs. 3 EStG suffices

Most cannabis clubs will be BELOW threshold (500 members × €30/month = €180K/year), so EÜR is the correct format.

§63 Abs. 3 AO — Ordnungsmäßige Aufzeichnungen

"The corporation must provide the proof [...] by means of orderly records of its income and expenditure."

Even if NOT gemeinnützig, every Verein must keep orderly financial records.

§147 AO — Aufbewahrungsfristen (Retention Periods)

| Category | Period | Examples |
|---|---|---|
| Bücher, Inventare, Jahresabschlüsse, Arbeitsanweisungen | 10 years | Kassenbuch, EÜR, Eröffnungsbilanz |
| Buchungsbelege | 8 years | Receipts, invoices, bank statements |
| Handels-/Geschäftsbriefe | 6 years | Contracts, correspondence with authorities |
| Sonstige steuerrelevante Unterlagen | 6 years | Tax returns, member fee confirmations |

§147 Abs. 2 — Electronic storage is permitted if:

  • Readable at any time during retention period
  • Machine-evaluatable (searchable, exportable)

§147 Abs. 6 — Authorities can:

  • Inspect stored data during audit
  • Demand machine-evaluatable export
  • Demand data transfer in machine-readable format

Report implication: GoBD-compliant export (immutable, timestamped, searchable)

§4 Abs. 3 EStG — EÜR Format

For Vereine below §141 AO threshold:

  • Simple Überschuss = Betriebseinnahmen - Betriebsausgaben
  • Must track: date, amount, category, description for each transaction
  • Our Sprint 8 Kassenbuch already captures this — needs EÜR formatting

1.4 DSGVO — Data Protection

Art. 30 DSGVO — Verzeichnis der Verarbeitungstätigkeiten (VVT)

Every Verein processing personal data must maintain a VVT with:

  • Purpose of processing
  • Categories of data subjects (members, staff, suppliers)
  • Categories of personal data (name, address, health data — cannabis IS health data!)
  • Recipients (authorities, insurance, software providers)
  • Transfers to third countries (cloud hosting location!)
  • Retention periods per category
  • Technical/organizational measures (TOMs)

Critical: Cannabis distribution data is health-related data (Art. 9 DSGVO — special categories). This requires:

  • Explicit consent (we have ConsentService from Sprint 6)
  • Data Protection Impact Assessment (DSFA) — Art. 35 DSGVO
  • Higher security measures

Art. 33/34 DSGVO — Breach Notification

  • Notify Datenschutzbehörde within 72 hours of awareness
  • Notify affected members if high risk
  • Report implication: Breach notification template + incident log

Art. 35 DSGVO — Datenschutz-Folgenabschätzung (DSFA)

Required when processing involves "high risk" — cannabis data + health data qualifies.

  • Must describe processing operations
  • Assess necessity and proportionality
  • Assess risks to rights/freedoms
  • Identify mitigation measures

Report implication: Pre-filled DSFA template for Anbauvereinigungen


1.5 GoBD — Grundsätze ordnungsgemäßer Buchführung

Even if a cannabis club is below the §141 AO threshold, if they use software for their bookkeeping, GoBD applies:

  • Unveränderbarkeit (immutability): Once a transaction is recorded, it cannot be changed without audit trail
  • Verfahrensdokumentation: Documentation of how the system works (we need to generate this)
  • Belegfunktion: Every booking needs a supporting document
  • Journal-Funktion: Chronological, complete, correct recording
  • Kontenfunktion: Accounts with running balances

Already implemented (Sprint 8): Append-only ledger (financial_transactions), audit_events for all changes.

Still needed:

  • GoBD-compliant export (structured, machine-readable)
  • Verfahrensdokumentation template (describes how CannaManage works)
  • Beleg-attachment for each transaction (already have receipt upload in documents)

1.6 Vereinsregisterverordnung (VRV)

Changes that must be reported to the Registergericht:

  • Vorstandsänderung (board changes) — with MV protocol as proof
  • Satzungsänderung (statute changes) — with MV protocol + notarized copy
  • Sitzverlegung (registered address change)
  • Vereinsauflösung (dissolution)

Report implication: Pre-formatted notification templates for Registergericht


2. Competitive Analysis

2.1 easyVerein (market leader for generic Vereine)

Pricing: From €9/month (50 members) to €39/month (unlimited)

Feature easyVerein CannaManage (current) CannaManage (Sprint 9)
Mitgliederverwaltung Full Full Full
Buchhaltung/EÜR With DATEV export Kassenbuch (Sprint 8) + EÜR generator
SEPA-Lastschrift XML export Manual tracking (Sprint 10+)
Spendenquittungen N/A (not gemeinnützig) N/A
Vereinskalender With sync Calendar module Calendar module
Sitzungsprotokolle Live-Protokoll MV + Protokoll PDF Enhanced
DSGVO-Tools Basic ⚠️ Consent only Full VVT + DSFA
Cannabis compliance Nothing Full KCanG Authority-ready
Mitglieder-App Native iOS/Android PWA (Member Portal) PWA
Chat Integrated Forum Forum
Inventarverwaltung Generic Cannabis-specific stock Enhanced
Dateiverwaltung Documents module Enhanced
Online-Banking FinTS/HBCI (Sprint 10+)

easyVerein's reporting features (from their site):

  • Finanzauswertungen & EÜR (financial evaluations)
  • DATEV-Export (for tax accountants)
  • Beiträge & Rechnungen (automated fee invoicing)
  • Serienbriefe/E-Mails (serial letters/bulk email)
  • Membership certificates

Gaps easyVerein can never fill:

  • KCanG §26 documentation (cannabis-specific)
  • THC/CBD tracking
  • Distribution quota enforcement
  • Authority inspection readiness
  • Grow cycle documentation
  • Destruction protocols
  • Transport certificates

2.2 Other Competitors

Software Focus Reporting Cannabis-relevant
WISO Mein Verein Small clubs EÜR, basic member reports Generic only
Vereinsflieger Aviation clubs Flight hours, technical logs Completely different domain
JVerein (Hibiscus) Free/OSS Basic bookkeeping + SEPA Desktop-only, no compliance
ClubDesk Swiss Member + finance + events Not Germany-specific
1000° ePaper Magazine clubs Publication management Irrelevant
Cannamanage (DE) No competitor exists at this level

2.3 Gap Analysis Summary

CannaManage is the ONLY platform combining:

  1. Verein administration (members, MV, board, documents)
  2. Cannabis compliance (KCanG §§19-27)
  3. Financial management (EÜR, Kassenbuch, GoBD)
  4. Authority readiness (one-click electronic export per §26 Abs. 2 + §27)
  5. DSGVO compliance tools (VVT, DSFA, consent management)

No existing product covers more than 2 of these 5 areas. This is the moat.


3. Feature Specification

3.1 Category A — Financial Reports

| # | Report | Legal Basis | Format | Priority |
|---|---|---|---|---|
| FIN-R01 | EÜR (Einnahmen-Überschuss-Rechnung) | §4(3) EStG, §63(3) AO | PDF + CSV | P0 |
| FIN-R02 | Jahresabschluss (Annual Financial Summary) | §27(3) BGB → §666 BGB | PDF | P0 |
| FIN-R03 | Kassenbuch-Export (enhanced) | §147 AO | PDF + CSV + DATEV | P0 |
| FIN-R04 | Beitragsbescheinigung (Fee Confirmation) | §10b EStG (if applicable) | PDF per member | P1 |
| FIN-R05 | Ausgabenübersicht nach Kategorie | Internal (Kassenprüfer) | PDF | P1 |

FIN-R01: EÜR Generator

  • Input: All financial_transactions from calendar year
  • Output: Standard EÜR format (Anlage EÜR to Steuererklärung)
  • Categories: Einnahmen (Mitgliedsbeiträge, sonstige), Ausgaben (Miete, Strom, Material, Cannabis-Anbau, Verwaltung, Versicherung)
  • Includes: Kassensaldo Anfang/Ende, Ergebnis (Überschuss/Fehlbetrag)
  • Export: PDF (pretty) + CSV (for Steuerberater) + optional DATEV-compatible

FIN-R04: Beitragsbescheinigung

  • Per-member annual confirmation of fees paid
  • NOT a Spendenquittung (cannabis clubs aren't gemeinnützig)
  • But members may deduct Vereinsbeiträge as Sonderausgaben in some cases
  • Template: Member name, Club name+address, amount paid, period, club signature

3.2 Category B — KCanG Compliance Reports

| # | Report | Legal Basis | Format | Priority |
|---|---|---|---|---|
| CAN-R01 | Jahresbericht an Behörde (Annual Authority Report) | §26(3) KCanG | PDF + structured JSON/XML | P0 |
| CAN-R02 | Weitergabe-Dokumentation (Distribution Log) | §26(1) Nr. 5 KCanG | PDF + CSV | P0 |
| CAN-R03 | Bestandsführung (Stock Inventory Report) | §26(1) Nr. 2 KCanG | PDF | P0 |
| CAN-R04 | Vernichtungsprotokoll (Destruction Protocol) | §26(1) Nr. 4 KCanG | PDF | P0 |
| CAN-R05 | Anbaudokumentation (Cultivation Report) | §26(1) Nr. 3 KCanG | PDF | P0 |
| CAN-R06 | Transportbescheinigung (Transport Certificate) | §22(4) KCanG | PDF | P1 |
| CAN-R07 | Behörden-Gesamtexport (Full Authority Export) | §26(2) + §27 KCanG | JSON + PDF bundle | P0 |
| CAN-R08 | Informationszettel (Distribution Info Sheet) | §21(2) KCanG | PDF (printable) | P1 |
| CAN-R09 | Verlust-/Diebstahlmeldung (Loss Report) | §26(5) KCanG | PDF | P2 |
| CAN-R10 | Risiko-Rückruf-Meldung (Health Risk Recall) | §26(4) KCanG | PDF | P2 |

CAN-R01: Jahresbericht (most critical report)

Per §26 Abs. 3 KCanG, due January 31, must contain:

Anbauvereinigung: [Name, Erlaubnisnummer]
Berichtszeitraum: 01.01.YYYY - 31.12.YYYY

1. Angebaute Mengen (nach Sorte):
   | Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |
   
2. Weitergegebene Mengen (nach Sorte):
   | Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |
   
3. Vernichtete Mengen (nach Sorte):
   | Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |
   
4. Bestand zum 31.12. (nach Sorte):
   | Sorte | Menge (g) | Ø THC (%) | Ø CBD (%) |

CAN-R07: Behörden-Gesamtexport (Authority Full Export)

One-click export of EVERYTHING §26(2) requires, electronically transmittable:

  • All distribution records (§26(1) Nr. 5)
  • Stock history
  • Cultivation records
  • Destruction records
  • Transport records
  • Member register (name, birth year only — DSGVO minimum)

Format: Structured JSON (machine-evaluatable per §147 Abs. 6 AO principles) + human-readable PDF summary.

3.3 Category C — Verein Administrative Reports

| # | Report | Legal Basis | Format | Priority |
|---|---|---|---|---|
| VER-R01 | Mitgliederliste für Vereinsregister | §67 BGB | PDF | P1 |
| VER-R02 | Vorstandsänderung-Meldung (Board Change Notice) | VRV §§4-5 | PDF template | P1 |
| VER-R03 | Satzungsänderung-Dokumentation | VRV §71 | PDF bundle | P2 |
| VER-R04 | Jahresbericht des Vorstands (Annual Board Report) | §27(3) BGB → §666 BGB | PDF | P1 |
| VER-R05 | Tätigkeitsbericht (Activity Report) | §63 AO (if gemeinnützig) | PDF | P2 |
| VER-R06 | Präventionsbeauftragter-Nachweis | §23(4) KCanG | PDF | P1 |

VER-R01: Mitgliederliste

  • §67 BGB: Members can demand member list access (names + addresses)
  • Format: Sortable by name, join date, status
  • Export for Vereinsregister: Name, address, entry date (minimal per DSGVO)

VER-R06: Präventionsbeauftragter-Nachweis

  • Who is appointed (name, date of appointment)
  • Training certificate details (where trained, when, certificate number)
  • Activities log (consultations given, materials distributed, events organized)
  • Required by §23(4)-(6) KCanG for inspections

3.4 Category D — DSGVO/Data Protection Reports

| # | Report | Legal Basis | Format | Priority |
|---|---|---|---|---|
| DSG-R01 | Verarbeitungsverzeichnis (VVT) | Art. 30 DSGVO | PDF | P0 |
| DSG-R02 | Technisch-Organisatorische Maßnahmen (TOMs) | Art. 32 DSGVO | PDF | P1 |
| DSG-R03 | Datenschutz-Folgenabschätzung (DSFA) | Art. 35 DSGVO | PDF | P1 |
| DSG-R04 | Löschkonzept (Deletion Concept) | Art. 17 DSGVO + §26(2) KCanG | PDF | P1 |
| DSG-R05 | Datenpannen-Meldung (Breach Notification) | Art. 33/34 DSGVO | PDF template | P2 |

DSG-R01: Verarbeitungsverzeichnis (VVT)

Pre-filled template specific to Anbauvereinigungen:

| Verarbeitungstätigkeit | Zweck | Betroffene | Datenarten | Rechtsgrundlage | Löschfrist |
|---|---|---|---|---|---|
| Mitgliederverwaltung | Vereinsorganisation | Mitglieder | Name, Adresse, Geburtsdatum, Bankdaten | Art. 6(1)(b) DSGVO | 2 Jahre nach Austritt |
| Cannabis-Weitergabe | KCanG-Pflicht | Mitglieder | Name, Geburtsjahr, Menge, THC% | Art. 6(1)(c) DSGVO + §26 KCanG | 5 Jahre (§26(2) KCanG) |
| Finanzverwaltung | Steuerrecht | Mitglieder | Zahlungsdaten | Art. 6(1)(c) DSGVO + §147 AO | 10 Jahre |
| Videoüberwachung | Sicherung §22 KCanG | Besucher | Videobilder | Art. 6(1)(f) DSGVO | 72 Stunden |

DSG-R03: DSFA (required because cannabis = health data)

Pre-filled structure:

  1. Systematische Beschreibung der Verarbeitung
  2. Bewertung der Notwendigkeit und Verhältnismäßigkeit
  3. Bewertung der Risiken für Betroffene
  4. Abhilfemaßnahmen (encryption, access control, audit log, deletion automation)

3.5 Category E — Dashboard Enhancement (Compliance Status)

New: Berichtszentrale (Report Center) page

A centralized dashboard showing:

┌─────────────────────────────────────────────────────────────────┐
│  BERICHTSZENTRALE                                               │
├─────────┬───────────────────────┬───────────────────────────────┤
│ STATUS  │ NÄCHSTE FRISTEN       │ SCHNELLZUGRIFF                │
│         │                       │                               │
│ 🟢 KCanG │ 31.01 Jahresbericht  │ [Behörden-Export]            │
│ 🟢 Finanzen │ 31.03 EÜR        │ [EÜR generieren]            │
│ 🟡 DSGVO │ VVT nicht aktuell    │ [VVT aktualisieren]         │
│ 🟢 Verein │ Nächste MV: 15.03  │ [Jahresbericht Vorstand]    │
│         │                       │                               │
├─────────┴───────────────────────┴───────────────────────────────┤
│ BERICHTE NACH KATEGORIE                                         │
│                                                                  │
│ 📊 Finanzen    │ 🌿 Cannabis/KCanG │ 🏛️ Vereinsverwaltung │ 🔒 DSGVO │
│ • EÜR          │ • Jahresbericht   │ • Mitgliederliste     │ • VVT    │
│ • Kassenbuch   │ • Weitergabe-Log  │ • Vorstandsmeldung    │ • TOMs   │
│ • Jahresabschl.│ • Bestandsführung │ • Jahresbericht       │ • DSFA   │
│ • Beitrags-    │ • Vernichtung     │ • Präventions-        │ • Lösch- │
│   bescheinigung│ • Anbaudoku       │   nachweis            │   konzept│
│                │ • Transport       │                        │          │
│                │ • Behörden-Export  │                        │          │
└──────────────────────────────────────────────────────────────────┘

Compliance Status Logic:

  • 🟢 Green: All obligations met, no upcoming deadlines within 30 days
  • 🟡 Yellow: Deadline approaching (within 30 days) OR data incomplete
  • 🔴 Red: Deadline missed OR critical documentation gap

Tracked Deadlines:

| Deadline | Frequency | Legal Basis |
|---|---|---|
| 31. January | Annual | §26(3) KCanG — Jahresbericht an Behörde |
| 31. March | Annual | EÜR submission (Finanzamt) |
| MV date | As per Satzung (typically annual) | §36 BGB |
| Board term expiry | Per Satzung | §26 BGB |
| 5-year data retention check | Continuous | §26(2) KCanG |
| 10-year financial retention | Continuous | §147 AO |

3.6 Category F — Sidebar Categorization (UX Improvement)

Current state: 14 items in a flat list + 1 Compliance item. Too long, no visual grouping.

Proposed new structure:

🌿 BETRIEB (Operations)
  ├── Dashboard
  ├── Mitglieder (Members)
  ├── Ausgabe (Distributions)
  ├── Lager (Stock)
  └── Anbau (Grow)

💬 KOMMUNIKATION (Communication)
  ├── Schwarzes Brett (Info Board)
  ├── Kalender (Calendar)
  └── Forum

🏛️ VERWALTUNG (Administration)
  ├── Finanzen (Finance)
  ├── Versammlungen (Assemblies)
  ├── Dokumente (Documents)
  ├── Vorstand (Board)
  └── Personal (Staff)

📋 COMPLIANCE
  ├── Berichtszentrale (Report Center) ← NEW
  ├── Protokoll (Audit Log)
  └── Einstellungen (Settings)

Benefits:

  • Collapsible sections reduce cognitive load
  • Logical grouping matches user mental model
  • "Berichtszentrale" is the new home for ALL reports
  • Old "Berichte" page redirects here
  • Compliance is always visible (legal obligation awareness)

4. Data Model Additions

4.1 New Tables/Entities Required

-- V23: Destruction Protocol
CREATE TABLE destruction_records (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    batch_id UUID REFERENCES batches(id),
    destroyed_grams NUMERIC(8,2) NOT NULL,
    destroyed_propagation_count INTEGER DEFAULT 0,
    reason VARCHAR(500) NOT NULL,
    destruction_date DATE NOT NULL,
    witnessed_by_member_id UUID REFERENCES members(id),
    witnessed_by_name VARCHAR(200),
    method VARCHAR(200),           -- "Verbrennung", "Kompostierung", etc.
    authority_notified BOOLEAN DEFAULT FALSE,
    authority_notified_at TIMESTAMPTZ,
    notes TEXT,
    created_by UUID NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- V24: Transport Records
CREATE TABLE transport_records (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    transport_date DATE NOT NULL,
    start_address TEXT NOT NULL,
    destination_address TEXT NOT NULL,
    cannabis_grams NUMERIC(8,2) NOT NULL,
    strains TEXT NOT NULL,           -- JSON array: [{"name": "...", "grams": ...}]
    transporting_member_id UUID REFERENCES members(id),
    transporting_member_name VARCHAR(200) NOT NULL,
    authority_notified_at TIMESTAMPTZ,  -- Must be 1 business day before
    authority_reference VARCHAR(200),
    certificate_generated BOOLEAN DEFAULT FALSE,
    created_by UUID NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- V25: Propagation Material Sources
CREATE TABLE propagation_sources (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    source_type VARCHAR(50) NOT NULL,  -- 'PERSON', 'ANBAUVEREINIGUNG', 'JURISTISCHE_PERSON'
    source_name VARCHAR(200) NOT NULL,
    source_first_name VARCHAR(100),
    source_address TEXT NOT NULL,
    material_type VARCHAR(50) NOT NULL,  -- 'SEED', 'CLONE', 'CUTTING'
    quantity INTEGER NOT NULL,
    received_date DATE NOT NULL,
    strain_name VARCHAR(200),
    notes TEXT,
    created_by UUID NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- V26: Prevention Officer Activity Log
CREATE TABLE prevention_activities (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    officer_member_id UUID REFERENCES members(id),
    activity_date DATE NOT NULL,
    activity_type VARCHAR(100) NOT NULL,  -- 'CONSULTATION', 'TRAINING', 'MATERIAL_DISTRIBUTION', 'EVENT', 'CONCEPT_UPDATE'
    description TEXT NOT NULL,
    participants_count INTEGER,
    notes TEXT,
    created_by UUID NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

-- V27: Report Generation History
CREATE TABLE generated_reports (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    report_type VARCHAR(100) NOT NULL,  -- 'EUR', 'AUTHORITY_ANNUAL', 'DISTRIBUTION_LOG', etc.
    report_title VARCHAR(300) NOT NULL,
    period_start DATE,
    period_end DATE,
    parameters JSONB,                   -- Any params used to generate
    file_path VARCHAR(500),
    file_size_bytes BIGINT,
    generated_by UUID NOT NULL,
    generated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    submitted_to_authority BOOLEAN DEFAULT FALSE,
    submitted_at TIMESTAMPTZ
);

-- V28: Compliance Deadlines
CREATE TABLE compliance_deadlines (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    tenant_id UUID NOT NULL,
    deadline_type VARCHAR(100) NOT NULL,
    title VARCHAR(300) NOT NULL,
    description TEXT,
    due_date DATE NOT NULL,
    legal_basis VARCHAR(200),
    status VARCHAR(50) NOT NULL DEFAULT 'PENDING',  -- PENDING, COMPLETED, OVERDUE
    completed_at TIMESTAMPTZ,
    completed_by UUID,
    recurrence VARCHAR(50),  -- ANNUAL, MONTHLY, ONE_TIME
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

4.2 Modifications to Existing Tables

-- Add THC% tracking to distributions (if not already present)
ALTER TABLE distributions ADD COLUMN IF NOT EXISTS thc_percentage NUMERIC(4,2);
ALTER TABLE distributions ADD COLUMN IF NOT EXISTS cbd_percentage NUMERIC(4,2);

-- Add birth year to members for §26 reporting (DSGVO: only birth year, not full date)
-- members.date_of_birth already exists — extract year for reports

-- Add strain tracking to destruction/recall
ALTER TABLE batches ADD COLUMN IF NOT EXISTS destroyed_grams NUMERIC(8,2) DEFAULT 0;
ALTER TABLE batches ADD COLUMN IF NOT EXISTS destruction_date DATE;
ALTER TABLE batches ADD COLUMN IF NOT EXISTS destruction_reason TEXT;

5. Export Format Specifications

5.1 PDF (for authorities and members)

  • German language
  • Club letterhead (logo, name, address, Erlaubnisnummer)
  • Legal reference in footer (e.g., "Erstellt gem. §26 Abs. 3 KCanG")
  • Page numbers, generation date/time
  • Digitally signed? (optional, nice-to-have)

5.2 CSV (for accountants/DATEV)

  • ISO-8859-1 encoding (German standard for DATEV)
  • Semicolon-separated (German CSV standard)
  • Decimal comma (1.234,56 format)
  • Headers in German
  • DATEV-compatible column structure for financial exports
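
The CSV conventions listed above, as an added example that is not CannaManage's own code. The `Booking` shape and the four German column headers are assumptions and do not reproduce the DATEV column layout. The second batch shows why the encoder is strict: the Euro sign has no code point in ISO-8859-1, so the export is rejected instead of being written with a silent `?`.

```java
import java.math.BigDecimal;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.text.DecimalFormat;
import java.text.DecimalFormatSymbols;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.util.List;
import java.util.Locale;

public class GermanCsvExport {

    // Hypothetical row shape: date, amount, category, description per transaction.
    record Booking(LocalDate date, BigDecimal amount, String category, String description) {}

    static final DateTimeFormatter DATE = DateTimeFormatter.ofPattern("dd.MM.yyyy");

    // Decimal comma with dot grouping, the 1.234,56 format.
    static String amount(BigDecimal value) {
        DecimalFormat f = new DecimalFormat("#,##0.00", DecimalFormatSymbols.getInstance(Locale.GERMANY));
        return f.format(value);
    }

    // Quote a field when it contains the separator, a quote or a line break.
    static String field(String s) {
        if (s.contains(";") || s.contains("\"") || s.contains("\n") || s.contains("\r")) {
            return "\"" + s.replace("\"", "\"\"") + "\"";
        }
        return s;
    }

    static String toCsv(List<Booking> rows) {
        StringBuilder sb = new StringBuilder("Datum;Betrag;Kategorie;Beschreibung\r\n");
        for (Booking b : rows) {
            sb.append(DATE.format(b.date())).append(';')
              .append(amount(b.amount())).append(';')
              .append(field(b.category())).append(';')
              .append(field(b.description())).append("\r\n");
        }
        return sb.toString();
    }

    // Strict encoder: String.getBytes(ISO_8859_1) would silently write '?' for
    // characters the charset lacks; REPORT makes the export fail instead.
    static byte[] encodeLatin1(String csv) throws CharacterCodingException {
        ByteBuffer buf = StandardCharsets.ISO_8859_1.newEncoder()
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .onMalformedInput(CodingErrorAction.REPORT)
                .encode(CharBuffer.wrap(csv));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample bookings.
        List<Booking> ok = List.of(
            new Booking(LocalDate.of(2026, 1, 5), new BigDecimal("1234.56"), "Mitgliedsbeitrag", "Beitrag Januar"),
            new Booking(LocalDate.of(2026, 1, 9), new BigDecimal("-89.90"), "Strom", "Abschlag; Zaehler \"A\""));
        // \u20AC is the Euro sign, which ISO-8859-1 cannot represent.
        List<Booking> bad = List.of(
            new Booking(LocalDate.of(2026, 1, 12), new BigDecimal("-30.00"), "Material", "Duenger 30 \u20AC"));
        for (List<Booking> batch : List.of(ok, bad)) {
            String csv = toCsv(batch);
            try {
                System.out.println(encodeLatin1(csv).length + " bytes written:\n" + csv);
            } catch (CharacterCodingException e) {
                System.out.println("export rejected, not representable in ISO-8859-1: " + e);
            }
        }
    }
}
```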

5.3 JSON (for API consumers and authority electronic submission)

  • UTF-8
  • ISO 8601 dates
  • Structured per §26 KCanG requirements
  • Schema documented (OpenAPI)

5.4 XML (optional, for formal DATEV import)

  • DATEV XML format for Buchungsstapel
  • Only needed if clubs actually use DATEV (likely only large clubs with Steuerberater)

6. Retention Period Enforcement

CannaManage must automatically track and enforce these periods:

| Data Category | Retention | Legal Basis | Auto-Action |
|---|---|---|---|
| Distribution records | 5 years from record date | §26(2) KCanG | Flag for deletion review |
| Financial transactions | 10 years from year-end | §147(3) AO | Block deletion |
| Financial vouchers | 8 years from year-end | §147(3) AO | Block deletion |
| Commercial correspondence | 6 years from year-end | §147(3) AO | Flag for review |
| Member data (after exit) | 5 years (KCanG) + 10 years (AO) = 10 years | Both | Auto-anonymize after 10y |
| Audit log entries | 10 years | §147 AO | Immutable, never delete |
| MV protocols | Indefinite | BGB | Never delete |

Implementation: A RetentionService that:

  1. Runs daily (scheduled)
  2. Checks all records against their retention category
  3. After retention expires: flags for admin review (never auto-deletes without human confirmation)
  4. Generates monthly "Löschprotokoll" (deletion log) for DSGVO compliance
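
A sketch of the per-record decision such a daily run would make, as an added example that is not the project's RetentionService. The category names, the `StoredRecord` and `Finding` types, counting member data from the exit date and treating audit log entries as never deletable are assumptions; expired records are only flagged for review, following step 3 above.

```java
import java.time.LocalDate;
import java.util.List;

public class RetentionCheckExample {

    enum ClockStart { RECORD_DATE, YEAR_END }

    enum Decision { BLOCK_DELETION, FLAG_FOR_REVIEW, NEVER_DELETE }

    // One constant per row of the retention table; the constant names are hypothetical.
    // years == null marks a category that is kept indefinitely.
    enum Category {
        DISTRIBUTION_RECORD(5, ClockStart.RECORD_DATE),
        FINANCIAL_TRANSACTION(10, ClockStart.YEAR_END),
        FINANCIAL_VOUCHER(8, ClockStart.YEAR_END),
        COMMERCIAL_CORRESPONDENCE(6, ClockStart.YEAR_END),
        MEMBER_DATA_AFTER_EXIT(10, ClockStart.RECORD_DATE), // record date = exit date
        AUDIT_LOG_ENTRY(null, ClockStart.RECORD_DATE),      // table: immutable, never delete
        MV_PROTOCOL(null, ClockStart.RECORD_DATE);          // table: never delete

        final Integer years;
        final ClockStart clockStart;

        Category(Integer years, ClockStart clockStart) {
            this.years = years;
            this.clockStart = clockStart;
        }

        // Last day on which the record must still be kept, or null if indefinite.
        LocalDate retainUntil(LocalDate recordDate) {
            if (years == null) {
                return null;
            }
            // "From year-end" periods start on 31 December of the record's year.
            LocalDate start = clockStart == ClockStart.YEAR_END
                    ? LocalDate.of(recordDate.getYear(), 12, 31)
                    : recordDate;
            return start.plusYears(years);
        }
    }

    record StoredRecord(String id, Category category, LocalDate recordDate) {}

    record Finding(String recordId, Category category, Decision decision, LocalDate retainUntil) {}

    // The daily check for one record. Nothing is deleted here: an expired record is
    // only flagged, and deletion stays blocked up to and including the last day.
    static Finding evaluate(StoredRecord r, LocalDate today) {
        LocalDate until = r.category().retainUntil(r.recordDate());
        if (until == null) {
            return new Finding(r.id(), r.category(), Decision.NEVER_DELETE, null);
        }
        Decision d = today.isAfter(until) ? Decision.FLAG_FOR_REVIEW : Decision.BLOCK_DELETION;
        return new Finding(r.id(), r.category(), d, until);
    }

    static List<Finding> dailyRun(List<StoredRecord> records, LocalDate today) {
        return records.stream().map(r -> evaluate(r, today)).toList();
    }

    public static void main(String[] args) {
        // Constructed sample records and a constructed run date.
        LocalDate today = LocalDate.of(2037, 1, 1);
        List<StoredRecord> records = List.of(
            new StoredRecord("dist-1", Category.DISTRIBUTION_RECORD, LocalDate.of(2032, 1, 1)),
            new StoredRecord("dist-2", Category.DISTRIBUTION_RECORD, LocalDate.of(2031, 12, 31)),
            new StoredRecord("txn-1", Category.FINANCIAL_TRANSACTION, LocalDate.of(2026, 3, 10)),
            new StoredRecord("txn-2", Category.FINANCIAL_TRANSACTION, LocalDate.of(2027, 1, 2)),
            new StoredRecord("member-1", Category.MEMBER_DATA_AFTER_EXIT, LocalDate.of(2026, 6, 15)),
            new StoredRecord("mv-1", Category.MV_PROTOCOL, LocalDate.of(2010, 4, 1)));
        dailyRun(records, today).forEach(System.out::println);
    }
}
```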

7. Sidebar Before/After Comparison

Before (current — flat list, 15 items):

Main
  Dashboard | Mitglieder | Ausgabe | Lager | Anbau | Berichte | 
  Schwarzes Brett | Finanzen | Versammlungen | Dokumente | Vorstand | 
  Kalender | Forum | Personal
Compliance
  Protokoll

After (Sprint 9 — grouped, collapsible):

🌿 Betrieb
  Dashboard | Mitglieder | Ausgabe | Lager | Anbau
💬 Kommunikation
  Schwarzes Brett | Kalender | Forum
🏛️ Verwaltung
  Finanzen | Versammlungen | Dokumente | Vorstand | Personal
📋 Compliance
  Berichtszentrale | Protokoll | Einstellungen

8. What We Already Have (Gap Summary)

| Capability | Sprint Delivered | Status for Sprint 9 |
|---|---|---|
| Distribution tracking | Sprint 2 | Exists — needs THC%/CBD% per distribution |
| Stock management | Sprint 2 | Exists — good basis for Bestandsführung |
| Grow tracking | Sprint 4 | Exists — needs harvest weight tracking |
| Monthly report (basic) | Sprint 5 | ⚠️ Exists — needs authority-format enhancement |
| Member list report | Sprint 5 | ⚠️ Exists — needs Vereinsregister format |
| Recall report | Sprint 5 | ⚠️ Exists — needs formal Vernichtungsprotokoll |
| Kassenbuch | Sprint 8 | Exists — needs EÜR transformation |
| Jahresabschluss PDF | Sprint 8 | Exists — keep, enhance |
| MV Protocol PDF | Sprint 8 | Exists — keep |
| Audit Log | Sprint 3 | Exists — foundation for GoBD compliance |
| Consent Management | Sprint 6 | Exists — foundation for DSGVO reports |
| Document Storage | Sprint 8 | Exists — store generated reports |
| Prevention Officer tracking | Sprint 3 | ⚠️ Basic — needs activity log |

NEW features needed:

  • Destruction protocol module
  • Transport documentation module
  • Propagation material source tracking
  • Authority annual report generator (§26(3))
  • Authority full export (§26(2) + §27)
  • EÜR generator (from existing Kassenbuch data)
  • VVT/TOM/DSFA document generators
  • Compliance dashboard with deadline tracking
  • Sidebar reorganization
  • Report history + resubmission tracking
  • Retention period enforcement service

9. Non-Goals (explicitly out of scope)

| Feature | Reason | When |
|---|---|---|
| SEPA Lastschrift | Requires BaFin registration, bank API | Sprint 10+ |
| DATEV online integration | Requires DATEV partnership agreement | Sprint 11+ |
| Online-Banking (FinTS) | Complex, regulated, security-critical | Sprint 11+ |
| Digital signature on PDFs | Nice-to-have, not legally required | Sprint 10+ |
| Authority API integration | No standard API exists yet (KCanG too new) | When standard emerges |
| Multi-Verein (Dachverband) | Different product tier | V2.0 |