GDPR Knowledge

Mollie Checkout and Data Protection – What Belongs in the Privacy Policy

Mollie Checkout: processed data, GDPR legal bases, role as payment service provider and mandatory disclosures for the privacy policy.

Anyone who integrates Mollie Checkout into their website or online shop is integrating a regulated European payment service provider. In doing so, Mollie processes payment data – from bank data to credit card numbers – under the rules of the GDPR. This processing must be correctly disclosed in the privacy policy.

A. Purpose and Function of Mollie Checkout

Mollie is a payment service provider based in Amsterdam (Netherlands), regulated by the Dutch Central Bank (De Nederlandsche Bank, DNB). The company enables website operators to accept payments from customers – a central function in e-commerce.

Checkout integration:

Mollie offers various integration options:

  • Hosted Payment Page (HPP): The customer is redirected to an external, encrypted Mollie checkout page, enters their payment data there and is redirected back to the website after successful payment. This variant minimizes the website operator's data contact with payment data.

  • Embedded Checkout / Mollie Components: Payment fields (e.g. for credit cards) are embedded directly in the website. Entry takes place in an iframe served by Mollie that communicates with Mollie servers, so the website operator's own pages and servers never see the data entered.

  • Build-Your-Own-Checkout (API): Advanced integration via the Mollie API, in which the developer builds a custom checkout.

Other Mollie functions (such as invoice management, subscriptions, dashboard) are not addressed here, as they do not belong to the checkout integration.
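The following added example (it is not code from Mollie or from this page's author) makes the data-contact claim for the Hosted Payment Page concrete: it shows what a shop sends to Mollie to open a checkout, what Mollie hands back, and what the shop keeps. The two calls follow Mollie's public API v2 (POST /v2/payments and GET /v2/payments/{id}); the JSON responses, the payment id pattern, the order ids and the shop URLs are constructed assumptions so that the example runs offline. The webhook handler treats the incoming body as untrusted input and fetches the status from Mollie instead of believing a posted status.

```python
"""HPP flow: what the shop sends to Mollie, what comes back, what the shop stores.

Added illustration. Endpoints follow Mollie's API v2; all responses below are
constructed samples, not captured traffic. No card or bank data ever exists on
the merchant side: the shop sends an amount and a reference, receives a checkout
URL, and later only a status plus a masked summary."""
import re
import urllib.parse
from typing import Any, Callable, Dict, Optional

MOLLIE_API = "https://api.mollie.com/v2"
# Assumed shape of Mollie payment ids (e.g. "tr_7UhSN1zuXS"); adjust if yours differ.
PAYMENT_ID_RE = re.compile(r"^tr_[A-Za-z0-9]{8,}$")
# Payment-instrument fields that must never appear in anything the shop sends or stores.
FORBIDDEN_FIELDS = {"cardNumber", "cvv", "cvc", "expiryDate", "cardHolder", "iban"}

# The HTTP transport is injected so the example runs offline; in production wrap your
# HTTPS client here and add "Authorization: Bearer <api key>" to every request.
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def build_payment_request(order_id: str, amount_cents: int,
                          redirect_url: str, webhook_url: str) -> Dict[str, Any]:
    """Minimal payment object for the HPP: the customer enters payment details on
    Mollie's page, so this request carries no payment instrument data at all."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    return {
        "amount": {"currency": "EUR", "value": f"{amount_cents // 100}.{amount_cents % 100:02d}"},
        "description": f"Order {order_id}",
        "redirectUrl": redirect_url,   # customer is sent back here after the HPP
        "webhookUrl": webhook_url,     # Mollie pings this URL; status is fetched, not pushed
        "metadata": {"order_id": order_id},
    }


def create_payment(transport: Transport, request: Dict[str, Any]) -> Dict[str, str]:
    """POST /v2/payments; returns the payment id and the HPP URL to redirect the customer to."""
    resp = transport("POST", f"{MOLLIE_API}/payments", request)
    return {"id": resp["id"], "checkout_url": resp["_links"]["checkout"]["href"]}


def handle_webhook(transport: Transport, orders: Dict[str, Dict[str, Any]], form_body: str) -> str:
    """Mollie's webhook body is only 'id=tr_...'. It carries no status and is untrusted
    input; the authoritative status comes from GET /v2/payments/{id}."""
    payment_id = urllib.parse.parse_qs(form_body).get("id", [""])[0]
    if not PAYMENT_ID_RE.match(payment_id):
        raise ValueError("malformed payment id in webhook")
    payment = transport("GET", f"{MOLLIE_API}/payments/{payment_id}", None)
    order = orders[payment["metadata"]["order_id"]]      # KeyError: payment for unknown order
    if payment["amount"] != order["amount"]:
        raise ValueError("paid amount differs from order amount")
    order["status"] = payment["status"]
    if payment["status"] == "paid":
        # Store only the reference and a masked summary; not even the last four digits.
        order["payment"] = {"id": payment["id"], "method": payment.get("method"),
                            "card_label": payment.get("details", {}).get("cardLabel")}
    return payment["status"]


def leaks_payment_instrument(obj: Any) -> bool:
    """True if any forbidden field name appears anywhere in a nested request or record."""
    if isinstance(obj, dict):
        return any(k in FORBIDDEN_FIELDS or leaks_payment_instrument(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(leaks_payment_instrument(v) for v in obj)
    return False


def fake_mollie(state: Dict[str, Any]) -> Transport:
    """Offline stand-in for Mollie with constructed responses in the shape of the v2 API."""
    def transport(method: str, url: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        if method == "POST" and url == f"{MOLLIE_API}/payments":
            state["payment"] = {
                "id": "tr_7UhSN1zuXS", "status": "open", "amount": body["amount"],
                "metadata": body["metadata"],
                "_links": {"checkout": {"href": "https://www.mollie.com/checkout/select-method/7UhSN1zuXS"}},
            }
            return state["payment"]
        if method == "GET" and url.startswith(f"{MOLLIE_API}/payments/"):
            if url.rsplit("/", 1)[1] != state.get("payment", {}).get("id"):
                raise LookupError("unknown payment")
            return state["payment"]
        raise ValueError(f"unexpected call {method} {url}")
    return transport


def simulate_customer_paid(state: Dict[str, Any]) -> None:
    """Constructed: the payment resource after the customer paid on the HPP. Mollie's
    'details.cardNumber' holds only the last four digits, never the full PAN or CVV."""
    state["payment"].update({"status": "paid", "method": "creditcard",
                             "details": {"cardLabel": "Visa", "cardNumber": "1234"}})
```

The shop's outgoing request and its stored order record can both be run through `leaks_payment_instrument`; with the HPP both stay clean by construction, which is exactly what a privacy policy sentence such as "your payment data is transmitted directly to Mollie and not stored on our system" asserts.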

B. Mandatory Disclosures in the Privacy Policy

Under Art. 13 and 14 GDPR (General Data Protection Regulation), website operators must transparently inform their users about which data is processed and for what purpose. A mere mention of "Mollie is used for payments" is not sufficient.

GDPR requirements:

Your privacy policy should contain the following points regarding Mollie:

  1. Provider name and registered office: Mollie B.V., Amsterdam (Netherlands)
  2. Type of data processed: What payment, customer and technical data is collected?
  3. Processing purposes: Payment processing, fraud detection, regulatory compliance
  4. Legal basis: Which article of the GDPR legitimizes the processing? (typically Art. 6(1)(b) – contract performance)
  5. Retention period: How long does Mollie store the data?
  6. Recipients: Which third parties (banks, payment networks, etc.) receive the data?
  7. Mollie as controller: Clarification that Mollie is an independent controller and has its own data protection guidelines

Common error: Many website operators use pre-formulated text blocks that they have not checked themselves. This can lead to legal inconsistencies. Better: research the data, then write precise wording yourself or have it reviewed with professional help.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider – Mollie B.V.

Company information:

  • Name: Mollie B.V.
  • Registered office: Keizersgracht 126, 1015 CW Amsterdam, Netherlands
  • Registration: KvK (Dutch Trade Register) No. 30204462
  • Regulation: DNB (De Nederlandsche Bank), electronic money institution (WFTEG license, relation number F0038)
  • Status: Payment service provider under the Payment Services Directive (PSD2), based in the EU/EEA

Data protection contact:

Mollie publishes its privacy policy at https://www.mollie.com/de/privacy.

Applicable law:

Mollie is subject to the GDPR, an EU regulation that applies directly in every member state, because it is established in the EU and offers its services to users in Germany. Since Mollie is based in the Netherlands, within the EU/EEA, data sent to Mollie is not a third-country transfer within the meaning of Art. 44–49 GDPR; no adequacy decision, standard contractual clauses or other transfer mechanism is required.

D. Data Processing – Process

The processing of payment data by Mollie follows a typical sequence that can be presented chronologically in your privacy policy:

Collection: The customer clicks on the checkout button or is redirected to the Mollie HPP. In doing so, initial data is collected: IP address, timestamp, device type, browser.

Data entry: The customer enters payment data (IBAN for direct debit, card data for credit card, PayPal login, etc.). With the HPP or with Mollie Components, the website operator does not see this data – it goes directly to Mollie servers.

Storage: Mollie stores the payment data on its EU servers (Amsterdam). Credit card data is encrypted and tokenized in accordance with the PCI-DSS standard (Payment Card Industry Data Security Standard, Level 1 certification).

Processing and verification: Mollie checks the payment for authenticity, fraud and regulatory compliance (AML, KYC, anti-money laundering directive).

Sharing with third parties: Payment data is forwarded to the involved payment networks (Mastercard, Visa), banks, acquirers and, where applicable, third-party payment services (PayPal, Klarna, etc.).

Erasure: After expiry of the applicable retention periods (e.g. 6 years for transaction data under commercial and tax law; the GDPR itself sets no fixed period but requires erasure once the purpose and the statutory period have lapsed), Mollie erases the data.

E. Data Collected

Mollie collects and processes the following data categories:

Web server log data

  • IP address of the customer at the time of the checkout call
  • HTTP referrer (from which page the user came)
  • Timestamp and duration of the session

End-device data

  • Device type (desktop, tablet, smartphone)
  • Operating system and its version
  • Device identifier (if available)

Browser information

  • Browser type and version
  • User agent string
  • Installed browser extensions (optional, for fraud detection)

Coarse location data

  • Derived from the IP address (country, region, city)
  • Where applicable, GPS data (if the customer has released them)

Payment account data

  • Name of the buyer
  • Email address
  • Billing address
  • Delivery address (if different)
  • Phone number
  • Payment data: IBAN/account number (for direct debit) or credit card number (is tokenized and not stored), card holder, expiry date
  • Customer number/customer account (if available)

Transaction data

  • Order number / transaction ID
  • Purchase amount and currency
  • Purchased products / services (where applicable, cart contents)
  • Payment method
  • Payment status (successful, pending, failed, charged back)

Fraud detection and risk analysis

  • Comparison with known fraud reports
  • Behavior analyses (e.g. deviations in location, device changes, frequency of transactions)
  • Machine learning scores for risk assessment

Important note: The website operator never receives the card number or CVV. The CVV is not retained by anyone after authorization (PCI DSS prohibits storing it). The card number is held only within Mollie's PCI DSS certified environment; everywhere else it is represented by a token, a reference that cannot be converted back into the card number outside that environment. This lets Mollie charge the same card again (e.g. for subscriptions) without the card data being re-entered or ever passing through the website operator's systems.

F. Purposes of Use

Mollie processes the payment data for the following purposes:

Contract performance

  • Processing transactions between buyer and seller
  • Generating and sending payment confirmations
  • Creating invoices (where applicable, via integrated billing functions)

Security and abuse protection

  • Fraud detection and fraud prevention (duplicate detection, velocity checking, device fingerprinting)
  • Checking for suspicious payment patterns
  • Chargeback prevention
  • 3D-Secure authentication for credit card payments

Regulatory compliance

  • Anti-money laundering (AML) and know-your-customer (KYC) under the 5th EU Anti-Money Laundering Directive
  • Implementation of the German Anti-Money Laundering Act (GwG) and the Anti-Money Laundering and Counter-Terrorist Financing Regulation (GwV)
  • PSD2 compliance (Payment Services Directive 2)
  • Reporting to financial authorities, central banks and other regulatory bodies

Fulfillment of retention obligations

  • Retention of transaction data for 6 years (Commercial Code, tax law)
  • Archiving for audit and review purposes

Legal enforcement and dispute resolution

  • Processing of payment disputes
  • Chargeback procedures
  • Assertion of damages claims
  • Cooperation with law enforcement authorities (e.g. in case of suspected criminal offences)

Technical optimization and service improvement

  • Monitoring of platform availability
  • Performance analyses
  • A/B tests for checkout optimization (anonymized)

G. Legal Bases

The processing of payment data by Mollie is legitimized by several legal bases of the GDPR:

Art. 6(1)(b) GDPR – Contract performance

  • This is the main legal basis for the payment itself. The contract between buyer and seller requires payment processing, which Mollie performs.
  • Includes: Transaction data, payment data, billing address, delivery address

Art. 6(1)(c) GDPR – Legal obligation

  • As a payment service provider, Mollie is subject to legal obligations (GwG, PSD2, GDPR compliance, tax retention).
  • Includes: AML/KYC screening, fraud reporting to authorities, storage for compliance

Art. 6(1)(f) GDPR – Legitimate interest

  • For fraud detection and risk analysis, since this is in the interest of the payment provider (protection against losses) and the buyer (protection against identity theft).
  • Balancing test: Because fraud prevention protects the buyer as well as the provider and relies on data already needed for the payment, the security interest is generally held to prevail over the buyer's interest in not having the data analysed. State this reasoning in the privacy policy rather than merely asserting it.

Consent (Art. 6(1)(a) GDPR) – NOT required

  • Payment processing itself rests on contract performance and legal obligation, not on consent. Cookies or similar storage that are strictly necessary to carry out the payment the user has requested fall under the "strictly necessary" exemption from cookie consent (in Germany § 25(2) No. 2 TDDDG, formerly TTDSG).
  • However: Other tracking functions on the same pages (e.g. Google Analytics, remarketing) still require consent.

H. Special Features and Notes

Mollie as independent controller

Mollie is not the website operator's processor (such as an email marketing service provider). Instead, Mollie is an independent controller for payment processing under Art. 4 No. 7 GDPR. This means:

  • Mollie itself makes decisions about the purpose and means of data processing (fraud detection, compliance, data storage)
  • Mollie is itself responsible for compliance with the GDPR (own data protection officer, own audit process)
  • The website operator and Mollie are each separately responsible for their own processing (independent controllers). This is not joint controllership within the meaning of Art. 26 GDPR, so no Art. 26 arrangement is needed; each party informs data subjects about its own processing.

Privacy notice in the checkout

In your privacy notice, you should specify:

"To process your payment, we work with Mollie B.V. (Amsterdam, Netherlands). Mollie is an independent controller and is subject to its own data protection guidelines (see https://www.mollie.com/de/privacy). Your payment data is transmitted directly to Mollie and not stored on our system."

Name other payment providers separately

If you integrate several payment providers (e.g. PayPal, Stripe, Klarna), you should create separate sections in the privacy policy for each. PayPal, Klarna and others are also independent controllers with their own data protection guidelines.

Data Processing Agreement (DPA)

According to Mollie support documentation, a formal DPA with Mollie is not available, since Mollie does not act as a processor in the classic sense. Mollie instead sets out its data protection obligations in its Terms of Service and Privacy Policy. It is nevertheless advisable to document the controller relationship internally and to have a data protection officer or lawyer confirm whether your specific Mollie integration (in particular a Build-Your-Own-Checkout via the API) requires any further agreement.

Regulation and supervision

  • Mollie is licensed by the Dutch Central Bank (DNB) as an electronic money institution (WFTEG)
  • Subject to the EU Payment Services Directive (PSD2) and German Anti-Money Laundering Act (GwG)
  • Supervised by DNB and, where applicable, BaFin (Federal Financial Supervisory Authority) with regard to German customers

J. Conclusion

Mollie is a regulated European payment service provider; its checkout integrations are built so that payment data goes to Mollie and not to the shop. Website operators are nevertheless obliged to disclose this processing transparently in their privacy policy.

Central points for your documentation:

  1. Name Mollie B.V. as an independent controller, not as a processor
  2. List the specific data collected (not vague but specific)
  3. Justify the legal basis (Art. 6(1)(b) for contract performance, where applicable (c) and (f) for compliance and security)
  4. Indicate the retention period (6 years for transaction data under commercial law)
  5. Link to Mollie's privacy policy
  6. Clarify that credit card data is not stored on your system

Common problem: Many website operators use blanket text blocks for all payment providers. This leads to substantive errors and can result in warnings. Better: research the exact practice of the provider, consult a data protection officer and formulate precise, provider-specific information.


Disclaimer: This article provides an overview of data protection requirements when using Mollie Checkout. It does not constitute legal advice. For your specific situation, you should consult a data protection officer or lawyer. As of: April 2026.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
