Adyen may collect and process sensitive data like biometric identifiers when verifying your identity for financial compliance purposes, either because the law requires it or because you have consented.
This analysis describes what Adyen's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Biometric data is among the most sensitive personal data categories and is subject to heightened legal protection under GDPR, CCPA, and state laws like Illinois BIPA; its collection for KYC creates specific legal obligations around consent, retention, and security.
Interpretive note: The provision does not specify which precise legal obligation basis applies to KYC biometric processing in each jurisdiction, creating uncertainty about whether the legal basis is adequately documented for GDPR and BIPA compliance purposes.
If Adyen processes your biometric data for identity verification, this is among the most sensitive personal data Adyen may hold about you, and you should be aware that specific consent or legal obligation grounds apply, with heightened protections in certain jurisdictions.
How other platforms handle this
If you access or use any of Oura's location-based services, such as by enabling GPS-based activity tracking through our Services, Oura may process the approximate or precise location of your device while the service is active. This data may be obtained via your device's service provider network ID, ...
AWS processes Customer Content you submit to Amazon Bedrock in accordance with the AWS Customer Agreement and applicable data protection terms. AWS does not use Customer Content processed by Amazon Bedrock to train Amazon's foundation models without your consent.
We process many types of data to support business decisioning, including data about people, businesses, organizations, places, economic activity, sustainability, legal, and other significant business events, and third-party risks. Some of the data we process is considered personal data. Some of the ...
Monitoring
Adyen has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"In some cases, we may process special categories of personal data, such as biometric data, for the purpose of identity verification and Know Your Customer (KYC) compliance requirements. We process such data only where we have a legal basis to do so, such as where processing is necessary for compliance with a legal obligation or where you have provided your explicit consent.— Excerpt from Adyen's Adyen Privacy Policy
REGULATORY LANDSCAPE: Special category data processing is governed by GDPR Article 9, which requires an explicit legal basis from Article 9(2) in addition to an Article 6 basis. Biometric data used for unique identification is explicitly listed as a special category. The Illinois Biometric Information Privacy Act imposes separate and stringent requirements on biometric data collection, retention schedules, and informed written consent that may apply to Adyen's US operations. California's CPRA also designates biometric information as sensitive personal information subject to opt-out rights. GOVERNANCE EXPOSURE: High. The processing of biometric data carries heightened regulatory exposure across multiple jurisdictions. Illinois BIPA has generated significant class action litigation, and the policy's reliance on legal obligation or consent without specifying the precise legal basis for each KYC use case may be insufficient in jurisdictions requiring more granular disclosure. JURISDICTION FLAGS: Illinois creates the highest exposure for biometric data given BIPA's private right of action and per-violation damages. California residents have opt-out rights for sensitive personal information under CPRA. EU and UK residents are protected by GDPR Article 9, which requires explicit consent or a specific legal obligation. Financial services regulatory requirements (AML, KYC directives) may provide a legal obligation basis in some jurisdictions. CONTRACT AND VENDOR IMPLICATIONS: Merchants who require Adyen to perform biometric KYC checks on their customers should confirm in their DPA which party bears controller accountability for the biometric data processing. Liability for BIPA violations in particular can attach to both the entity collecting data and entities directing that collection. COMPLIANCE CONSIDERATIONS: Legal teams should confirm Adyen maintains a data retention schedule for biometric data consistent with BIPA's requirement to destroy biometric data within specified timeframes. Consent mechanisms for biometric data collection should be reviewed for GDPR Article 9 explicit consent standards. A Data Protection Impact Assessment may be required under GDPR Article 35 for large-scale biometric processing.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Biometric data is among the most sensitive personal data categories and is subject to heightened legal protection under GDPR, CCPA, and state laws like Illinois BIPA; its collection for KYC creates specific legal obligations around consent, retention, and security.
If Adyen processes your biometric data for identity verification, this is among the most sensitive personal data Adyen may hold about you, and you should be aware that specific consent or legal obligation grounds apply, with heightened protections in certain jurisdictions.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Adyen.