DPIA of the German Corona Warn App

What does a Data Protection Impact Assessment look like that the German Federal Data Protection Authority has reviewed? The DPIA for the Corona-Warn-App is a publicly available example:

https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung.pdf

Interesting sections of the document structure:

  • information on the organisation (with privacy team setup)
  • necessity of the DPIA
  • description of processing activities (evaluation target), with
    • context
    • purpose
    • process steps
    • system architecture
    • data flows and processes
    • data categories
    • data deletion
    • actors involved in the processing
    • additional documents
  • consideration of stakeholders’ views
  • legal privacy assessment
    • categories of personal data
    • legal grounds
    • data subject rights
    • privacy-by-design measures
    • other privacy requirements
  • assessment of the necessity and proportionality of the processing
  • risk analysis
  • continuous privacy reviews