RA agencies act on behalf of the Swisscom registration authority. In addition to the duties of careful execution of the registry's activities, data protection is also a priority. The data protection principles from Art. 28 GDPR apply, reflected in the precise form of the technical-organizational measures (TOM) in the RA agency contract. They are based on two sections of Art. 28 GDPR, which reflect the use of the app on the mobile device:
- The measure must "ensure the ability to ensure the confidentiality, integrity, availability, and resilience of the systems and services in connection with the processing on a long-term basis" and
- include a procedure for regular review, assessment, and evaluation of the effectiveness of technical and organizational measures to ensure processing security.
- The controller and the processor shall take steps to ensure that natural persons under their authority who have access to personal data process them only on instructions from the controller unless they are required to do so by Union or national law.
This means that, in addition to using carefully selected and trained employees, the protection of the app on the mobile device and access protection must be guaranteed. Are the devices adequately protected against viruses? Is downloading programs from other app stores that do not offer sufficient protection prohibited? Do employees keep their PINs and passwords secret? Are the devices free of rooting?
The most important task of the RA agent is the strict examination of the identification documents submitted to them and, in particular, the rigorous verification of the field information read out by optical character recognition (OCR) from the ID card/passport as well as the correct recording of the mobile number.