On February 2nd, the EDPS published orientations on manual contact tracing by EU Institutions in the context of the COVID-19 crisis.
The main takeaway is that, in view of the high sensitivity of the data at stake and the high risk for the privacy of individuals, European institutions, agencies and bodies need to conduct a DPIA when developing and implementing a manual contact tracing operation. By performing a DPIA, controllers will be able to design a
robust and data protection-compliant system, which will then be admissible under the public interest legal basis.
Source: EDPS Guidelines