Dear Merchant,

We are updating our Privacy Statement to support our business and ensure compliance with applicable privacy laws and regulations. Our new statement will take effect on the 14th of January 2021. On this date all Adyen Merchants will receive a Customer Area notification and the Privacy Statement will be published on our website (

A few updates to highlight:

  • In light of ongoing developments in the privacy and payments world and following merchant demand, we have accepted a Data Controller role where Adyen provides Acquiring services to you as our Merchant, in accordance with the GDPR.
  • We continue to improve and expand our products and services and therefore included a section around Adyen issued cards.
  • To comply with (privacy) laws and regulations around the globe, we have added a section for Brazil residents to comply with the Lei Geral de Proteção de Dados Pessoais (LGPD). Additionally, we have also updated our policy to comply with our obligations under the Dutch Financial Supervision Act (Wft) and the Dutch Money Laundering and Terrorist Financing Prevention Act (Wwft).

A bit of information on the Acquiring services and Adyen’s controller role

When we provide you with Acquiring services, we process some of your customer’s personal data as a Data Controller. Acquiring services meaning payment services resulting in a transfer of funds through Adyen, which entails the authorizing, recording, clearing and settling of transactions in accordance with the Scheme Rules.

For these purposes we may collect the following data fields:

  • the card number (which we encrypt in accordance with PCI DSS standards);
  • the expiry date (month and year) of the credit card;
  • bank account details (typically excluding the name), including IBAN and SWIFT/BIC;
  • the amount of the transaction and the currency in which the transaction is done;
  • the date, time and location of the transaction; and
  • the merchant category and merchant ID.

For all other services (and processing activities) provided to you, Adyen retains its role as a Data Processor and the existing Data Processing Agreement remains as is.

What does this mean for you as our Merchant?

There is no direct impact for you as a result of this, however, we do of course want to draw your attention to these changes and notify you of this role. Your existing Data Processing Agreement, which captures Adyen’s role as a Data Processor, and yours as a Data Controller, continues to apply. No amendment of the DPA is necessary.

Who does this apply to?

This applies to our Merchants who are subject to the GDPR:

  • not located in the European Union (EU) but are offering their services to shoppers in the EU;
  • located in the EU and offering their services to shoppers in the EU; and/or
  • located in the EU and offering their services to shoppers outside of the EU.

If there are any questions, please reach out to your Account Manager or get in touch. Please read more about the full Privacy Statement in Annex 1.


Annex 1

Are you looking for test card numbers?

Would you like to contact support?