Contact tracing app laws in the EU

Various European countries have launched a contact tracing app to help in the fight against Covid-19. Some of these apps were initiated by the government and other apps were initiated by private actors and thereafter endorsed by the government. As part of the project "Legal and societal conditions for Covid-19 technologies", I am doing comparative legal research into these contact tracing apps. I am interested in knowing if these contact tracing apps are based solely on existing legislation such as the General Data Protection Regulation (GDPR) or if they are accompanied by new legislation. I'm making my research notes public so that other people can also use them for their research. This is work in progress and since I am dependent on translations, the notes may contain mistakes. Please send me an email if you see a mistake or want to add missing information. And yes, I have to fix a few things on this website, such as how the menu bar sometimes overlaps with text, but I haven't had the time to figure out how to do that.

The project "Legal and societal conditions for Covid-19 technologies" was commissioned by ZonMw, a Dutch funding organization for health research, and is led by Prof N Helberg, Prof CH de Vreese, Prof JVJ van Hoboken, en Prof M van Eechoud. The team consists of researchers from the the Institute of Information Law (IViR) and the Amsterdam School of Communication Research (ASCoR), University of Amsterdam.

People have rightfully pointed out on Twitter that comparative legal research has its limitations. I need to look into the domestic legal context and how an app is implemented on regional or local levels in order to understand how an app is regulated on a national level. The overview I present here is just a start.

Various people sent me additional information and explained national legislation to me; obviously all errors are mine.

AT | BE | BG | HR | CY | CZ | DK | EAW | EE | FI | FR | DE | EL | HU | IS | IE | IT | LV | LT | LU | MT | NL | NIR | NO | PL | RO | SCT | PT | SK | SI | ES | CH | SE

Austria

Contact tracing app?
Stopp Corona, introduced in March 2020 by the Austrian Red Cross and endorsed by the Austrian government.

Legal basis under GDPR?
The Data Protection Information of 10 June 2020 for the app states that the processing is based on art 6(1)(a), art 9(2)(a) and for some data on art 6(1)(f). Note that the website of the app refers to a general privacy policy for the website of the Austrian Red Cross, which is not the correct link.

New legal framework?
I haven't found anything.

Additional documentation?
DPIA [pdf] of the app (version 2.0) of 4 August 2020.

The following two links do not work anymore: DPIA [pdf] of the app (version 1.2) of 12 May 2020. DPIA [pdf] of the app (version 2.0) of 31 July 2020.

Information from the Austrian DPA on data protection and covid-19 of 1 October 2020. Position paper [pdf] of the Federal Ministry of Social Affairs, Health, Care, and Consumer Protection on contact tracing apps of 10 June 2020.

Belgium

Contact tracing app?
Coronalert, rolled out nationally in September. In the first months of the COVID-19 crisis, the Belgian government stated that it would not introduce a contact tracing app.

Legal basis under GDPR?
The Privacy Statement (version 1.0) of 18 September states the processing is based on art 6(1)(e) and 9(2)(i).

Position on art 22 GDPR?
The Privacy Statement says the app "does not take any automated decisions with regard to a user within the meaning of article 22 of the General Data Protection Regulation".

New legal framework?
"Koninklijk besluit tot uitvoering van het koninklijk besluit nr. 44 [pdf]" of 17 September 2020 implements "Koninklijk besluit nr. 44 [pdf] betreffende de gezamenlijke gegevensverwerking door Sciensano en de door de bevoegde regionale overheden of door de bevoegde agentschappen aangeduide contactcentra, gezondheidsinspecties en mobiele teams in het kader van een contactonderzoek bij personen die (vermoedelijk) met het coronavirus COVID-19 besmet zijn op basis van een gegevensbank bij Sciensano" of 26 June 2020. These Koninklijk besluiten together regulate the use of the app. Consolidated version [pdf].

A "Koninklijk besluit" is a royal order.

Additional documentation?
DPIA [pdf] in Dutch of 15 September 2020 for the app. DPIA [pdf] in French of 16 September 2020 for the app. Public consultation by the interfederal working group in charge of the development of the app. Opinions of the Belgian DPA regarding the Koninklijk besluit.

Bulgaria

Contact tracing app?
ViruSafe, launched on 7 April 2020.

Legal basis under GDPR?
The Terms of Use (para 29) state the processing is based on consent and explicit consent.

New legal framework?
"Заповед № РД-01-184 от 06.04.2020 г. за въвеждане в експлоатация Национална информационна система за борба с COVID-19" of 6 April 2020 introduces an information system, which includes, among others, a contact tracing app.

If I am correct, in Bulgaria a ministry can issue a "Заповед", an order, which is a delegated action. According to a report in May, "[n]o legislation was passed allowing the state to use the data collected via the ViruSafe app. The rules governing the use of the collected data as well as the rights of users in relation to this use are laid down in the application’s terms of reference, to which each user has to explicitly agree before they start using the app" (p 15).

Croatia

Contact tracing app?
Stop COVID-19 app, launched in July.

Legal basis under GDPR?
The Privacy Notice of 16 November 2020 (in English) states that the processing is based on art 6(1)(e) and art 9(2)(i) and (h). The Privacy Policy of 26 June previously stated that the processing was based on art 6(1)(a).

New legal framework?
I can't find any.

Additional documentation?
DPIA [pdf] (summary in English) of 16 November 2020 for the app. News item of the Croatian DPA of 21 July 2020 about a meeting with the Ministry of Health about the app.

Cyprus

Contact tracing app?
COVTRACER, developed by the Research Centre of Excellence in Research and Innovation (RISE) in Cyprus, supported by government, and launched in April.

Legal basis under GDPR?
The Privacy Policy of 30 March states that "[b]y using this app the user consents to this privacy policy", so I guess the legal basis is consent.

New legal framework?
According to this report (p 15), there are no plans to develop a legal framework to regulate the use of the app.

Czechia

Contact tracing app?
As part of the Smart Quarantine project, the Czech government runs the eRouška app and endorsed the Mapy.cz. app. Mapy.cz is a popular Czech web mapping service that added a covid-19 contact tracing functionality. It is not entirely clear to me who toke the initiative for the eRouška app. There is this COVID19CZ group of tech entrepeneurs and it could be that they originally developed the app and then later transferred it to the government.

Legal basis under GDPR?
The Terms and Conditions for eRouška states that the processing is based on art 6(1)(e) and art 9(2)(a) and (i). Previously, the Privacy Policy stated that the processing was based on 9(2)(a).

New legal framework?
None.

Additional documentation?
The Czech DPA issued a statement on 11 April 2020 on the Smart Quarantine project. In the statement, the DPA explains that it asked the Minister of Health for more information about the project. The DPA received only some basic information and therefore could not fully assess the Smart Quarantine project. The DPA stresses that, contrary to reports in the media, the Smart Quarantine project was not launched with the approval of the DPA itself. During a public hearing in the parliament in June, the DPA stated that it was consulted only on some parts of the Smart Quarantine project, after intervention by the DPA itself. The DPA also argued during the hearing that the contact tracing app needs a new legal framework. See also this Country report for Czechia published by the EU Agency for Fundamental Rights (July 2020), p 15.

Denmark

Contact tracing app?
Smittestop, launched in June.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(e) and art 9(2)(i) and (g).

New legal framework?
On 15 May 2020, the Danish government and political parties entered into an agreement for the Smittestop app. "Bekendtgørelse om behandling af oplysninger om elektronisk registrerede kontakter med henblik på at forebygge og inddæmme udbredelsen af Coronavirussygdom 2019 (COVID-19) of 17 June 2020 regulates the app.

A "Bekendtgørelse" is an executive order.

Additional documentation?
DPIA for the app. Statement of the Danish DPA on the app of 17 April 2020.

England and Wales

Contact tracing app?
NHS COVID-19 app, launched in September.

Legal basis under GDPR?
The Privacy Notice of 10 December 2020 states that the processing is based on art 6(1)(e), 9(2)(g), (h) and (i).

Position on art 22 GDPR?
The Privacy Policy states "we considered whether the app uses Automated Decision Making (ADM) ... We consider that it does not but have complied with the legal and policy framework around Automated Decision Making ..."

New legal framework?
The government argues new legislation is unnecessary. Professor Lilian Edwards and colleagues drafted the Coronavirus (Safeguards) Bill 2020. The Joint Committee on Human Rights submitted a Digital Contact Tracing (Data Protection) Bill on 29 May, based on the bill by Professor Edwards.

More information?
The NHSX originally developed a centralised app and trialled it on the Isle of Wight. The trial was not very succesful as the app registered only about 4% of iPhones. On 18 June the government announced they ditched the centralised app and opted for a decentralised app based on the Google and Apple Exposure Notification framework.

DPIA of 10 December 2020 for the app. Annexes to the DPIA. The DPIA was published only after the Open Rights Group threatened with legal action.

The UK DPA published a opinion on 17 April on the Apple and Google initiative. The DPA also published a document with data protection expectations regarding the development of a contact tracing app. There is speculation that in a future update, the app might include functionalities for test results and vaccination records.

Estonia

Contact tracing app?
HOIA, launched in August.

Legal basis under GDPR?
The Privacy Policy states the processing is based on consent.

New legal framework?
Tervise infosüsteemi põhimäärus of 2016 regulates the Estonian central health information system. Vabariigi Valitsuse 1. detsembri 2016. a määruse nr 138 „Tervise infosüsteemi põhimäärus” muutmine of 16 July amended the regulation to create a legal basis for the contact tracing app. I hope I got this right.

Finland

Contact tracing app?
Koronavilkku, launched by the end of August.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(e) and 9(2)(i).

New legal framework?
Laki tartuntatautilain väliaikaisesta muuttamisesta of 9 July 2020 amended the Finnish Communicable Diseases Act. The new law added a temporary chapter to the Communicable Diseases Act to regulate the contact tracing app.

The laki was proposed by the Finnish government and approved by the parliament and thus has the status of formal law.

Additional information? The Finnish institute for health and welfare stated that between 1 and 15 September, 35% of the people diagnosed with coronavirus used the app to report the infection.

France

Contact tracing app?
TousAntiCovid, the rebranded version of the StopCovid app, which was originally launched in June.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(e).

New legal framework?
Décret n° 2020-650 du 29 mai 2020 relatif au traitement de données dénommé « StopCovid » regulates the app.

In France, the prime minister can issue decrees. The release of the app and the decree have been approved by a vote in the National Assemblee. Such a vote was not mandatory, but the government wanted to have the support of the parliament.

Additional documentation?
The French DPA published Deliberation No. 2020-046 of 24 April 2020 delivering an opinion on a proposed mobile application called "StopCovid" and Deliberation No. 2020-056 of 25 May 2020 delivering an opinion on a draft decree relating to the mobile application known as "StopCovid". On 20 July 2020, the DPA issued a formal notice against the Ministry of Health concerning the StopCovid app. Then on 3 September the DPA issued a decision with which it closed its proceedings against the Ministry of Health in which the DPA ordered the Ministry to remedy data protection issues in the StopCovid app. The DPA published another opinion on 14 September 2020 in which it states that the operation of the app generally complies with the GDPR and that it will continue to monitor the operation of the app. The DPA

The Conseil National du Númerique also published a statement on 24 April in support of the app.

A group of French crypotography and security experts signed a letter on 26 April 2020 warning for mass surveillance via the app.

Germany

Contact tracing app?
Corona-Warn-App, launched in June.

New legal basis under GDPR?
The Privacy Notice of 17 October 2020 states the processing is based on art 6(1)(a) and 9(2)(a).

Legal framework?
The German government argues on its website that "[s]ince downloading and using the app is voluntary for citizens, there is no need for statutory regulation of the voluntary use of the app by the population" (see under: "Am I obliged to use the Corona-Warn-App").

More information?
Datenschutz-Folgenabschätzung (version 1.1) of 16 October for the app. The Federal DPA commented on 16 June that they saw no reason against installation of the app, although there were still weak points. The official DPIA was influenced by a DPIA created by a group of academics in April.

Gesellschaft für Freiheitsrechte gives a useful overview of the German fundamental rights framework and covid-19.

Greece

Contact tracing app? No.

Hungary

Contact tracing app?
VirusRadar, launched in May.

Legal basis under GDPR?
The Privacy Policy of 10 June 2020 states the processing is based on art 6(1)(a) and 9(2)(a) and for some processing operations on art 6(1)(c) and 9(2)(i).

New legal framework?
Korm. rendelet 179/2020. (V. 4.) a veszélyhelyzet idején az egyes adatvédelmi és adatigénylési rendelkezésektől való eltérésről is a governmental decree that suspends the rights based on articles 15 to 22 GDPR for the purpose of preventing, understanding, and detecting the coronavirus. Section 10 of the "Government Decree 46/2020 (16 March) on the measures to be taken during the state of danger declared for the prevention of the human epidemic endangering life and property and causing massive disease outbreaks, for the elimination of its consequences, and for the protection of the health and lives of Hungarian citizens (III)" authorises the Minister responsible for innovation and technology to access and process any available data and obliges public and private actors to provide assistance and data requested to the Minister. In addition to that, "Government Decree 93/2020 (6 April) on certain rules relating to data processing and traffic applicable during the period of state of danger" authorises the Operational Corps Responsible for the Containment of the Coronavirus Epidemic to request data from all public or private actors for epidemiological monitoring. I suppose these powers also concern the data available via the VirusRadar app.

More information?
In a statement of 2 June, the EDPB responds to the Hungarian Government Decree 179/2020 and stresses that the GDPR remains applicable during the coronavirus crisis.

In Hungary, public authorities can also monitor home-quarantine via a mobile app, on the basis of "Government Decree 181/2020. (4 May) on the electronic monitoring of official home quarantines ordered with respect to the human epidemic endangering life and property and causing massive disease outbreaks". It is not entirely clear to me if this decree concerns the VirusRadar app. Lancos (2020) suggests it does, but another app called Házi Karantén Rendszer seems to be specifically for monitoring home quarantine.

According to this report (p 24-25), the VirusRadar app was introduced in May for Android devices, but approved by Apple for their devices only in June because of data protection issues. See also this Country report for Hungary published by the EU Agency for Fundamental Rights (May 2020)

Iceland

Contact tracing app?
Rakning C-19, launched in April.

Legal basis under GDPR?
The Privacy Statement states the processing is based on consent.

New legal framework?
I have not found any. However, in addition to data protection law, Iceland has the Rules no. 837/2006 on Electronic Surveillance, which regulates electronic surveillance in the workplace, in schools, and in other areas generally traversed by a limited number of people. These rules were issued by the Icelandic DPA.

Ireland

Contact tracing app?
COVID Tracker, launched in July.

Legal basis under GDPR?
The Data Protection Information Notice (version 1.05) of 8 October 2020 states that the processing is based on art 6(1)(a) and 9(2)(a).

New legal framework?
The Irish government reportedly (p 9) argues that additional specific legislation is not necessary because the app is based on consent.

Additional documentation?
DPIA of the app of 26 June 2020. Irish DPA review of June 2020 of the DPIA of the app.

Italy

Contact tracing app?
Immuni, launched in June.

Legal basis under GDPR?
The Privacy Policy states the processing of analytical cookies is based on art 6(1)(a) and the processing of "data di navigazione" on art 6(1)(e).

New legal framework?
Decreto-legge 30 aprile 2020, converted into law by Legge 25 giugno 2020, n. 70. Conversione in legge, con modificazioni, del decreto-legge 30 aprile 2020, n. 28, recante misure urgenti per la funzionalita' dei sistemi di intercettazioni di conversazioni e comunicazioni, ulteriori misure urgenti in materia di ordinamento penitenziario, nonche' disposizioni integrative e di coordinamento in materia di giustizia civile, amministrativa e contabile e misure urgenti per l'introduzione del sistema di allerta Covid-19. The decreto-leggo and legge regulate the covid-19 alert/warning system consisting of, among others, a contact tracing app.

Malgieri (2020) explains that in Italy, a decreto-legge has the same legal value as a legge. The government can approve a decreto-legge in times of emergency but if the decreto-leggo is not converted into a law by the parliament within 60 days it loses its effectiveness. The legge of 25 June did not amendent the provisions in the decreto-legge on the alert system.

Additional documentation?
I found this DPIA of 5 May for the app. I have not found official sources that link to this DPIA but the document header suggests that this a version for the general public. The Italian DPA published an opinion on 29 april 2020 on the bill for the app. The DPA on 1 June also published its authorization of the app and on 3 June a note on technical aspects for the DPIA for the app. Telecom Italia, a telecom provider, offers its customers access to the app without using up their data bundles.

With thanks to Gionata for explaining Italian law correctly and @SilviaPetulante for figuring out the status of the DPIA!

Latvia

Contact tracing app?
Apturi Covid, launched in May.

Legal basis under GDPR?
The Privacy Policy (version 2) of 26 October 2020 states that the processing is based on "public health and safety". The previous Privacy Policy of 22 May stated that the processing was based on the art 6(1)(a) and (e).

New legal framework?
Article 6(3)(1) of Covid-19 infekcijas izplatības pārvaldības likums of 5 June 2020 talks about a system to identify and warn persons at high risk of infection and the EU gateway for interoperability, so I think this creates a legal basis for the app. Ministru kabineta noteikumi Nr. 360 Epidemioloģiskās drošības pasākumi Covid-19 infekcijas izplatības ierobežošanai of 9 June 2020 was amended by Ministru kabineta noteikumi Nr. 647 of 27 October 2020 and since then contains a chapter (XII) on, what seems to be, a contact tracing app.

I think a Ministru kabineta noteikumi is an executive order.

Additional documentation?
The Latvian DPA published information on the Apturi Covid app on 5 June 2020 in which it further explains the privacy aspects of the app.

Lithuania

Contact tracing app?
Korona Stop LT, launched in November. Before that, the Karantinas app was introduced in April, but the Lithuanian DPA suspended this app in May 2020.

Legal basis under GDPR?
The Privacy Policy for Korona Stop LT of 24 November 2020 states that the processing is based on art 6(1)(a) and 9(2)(a). The Privacy Policy for Karantinas stated the processing was based on legitimate interests, compliance with a legal obligation, and compliance with the terms and conditions(?).

Legal framework?
According to this report (p 9), the government did not pass additional legislation for the Karantinas app because that was considered unnecessary.

More information?
On 25 May, the Lithuanian DPA suspended the use of the Karantinas app.

It is not entirely clear to me what the Karantinas app did. Some reports state that the app "enables daily coronavirus symptom tracking, encourages healthy actions ... and helps to care for people in self-isolation". Other reports describe that the app could also be used for the authorities to control if people comply with self-isolation. But other reports refer to the Karantinas app as a contact tracing app. Another news article reported that the Lithuanian government is planned to introduce a contact tracing app in August, but I don't know which app that is. The Karantinas app also introduced the gamification of covid-19 health monitoring: when people used the app and provided information about their health status they were rewarded with point that they could exchange for discounts in the app store.

Luxembourg

Contact tracing app?
No. The Luxembourg parliament reportedly is against an app.

Malta

Contact tracing app?
Covid Alert, launched in September.

Legal basis under GDPR?
The Privacy Policy of 1 October 2020 states the processing is based on art 6(1)(e) and 9(2)(i).

New legal framework?
Legal Notice 379 of 2020, the "Contact tracing and alerting mobile application order", creates a legal basis and reglates the processing.

Netherlands

Contact tracing app?
CoronaMelder, rolled out nationally in October.

Legal basis under GDPR?
The Privacy Statement states that the processing is based on the public interest task.

New legal framework?
The Dutch government proposed a draft bill "Tijdelijke wet maatregelen covid-19". The bill contained, among others, a provision to create a legal basis for the use of digital tools. The Dutch Council of State, which advices the Dutch government and parliament on legislation and governance, remarked in an advice that the legal basis for digital tools was too broad and did not regulate in sufficient detail how to use digital tools during the coronavirus crisis. The Council of State therefore advised to remove provision regarding digital tools from the bill. The Dutch government followed this advice and removed the impugned provision from the bill. In public documentation, the Dutch government stated that it considered to draft a separate legal instrument for a contact tracing app. In August, the Dutch government nonetheless started to test a contact tracing app without an accompanying legal framework. After the Dutch DPA criticized the lack of a legal framework, the Dutch government announced that it would create a fast tracked law (spoedwet), although the government still argues that such a legal framework is not really necessary. The Tijdelijke wet notificatieapplicatie covid-19 came into effect in October 2020. The act amends the Dutch Public Health Act (Wet publieke gezondheid) by adding new provisions (6d, 64bis, and 67a) to create a legal basis for the app and regulate the use of the app.

In the Netherlands, a wet has to be approved by the parliament.

Additional documentation?
There have been a lot of developments around the Dutch contact tracing app. On 7 July, the Dutch government published a DPIA for the app. On 6 August, the Dutch DPA finalised an advice on the contact tracing app and the DPIA, which the responsible Minister says (p 239) he received on 10 August per postal mail, after which the advice was formally published on 17 August. Meanwhile, the Dutch government commissioned a legal analysis by the state attorney, which scrutinizes the advice of the Dutch DPA and was published on 12 August. In addition to that, the government commissioned a second opinion on the DPIA for the app, conducted by a privacy advisory firm and published on 19 August. Then on 24 August the government published a new version of the DPIA for the app.

Northern Ireland

Contact tracing app?
StopCOVID NI, launched in September.

Legal basis under GDPR?
The Privacy Information of 28 July states the processing is based on art 6(1)(e) and 9(2)(i). Somewhat confusingly, the Google Play store page for the StopCOVID NI app refers to another Privacy Notice of 6 April 2020, which states the processing "is likely to fall" under public task and legitimate interests. But when I look at the purposes described in this notice, it does not seem to be written for a contact tracing app.

New legal framework?
Not that I know.

Additional documentation?
The UK DPA published a opinion on 17 April on the Apple and Google initiative. The DPA also published a document with data protection expectations regarding the development of a contact tracing app.

DPIA of 31 July for for the app. The UK DPA also wrote a letter to the Department of Health on 31 July about the DPIA for the app.

Norway

Contact tracing app?
Smittestopp, launched in April. However, in June the Norwegian DPA notified the Norwegian Institute of Public Health (NIPH) that they intended to impose a temporay ban on the app. In July, the DPA indeed imposed a ban on the app. Consequently, the NIPH deleted all the data. On 28 September the NIPH announced that they started working on a new contact tracing app based on the Google and Apple Exposure Notifications framework.

Legal basis under GDPR?
The DPIA states the processing was based on art 6(1)(e) and 9(2)(i).

New legal framework?
"Lov om vern mot smittsomme sykdommer" of 1994 (Act on communicable diseases) and Forskrift om digital smittesporing og epidemikontroll i anledning utbrudd av Covid-19 of 27 March 2020 (Regulations for digital contact tracing and epidemic control in connection with the outbreak of Covid-19).

If I get it right, a forskrift is issued by the executive branch. It is not adopted by the legislative branch. A lov is adopted by the legislative branch.

Additional documentation?
DPIA for the app. Unofficial translation and summary of the final report of the Norwegian government appointed expert group on the app.

Personal reflections on the app by Eivind Arvesen, member of the expert group. Report [pdf] by Simula, the developer of the Smittestopp app, in which they compare different contract tracing app options. Q&A in English of 9 April by Simula about the Smittestopp app.

Poland

Contact tracing app?
ProteGO Safe. A first version was launched in April and then renewed version in June 2020.

Legal basis under GDPR?
The Privacy Policy [pdf] (v4.8) states that the processing is based on art 6(1)(e) and 9(2)(i). An older Privacy Policy [docx] stated that the processing was based on art 6(1)(c) and 9(2)(i). The DPIA states that the app does not process personal data.

New legal framework?
Unknown.

Additional documentation?
DPIA [xlsx] for the app. The government also provided quite some extra documentation about the app. I think this includes older versions of the privacy policy and terms & conditions, also in English, and some reports. Letter [pdf] from the Polish DPA of 30 April about the app.

The Ministry of Ministry of Economic Development, Labour and Technology initially suggested at a press conference that the app could be used to manage shopping numbers in malls, which would incentivize the use of the app, but this plan was dropped. The government refutes the information on its website too.

The Panoptykon Foundation was critical of the first version of the app but approves the current version of the app.

Portugal

Contact tracing app?
StayAway, launched in September.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(a) and (e) and 9(2)(a) and (i).

New legal framework?
"Decreto-Lei no. 52/2020" of 11 August. In October 2020, the Portuguese government submitted Proposta de Lei 62/XIV "Determina a obrigatoriedade do uso de máscara para o acesso ou permanência nos espaços e vias públicas e a obrigatoriedade da utilização da aplicação STAYAWAY COVID". A provision in this legal proposal made the use of the contact tracing app mandatory in certain public spaces and sectors, but the provision was withdrawn after criticism. The legal proposal led to questions by the European Parliament to the Commission. See also the Country report for Portugal [pdf], published by the EU Agency for Fundamental Rights (November 2020), p 4.

If I am correct, in Portugal a decreto-lei is issued by the government.

Additional documentation?
DPIA (v2) of 11 Augustus 2020 for the app. Portuguese DPA decision of 29 June 2020 on the app. D3, a Portuguese digital rights organization, launched the Rastreamento campaign to make people aware of the risks of the contact tracing app.

Romania

Contact tracing app?
First Contact, launched in November 2020. A local company called Romanian InSpace Engineering (RISE) also developed CovTrack but I don't know about the status of this app.

Legal basis under GDPR?
The Privacy Policy says the app does not use any personal data. Maybe that is why the Privacy Policy doesn't give a legal basis.

New legal framework?
I cannot find any.

Scotland

Contact tracing app?
Protect Scotland, launched in September.

Legal basis under GDPR?
The Privacy Policy of 11 September 2020 details the legal grounds for various controllers and types of data, so that the processing is based on art 6(1)(a) and (e) and 9(2)(g), (i), and (j).

New legal framework?
Not that I know.

More information?
DPIA of 16 September for the app. The Transparency page on the website of the app explains that the the report The ethics and value of contact tracing apps: International insights and implications for Scotland" by Dr Pagliari informed the ethical framework for the app.

With thanks to @mattr3 for pointing me towards the transparency materials.

Slovakia

Contact tracing app?
Zostaň zdravý, which was developed by two private companies and then donated to the state. I think the app was launched mid-March 2020. According to this report (p 10-11), the Slovak authorities intend to develop another app based on the Google and Apple Exposure Notification framework, but I have not found this app.

Legal basis under GDPR?
The Privacy Policy states that the processing is based on art 6(1)(a) and (d). An old Privacy Policy stated that the processing was based on art 6(1)(a) and (e) and 9(2)(a).

Legal framework?
I haven't found any. This report (p 11) states a contract has been concluded between the National Health Information Center and the Public Health Authority on the use of the data.

More information?
This app also contains "Innovatrics Face Recognition feature to ensure that people who were positively tested or are suspected to have Covid-19 will adhere to the quarantine". This functionality is related to the state quarantine measures in the country. Privacy and security analysis of the app in English by Ján Jančár.

With thanks to @DrzavljanD for pointing out a correction.

Slovenia

Contact tracing app?
#OstaniZdrav, launched in August. The app is based on the German app.

Legal basis under GDPR?
The Privacy Notice of 28 July 2020 of the app states the processing is based on (explicit) consent.

New legal framework?
"Zakon o interventnih ukrepih za pripravo na drugi val COVID-19 (ZIUPDV)" of 9 July 2020 creates a legal basis for a contact tracing app and regulates the app. Article 28 of the act provides that the use of the app is voluntary, but that people who have a suitable smartphone and are infected or need to quarantine are obliged to use the app. The Minister of Public Administration has later said that the use of the app will be voluntary for everyones. I am not sure what is the status of article 28 currently.

Odlok o začasni delni omejitvi gibanja ljudi in prepovedi zbiranja ljudi zaradi preprečevanja okužb s SARS-CoV-2 of 13 December 2020 makes the use of the contact tracing app mandatory for citizens of four Slovenian regions if they want to leave their own municipality. An odlok is government decree.

If I am right, in Slovenia, "zakoni" are adopted by the National Assembly.

More information?
The Slovenian DPA reportedly (p 17) was not consulted about the bill for app. Comments of the Slovenian DPA of 30 June on the bill. More comments of the DPA of 7 July on the bill. The DPA also said on other occasions that the legal basis for the app is inadequate.

Spain

Contact tracing app?
Radar Covid, available nationwide since October 2020.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(a) and (e) and 9(2)(i) and (j).

New legal framework?
"Orden SND/297/2020, de 27 de marzo, por la que se encomienda a la Secretaría de Estado de Digitalización e Inteligencia Artificial, del Ministerio de Asuntos Económicos y Transformación Digital, el desarrollo de diversas actuaciones para la gestión de la crisis sanitaria ocasionada por el COVID-19" entrusted the Secretary of State for Digitalization and AI of the Ministry of Economic Affairs and Digital Transformation with the development of new actions to manage the covid-19 crisis. The orden mentions a mobile app that can be used to inform the user about the probability of being infected, but I am not sure if this concerns a contact tracing app or a self-diagnosis app. The Privacy Policy also refers to Real Decreto-ley 21/2020, de 9 de junio, de medidas urgentes de prevención, contención y coordinación para hacer frente a la crisis sanitaria ocasionada por el COVID-19, but I am not sure what this law means for the app. Finally, Resoluciónde 13 de octubre de 2020, de la Subsecretaría, por la que se publica el Acuerdo entre el Ministerio de Asuntos Económicos y Transformación Digital y el Ministerio de Sanidad, acerca de la aplicación "Radar COVID" is an agreement between two ministers to delegate tasks related to the contact tracing app. The resoluciónde also talks about the autonomous communities

In Spain, an orden is a royal decree.

More information?
The Spanish DPA published a study on 7 May in which it analyses several technologies that are used in the fight against covid-19, among which contact tracing apps. The DPA also published a statement on 23 June 2020 in which it clarifies its role in the development of the contact tracing app. The DPA explains it started an investigation on 21 May (I don't know if the investigation has been finished by now).

Spanish academics published a manifesto to demand transparency about public software development such as the Radar Covid app.

Switzerland

Contact tracing app?
SwissCovid, launched in June.

Legal basis under Swiss data protection legislation?
The Data Protection Statement of 24 June 2020 states the processing is based on the EpG and the VPTS (see below). The GDPR does not apply in Switzerland.

New legal framework?
"Bundesgesetz über die Bekämpfung übertragbarer Krankheiten des Menschen (Epidemiengesetz, EpG)" of 2012 amended on 19 June 2020 by the Swiss Parliament. The amendment introduced a new article 60a to the EpG, which creates a legal basis for the contact tracing app. The amendment was accompanied by the "Verordnung über das Proximity-Tracing-System für das Coronavirus Sars-CoV-2 (VPTS)" of 24 June 2020, which regulates the details of the organisation, operation, and data processing of the app. The Verordnung contains an exemption for third parties, that is, Google and Apple, from the obligation to publish the source code.

The Bundesgesetz and amendment are both adopted by the Swiss Parliament. The Verordnung is delegated legislation adopted by the Swiss Federal Council.

Additional documentation?
English translation of the Verordnung. This news item mentions a DPIA was done on 1 May 2020, but I cannot find it. This document [opens PDF] of the Swiss DPA of 12 June 2020 refers to the DP-3T model DPIA. Swiss data protection legislation does not require a DPIA.

A referendum was proposed under the name "Stop Swiss Covid" against the amendment to the EpG.

With thanks to @mikarv and @podehaye for getting the facts about Swiss data protection law right.

Sweden

Contact tracing app?
No. Researchers at Lund University have launched the COVID Symptom Tracker, an app to map the spread of infection in Sweden, but this is not a contact tracing app. In December 2020, a Swedish minister said that the government has asked the public health agency to look into contact tracing apps of other countries and considering if parts of infection control can be done digitally. If I am correct, they will report back on this in April 2021.

Other notes

Reportedly, there is a conflict between the GAEN criteria (1,5 m) for close contacts and the criteria of the Danish health authorities (1 m), which results in conflicting messages. The Smittestop website explains that if you receive a notification from your phone about a number of exposures, without receiving a message from the app that you have been close to someone with covid-19, then your phone has registered a contact with another app user who has been tested positive for covid-19, but that contact does not yet meet the criteria of the health authorities that it poses a risk of infection. Similar problems are reported for other apps. On the Github page for the SwissCovid app, people complained that their iOS notified them of an amount of potential exposures, whereas the app did not report anything. The FAQ for the SwissCovid app now advices that "SwissCovid users should simply ignore the [iOS] message". Similarly, on the Github page for the German Corona-Warn-App, people pointed out there is a difference between the amount of potential exposures notified by iOS and the app. The FAQ for the Corona-Warn-App also address this issue. Note, however, that these issues are caused by the GAEN framework, not by the contact tracing apps themselves.