Austria - Stopp-Corona App

From Cybersec Standards

App Website

Stopp-Corona App

Data Security Info Provided By App

Data Security page provided by app maker

App Maker or Organization

Austrian Red Cross

App Purpose

Contact tracing

App Platform

Protocol

Data Collected By App

  • IP address
  • Date and time of the request
  • Configuration (language settings, device type and version of the operating system)
  • Private data is protected, but its inclusion is not required to use the app. Per the app's data security FAQ: "For the time being, no input of personal data is necessary to use the app. On your end device, unique, random sequences of numbers ("random IDs") are generated at the operating system level, which are used by the app and transmitted to our server in the event of an infection or suspicious activity report."
  • "The processing of this personal data by you takes place on the basis of the legitimate interest (Art. 6 Para. 1 lit.f GDPR): the temporary processing of the listed data by the system is necessary to enable communication between the terminal and the server. This data is not stored or combined with other personal data from you."
  • Phone number must be used to report infection, and this is retained for 30 days.
  • "We would like to point out that, according to Section 5 (3) of the Epidemic Act, all persons, such as physicians, laboratories, employers, family members and staff from community facilities who could contribute to the surveys, are obliged to provide information at the request of a district administrative authority. Even if such a transmission of data (telephone number) by the Red Cross to the responsible district administrative authority is not intended and is also not technically implemented, we could under certain circumstances be forced to provide your telephone number. Should such a case occur, the legal basis is Art 6 Para. 1 lit c in conjunction with Art. 9 Para. 2 lit i GDPR."

App Claims To Be Compliant With

GDPR and the Austrian Data Protection Act (DSG)

Data Security Controls

During handshake: "Encrypted metadata (Associated Encrypted Metadata - AEM) is used to transport the protocol versioning and the transmission power (Tx) for a better distance approximation. The associated encrypted metadata changes approximately every 10 minutes at the same speed as the Rolling Proximity Identifier to prevent wireless tracking of the device."
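The rotation described in the quote can be reproduced offline. The following is an added example, not code from the Stopp-Corona app or its vendor; it assumes the key-derivation labels and layout of the published Google/Apple Exposure Notification cryptography specification, and the key, timestamps and metadata bytes are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// hkdf16 is HKDF-SHA256 (RFC 5869) with an empty salt, one block, truncated to 16 bytes.
func hkdf16(ikm []byte, info string) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // empty salt = 32 zero bytes
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(append([]byte(info), 0x01))
	return exp.Sum(nil)[:16]
}

// IntervalNumber maps Unix seconds to the index of the 10-minute window.
func IntervalNumber(unix int64) uint32 { return uint32(unix / 600) }

// RPI derives the Rolling Proximity Identifier for one interval from the TEK.
func RPI(tek []byte, interval uint32) []byte {
	block, _ := aes.NewCipher(hkdf16(tek, "EN-RPIK")) // key is always 16 bytes
	padded := make([]byte, 16)                        // "EN-RPI" | 6 zero bytes | interval (LE)
	copy(padded, "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], interval)
	out := make([]byte, 16)
	block.Encrypt(out, padded)
	return out
}

// AEM encrypts (or decrypts) the metadata with AES-128-CTR, using the RPI as IV.
func AEM(tek, rpi, meta []byte) []byte {
	block, _ := aes.NewCipher(hkdf16(tek, "EN-AEMK"))
	out := make([]byte, len(meta))
	cipher.NewCTR(block, rpi).XORKeyStream(out, meta)
	return out
}

func main() {
	tek := []byte("constructed-tek!") // constructed 16-byte sample key, not a real TEK
	meta := []byte{0x40, 0xF4, 0, 0}  // constructed: version 1.0, Tx power -12 dBm, 2 reserved
	for _, t := range []int64{1600000000, 1600000600} { // two consecutive windows
		i := IntervalNumber(t)
		rpi := RPI(tek, i)
		fmt.Printf("interval %d  RPI %x  AEM %x\n", i, rpi, AEM(tek, rpi, meta))
	}
}
```

Because the RPI is the counter-mode IV, identical metadata produces a different AEM in every window, so a constant Tx power value does not become a stable fingerprint in the broadcast.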

Access Controls

Integrity Controls

External Processors

We rely on external service providers for the provision of our service, who are referred to as processors according to the GDPR. The transfer of personal data is justified by the fact that we carefully selected our external service providers as processors within the framework of Art. 28 Para. 1 GDPR, regularly checked them and contractually obliged them to process all personal data exclusively in accordance with our instructions and to comply with the GDPR. The following services are specific:

5.3.1 Operation and maintenance of the Stop Corona app (including backend)

We have outsourced the development, operation and maintenance of the software to a reliable partner: Accenture GmbH, Börsegebäude, Schottenring 16, 1010 Vienna. Accenture takes care of the hosting and technical operation of the app and the server as well as maintenance in the event of a malfunction and technical data security using other individually approved service providers. As a hosting service provider, Accenture uses Microsoft's cloud service called Azure. Microsoft may use other processors: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JOJ1

We use the Austrian hosting service World-Direct eBusiness solutions GmbH, Lassallestrasse 9, 1020 Vienna as our processor to store the phone number. https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JOJ1

5.3.2 Exposure Notification Framework from Google and Apple - external service (no order processing)

The technical interfaces for the implementation of a functioning automatic digital handshake were developed by the major system manufacturers Apple and Google specifically for this type of app in the so-called "Exposure Notification Framework" (see Apple https://www.apple.com/covid19/contacttracing and for Google https://www.google.com/covid19/exposurenotifications). This interface is already available at the operating system level of your end device as part of the "Exposure Notification API", provided the operating system has been updated to a corresponding version. There is a direct legal relationship between the operator of the operating system (Apple or Google) on the basis of the respective license terms with the user. The Red Cross is only responsible for these processing operations insofar as the app uses the manufacturer's interface. However, the app does not transfer the data to Apple or Google, so there is no order processing.

5.4. Transfer to third countries

We also process data in countries outside the European Economic Area ("EEA"). This affects the above-mentioned sub-processor Microsoft. For the USA, the European Commission made a decision on July 12, 2016 that an appropriate level of data protection exists under the regulations of the EU-U.S. Privacy Shield (adequacy decision, Art. 45 Para. 3 GDPR). Microsoft is an EU-U.S. Privacy Shield certified company.

5.5. Transmission to other app users

In connection with the use of the Stop Corona app, data is transmitted to the individual app users, which is necessary for the app to function. The above-mentioned random IDs (TEK and RPI) of other app users are collected on the end devices when a digital handshake is carried out or suspected cases, illnesses or all-clear signals are reported. The legal basis for this is Art. 6 Para. 1 lit. a and Art. 9 Para. 2 lit. a GDPR (consent). However, we would like to point out that after revoking your consent (by deleting the Stop Corona app), we have no option of deleting tokens directly from other devices, as we cannot assign these tokens to either a person or a specific device.