DPIA of the German Corona Warn App

What doas a Data Protection Impact Assessment look like that the German Federal Data Protection Authority reviewed?

https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung.pdf

Interesting sections from the document structure

  • information on the organisation (with privacy team setup)
  • necessity of the DPIA
  • description of processing activities (evaluation target), with
    • context
    • purpose
    • process steps
    • system architecture
    • data flows and processes
    • data categories
    • data deletion
    • actors involved in the processing
    • additional documents
  • consideration of stakeholders’ vire
  • legal privacy assessment
    • categories of personal data
    • legal grounds
    • data subject rights
    • privacy-by-design measures
    • other privacy requirements
  • assessment of the necessity and proportionality of the processing
  • risk analysis
  • continuous privacy reviews

CNIL – Developer’s Guide sheets

The CNIL publishes a GDPR guide for developers

In order to assist web and application developers in making their work GDPR-compliant, the CNIL has drawn up a new guide to best practices under an open source license, which is intended to be enriched by professionals.

https://www.cnil.fr/en/cnil-publishes-gdpr-guide-developers

All the material via tag search:
https://www.cnil.fr/en/tag/Developer%E2%80%99s+Guide

Github to participate in further development: – https://github.com/LINCnil/GDPR-Developer-Guide

Local copy of the sheets (might be outdated):
https://www.privacydesign.ch/cnil-gdpr-developer-sheets/

Currently it includes:
Sheet n°0: Develop in compliance with the GDPR
Sheet n°1: Identify personal data
Sheet n°2: Prepare your development
Sheet n°3: Secure your development environment
Sheet n°4: Manage your source code
Sheet n°5: Make an informed choice of architecture
Sheet n°6: Secure your websites, applications and servers
Sheet n°7: Minimize the data collection
Sheet n°8: Manage user profiles
Sheet n°09: Control your libraries and SDKs
Sheet n°10: Ensure quality of the code and its documentation
Sheet n°11: Test your applications
Sheet n°12: Inform users
Sheet n°13: Prepare for the exercise of people’s rights
Sheet n°14: Define a data retention period
Sheet n°15: Take into account the legal basis in the technical implementation
Sheet n°16: Use analytics on your websites and applications

Germany: DiGAV (medical mobile applications) and guideline

DiGAV is now in force.

The accompanying “Digitale-Gesundheitsanwendungen-Verordnung (DiGAV)”
https://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&jumpTo=bgbl120s0768.pdf#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl120s0768.pdf%27%5D__1592376167435

The accompanying Guideline for DiGAV:
https://www.bfarm.de/SharedDocs/Downloads/DE/Service/Beratungsverfahren/DiGA-Leitfaden.pdf?__blob=publicationFile&v=2

General supporting background material
https://hih-2025.de/diga-summit-summary-video-docs-next-steps/

including an English summary
https://hih-2025.de/wp-content/uploads/2020/04/2020-06-02_DVG-Fast-Track-english-Slide-Deck_Website.pdf

Mapping ISO 27701 to privacy laws (github)

The Data Protection/Privacy Mapping Project (the “Project”) facilitates consistent global comprehension and implementation of data protection with an open source mapping between ISO/IEC 27701 and global data protection and/or privacy laws and regulations.

Data Protection Mapping Project demo site
https://dataprotectionmapping.z21.web.core.windows.net/

Github
https://github.com/microsoft/data-protection-mapping-project

Video
https://www.linkedin.com/feed/update/urn:li:activity:6639237491457163264/

CNIL on amonymization (2020, blog post)

https://www.cnil.fr/fr/lanonymisation-de-donnees-personnelles

including e.g. (via Google Translate)
If these three criteria are not fully met, the data controller who wishes to anonymize a data set must demonstrate, via an in-depth assessment of the identification risks, that the risk of re-identification with reasonable means is zero.

As anonymization and re-identification techniques are subject to regular changes, it is essential for any data controller concerned to carry out regular monitoring to preserve the anonymity of the data produced over time. This watch must take into account the technical means available as well as the other sources of data which can allow to lift the anonymity of the information.