Adyen processes personal data from your transactions under GDPR and its Privacy Policy, and as a merchant you are responsible for making sure you have valid legal grounds to share your customers' data with Adyen.
This analysis describes what Adyen's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Merchants who do not have adequate privacy notices or data processing agreements in place with Adyen may face GDPR compliance exposure if their customers' payment data is processed without proper legal basis.
Interpretive note: The specific DPA structure and international transfer mechanism details could not be confirmed from the truncated document; merchants should request Adyen's current DPA to verify GDPR compliance measures.
This provision places responsibility on merchants to ensure their own customers have been properly informed about and consented to their personal data being shared with Adyen for payment processing, which has direct implications for end consumer privacy rights.
How other platforms handle this
To the extent that Duo processes any Personal Data (as defined in the Duo Privacy Data Sheet) on behalf of Customer in connection with Customer's use of the Services, the terms of the Duo Data Processing Agreement ('DPA'), which are hereby incorporated by reference into this Agreement, shall apply a...
Cloudflare's current Privacy Policy is incorporated into this Agreement by this reference and is located at https://www.cloudflare.com/privacypolicy/. In addition, by using the Services, you acknowledge and agree that internet transmissions are never completely private or secure.
If you access or use any of Oura's location-based services, such as by enabling GPS-based activity tracking through our Services, Oura may process the approximate or precise location of your device while the service is active. This data may be obtained via your device's service provider network ID, ...
Monitoring
Adyen has changed this document before.
"In providing the services, Adyen will process personal data in accordance with its Privacy Policy and applicable data protection laws, including the General Data Protection Regulation. You are responsible for ensuring that you have the necessary consents and legal bases to share personal data with Adyen for the purposes of payment processing."
— Excerpt from Adyen's Adyen Terms
REGULATORY LANDSCAPE: This provision engages directly with GDPR, which governs the processing of personal data of EU/EEA data subjects. The relevant enforcement authorities are national data protection authorities in each EU member state, with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) as the lead supervisory authority for Adyen as a Netherlands-incorporated processor. UK merchants are subject to the UK GDPR and ICO oversight. GDPR Articles 26 and 28 are particularly relevant to the controller and processor relationship between merchants and Adyen.
GOVERNANCE EXPOSURE: High. The allocation of responsibility to merchants for ensuring valid legal bases for sharing customer data with Adyen creates a compliance obligation that many smaller merchants may not have fully operationalized, particularly where payment flows involve sensitive transaction data that could reveal purchasing behavior, health-related purchases, or financial circumstances.
JURISDICTION FLAGS: All EU/EEA merchants face GDPR obligations, including the requirement to have a valid Data Processing Agreement (DPA) with Adyen as a processor. UK merchants require a UK GDPR-compliant DPA. California merchants should assess whether CCPA-covered personal information flows through Adyen's processing and whether Adyen qualifies as a service provider under that framework.
CONTRACT AND VENDOR IMPLICATIONS: A signed Data Processing Agreement with Adyen is a prerequisite for GDPR-compliant use of the platform where EU/EEA personal data is processed. Procurement and legal teams should verify that Adyen's DPA covers international data transfer mechanisms (Standard Contractual Clauses or equivalent) where processing occurs outside the EEA.
COMPLIANCE CONSIDERATIONS: Merchants should update their customer-facing privacy notices to disclose Adyen as a payment processing sub-processor. Data mapping exercises should include transaction data flows through Adyen, including any data retention periods specified in Adyen's DPA or Privacy Policy. CCPA service provider agreements should be reviewed where applicable.
ConductAtlas has identified this type of provision across 6 platforms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Adyen.