
Legal & Regulatory Register

Document ID: REG-004
Document owner: Sebastian Windeck (DPO)
Classification: Confidential
Version: 1.0
Last updated: March 2026
Next review: March 2027
Frameworks: ISO 27001 (A.5.31, A.5.32, A.5.34) | SOC 2 (CC2.2, P1.1)


1. Purpose

This register identifies all legal, statutory, regulatory, and contractual requirements applicable to CTW Data Solutions GmbH and the Quick-ID platform. It is maintained as part of ISO 27001 compliance (Clause A.5.31) and supports SOC 2 compliance requirements.


2. Applicable Legislation

2.1 Data Protection

Regulation | Full Name | Jurisdiction | Applicability | Key Requirements | Owner | Status
GDPR | General Data Protection Regulation (EU) 2016/679 | EU / EEA | ✅ Mandatory | Lawful processing, data minimisation, data subject rights, DPO appointment, 72h breach notification, DPIAs, Art. 30 register | Sebastian Windeck (DPO) | ✅ Compliant
BDSG | Bundesdatenschutzgesetz | Germany | ✅ Mandatory | Supplements GDPR; additional employee data rules, DPO obligation for companies processing personal data at scale | Sebastian Windeck (DPO) | ✅ Compliant
TTDSG | Telekommunikation-Telemedien-Datenschutz-Gesetz | Germany | ✅ Applicable | Cookie consent, telecommunications privacy, telemedia services | Sebastian Windeck (DPO) | ✅ Compliant

2.2 AI Regulation

Regulation | Full Name | Jurisdiction | Applicability | Key Requirements | Owner | Status
EU AI Act | Regulation (EU) 2024/1689 | EU | ✅ Applicable | Risk classification of AI systems, transparency obligations, conformity assessment, documentation requirements | Malte Toetzke (Chief of AI) | 🔄 Assessment in progress

EU AI Act — Detailed Assessment

Effective dates:

Phase | Date | Requirement
Prohibited practices | February 2025 | Banned AI practices take effect
GPAI rules | August 2025 | General Purpose AI model obligations
High-risk classification | August 2026 | Full obligations for high-risk AI systems
Full enforcement | August 2027 | All provisions fully applicable

Quick-ID Risk Classification Assessment:

Question | Answer | Implication
Does Quick-ID make autonomous decisions about individuals? | No — Quick-ID extracts data from ID documents; it does not make accept/reject decisions about individuals | Reduces classification risk
Is Quick-ID used for biometric identification? | No — Quick-ID performs OCR and data extraction, not biometric matching (no facial recognition, no fingerprint matching) | Not classified as a biometric system under Art. 6
Does Quick-ID fall under Annex III high-risk categories? | Unlikely — Annex III lists systems for law enforcement, migration, employment. Quick-ID is a B2B document processing tool | Likely limited-risk or minimal-risk classification
Does Quick-ID interact directly with natural persons? | No — Quick-ID is an API used by enterprise customers; end users interact with the customer's application, not Quick-ID directly | Transparency obligation may still apply via customers
Is Quick-ID a General Purpose AI (GPAI)? | No — Quick-ID is a purpose-specific document verification system | GPAI obligations do not apply

Preliminary Classification: Limited Risk / Minimal Risk

Quick-ID's primary function is OCR and data extraction from identity documents via API. It does not:

  • Make autonomous decisions about individuals
  • Perform biometric identification or categorisation
  • Fall under the Annex III high-risk categories
  • Operate as a general-purpose AI model

Recommended actions:

# | Action | Owner | Target Date | Status
1 | Complete formal AI system risk classification with legal counsel | Malte Toetzke | June 2026 | 📋 Planned
2 | Document Quick-ID AI system description (Art. 53 transparency) | Malte Toetzke | July 2026 | 📋 Planned
3 | Prepare transparency notice for customers (Art. 50 — inform users they are interacting with AI-processed output) | Sebastian Windeck (DPO) | July 2026 | 📋 Planned
4 | Establish AI system monitoring and logging (if classified as high-risk) | Sebastian Windeck (CTO) | August 2026 | 📋 Contingent
5 | Review with legal counsel whether customer use cases could elevate Quick-ID to high-risk by context of use | Malte Toetzke | June 2026 | 📋 Planned

Important Note

The EU AI Act classification depends not only on the system itself but also on how it is deployed by customers. If a customer uses Quick-ID output for automated decision-making about individuals (e.g., KYC accept/reject), the customer's system as a whole may be classified as high-risk. CTW should clarify responsibility boundaries with customers.

2.3 Digital Identity & Trust Services

Regulation | Full Name | Jurisdiction | Applicability | Key Requirements | Owner | Status
eIDAS 2.0 | EU Digital Identity Regulation | EU | 🔮 Future | EU Digital Identity Wallet framework; qualified trust services | Jan Marc Castlunger (ISO) | 📋 Monitoring

2.4 Industry Standards

Standard | Full Name | Applicability | Key Requirements | Owner | Status
ISO/IEC 27001:2022 | Information security management | ✅ Certification target | ISMS requirements; Annex A controls | Jan Marc Castlunger (ISO) | 🔄 Implementing
SOC 2 | Service Organization Controls | ✅ Readiness target | Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) | Jan Marc Castlunger (ISO) | 🔄 Implementing
ISO/IEC 27701 | Privacy information management | 🔮 Future | PIMS extension to ISO 27001 | Sebastian Windeck (DPO) | 📋 Planned (post-certification)

3. Contractual Requirements

Source | Obligation | Compliance Method | Owner
Enterprise customer contracts | Data processing agreements (DPAs); data residency (EU); SLA 99.9% uptime | Standard DPA template; Azure Germany West Central; monitoring | Jan Marc Castlunger (ISO)
Microsoft Azure EA | Acceptable use; data processing terms; compliance shared responsibility | Azure DPA accepted; shared responsibility model documented | Sebastian Windeck (CTO)
GitHub Enterprise | Terms of service; data processing; code of conduct | GitHub DPA accepted | Sebastian Windeck (CTO)
Google Workspace | Data processing; acceptable use | Google Workspace DPA accepted | Sebastian Windeck (CTO)
Customer API terms | Rate limits; data retention; error handling; liability | API terms of service published at quick-id.com | Jan Marc Castlunger (ISO)

4. Compliance Monitoring

Activity | Frequency | Owner | Method
Review regulatory landscape for new laws | Quarterly | Sebastian Windeck (DPO) | Legal news monitoring; industry association updates
GDPR compliance self-assessment | Annually | Sebastian Windeck (DPO) | Art. 30 register review; DPIA assessment
EU AI Act developments tracking | Quarterly | Malte Toetzke (Chief of AI) | EU Commission publications; legal counsel updates
Customer contract obligation review | Annually | Jan Marc Castlunger (ISO) | Contract review; DPA updates
Supplier DPA validity check | Annually | Sebastian Windeck (DPO) | Supplier register review

5. Supervisory Authority

Authority | Jurisdiction | Contact
BfDI (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) | Germany — Federal | bfdi.bund.de
State DPA (Landesdatenschutzbeauftragte) | Applicable German state | Depends on registered office location

6. Review Log

Date | Reviewer | Changes
March 2026 | Sebastian Windeck (DPO) | Initial register created; EU AI Act assessment drafted

Approved by: Jan Marc Castlunger (CEO / ISO), CTW Data Solutions GmbH
Date: March 2026