Contact tracing app laws in the EU

Various European countries have launched a contact tracing app to help in the fight against COVID-19. Some of these apps were initiated by the government and other apps were initiated by private actors and thereafter endorsed by the government. I am doing comparative legal research into these contact tracing apps. I am interested in knowing if these contact tracing apps are based solely on existing legislation such as the General Data Protection Regulation (GDPR) or if they are accompanied by new legislation. I'm making my research notes public so that other people can also use them for their research. This is work in progress and since I am dependent on translations, the notes may contain mistakes. Please send me an email if you see a mistake or want to add missing information. And yes, I have to fix a few things on this website, such as how the menu bar sometimes overlaps with text, but I haven't had the time to figure out how to do that.

People have rightfully pointed out on Twitter that comparative legal research has its limitations. I need to look into the domestic legal context and how an app is implemented on regional or local levels in order to understand how an app is regulated on a national level. The overview I present here is just a start.

Various people sent me additional information and explained national legislation to me; obviously all errors are mine.

Austria

Contact tracing app?
Stopp Corona, introduced in March 2020 by the Austrian Red Cross and endorsed by the Austrian government.

Legal basis under GDPR?
The Datenschutzinformation of 10 June states the processing is based on art 6(1)(a), art 9(2)(a) and for some data on art 6(1)(f).

New legal framework?
I haven't found anything.

Additional documentation?
DPIA of the app (version 1.2) of 12 May 2020. DPIA of the app (version 2.0) of 31 July 2020. DPIA of the app (version 2.0) of 4 August 2020.

Information from the Austrian DPA on data protection and covid-19 of 20 May 2020. Position paper [opens pdf] of the Federal Ministry of Social Affairs, Health, Care, and Consumer Protection on contact tracing apps of 10 June 2020.

Belgium

Contact tracing app?
Coronalert, launched on 18 September for a select group of 10.000 Belgians. The app will be available nationally by the end of September. In the first months of the COVID-19 crisis, the Belgian government stated that it would not introduce a contact tracing app.

Legal basis under GDPR?
The Privacy Statement (provisional version) of 4 August states the processing is based on art 6(1)(e) and 9(2)(i).

New legal framework?
"Koninklijk besluit nr. 44 betreffende de gezamenlijke gegevensverwerking door Sciensano en de door de bevoegde regionale overheden of door de bevoegde agentschappen aangeduide contactcentra, gezondheidsinspecties en mobiele teams in het kader van een contactonderzoek bij personen die (vermoedelijk) met het coronavirus COVID-19 besmet zijn op basis van een gegevensbank bij Sciensano" of 26 June 2020 regulates the use of the app.

A "Koninklijk besluit" is a royal order.

Additional documentation?
Public consultation by the interfederal working group in charge of the development of the app. Opinions of the Belgian DPA regarding the koninklijk besluit.

Bulgaria

Contact tracing app?
ViruSafe, launched on 7 April 2020.

Legal basis under GDPR?
The Terms of Use (para 29) state the processing is based on consent and explicit consent.

New legal framework?
"Заповед № РД-01-184 от 06.04.2020 г. за въвеждане в експлоатация Национална информационна система за борба с COVID-19" of 6 April 2020 introduces an information system, which includes, among others, a contact tracing app.

If I am correct, in Bulgaria a ministry can issue a "Заповед", an order, which is a delegated action. According to a report in May, "[n]o legislation was passed allowing the state to use the data collected via the ViruSafe app. The rules governing the use of the collected data as well as the rights of users in relation to this use are laid down in the application’s terms of reference, to which each user has to explicitly agree before they start using the app" (p 15).

Croatia

Contact tracing app?
Stop COVID-19 app, launched in July.

Legal basis under GDPR?
The Privacy Policy of 26 June states the processing is based on art 6(1)(a).

New legal framework?
I can't find any.

Additional documentation?
DPIA (summary) of 27 July for the app. News item of the Croatian DPA of 21 July 2020 about a meeting with the Ministry of Health about the app.

Cyprus

Contact tracing app?
COVTRACER, developed by the Research Centre of Excellence in Research and Innovation (RISE) in Cyprus, supported by the government, and launched in April.

Legal basis under GDPR?
The Privacy Policy of 30 March states that "[b]y using this app the user consents to this privacy policy", so I guess the legal basis is consent.

New legal framework?
According to this report (p 15), there are no plans to develop a legal framework to regulate the use of the app.

Czechia

Contact tracing app?
As part of the Smart Quarantine project, the Czech government runs the eRouška app and endorsed the Mapy.cz app. Mapy.cz is a popular Czech web mapping service that added a covid-19 contact tracing functionality. It is not entirely clear to me who took the initiative for the eRouška app. There is this COVID19CZ group of tech entrepreneurs and it could be that they originally developed the app and then later transferred it to the government.

Legal basis under GDPR?
The Privacy Policy for eRouška states the processing is based on 9(2)(a).

New legal framework?
None.

Additional documentation?
The Czech DPA issued a statement on 11 April 2020 on the Smart Quarantine project. In the statement, the DPA explains that it asked the Minister of Health for more information about the project. The DPA received only some basic information and therefore could not fully assess the Smart Quarantine project. The DPA stresses that, contrary to reports in the media, the Smart Quarantine project was not launched with the approval of the DPA itself. During a public hearing in the parliament in June, the DPA stated that it was consulted only on some parts of the Smart Quarantine project, after intervention by the DPA itself. The DPA also argued during the hearing that the contact tracing app needs a new legal framework. See also this Country report for Czechia published by the EU Agency for Fundamental Rights (July 2020), p 15.

Denmark

Contact tracing app?
Smittestop, launched in June.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(e) and art 9(2)(i) and (g).

New legal framework?
On 15 May 2020, the Danish government and political parties entered into an agreement for the Smittestop app. "Bekendtgørelse om behandling af oplysninger om elektronisk registrerede kontakter med henblik på at forebygge og inddæmme udbredelsen af Coronavirussygdom 2019 (COVID-19)" of 17 June 2020 regulates the app.

I think a "Bekendtgørelse" is a regulation or order by the Danish government.

Additional documentation?
DPIA for the app. Statement of the Danish DPA on the app of 17 April 2020.

England and Wales

Contact tracing app?
NHS COVID-19 app, launched in September.

Legal basis under GDPR?
The Privacy Notice of 25 September for the national rollout states the processing is based on art 6(1)(e), 9(2)(g), (h) and (i).

Position on art 22 GDPR?
The Privacy Policy states "we considered whether the app uses Automated Decision Making (ADM) ... We consider that it does not but have complied with the legal and policy framework around Automated Decision Making ..."

New legal framework?
The government argues new legislation is unnecessary. Professor Lilian Edwards and colleagues drafted the Coronavirus (Safeguards) Bill 2020. The Joint Committee on Human Rights submitted a Digital Contact Tracing (Data Protection) Bill on 29 May, based on the bill by Professor Edwards.

More information?
The NHSX originally developed a centralised app and trialled it on the Isle of Wight. The trial was not very successful as the app registered only about 4% of iPhones. On 18 June the government announced they ditched the centralised app and opted for a decentralised app based on the Google and Apple Exposure Notification framework.

DPIA of 25 September for the national release. To see the difference between this DPIA and the older DPIA, see the update to the DPIA for the NHS COVID-19 App relative to the DPIA for the August pilot of the app. Annexes to the DPIA. The DPIA was published only after the Open Rights Group threatened legal action.

The UK DPA published an opinion on 17 April on the Apple and Google initiative. The DPA also published a document with data protection expectations regarding the development of a contact tracing app.

Estonia

Contact tracing app?
HOIA, launched in August.

Legal basis under GDPR?
The Privacy Policy states the processing is based on consent.

New legal framework?
Tervise infosüsteemi põhimäärus of 2016 regulates the Estonian central health information system. Vabariigi Valitsuse 1. detsembri 2016. a määruse nr 138 „Tervise infosüsteemi põhimäärus” muutmine of 16 July amended the regulation to create a legal basis for the contact tracing app. I hope I got this right.

Finland

Contact tracing app?
Koronavilkku, launched by the end of August.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(e) and 9(2)(i).

New legal framework?
Laki tartuntatautilain väliaikaisesta muuttamisesta of 9 July 2020 amended the Finnish Communicable Diseases Act. The new law added a temporary chapter to the Communicable Diseases Act to regulate the contact tracing app.

The laki was proposed by the Finnish government and approved by the parliament and thus has the status of formal law.

Additional information?
The Finnish institute for health and welfare stated that between 1 and 15 September, 35% of the people diagnosed with coronavirus used the app to report the infection.

France

Contact tracing app?
StopCovid, launched in June.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(e).

New legal framework?
Décret n° 2020-650 du 29 mai 2020 relatif au traitement de données dénommé « StopCovid » regulates the app.

In France, the prime minister can issue decrees. TechCrunch reports that the release of the app and the decree have been approved by a vote in the National Assembly. Such a vote was not mandatory, but the government wanted to have the support of the parliament.

Additional documentation?
The French DPA published Deliberation No. 2020-046 of 24 April 2020 delivering an opinion on a proposed mobile application called "StopCovid" and Deliberation No. 2020-056 of 25 May 2020 delivering an opinion on a draft decree relating to the mobile application known as "StopCovid". On 20 July 2020, the DPA issued a formal notice against the Ministry of Health concerning the StopCovid app. Then on 3 September the DPA issued a decision closing the proceedings against the Ministry of Health in which it had ordered the Ministry to remedy data protection issues in the StopCovid app.

The Conseil National du Numérique also published a statement on 24 April in support of the app.

Germany

Contact tracing app?
Corona-Warn-App, launched in June.

Legal basis under GDPR?
The Privacy Notice of 12 June states the processing is based on art 6(1)(a) and 9(2)(a).

New legal framework?
The German government argues on its website that "[s]ince downloading and using the app is voluntary for citizens, there is no need for statutory regulation of the voluntary use of the app by the population" (see under: "Am I obliged to use the Corona-Warn-App").

More information?
Datenschutz-Folgenabschätzung (version 1.0.1) for the app. The Federal DPA commented on 16 June that they saw no reason against installation of the app, although there were still weak points. The official DPIA was influenced by a DPIA created by a group of academics in April.

Gesellschaft für Freiheitsrechte gives a useful overview of the German fundamental rights framework and covid-19.

Greece

Contact tracing app?
No.

Hungary

Contact tracing app?
VirusRadar, launched in May.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(a) and 9(2)(a) and also 6(1)(c) and 9(2)(i).

New legal framework?
"Korm. rendelet 179/2020. (V. 4.) a veszélyhelyzet idején az egyes adatvédelmi és adatigénylési rendelkezésektől való eltérésről" is a governmental decree that suspends the rights based on articles 15 to 22 GDPR for the purpose of preventing, understanding, and detecting the coronavirus. Section 10 of the "Government Decree 46/2020 (16 March) on the measures to be taken during the state of danger declared for the prevention of the human epidemic endangering life and property and causing massive disease outbreaks, for the elimination of its consequences, and for the protection of the health and lives of Hungarian citizens (III)" authorises the Minister responsible for innovation and technology to access and process any available data and obliges public and private actors to provide assistance and data requested to the Minister. In addition to that, "Government Decree 93/2020 (6 April) on certain rules relating to data processing and traffic applicable during the period of state of danger" authorises the Operational Corps Responsible for the Containment of the Coronavirus Epidemic to request data from all public or private actors for epidemiological monitoring. I suppose these powers also concern the data available via the VirusRadar app.

More information?
In a statement of 2 June, the EDPB responds to the Hungarian Government Decree 179/2020 and stresses that the GDPR remains applicable during the coronavirus crisis.

In Hungary, public authorities can also monitor home-quarantine via a mobile app, on the basis of "Government Decree 181/2020. (4 May) on the electronic monitoring of official home quarantines ordered with respect to the human epidemic endangering life and property and causing massive disease outbreaks". It is not entirely clear to me if this decree concerns the VirusRadar app. Lancos (2020) suggests it does, but another app called Házi Karantén Rendszer seems to be specifically for monitoring home quarantine. This document contains more info on the Házi Karantén Rendszer app in English.

According to this report (p 24-25), the VirusRadar app was introduced in May for Android devices, but approved by Apple for their devices only in June because of data protection issues. See also this Country report for Hungary published by the EU Agency for Fundamental Rights (May 2020).

Ireland

Contact tracing app?
COVID Tracker, launched in July.

Legal basis under GDPR?
The Data Protection Information Notice states the processing is based on consent.

New legal framework?
The Irish government reportedly (p 9) argues that additional specific legislation is not necessary because the app is based on consent.

Additional documentation?
DPIA of the app of 26 June 2020. Irish DPA review of June 2020 of the DPIA of the app.

Italy

Contact tracing app?
Immuni, launched in June.

Legal basis under GDPR?
The Privacy Policy states the processing of analytical cookies is based on art 6(1)(a) and the processing of "data di navigazione" on art 6(1)(e).

New legal framework?
Decreto-legge 30 aprile 2020, converted into law by Legge 25 giugno 2020, n. 70. Conversione in legge, con modificazioni, del decreto-legge 30 aprile 2020, n. 28, recante misure urgenti per la funzionalita' dei sistemi di intercettazioni di conversazioni e comunicazioni, ulteriori misure urgenti in materia di ordinamento penitenziario, nonche' disposizioni integrative e di coordinamento in materia di giustizia civile, amministrativa e contabile e misure urgenti per l'introduzione del sistema di allerta Covid-19. The decreto-legge and legge regulate the covid-19 alert/warning system consisting of, among others, a contact tracing app.

Malgieri (2020) explains that in Italy, a decreto-legge has the same legal value as a legge. The government can approve a decreto-legge in times of emergency, but if the decreto-legge is not converted into a law by the parliament within 60 days it loses its effectiveness. The legge of 25 June did not amend the provisions in the decreto-legge on the alert system.

Additional documentation?
I found this DPIA of 5 May for the app. I have not found official sources that link to this DPIA but the document header suggests that this is a version for the general public. The Italian DPA published an opinion on 29 April 2020 on the bill for the app. The DPA on 1 June also published its authorization of the app and on 3 June a note on technical aspects for the DPIA for the app.

With thanks to Gionata for explaining Italian law correctly and @SilviaPetulante for figuring out the status of the DPIA!

Latvia

Contact tracing app?
Apturi Covid, launched in May.

Legal basis under GDPR?
The Privacy Policy of 22 May states the processing is based on art 6(1)(a) and (e).

New legal framework?
I haven't found any.

Additional documentation?
The Latvian DPA published information on the Apturi Covid app on 5 June 2020 in which it further explains the privacy aspects of the app.

Lithuania

Contact tracing app?
Karantinas, introduced in April but suspended in May.

Legal basis under GDPR?
The Privacy Policy stated the processing was based on legitimate interests, compliance with a legal obligation, and compliance with the terms and conditions(?).

New legal framework?
According to this report (p 9), the government did not pass additional legislation for the Karantinas app because that was considered unnecessary.

More information?
On 25 May, the Lithuanian DPA suspended the use of the Karantinas app.

It is not entirely clear to me what the Karantinas app did. Some reports state that the app "enables daily coronavirus symptom tracking, encourages healthy actions ... and helps to care for people in self-isolation". Other reports describe that the app could also be used for the authorities to control if people comply with self-isolation. But other reports refer to the Karantinas app as a contact tracing app. Another news article reported that the Lithuanian government is planning to introduce a contact tracing app in August, but I don't know which app that is. The Karantinas app also introduced the gamification of covid-19 health monitoring: when people used the app and provided information about their health status they were rewarded with points that they could exchange for discounts in the app store.

Luxembourg

Contact tracing app?
No. The Luxembourg parliament reportedly is against an app.

Malta

Contact tracing app?
Covid Alert, launched in September.

Legal basis under GDPR?
The Privacy Policy of 31 August states the processing is based on art 6(1)(e) and 9(2)(i).

New legal framework?
I haven't found any.

Netherlands

Contact tracing app?
CoronaMelder. The app is currently being tested in some parts of the country and is supposed to be rolled out nationally in September.

Legal basis under GDPR?
The Privacy Statement for the test phase states the processing is based on explicit consent. The DPIA (p 26) for the app states the app is based on art 6(1)(e) and 9(2)(i).

New legal framework?
The Dutch government proposed a draft bill "Tijdelijke wet maatregelen covid-19". The bill contained, among others, a provision to create a legal basis for the use of digital tools. The Dutch Council of State, which advises the Dutch government and parliament on legislation and governance, remarked in an advice that the legal basis for digital tools was too broad and did not regulate in sufficient detail how to use digital tools during the coronavirus crisis. The Council of State therefore advised removing the provision regarding digital tools from the bill. The Dutch government followed this advice and removed the impugned provision from the bill. In public documentation, the Dutch government stated that it considered drafting a separate legal instrument for a contact tracing app. In August, the Dutch government nonetheless launched a contact tracing app without an accompanying legal framework. After the Dutch DPA criticized the lack of a legal framework, the Dutch government announced that it will create a fast-tracked law (spoedwet), although the government still argues that such a legal framework is not really necessary. On 21 August, the government sent a bill for the "Tijdelijke wet notificatieapplicatie covid-19" to the House of Representatives. On 3 September, the government published an amended bill for the wet.

In the Netherlands, a wet has to be approved by the parliament.

Additional documentation?
There have been a lot of developments around the Dutch contact tracing app. On 7 July, the Dutch government published a DPIA for the app. On 6 August, the Dutch DPA finalised an advice on the contact tracing app and the DPIA, which the responsible Minister says (q 239) he received on 10 August by postal mail, after which the advice was formally published on 17 August. Meanwhile, the Dutch government commissioned a legal analysis by the state attorney, which scrutinizes the advice of the Dutch DPA and was published on 12 August. In addition to that, the government commissioned a second opinion on the DPIA for the app, conducted by a privacy advisory firm and published on 19 August. Then on 24 August the government published a new version of the DPIA for the app.

Northern Ireland

Contact tracing app?
StopCOVID NI, launched in September.

Legal basis under GDPR?
The Privacy Information of 28 July states the processing is based on art 6(1)(e) and 9(2)(i). Somewhat confusingly, the Google Play store page for the StopCOVID NI app refers to another Privacy Notice, which states the processing "is likely to fall" under public task and legitimate interests. But when I look at the purposes described in this notice, it does not seem to be written for a contact tracing app.

New legal framework?
Not that I know.

Additional documentation?
The UK DPA published an opinion on 17 April on the Apple and Google initiative. The DPA also published a document with data protection expectations regarding the development of a contact tracing app.

DPIA of 31 July for the app. The UK DPA also wrote a letter to the Department of Health on 31 July about the DPIA for the app.

Norway

Contact tracing app?
Smittestopp, launched in April. However, in June the Norwegian DPA notified the Norwegian Institute of Public Health (NIPH) that they intended to impose a temporary ban on the app. In July, the DPA indeed imposed a ban on the app. Consequently, the NIPH deleted all the data. On 28 September the NIPH announced that they started working on a new contact tracing app based on the Google and Apple Exposure Notifications framework.

Legal basis under GDPR?
The DPIA states the processing is based on art 6(1)(e) and 9(2)(i).

New legal framework?
"Lov om vern mot smittsomme sykdommer" of 1994 (Act on communicable diseases) and "Forskrift om digital smittesporing og epidemikontroll i anledning utbrudd av Covid-19" of 27 March 2020 (Regulations for digital contact tracing and epidemic control in connection with the outbreak of Covid-19).

If I get it right, a forskrift is issued by the executive branch. It is not adopted by the legislative branch. A lov is adopted by the legislative branch.

Additional documentation?
DPIA for the app. Unofficial translation and summary of the final report of the Norwegian government appointed expert group on the app.

Personal reflections on the app by Eivind Arvesen, member of the expert group. Report [pdf] by Simula, the developer of the Smittestopp app, in which they compare different contact tracing app options. Q&A in English of 9 April by Simula about the Smittestopp app.

Poland

Contact tracing app?
ProteGO Safe, launched in April.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(c) and 9(2)(i). The DPIA states the app does not process personal data, but I don't know when this DPIA was done; it might be outdated.

New legal framework?
Unknown.

Additional documentation?
DPIA [opens .xlsx] for the app. Discussion on the ProteGO Safe GitHub about a likely privacy violation and GDPR violation. Łukasz Wojtkowski discusses on Twitter how the introduction of the app was supported by pro-government bot activity.

Portugal

Contact tracing app?
StayAway, launched in September.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(a) and (e) and 9(2)(a) and (i).

New legal framework?
"Decreto-Lei no. 52/2020" of 11 August.

If I am correct, in Portugal a decreto-lei is issued by the government.

Additional documentation?
DPIA for the app. Portuguese DPA decision of 29 June 2020 on the app.

Romania

Contact tracing app?
No official contact tracing app, but a local company Romanian InSpace Engineering (RISE) developed CovTrack. I don't know about the status of this app.

Scotland

Contact tracing app?
Protect Scotland, launched in September.

Legal basis under GDPR?
The Privacy Policy of 11 September details the legal grounds for various controllers and types of data, so that the processing is based on art 6(1)(a) and (e) and 9(2)(g), (i), and (j).

New legal framework?
Not that I know.

More information?
DPIA of 16 September for the app. The Transparency page on the website of the app explains that the report "The ethics and value of contact tracing apps: International insights and implications for Scotland" by Dr Pagliari informed the ethical framework for the app.

With thanks to @mattr3 for pointing me towards the transparency materials.

Slovakia

Contact tracing app?
Zostaň zdravý, which was developed by two private companies and then donated to the state. According to this report (p 10), the Slovak authorities intend to develop another app based on the Google and Apple Exposure Notification framework, but I have not found it yet.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(a) and (e) and 9(2)(a).

New legal framework?
I haven't found any.

More information?
This report (p 11) states that the app can also be used to control quarantine. This report (p 11) states a contract has been concluded between the National Health Information Center and the Public Health Authority on the use of the data. Description of the Zostaň zdravý app in English. Analysis of the app in English by Ján Jančár.

The Slovakian government also launched the Moje eZdravie app for citizens to communicate with national authorities. A security firm found that the app was insecure.

With thanks to @DrzavljanD for pointing out a correction.

Slovenia

Contact tracing app?
#OstaniZdrav, launched in August.

Legal basis under GDPR?
The Privacy Notice of the app states the processing is based on (explicit) consent.

New legal framework?
"Zakon o interventnih ukrepih za pripravo na drugi val COVID-19 (ZIUPDV)" of 9 July 2020 includes a provision on contact tracing apps.

If I am right, in Slovenia, "zakoni" are adopted by the National Assembly.

More information?
The Slovenian DPA reportedly (p 17) was not consulted about the bill for the app. Comments of the Slovenian DPA of 30 June on the bill. More comments of the DPA of 7 July on the bill.

Spain

Contact tracing app?
Radar Covid, which should be available throughout Spain as of mid September.

Legal basis under GDPR?
The Privacy Policy states the processing is based on art 6(1)(a) and (e) and 9(2)(i) and (j).

New legal framework?
"Orden SND/297/2020, de 27 de marzo, por la que se encomienda a la Secretaría de Estado de Digitalización e Inteligencia Artificial, del Ministerio de Asuntos Económicos y Transformación Digital, el desarrollo de diversas actuaciones para la gestión de la crisis sanitaria ocasionada por el COVID-19" entrusted the Secretary of State for Digitalization and AI of the Ministry of Economic Affairs and Digital Transformation with the development of new actions to manage the covid-19 crisis. The orden also mentions a mobile app that can be used to inform the user about the probability of being infected, so I guess this forms some legal basis for the app. I have not found more detailed regulation.

In Spain, an orden is a royal decree.

More information?
The Spanish DPA published a study on 7 May in which it analyses several technologies that are used in the fight against covid-19, among them contact tracing apps. The DPA also published a statement on 23 June 2020 in which it clarifies its role in the development of the contact tracing app. The DPA explains it started an investigation on 21 May (I don't know if the investigation has been finished by now).

Spanish academics published a manifesto to demand transparency about public software development such as the Radar Covid app.

Switzerland

Contact tracing app?
SwissCovid, launched in June.

Legal basis under Swiss data protection legislation?
The Data Protection Statement states the processing is based on the EpG and the VPTS (see below). The GDPR does not apply in Switzerland.

New legal framework?
"Bundesgesetz über die Bekämpfung übertragbarer Krankheiten des Menschen (Epidemiengesetz, EpG)" of 2012 amended on 19 June 2020 by the Swiss Parliament. The amendment introduced a new article 60a to the EpG, which creates a legal basis for the contact tracing app. The amendment was accompanied by the "Verordnung über das Proximity-Tracing-System für das Coronavirus Sars-CoV-2 (VPTS)" of 24 June 2020, which regulates the details of the organisation, operation, and data processing of the app.

The Bundesgesetz and amendment are both adopted by the Swiss Parliament. The Verordnung is delegated legislation adopted by the Swiss Federal Council.

Additional documentation?
English translation of the Verordnung. This news item mentions a DPIA was done on 1 May 2020, but I cannot find it. This document [opens PDF] of the Swiss DPA of 12 June 2020 refers to the DP-3T model DPIA. Swiss data protection legislation does not require a DPIA.

A referendum was proposed under the name "Stop Swiss Covid" against the amendment to the EpG.

With thanks to @mikarv and @podehaye for getting the facts about Swiss data protection law right.

Sweden

Contact tracing app?
No. I think they have a few other apps, such as apps to collect data to study the spread of covid-19, but these are not contact tracing apps.

Other notes

Reportedly, there is a conflict between the GAEN criteria (1,5 m) for close contacts and the criteria of the Danish health authorities (1 m), which results in conflicting messages. The Smittestop website explains that if you receive a notification from your phone about a number of exposures, without receiving a message from the app that you have been close to someone with covid-19, then your phone has registered a contact with another app user who has tested positive for covid-19, but that contact does not yet meet the criteria of the health authorities that it poses a risk of infection. Similar problems are reported for other apps. On the GitHub page for the SwissCovid app, people complained that their iOS notified them of a number of potential exposures, whereas the app did not report anything. The FAQ for the SwissCovid app now advises that "SwissCovid users should simply ignore the [iOS] message". Similarly, on the GitHub page for the German Corona-Warn-App, people pointed out there is a difference between the number of potential exposures notified by iOS and the app. The FAQ for the Corona-Warn-App also addresses this issue. Note, however, that these issues are caused by the GAEN framework, not by the contact tracing apps themselves.