<https://noyb.eu/sites/default/files/2020-04/Ad%20hoc%20Paper_Corona%20Tracki...> In the wake of the Corona crisis, many governments and non-governmental institutions consider the usage of infection tracking systems to fight the pandemic. They float different ideas how these systems shall look like (see examples here). While reviewing some of those ideas, noyb has prepared this ad hoc paper on legal requirements for virus tracking systems. While this paper can give a general and superficial overview of the minimal requirements of the GDPR and possible compliance strategies, it naturally remains abstract and needs to be adapted to any specific tracking project. We feel that compliance with baseline privacy protections is crucial for the acceptance of any such tracking system by the public. This paper is not a policy document and does not make any political assessment of different tracking approaches. It also does not attempt to assess which processing operations would be necessary from a medical or statistical perspective. Max Schrems Chairperson, noyb.eu We intend to update this paper over the next days and weeks. Please check for the latest version of this paper on noyb.eu. 1. SCOPE OF THIS PAPER (TRACKING APPS) This paper is focused on known technical methods to tracking infections of individuals with SARS-CoV-2. These approaches focus on interactions between individuals where such interaction happens in a sufficiently close physical proximity and long enough for the virus to be transmitted – but between individuals that are not intimate enough to inform each other about their infection status without the use of a digital tracking system. Realistic scenarios are e.g. encounters with co-travelers on a train or bus or longer interactions in stores, restaurants and alike. In contrast, the tracking of briefly passing stranger on the street (as the interaction is usually not intense enough) or the tracking of co-workers or family members (as they are known to the infected person anyways) seem to be of limited benefit. This paper does not cover the use of personal data for statistical purposes or policy assessments (like mobile phone data analysed for movement statistics) or the use of personal data for the surveillance of quarantined persons. [...]