Adyen is a Dutch licensed bank and one of the largest enterprise payment platforms in the world, with European headquarters in Amsterdam. It processes payments for merchants such as Spotify, Uber, Booking.com, eBay and Microsoft. Adyen runs its primary infrastructure in the EU; the hosted checkout sets only strictly necessary first-party cookies for fraud prevention.
Adyen is a Dutch payment platform founded in 2006 in Amsterdam. It received a banking license from the European Central Bank in 2017 and is regulated as a credit institution. Adyen offers a single platform for online, in-store and in-app payments and is widely used by enterprise merchants such as Spotify, Uber, Booking.com, eBay and Microsoft. Merchants integrate Adyen via the Drop-in component, the Components SDK, hosted payment pages or the API.
Adyen processes payment data submitted by the customer (card number, account details, billing address, IP), risk signals required for fraud prevention and SCA, and metadata sent by the merchant. On the Adyen hosted checkout, only strictly necessary first-party cookies are set: a session cookie, a CSRF token and a small risk score cookie. No advertising or behavioural cookies are deployed by Adyen itself.
For the cookies set on the Adyen checkout, the strict necessity exemption of Art. 5(3) ePrivacy applies, so no consent banner is required to render the Adyen payment page. Payment data is processed under contract performance (Art. 6(1)(b) GDPR) and AML / PSD2 record keeping is processed under legal obligation (Art. 6(1)(c)). The merchant must still mention Adyen as a processor in its privacy policy and sign the Adyen DPA.
For European merchants, Adyen processes data on EU infrastructure operated by Adyen N.V. and Adyen Issuer N.V. International merchants may use additional regional data centres; transfers in those configurations rely on Standard Contractual Clauses included in the Adyen Data Processing Addendum. Card scheme communication with Visa, Mastercard or international wallets remains under Adyen's controllership and is governed by the card scheme rules and PSD2.
Sign the Adyen Data Processing Addendum from your Customer Area. Add Adyen to the list of processors in your privacy notice with the EU hosting and PSD2 context. Configure SCA and risk rules to comply with PSD2. Use the hosted checkout or Drop-in to limit your PCI DSS scope. Define a retention period for transaction metadata aligned with your AML and tax obligations.
Websites using Adyen must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard online payment use of Adyen. It may become relevant for very large merchants combining tokenisation, cross-border acquiring and extensive risk profiling.
Sample consent text
Payments on this site are processed by Adyen (Adyen N.V., Netherlands), a licensed EU bank. Your payment data is handled under PSD2 and the GDPR. See our privacy policy for details.
Third-party domains contacted
- www.adyen.com
- checkoutshopper-live.adyen.com
- checkoutshopper-test.adyen.com
- checkoutanalytics-live.adyen.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| JSESSIONID | first_party | Session | Strictly necessary session cookie used to maintain the customer session on the Adyen hosted checkout while a payment is in progress. |
| CSRF-TOKEN | first_party | Session | CSRF protection token used to validate the payment form submission on the Adyen hosted checkout. |
| _dvf | first_party | 30 minutes | Strictly necessary device fingerprint cookie used by Adyen for fraud prevention during the transaction. |
On the Adyen hosted checkout, only strictly necessary first-party cookies are set: a session cookie (JSESSIONID), a CSRF protection token (CSRF-TOKEN) and a small device fingerprint cookie (_dvf) used for fraud prevention during the transaction. Adyen does not set advertising or behavioural cookies.
No banner is required to display the Adyen hosted checkout because the cookies in question are strictly necessary under Art. 5(3) ePrivacy. The merchant does need consent for any optional Adyen marketing component or third-party tracker added on its own pages.
Contract performance (Art. 6(1)(b) GDPR) for the data necessary to complete the transaction. Legal obligation (Art. 6(1)(c)) for AML, PSD2 and tax record keeping. Strictly necessary cookies on the Adyen checkout rely on Art. 5(3) ePrivacy.
For European merchants Adyen processes data on EU infrastructure operated by Adyen N.V. and Adyen Issuer N.V. International merchants may use additional regional data centres; transfers in those configurations rely on the Standard Contractual Clauses included in the Adyen DPA.
Standard online payment use of Adyen does not normally require a DPIA. A DPIA may be relevant for very large merchants combining tokenisation, cross-border acquiring and extensive risk profiling.
Sign the Adyen DPA from your Customer Area. Add Adyen to the list of processors in your privacy notice with EU hosting and PSD2 context. Configure SCA and risk rules to comply with PSD2. Use the hosted checkout or Drop-in to limit your PCI DSS scope. Define a retention period for transaction metadata aligned with your AML and tax obligations.
Other EU licensed payment providers include Mollie (Netherlands), Stripe (EU entity in Ireland), PayPlug (France), Worldline (France) and Klarna (Sweden). The privacy outcome is broadly similar provided the EU entity and EU hosting are used.
For most setups no update to the banner is needed because the Adyen hosted checkout sets only strictly necessary cookies under Art. 5(3) ePrivacy. Update your privacy notice to mention Adyen as a payment processor, the EU hosting and the legal basis. If you embed any optional Adyen Components on your own pages, add the corresponding entries.