Checkout.com acts as the responsible party for data it collects about merchants directly, but when processing payment data on behalf of merchants, it acts under the merchant's instructions, meaning the merchant bears primary responsibility for cardholder data rights.
This analysis describes what Checkout.com's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This distinction determines who is legally accountable for cardholder data rights requests: if a cardholder wants to exercise GDPR rights over their payment data, they may need to contact the merchant rather than Checkout.com directly for certain processing activities.
Cardholders whose payment data is processed through Checkout.com may find that their data rights requests need to be directed to the merchant, not Checkout.com, because Checkout.com is acting as a processor in those contexts and the merchant is the data controller.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.
When you visit a website built on Squarespace, Squarespace acts as a service provider or data processor, meaning that we process your information on behalf of the website owner. In this case, the website owner is responsible for the information they collect through their website and you should conta...
Monitoring
Checkout.com has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Checkout.com acts as a data controller in respect of personal data that we collect about merchants and their representatives, and as a data processor when we process personal data on behalf of our merchant clients in connection with the payment services we provide to them.— Excerpt from Checkout.com's Checkout.com Privacy
1. REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4, 26, 28, and 29, which define the responsibilities of controllers and processors and require written data processing agreements. UK GDPR contains equivalent provisions. The ICO and EU national supervisory authorities are the primary enforcement bodies. Failure to have compliant data processing agreements in place between Checkout.com and its merchant clients creates regulatory exposure for both parties. 2. GOVERNANCE EXPOSURE: High. The controller/processor distinction has significant compliance implications for merchant clients, who must ensure their own privacy notices disclose Checkout.com's processing role and that GDPR-compliant data processing agreements (DPAs) are executed. Merchants who fail to implement this structure are exposed to supervisory authority enforcement. 3. JURISDICTION FLAGS: EU and UK merchants face the highest exposure given mandatory DPA requirements under GDPR Article 28. US merchants serving EU/UK customers must also comply. The structure also creates complexity for merchants in multiple jurisdictions who may be subject to different controller/processor accountability frameworks. 4. CONTRACT AND VENDOR IMPLICATIONS: Merchants should confirm that executed DPAs with Checkout.com are in place and that those agreements specify processing purposes, data categories, retention periods, subprocessor lists, and audit rights as required under GDPR Article 28(3). The policy's assertion of processor status for cardholder data means Checkout.com's standard contract terms should be reviewed to confirm they contain all mandatory DPA provisions. 5. COMPLIANCE CONSIDERATIONS: Merchant compliance teams should conduct a data mapping exercise to document all personal data flows to and from Checkout.com, update their own privacy notices to reflect Checkout.com's processor role, and ensure DPAs are current and reflect any changes to subprocessors. Internal procedures for handling data subject access requests should route cardholder requests through the merchant's own processes, with Checkout.com providing assistance as processor.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This distinction determines who is legally accountable for cardholder data rights requests: if a cardholder wants to exercise GDPR rights over their payment data, they may need to contact the merchant rather than Checkout.com directly for certain processing activities.
Cardholders whose payment data is processed through Checkout.com may find that their data rights requests need to be directed to the merchant, not Checkout.com, because Checkout.com is acting as a processor in those contexts and the merchant is the data controller.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Checkout.com.