feat: Art. 11 DSGVO — reject DSR when data subject not identifiable

- New DSRArt11Service: handles rejection with proper legal basis,
  automated email notification to requester explaining Art. 11
- POST /dsr/{id}/reject-art11 endpoint
- ActionButtons.tsx: "Nicht identifizierbar (Art. 11)" button
  shown when identity is not yet verified
- Also fixes: DSR export type-cast rollback handling

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend-compliance/compliance/api/dsr_routes.py

@@ -243,6 +243,19 @@ async def change_status(
         return svc.change_status(dsr_id, body, tenant_id)
 
 
+@router.post("/{dsr_id}/reject-art11")
+async def reject_art11(
+    dsr_id: str,
+    notes: str = Query(""),
+    tenant_id: str = Depends(_get_tenant),
+    db: Session = Depends(get_db),
+):
+    """Reject DSR under Art. 11 DSGVO — data subject not identifiable."""
+    from compliance.services.dsr_art11_service import DSRArt11Service
+    with translate_domain_errors():
+        return DSRArt11Service(db).reject_not_identifiable(dsr_id, tenant_id, notes)
+
+
 @router.post("/{dsr_id}/verify-identity")
 async def verify_identity(
     dsr_id: str,