Adyen wears two hats: sometimes it decides how your data is used (controller), and sometimes it just processes your data on behalf of the business you bought from (processor). Which role applies determines where you should direct your privacy requests.
This analysis describes what Adyen's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
If Adyen is acting as a processor for a merchant, you may need to go to that merchant, not Adyen, to exercise rights like deletion or access, which adds a step and could delay or complicate your request.
In processor contexts, Adyen's policy directs individuals to contact the merchant rather than Adyen to exercise data rights, meaning your ability to access or delete payment-related personal data depends on which entity you approach and whether they cooperate.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.
When you visit a website built on Squarespace, Squarespace acts as a service provider or data processor, meaning that we process your information on behalf of the website owner. In this case, the website owner is responsible for the information they collect through their website and you should conta...
Monitoring
Adyen has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Adyen acts as a data controller when it determines the purposes and means of processing personal data. Adyen acts as a data processor when it processes personal data on behalf of its merchants and other business partners. In such cases, the merchant or business partner is the data controller and Adyen processes personal data according to their instructions.— Excerpt from Adyen's Adyen Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4(7) and 4(8) defining controller and processor, and Article 28 governing processor obligations. The UK GDPR contains equivalent provisions. The distinction determines which entity bears primary accountability for responding to data subject requests under Articles 15-22. Enforcement is primarily by the Dutch Autoriteit Persoonsgegevens for Adyen's EU operations. GOVERNANCE EXPOSURE: High. The controller-processor distinction has material compliance implications for merchants using Adyen, who as data controllers bear primary responsibility for ensuring Adyen's processing is governed by a compliant Data Processing Agreement. If Adyen's DPA terms do not align with its public privacy statement disclosures, this creates a gap that regulators could flag. JURISDICTION FLAGS: EU and UK jurisdictions create the highest exposure given GDPR and UK GDPR accountability requirements. California's CPRA uses different terminology (service provider vs. third party) but the functional distinction is analogous, and misclassification could affect opt-out obligations for California residents. CONTRACT AND VENDOR IMPLICATIONS: Merchants and business partners contracting with Adyen should verify their Data Processing Agreements explicitly cover all processing described in this public statement, including sub-processor lists and international transfer mechanisms. The provision shifts operational accountability for data subject request handling to the merchant in processor contexts, which should be reflected in the merchant's own customer-facing privacy disclosures. COMPLIANCE CONSIDERATIONS: Compliance teams at merchant organizations should audit whether their privacy notices accurately describe Adyen's role and data processing activities. They should also confirm their DPAs with Adyen are current and include sub-processor notification obligations, particularly for new third-party integrations Adyen may add.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
If Adyen is acting as a processor for a merchant, you may need to go to that merchant, not Adyen, to exercise rights like deletion or access, which adds a step and could delay or complicate your request.
In processor contexts, Adyen's policy directs individuals to contact the merchant rather than Adyen to exercise data rights, meaning your ability to access or delete payment-related personal data depends on which entity you approach and whether they cooperate.
ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Adyen.