The decentralized and open-source German CoronaWarnApp is often discussed as positive example with regards to data protection. We, a group of data protection researchers, anaylsed this aspect with the tool of a data protection impact assessment (DPIA) and found many insights that cannot be found by just looking at the source code. We show where the app is done right, but we also show, what's missing to be a showcase example in data protection. This talk gives a overview of the app discussion, explains the tool "DPIA" and also discusses the fundamental shortcomings of the official DPIA produced by Telekom and SAP.