According to clause 9.2 of the Adyen Terms and Conditions, the Merchant has been appointed as Controller, and Adyen as Processor of the Personal Data – this includes Transaction Data.
The basic set of Transaction Data collected (in transactions that are processed by Adyen for the Merchant), includes some or all of the following types of Personal Data about shoppers:
- First and last name (this could be as provided by the shopper, as registered with the payment method or as present on the card)
- Unique identifier (PAN or other unique identifier such as an email address) registered with the payment method, which may uniquely identify the shopper
- IP address
For some payment methods, and types of contracts – for example physical goods deliveries, and potentially configured by the Merchant – the Personal Data may include:
- Billing address
- Delivery address
- Telephone number
- Email address
When travel-related data is collected – normally for flight or lodging bookings, and potentially configured by the Merchant – the Personal Data may further include:
- First and last name
- Date of birth
- Flight details
When additional data is collected – in selected retail or e-commerce situations, and as configured by the Merchant – the Personal Data may further include:
- Payment device technical information
- Shopping cart information
Additionally, there are optional custom fields available to merchants which may be used for such purposes as identifying the product or services being purchased. All data is either provided by the Merchant or the collection is defined by the Merchant.
Execution of a Subject Erasure Request (SER)
Due to obligations under the Dutch Civil Code, items 1 and 2 will be retained within Adyen for at least 7 years after the fiscal year of the transaction.
Adyen will remove items 1-13 for identified transactions, if they exist, from the Customer Area available to the Merchant under the following conditions:
A. The Merchant has indicated that the shopper does not have a recurrent contract. Note: if the shopper has a recurrent contract, Adyen will be unable to fulfil a SER until the Merchant terminates that recurrent contract.
B. The Personal Data will be replaced with **REDACTED** within the Adyen Customer Area upon request of the Merchant.
C. During the maximum chargeback period, the Personal Data may be provided to the Merchant (again) as part of the defense process to support merchant’s fraud and risk controls.
D. Items 1-13 may be retained within Adyen to support obligations under the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act for at least 5 years after the end of the business relationship with the Merchant, as part of Adyen’s legal obligations in relation to servicing the Merchant. In the unlikely situation that Adyen determines a transaction and the related data to be in scope of this legal obligation, Adyen may be compelled by law not to disclose this fact to the Merchant or the data subject.
E. Adyen will remove remaining data from within its own systems at the earliest reasonable moment after the maximum chargeback period and the end of the payments-related regulatory and legal compliance periods.