Mollie is a Dutch licensed Electronic Money Institution and one of the largest EU based payment processors, serving merchants in the Netherlands, Belgium, Germany, France, the UK and beyond. Its infrastructure is hosted entirely in the EU. The hosted checkout pages set only strictly necessary cookies for fraud prevention and session management.
Mollie is a Dutch licensed Electronic Money Institution founded in 2004 in Amsterdam. It is one of the largest EU based payment service providers, supporting credit and debit cards, iDEAL, Bancontact, SEPA Direct Debit, Apple Pay, Google Pay, Klarna, PayPal and many local methods. Merchants integrate Mollie via the API or via plugins for Shopify, WooCommerce, Magento, PrestaShop and similar platforms.
Mollie processes payment data submitted by the customer (card number, account details, billing address, IP), order metadata sent by the merchant and risk signals required for fraud prevention and SCA. On the Mollie hosted checkout, only strictly necessary first party cookies are set: a session cookie, a CSRF token and a small risk score cookie. No advertising or analytics cookies are deployed.
For the cookies set during the checkout, the strict necessity exemption of Art. 5(3) ePrivacy applies, so no consent banner is required to render the Mollie payment page. Payment data is processed under contract performance (Art. 6(1)(b) GDPR) and AML / PSD2 record keeping is processed under legal obligation (Art. 6(1)(c)). The merchant must still mention Mollie as a processor in its privacy policy.
Mollie hosts its payment infrastructure within the European Union. There is no transfer to the United States in the standard flow. Card scheme communication with Visa, Mastercard or international wallets may technically traverse non EEA networks, but this happens under Mollie's own controllership and is governed by the card scheme rules and PSD2.
Sign the Mollie Data Processing Agreement available from your dashboard. Add Mollie to the list of processors in your privacy notice with EU hosting and PSD2 context. Configure SCA correctly so PSD2 obligations are met. Use the hosted checkout where possible to limit your PCI DSS scope. Define a retention period for order metadata aligned with your AML and tax obligations.
Websites using Mollie must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard online payment use of Mollie. It may become relevant for very large transaction volumes combined with extensive fraud profiling or biometric SCA flows.
Sample consent text
Payments on this site are processed by Mollie (Mollie B.V., Netherlands), a licensed EU payment provider. Your payment data is handled by Mollie under PSD2 and the GDPR. See our privacy policy for details.
Third-party domains contacted
www.mollie.com, api.mollie.com, pay.mollie.com, js.mollie.com
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| mollie_session | first_party | Session | Maintains the customer session on the Mollie hosted checkout while a payment is in progress. |
| mollie_csrf | first_party | Session | CSRF protection token used to validate the payment form submission. |
| _mol_risk | first_party | 30 minutes | Strictly necessary risk score cookie used by Mollie for fraud prevention during the transaction. |
Mollie uses cookies for user preferences — inform visitors with a consent banner.
Only strictly necessary first party cookies are set on the Mollie hosted checkout: a session cookie, a CSRF protection token and a small risk score cookie used for fraud prevention during the transaction. No advertising or analytics cookies are set by Mollie itself.
No banner is required to display the Mollie hosted checkout because the cookies in question are strictly necessary under Art. 5(3) ePrivacy. Consent only becomes relevant if you embed additional Mollie components such as marketing pixels on your own pages, which Mollie does not require by default.
Contract performance (Art. 6(1)(b) GDPR) for processing payment data necessary to complete the transaction. Legal obligation (Art. 6(1)(c)) for AML, PSD2 and tax record keeping. Strictly necessary cookies on the Mollie checkout rely on Art. 5(3) ePrivacy.
For standard online payments, no. Mollie hosts its infrastructure within the EU and operates as a Dutch licensed Electronic Money Institution. Card scheme communication with Visa, Mastercard or international wallets may technically traverse non EEA networks, but this happens under Mollie's controllership and the card scheme rules.
Standard online payment use of Mollie does not normally require a DPIA. A DPIA may become relevant for very large transaction volumes combined with extensive fraud profiling or biometric SCA flows.
Sign the Mollie DPA in your dashboard. Mention Mollie as a processor in your privacy notice with the EU hosting and PSD2 context. Use the hosted checkout to limit your PCI DSS scope. Configure SCA correctly. Define a retention period for order metadata aligned with your AML and tax obligations.
Other EU licensed payment providers include Adyen (Netherlands), Stripe (Ireland based EU entity), PayPlug (France), Worldline (France) and Klarna (Sweden). The privacy outcome is broadly similar provided the EU entity and EU hosting are used.
For most setups no update to the cookie banner is needed because the Mollie hosted checkout sets only strictly necessary cookies under Art. 5(3) ePrivacy. Update your privacy notice to mention Mollie as a payment processor, the EU hosting and the legal basis. If you embed any optional Mollie marketing components, list those cookies in your declaration.