Checkout.com acts as the responsible party for data it collects about merchants directly, but when processing payment data on behalf of merchants, it acts under the merchant's instructions, meaning the merchant bears primary responsibility for cardholder data rights.
This analysis describes what Checkout.com's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This distinction determines who is legally accountable for cardholder data rights requests: if a cardholder wants to exercise GDPR rights over their payment data, they may need to contact the merchant rather than Checkout.com directly for certain processing activities.
Cardholders whose payment data is processed through Checkout.com may find that their data rights requests need to be directed to the merchant, not Checkout.com, because Checkout.com is acting as a processor in those contexts and the merchant is the data controller.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
Checkout.com has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Checkout.com acts as a data controller in respect of personal data that we collect about merchants and their representatives, and as a data processor when we process personal data on behalf of our merchant clients in connection with the payment services we provide to them.— Excerpt from Checkout.com's Checkout.com Privacy
1. REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4, 26, 28, and 29, which define the responsibilities of controllers and processors and require written data processing agreements. UK GDPR contains equivalent provisions. The ICO and EU national supervisory authorities are the primary enforcement bodies. Failure to have compliant data processing agreements in place between Checkout.com and its merchant clients creates regulatory exposure for both parties. 2. GOVERNANCE EXPOSURE: High. The controller/processor distinction has significant compliance implications for merchant clients, who must ensure their own privacy notices disclose Checkout.com's processing role and that GDPR-compliant data processing agreements (DPAs) are executed. Merchants who fail to implement this structure are exposed to supervisory authority enforcement. 3. JURISDICTION FLAGS: EU and UK merchants face the highest exposure given mandatory DPA requirements under GDPR Article 28. US merchants serving EU/UK customers must also comply. The structure also creates complexity for merchants in multiple jurisdictions who may be subject to different controller/processor accountability frameworks. 4. CONTRACT AND VENDOR IMPLICATIONS: Merchants should confirm that executed DPAs with Checkout.com are in place and that those agreements specify processing purposes, data categories, retention periods, subprocessor lists, and audit rights as required under GDPR Article 28(3). The policy's assertion of processor status for cardholder data means Checkout.com's standard contract terms should be reviewed to confirm they contain all mandatory DPA provisions. 5. COMPLIANCE CONSIDERATIONS: Merchant compliance teams should conduct a data mapping exercise to document all personal data flows to and from Checkout.com, update their own privacy notices to reflect Checkout.com's processor role, and ensure DPAs are current and reflect any changes to subprocessors. Internal procedures for handling data subject access requests should route cardholder requests through the merchant's own processes, with Checkout.com providing assistance as processor.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This distinction determines who is legally accountable for cardholder data rights requests: if a cardholder wants to exercise GDPR rights over their payment data, they may need to contact the merchant rather than Checkout.com directly for certain processing activities.
Cardholders whose payment data is processed through Checkout.com may find that their data rights requests need to be directed to the merchant, not Checkout.com, because Checkout.com is acting as a processor in those contexts and the merchant is the data controller.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Checkout.com.