PayPal and Data Protection – What Belongs in the Privacy Policy
Compact guide to PayPal: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
PayPal and Data Protection – What Website Operators Need to Know
If a website operator uses PayPal as a payment service provider, it processes payment data (account, amount, recipient, buyer data) for the purpose of payment processing, fraud prevention and compliance on the basis of contract performance and legal obligation. PayPal (Europe) S.à r.l. et Cie, S.C.A. acts not only as a processor but also as an independent controller for payment data, which decisively shapes the data protection classification.
This guide is aimed at website operators who offer PayPal checkout solutions, payment buttons or PayPal payment as a payment method and therefore need a GDPR-compliant privacy policy.
A. Purpose and Function of PayPal
PayPal is a globally leading online payment service provider for e-commerce transactions. A website operator typically integrates PayPal via a PayPal button ("Checkout Button"), a payment widget or an API on its website.
In the checkout process, the buyer is redirected to PayPal or sees an embedded PayPal form. The buyer enters their PayPal login data, payment instrument and shipping address. PayPal processes this data, checks the ability to pay, checks for fraud signals and carries out the payment. After successful payment, the website operator receives a payment confirmation (IPN = Instant Payment Notification or webhook callback).
The PayPal connection takes place via a merchant integration – the website operator becomes a partner of PayPal (merchant) and signs the PayPal terms of contract as well as the privacy policy.
B. Mandatory Disclosures in the Privacy Policy on PayPal
The GDPR requires that a privacy policy contains the following information for each recipient or category of recipients: purposes (Art. 13(1)(c)), legal bases (Art. 13(1)(a)), legitimate interests (Art. 13(1)(d), if relevant), categories of recipients (Art. 13(1)(e)), third-country transfers (Art. 13(1)(f)) and retention period (Art. 13(2)(a)).
Perspective on PayPal integration: Many website operators add a mere text template such as "PayPal collects and processes payment data" for PayPal. This contradicts Art. 12(1) GDPR, which requires that privacy policies be drafted in "clear and plain language". Tool-specific text templates are often too short, too vague or not adapted to the website operator's specific integration configuration.
Better: Classify PayPal in your topic-oriented data protection sections:
- "Payment processing" – here you describe which payment service providers you use, which data flows and why
- "Contract execution" – legal basis Art. 6(1)(b) GDPR
- "Security and fraud prevention" – legal basis Art. 6(1)(f) GDPR (legitimate interests)
- "Privacy policies of third-party providers" – reference to PayPal's own Privacy Policy
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A.
Legal name: PayPal (Europe) S.à r.l. et Cie, S.C.A.
Address: 22–24 Boulevard Royal, L-2449 Luxembourg, Luxembourg
Country of seat: Luxembourg (European Union / EEA)
Legal form: Limited Liability Company / Commandite simple
Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
DPF status: PayPal (Europe) S.à r.l. et Cie, S.C.A. is an EU company and is not subject to the Data Privacy Framework (DPF). The DPF only applies to US companies. However, PayPal makes use of Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR) for third-country transfers to PayPal group companies in the USA. Check on a case-by-case basis which third-country transfers are relevant for your setup.
Data Processing Agreement (DPA): PayPal offers a Data Protection Addendum (see https://www.paypal.com/us/legalhub/paypal/data-protection). This defines PayPal as independent controller for payment data and not as a pure processor. As a result, PayPal acts for payment data independently of the website operator's privacy policy.
D. Data Processing by PayPal – Workflow
Collection
PayPal collects data in several phases:
- At checkout: Payment data (card number or account details), name, e-mail, billing and delivery address, telephone
- At login/registration: If the buyer has to log in to PayPal: password, security questions, IP address, device information
- At the transaction: Amount, currency, item description (transmitted by the shop), reference number, timestamp
- For fraud prevention: IP address, device information, location data, behavioural profiles, previous transaction patterns
Storage
- PayPal stores payment data on servers in several regions, including the USA (Dublin data centre as a hub for EU data)
- Retention period for payment data: at least 6 years for accounting and compliance (GwG, AO)
- Beyond that, longer required for dispute resolution, chargeback protection and fraud prevention
- Fraud profile data is held longer to improve security models
Use
- Payment authorisation and account debit of the buyer
- Validation of payment methods (card validity, account coverage)
- Fraud detection through scoring algorithms
- Drawing up accounting documents for merchant and buyer
- Compliance with anti-money laundering (GwG) and tax provisions (AO, HGB)
Disclosure
- Sub-processors: PayPal works together with payment networks (Visa, Mastercard, banks)
- Business partners: Fraud prevention services, KYC/AML compliance service providers
- Third countries: Transfer to PayPal Inc. (USA) for the purpose of storage, processing and business continuity
- Information requests: Upon requests from authorities (tax office, public prosecutor, central bank)
Erasure
- After the end of a business relationship: 6 years retention for tax obligations
- After 6 years: pseudonymisation or deletion, provided no longer-term retention reasons exist
- Buyers cannot delete individual transaction data themselves; deletion only by merchant or PayPal upon request
E. Data Collected when Using PayPal
When integrating PayPal as a payment service provider, the website operator (as joint controller with PayPal) and PayPal itself process the following data types:
Data collected during payment processing:
- Name and e-mail address of the buyer
- Billing address and delivery address
- Telephone number
- Amount, currency, transaction reference
- Amount and item description (transmitted by the website operator to PayPal)
- IP address of the buyer
- Device and browser information (user agent, operating system, screen resolution)
- Payment method type (credit card, account details, PayPal balance)
- Date of birth (if required by the website operator or PayPal)
This data can be classified into the following standardised data class types:
- Web server log data: IP address, date/time, browser/OS, technical metadata
- User account data: E-mail address, name, billing and delivery addresses, password (one-way encrypted at PayPal)
- Rough location data: IP-based location at city/municipality level
- Device data: Device type, operating system, screen resolution, browser
- Browser information: Browser name, version, installed plug-ins
- Conversion events: Product purchase, amount, transaction time, success/failure
- Technical telemetry data: Load times at checkout, error rates, session duration
F. Purposes of Use when Using PayPal
When processing payments with PayPal, data is processed for the following purposes:
Main purposes:
- Function provision: Enabling the checkout process, displaying the PayPal button and the payment form
- Contract performance: Payment processing, confirmation of transactions, accounting vis-à-vis buyer and merchant
- Security and abuse protection: Fraud detection through scoring, identity verification, AML compliance (anti-money laundering), checks against sanctions lists
- General product improvement: Improvement of payment processing speed, error analysis at checkout, user-friendliness
- Compliance: Compliance with AO (German Fiscal Code), HGB (German Commercial Code), GwG (German Money Laundering Act), AIFMD and other financial regulations
- Legal enforcement: Dispute resolution, chargeback protection, evidence of transactions
- Communication: Confirmation of payment, invoices, customer support in case of payment problems
G. Legal Bases for PayPal
Step 1: Categorisation of PayPal
PayPal is a payment service provider that the website operator engages as independent controller and partial processor. The role distribution is mixed:
- The website operator is controller for the decision to use PayPal
- PayPal is controller for the payment processing and fraud prevention
- In the payment flow, PayPal also acts as processor for data transmitted by the website operator (e.g. item description)
Step 2: Applicable legal bases
- Contract performance (Art. 6(1)(b) GDPR):
  - Necessary for the performance of a purchase contract between buyer and website operator
  - Payment processing, accounting, shipping confirmation
  - This is the primary legal basis
- Legal obligation (Art. 6(1)(c) GDPR):
  - GwG (Money Laundering Act): KYC check of the buyer at PayPal
  - AO (Fiscal Code): 6-year storage of invoice documents
  - HGB (Commercial Code): Accounting obligations
  - AIFMD (Financial Markets Directive): If PayPal also manages financial products
- Legitimate interests (Art. 6(1)(f) GDPR):
  - Fraud prevention and security of payments
  - Protection of the website operator against chargeback claims
  - Prevention of money laundering and terrorist financing
  - Improvement of payment processing speed
  - Balancing of interests: The interests of the website operator and PayPal outweigh the interests of the data subjects, since without fraud prevention e-commerce would be impossible
- Consent (Art. 6(1)(a) GDPR):
  - Not required, since contract performance and legal obligations are sufficient
  - Optional: If the website operator plans marketing via PayPal data (e.g. customer lists), consent or another legal basis is necessary
Particularity – § 25 TDDDG (Telemedia Act): If the website operator has a PayPal button or a tracking pixel on the website that also loads outside the checkout process (e.g. for conversion tracking), an opt-in consent is required under § 25 TDDDG. This applies to cookies and tracking technologies, not to the payment processing itself.
H. Special Features and Notes on PayPal
1. PayPal is independent controller
PayPal does not only process payment data on the instructions of the website operator, but makes its own decisions on security scores, fraud prevention and retention. This means that PayPal's own privacy policy (https://www.paypal.com/de/webapps/mpp/ua/privacy-full) is directly applicable to the buyer, regardless of your privacy policy.
2. Dual data protection regime
The buyer has rights against both controllers:
- Vis-à-vis the website operator: Access, rectification, erasure of the website data
- Vis-à-vis PayPal: Access, rectification, erasure of the payment and security data
You should point out in your privacy policy that PayPal accepts data subject rights.
3. Data Processing Agreement (DPA)
PayPal offers a Data Protection Addendum (https://www.paypal.com/us/legalhub/paypal/data-protection). This describes:
- The role of the website operator as joint controller
- The handling of sub-processors
- The use of Standard Contractual Clauses (SCC) for third-country transfers
- The obligation to cooperate on data protection requests
You should have signed this DPA if you use PayPal.
4. Third-country transfers and transfer mechanisms
PayPal transfers data to the USA. Pursuant to Art. 13(1)(f) GDPR, you must disclose this:
- Data Privacy Framework (DPF): PayPal Inc. (USA) is DPF-certified (check this at https://www.dataprivacyframework.gov/s/participant-search)
- Standard Contractual Clauses (SCC): As fallback and for further transfers
- Binding Corporate Rules (BCR): PayPal is subject to its own BCR for intra-group transfers
You should disclose in your privacy policy: "Payment data is partly transferred to the USA. PayPal is certified under the Data Privacy Framework and uses Standard Contractual Clauses."
5. § 25 TDDDG and PayPal tracking
If the PayPal button tracks not only at checkout but also for conversion tracking ("PayPal Pixel"), opt-in consent is necessary (§ 25(1) TDDDG). This is independent of the payment processing.
I. FAQ on PayPal
J. Conclusion and Recommendation on PayPal
PayPal is indispensable as a payment service provider for e-commerce, but places significant data protection requirements on the website operator: dual responsibility, third-country transfers to the USA, 6-year retention for compliance, and various legal bases depending on the processing phase.
Tool-specific text templates ("PayPal processes payment data") are often too short and do not meet the requirement of Art. 12(1) GDPR ("clear and plain language").
Recommendation: Use a topic-oriented structure of your privacy policy:
- Section "Payment processing" with brief description of all payment providers
- Section "Security and fraud prevention" for the purpose
- Section "Third-country transfers" with reference to DPF and SCC
- Annex with recipient lists and sub-processors
This is significantly better than tool-specific boxes for readability and GDPR compliance.
This article serves as general information on PayPal and does not replace legal advice in individual cases. Information is based on PayPal provider information and publicly accessible sources (as of: 2026-04-22).
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com