GDPR Knowledge

Adyen Payments and Data Protection – What Belongs in the Privacy Policy

Compact guide to Adyen: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

Adyen Payments and Data Protection – What Website Operators Need to Know

When a website operator uses Adyen as a payment provider, payment and customer information (account data, transaction data, card numbers, billing address) is processed for the purposes of payment processing, fraud prevention and compliance. The legal bases are performance of a contract (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR, anti-money laundering) and legitimate interests (Art. 6(1)(f) GDPR, fraud prevention and security). Adyen is an EU company based in the Netherlands and acts both as an independent controller and as a processor, depending on the processing operation. This guide explains what information belongs in the privacy policy and which special features need to be considered with Adyen.

A. Purpose and Function of Adyen

Adyen is a global payment service provider and acquirer that enables online and offline shops to accept payments. The website operator typically integrates Adyen via a payment form or a checkout flow into its shop or e-commerce system. Adyen supports various payment methods and functionalities:

  • Credit and debit card processing: Visa, Mastercard, American Express, etc.
  • Alternative payment methods: PayPal, Apple Pay, Google Pay, Sofort, iDEAL, giropay, etc.
  • Payment gateway and processing: Secure processing and forwarding to banks and card networks
  • Fraud detection and prevention: Real-time analysis of transactions for suspicious patterns
  • Compliance and AML: Automatic verification for money laundering risks, sanctions list screening
  • Reporting and analytics: Detailed transaction and revenue reports for the operator

Integration is usually done via the Adyen API or via a hosted payment form (Adyen Hosted Payment Page). During payment, card data or account details are entered into fields served by Adyen and transferred directly to Adyen's servers, not to the website operator's. This is an important security mechanism: the full card number never passes through the operator's infrastructure, which keeps the operator's own systems largely out of PCI DSS scope and limits what a compromise of the shop itself can expose.

B. Mandatory Disclosures in the Privacy Policy regarding Adyen

Pursuant to the GDPR, a website operator must transparently disclose in its privacy policy which data is processed, for what purposes and on what legal basis. For Adyen, the following information is required:

  • Purposes: Payment processing, fraud detection, compliance (AML/KYC), bank account verification, reporting
  • Legal bases: Performance of a contract (Art. 6(1)(b), payment processing), legal obligation (Art. 6(1)(c), AML and KYC duties, in Germany the GwG, the Money Laundering Act), legitimate interests (Art. 6(1)(f), fraud prevention, security)
  • Recipients/categories: Adyen N.V., banks, card networks (Visa, Mastercard), external fraud detection services, possibly regulatory authorities
  • Third-country transfers: None are inherent in using Adyen (Adyen is EU-based), but individual transactions may be routed to card networks or correspondent banks outside the EU, for example for cards issued outside the EU; these onward transfers should be mentioned
  • Retention period: Depending on the type of data and legal basis; typically 6-10 years for compliance
  • Data categories: See section E

Important note: Payment data is highly sensitive and, in addition to the GDPR, is governed by the PCI DSS industry standard. The website operator should describe the processing transparently and in detail; the policy names the categories of data involved, never actual card numbers. The matterius generator creates such formulations with a high data protection standard.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Adyen: Adyen N.V.

Legal name: Adyen N.V.
Address: Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, Netherlands
Country of registered office: Netherlands (European Union)
DPF status: Not required (EU company, not US-based)
Privacy policy: https://www.adyen.com/policies-and-disclaimer/privacy-policy
Data Protection Officer (DPO): dpo@adyen.com
LGPD contact (Brazil): lgpd@adyen.com
DPA: A Data Processing Agreement is available and should be concluded with Adyen. Adyen acts partly as a processor (for certain processes) and partly as an independent controller (for compliance). Note that the DPA covers only the processor role; for the processing Adyen carries out as an independent controller, the privacy policy must name Adyen as a recipient in its own right.

D. Data Processing by Adyen – Sequence

Collection

The customer places an order in the website operator's e-shop. In the checkout process, an Adyen payment form or a hosted payment page is loaded. The customer selects a payment method and enters the corresponding details (e.g. card data or bank account). Card data is transferred directly to Adyen's servers, not to the website operator; for redirect-based methods such as PayPal, the customer logs in with that provider and Adyen receives only the result of the authorisation. In addition, Adyen collects metadata: IP address, device information, browser, timestamp and billing address (if entered).

Storage

Adyen stores payment data, transaction data and customer information on servers in the Netherlands and possibly in other European data centres. The full card number never reaches the operator: it stays within Adyen's PCI DSS environment and, provided the customer has agreed, Adyen returns a token that the operator can use for future payments without the card being re-entered. The operator itself holds only this token and a masked card number. Transaction data and customer data are stored for 6-10 years (depending on legal basis and local regulations).

Use

Adyen uses the data to authorise the transaction, to communicate with banks and card networks, for fraud detection (automatic analysis for suspicious patterns), for compliance verification (AML/KYC – sanctions lists, money laundering risks) and for the creation of transaction reports for the website operator. Adyen may also use this data for compliance and audit purposes.

Disclosure

Adyen shares payment data with banks, card networks (Visa, Mastercard), correspondent banks for international payments and possibly with external fraud detection and compliance services. Where necessary, data is also passed on to regulatory authorities and law enforcement authorities (upon legal order). The website operator can optionally also export Adyen payment data to its internal CRM or accounting system – but this is the responsibility of the website operator.

Erasure

The CVV/CVC and other sensitive authentication data may not be retained after authorisation (a PCI DSS requirement), and the full card number stays with Adyen; the operator holds at most a token and a masked number. Transaction data and customer data are retained for a configured period (typically 6-10 years, depending on local tax and AML regulations) and are deleted automatically once that period has expired. A manual erasure request is possible under certain conditions (e.g. if there are no compliance reasons against erasure); Adyen examines this individually.
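The claim in sections A and D that card numbers go to Adyen and not to the operator is only as good as what the operator's own systems actually retain: an order export, a support note or a debug log that captured a full card number puts that system back into PCI DSS scope. As an added example (not from this page and not Adyen's code), the Python check below scans merchant-side records for full card numbers, uses the Luhn checksum to separate real card numbers from other long numeric identifiers, and masks any hit to the first six and last four digits that PCI DSS permits to be displayed. The record format and the token value are constructed for the example; the card numbers are the publicly known Visa and Amex test numbers.

```python
import re

# Constructed merchant-side records (an order export plus one support note).
# A shop that is out of PCI DSS scope should hold only a PSP token and a
# masked number (record 1001); records 1002 and 1004 show what an accidental
# leak of a full card number looks like, and record 1003 carries a 16-digit
# reference that is not a card number. Card numbers are the public Visa and
# Amex test numbers; the token value is made up for this example.
SAMPLE_RECORDS = [
    "order=1001 token=ADY-tok-8f3a cardSummary=411111******1111 expiry=03/2028",
    "order=1002 pan=4111111111111111 expiry=03/2028",
    "order=1003 ref=8515131751004933 amount=49.90 EUR",
    "order=1004 note='customer read card 3782 822463 10005 over the phone'",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the cheap filter that tells card numbers from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only what PCI DSS allows to be displayed: first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit number in the text, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def sanitize(text: str) -> str:
    """Replace every card number in the text with its masked form; leave other numbers alone."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def audit(records: list[str]) -> list[tuple[int, list[str]]]:
    """Index of each record that still carries a full card number, with the hits masked."""
    findings = []
    for i, rec in enumerate(records):
        pans = find_pans(rec)
        if pans:
            findings.append((i, [mask_pan(p) for p in pans]))
    return findings


if __name__ == "__main__":
    for idx, masked in audit(SAMPLE_RECORDS):
        print(f"record {idx}: full card number present, masked as {masked}")
        print("  sanitised:", sanitize(SAMPLE_RECORDS[idx]))
```

The Luhn filter is what keeps the check usable in practice: order references, IBAN fragments and phone numbers are long digit strings too, and without it every export would light up. Run `audit` over database dumps, log archives and ticketing exports before claiming in the privacy policy that card numbers never reach the operator, and route `sanitize` into whatever log pipeline still lets free-text fields through.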

E. Data Collected when Using Adyen

Adyen collects various categories of data, depending on the payment method and the integrated process. This data can be classified into the following standardised data categories:

  • User account data: Username/identifier (if logged in), email address, telephone number
  • Account authentication: Password (for PayPal, bank accounts, etc.; entered with that provider, not with the operator, and held only as a one-way hash rather than in recoverable form; not applicable to credit cards)
  • Payment method data: Card number (visible to the operator only in masked form; PCI DSS permits at most the first six and last four digits to be displayed), expiry date, CVV (processed for authorisation only and never retained), cardholder name, billing address, address of card holder
  • Transaction data: Amount, currency, reference number, timestamp, business code
  • Web server log data: IP address, date/time, user agent, browser/OS, referrer
  • Device data: Device type, operating system, screen resolution
  • Account authentication & login data: Login histories (for recurring payments)
  • Technical telemetry data: Errors, loading times, timeout events
  • Coarse location data: IP-based location (optional for fraud prevention)
  • Conversion events: Payment completion, payment failure, payment not authorised

Biometric authorisation (e.g. fingerprint or face recognition) may be used during 3D Secure, typically in the card issuer's banking app or via the customer's device. The biometric data itself is verified on the device or by the issuer; Adyen and the website operator receive only the result of the authentication, not the biometric data.

F. Purposes of Use when Using Adyen

Adyen processes data for several clearly defined purposes. These data can be classified into the following purpose classes:

  • Performance of a contract: Authorisation and processing of payments, generation of transaction reports
  • Provision of functionality: Provision of the payment gateway, error handling, technical support
  • Security and abuse protection: Real-time fraud detection, detection of suspicious patterns, protection against chargeback fraud
  • Compliance: Verification against sanctions lists (AML/KYC), anti-money laundering (GwG), compliance with regulatory requirements
  • Legal enforcement: Proof of transactions, chargeback management, dispute resolution
  • General marketing: Generation of business and revenue reports for the website operator (aggregated, not personalised)

The processing of payment data by Adyen is based on several combined legal bases:

  1. Performance of a contract (Art. 6(1)(b) GDPR): Payment processing is part of the purchase contract between customer and website operator. The transfer to Adyen is necessary for the performance of this contract.

  2. Legal obligation (Art. 6(1)(c) GDPR): Adyen is obliged to comply with anti-money laundering (AML) and know-your-customer (KYC) rules (in Germany the GwG, at EU level the AML directives). This processing is mandated by law.

  3. Legitimate interests (Art. 6(1)(f) GDPR): Fraud detection and fraud prevention are legitimate interests of both Adyen and the website operator. In the balancing test, protection against chargebacks and fraud usually outweighs the interests of the customer.

The combinations can be complicated. A transparent presentation in the privacy policy is essential. The matterius generator takes all three legal bases into account and summarises them in an understandable form.

H. Special Features and Notes on Adyen

  • Role: Independent controller AND partly processor: Adyen primarily acts as an independent controller (for AML, fraud detection, compliance), but can also act as a processor for certain processes. A DPA should be agreed to clarify these roles.
  • Card protection and PCI DSS: Adyen is PCI DSS Level 1 certified. Full card numbers stay within Adyen's PCI DSS environment; the operator works with a token instead, which keeps its own systems largely out of PCI DSS scope and limits what a compromise of the shop itself can expose.
  • AML and KYC: Adyen carries out automatic checks against sanctions lists, PEP databases (Politically Exposed Persons) and money laundering risk indicators. This data may be stored for 6-10 years.
  • Internal disclosure: Adyen sub-processors and partners (e.g. correspondent banks, fraud detection services) gain access to payment data. A list should be available on request.
  • Token for recurring payments: If the customer agrees, Adyen can store a payment token to process future payments without re-entering the card. This is helpful for subscriptions, but must be explicitly documented in the terms and conditions and privacy policy.
  • Chargebacks and dispute handling: Adyen stores transaction data for chargebacks and dispute handling longer than for pure processing purposes (up to 540 days).
  • No third-country transfers (EU base): Since Adyen is based in the Netherlands, using Adyen does not in itself transfer data to third countries without an adequacy decision. However, individual transactions may be transmitted to international card networks and correspondent banks; this must be documented.

J. Conclusion and Recommendation on Adyen

Adyen is an established and secure payment service provider with high compliance and security standards (PCI DSS Level 1). The data processing is complex, as several legal bases are combined (contract, legal obligation, legitimate interests). For GDPR compliance, the following points are essential: (1) transparent presentation of all three legal bases, (2) disclosure of AML/KYC processing and its long retention period, (3) signed DPA with Adyen, (4) information about token use for recurring payments (if used), (5) mentioning security certifications (PCI DSS).

Problematic: A simplified text template that only mentions "payment processing", without mentioning AML/KYC and retention period. Better: A topic-oriented approach in the section "Payments and Compliance" that handles Adyen and other payment providers together and clearly explains the complex legal bases. This information is based on provider information and publicly accessible sources (status: 2026-04-22). In individual cases, legal advice may be required.

This article is for general information purposes on Adyen and does not replace legal advice in individual cases. Status: 2026-04-22.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com