The Processing goes far beyond "the app" -- Privacy issues of decentralized Digital Contact Tracing using the example of the German Corona-Warn-App (CWA)
Abstract
Since SARS-CoV-2 started spreading in Europe in early 2020, there has been a strong call for technical solutions to combat or contain the pandemic, with contact tracing apps at the heart of the debates. The EU's General Data Protection Regulation (GDPR) requires controllers to carry out a data protection impact assessment (DPIA) where their data processing is likely to result in a high risk to the rights and freedoms of natural persons (Art. 35 GDPR). A DPIA is a structured risk analysis that identifies and evaluates, in advance, the possible consequences of data processing for fundamental rights and describes the measures envisaged to address these risks, or states that they cannot be addressed. Based on the Standard Data Protection Model (SDM), we present the results of a scientific and methodologically clear DPIA of the German Corona-Warn-App (CWA). It shows that even a decentralized architecture involves numerous serious weaknesses and risks, including larger ones still left unaddressed in current implementations. It also finds that none of the proposed designs operates on anonymous data or ensures proper anonymisation, and that informed consent would not be a legitimate legal ground for the processing. For all points where data subjects' rights are still not sufficiently safeguarded, we briefly outline solutions.