Adyen may collect and process sensitive data like biometric identifiers when verifying your identity for financial compliance purposes, either because the law requires it or because you have consented.
This analysis describes what Adyen's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Biometric data is among the most sensitive personal data categories and is subject to heightened legal protection under GDPR, CCPA, and state laws like Illinois BIPA; its collection for KYC creates specific legal obligations around consent, retention, and security.
Interpretive note: The provision does not specify which precise legal obligation basis applies to KYC biometric processing in each jurisdiction, creating uncertainty about whether the legal basis is adequately documented for GDPR and BIPA compliance purposes.
If Adyen processes your biometric data for identity verification, this is among the most sensitive personal data Adyen may hold about you, and you should be aware that specific consent or legal obligation grounds apply, with heightened protections in certain jurisdictions.
Monitoring
Adyen has changed this document before.
"In some cases, we may process special categories of personal data, such as biometric data, for the purpose of identity verification and Know Your Customer (KYC) compliance requirements. We process such data only where we have a legal basis to do so, such as where processing is necessary for compliance with a legal obligation or where you have provided your explicit consent." — Excerpt from Adyen's Adyen Privacy Policy
REGULATORY LANDSCAPE: Special category data processing is governed by GDPR Article 9, which requires an explicit legal basis from Article 9(2) in addition to an Article 6 basis. Biometric data used for unique identification is explicitly listed as a special category. The Illinois Biometric Information Privacy Act imposes separate and stringent requirements on biometric data collection, retention schedules, and informed written consent that may apply to Adyen's US operations. California's CPRA also designates biometric information as sensitive personal information subject to opt-out rights.
GOVERNANCE EXPOSURE: High. The processing of biometric data carries heightened regulatory exposure across multiple jurisdictions. Illinois BIPA has generated significant class action litigation, and the policy's reliance on legal obligation or consent without specifying the precise legal basis for each KYC use case may be insufficient in jurisdictions requiring more granular disclosure.
JURISDICTION FLAGS: Illinois creates the highest exposure for biometric data given BIPA's private right of action and per-violation damages. California residents have opt-out rights for sensitive personal information under CPRA. EU and UK residents are protected by GDPR Article 9, which requires explicit consent or a specific legal obligation. Financial services regulatory requirements (AML, KYC directives) may provide a legal obligation basis in some jurisdictions.
CONTRACT AND VENDOR IMPLICATIONS: Merchants who require Adyen to perform biometric KYC checks on their customers should confirm in their DPA which party bears controller accountability for the biometric data processing. Liability for BIPA violations in particular can attach to both the entity collecting data and entities directing that collection.
COMPLIANCE CONSIDERATIONS: Legal teams should confirm Adyen maintains a data retention schedule for biometric data consistent with BIPA's requirement to destroy biometric data within specified timeframes. Consent mechanisms for biometric data collection should be reviewed for GDPR Article 9 explicit consent standards. A Data Protection Impact Assessment may be required under GDPR Article 35 for large-scale biometric processing.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Adyen.