Identification process with own data does not require order data processing?

There are projects in which Swisscom relies on legally recognized and audited identification methods carried out by third parties. A typical example is a bank that carries out an in-person identification of a person as part of its KYC process. In this case, Swisscom receives a copy of the bank’s data for its own business purpose (signature). Order data processing is unnecessary here, as the two parties are each responsible for the data. Conversely, the Joint Controllership Principle of the GDPR is not applied here either, as the responsibility for the data does not serve the same business purpose, and the two parties do not act as jointly responsible for a specific business purpose. The bank acts for its business purpose, e.g., opening an account, and Swisscom pursues its goal of issuing signatures. Nevertheless, in this case, our contracts on the “delegation of registration authority activity” also contain a minimum of provisions on how to proceed regarding data protection and the GDPR.