Corona App Based on Singapore’s Model
Mandatory, voluntary – or better not at all? The debate over introducing a coronavirus tracking app highlights the legal hurdles surrounding data privacy during the Covid-19 crisis. A coronavirus app modeled after Singapore’s approach aims to offer a privacy-friendly technology solution.
To contain the spread of Covid-19, the use of contact-tracing apps is being actively discussed. By recording users’ location data, these apps aim to identify infection chains.
Minimal Use of Personal Data
Singapore’s app, TraceTogether, uses Bluetooth technology for data transmission. The key advantage in the context of sensitive personal information: it does not rely on geolocation data – unlike methods using cell tower triangulation or GPS satellite tracking. Instead, Bluetooth measures the proximity between individuals, storing the data locally and anonymously on users’ smartphones.
The goal is to protect user privacy. Rather than collecting users’ names, the app generates temporary IDs.
The concept is sound: when a user tests positive for Covid-19, they can voluntarily upload their locally stored data to the responsible health authority. The system then anonymously notifies, via push alert, all devices that were in close proximity to the infected person within the past 21 days. Those notified are advised to enter quarantine. Throughout this process, the identities of all individuals remain protected and undisclosed.
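The flow described above (temporary IDs, a local encounter log, voluntary upload, notification within 21 days) can be modeled in a few lines. This is an added example, not TraceTogether's code: the HMAC-derived IDs, the 15-minute rotation, the opaque push handles and all class and function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=21)    # notification window stated in the article
ROTATION = timedelta(minutes=15)  # assumed lifetime of one temporary ID

class Authority:
    """Hypothetical health-authority backend: issues and resolves temporary IDs."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the authority
        self._handles = []                   # opaque push handles, no names

    def register(self):
        self._handles.append(secrets.token_hex(8))
        return self._handles[-1]

    def temp_id(self, handle, when):
        epoch = int(when.timestamp() // ROTATION.total_seconds())
        mac = hmac.new(self._key, f"{handle}|{epoch}".encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def resolve(self, uploaded_log, now):
        """Map an uploaded encounter log to the push handles to alert."""
        hits = set()
        for seen_id, when in uploaded_log:
            if now - when > RETENTION:
                continue  # enforce the window server-side as well
            hits.update(h for h in self._handles
                        if hmac.compare_digest(self.temp_id(h, when), seen_id))
        return hits

class Phone:
    def __init__(self, authority):
        self.authority, self.handle = authority, authority.register()
        self.log = []  # (temp_id, seen_at) pairs, kept on the device only

    def broadcast(self, when):  # simplification: a real app would prefetch IDs
        return self.authority.temp_id(self.handle, when)

    def observe(self, temp_id, when):
        self.log.append((temp_id, when))

    def prune(self, now):
        self.log = [(t, w) for t, w in self.log if now - w <= RETENTION]

def demo():
    now = datetime(2020, 4, 30, 12, 0, tzinfo=timezone.utc)  # constructed date
    ha = Authority()
    alice, bob, carol = Phone(ha), Phone(ha), Phone(ha)
    recent, old = now - timedelta(days=3), now - timedelta(days=30)
    alice.observe(bob.broadcast(recent), recent)
    alice.observe(carol.broadcast(old), old)
    alice.prune(now)  # the 30-day-old sighting of carol is dropped locally
    return ha.resolve(alice.log, now), alice, bob, carol
```

In this assumed design the IDs are unlinkable for other users, but the authority holding the key can tie every temporary ID back to a push handle, so the privacy guarantee depends on how that key and the handle registry are protected.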
The Corona App Is Voluntarily Installed
TraceTogether is a voluntary solution. By choosing to install the app, users give their explicit consent to the processing of sensitive data. This individual consent helps alleviate, to a certain extent, data protection concerns under the EU’s General Data Protection Regulation (GDPR).
Key Facts
Data Subject Rights: The number of access requests under Article 15 GDPR has risen by over 400 percent since 2018.
Breach Notification: Data breaches must be reported to the supervisory authority within 72 hours.
Frequently Asked Questions
What penalties apply for GDPR violations?
Fines of up to 20 million euros or 4 percent of global annual turnover – whichever is higher. In addition, affected individuals may file claims for compensation.
What is a Data Protection Impact Assessment (DPIA)?
A DPIA is a systematic evaluation of the risks posed by data processing to the rights and freedoms of individuals. It is mandatory when processing is likely to result in high risks – such as in cases of profiling, video surveillance, or processing of special categories of personal data.
Does the GDPR apply to small businesses?
Yes, the GDPR applies regardless of company size to any organization processing personal data of EU citizens. Smaller businesses benefit from limited exemptions (e.g., no requirement to maintain a processing register if they have fewer than 250 employees and the processing is not high-risk), but they must still comply with all core data protection principles.
Header Image Source: iStock / petovarga
Fact: According to IBM, the average cost of a data breach in 2025 was 4.88 million dollars.
Fact: There is a global shortage of over 3.4 million cybersecurity professionals, according to ISC2.
TL;DR
- The debate over introducing a coronavirus app underscores the legal challenges related to data protection during the Covid-19 crisis.
- The principle is clear: when someone tests positive for Covid-19, they can upload their locally stored data to the responsible authority.
- The authority then anonymously notifies, via push notification, all devices that were in close proximity to the infected person within the past 21 days.
- To contain the spread of Covid-19, the use of contact-tracing apps is being actively discussed.