Under the EU and UK General Data Protection Regulation (GDPR), so-called controllers and processors need to conclude an agreement where the processor processes personal data on behalf of the controller. “Processing on behalf” means that that party (the processor) only processes the data upon instructions of the controller, who determines for what purpose(s) which personal data is processed.
Why do I need to agree with the Data Processing Agreement?
The Data Processing Agreement (DPA) [see below] lays down the GDPR obligations and responsibilities of both you and Mollie for the processing of personal data of your customers for invoice purposes. For the purposes of Mollie Invoice, you, the Mollie customer, act as a controller and Mollie as a processor. You determine which data you process of your customers (i.e. the payers) for invoices. Mollie only provides you with the possibility to create and send invoices, but does not have any own purposes for collecting or using the personal data of your customers with regard to the invoices. You cannot choose not to conclude the DPA, because it is a legal requirement.
What is the scope of the Data Processing Agreement?
The scope of the DPA is limited to the Invoice product only. Mollie acts as a controller to the extent that Mollie processes personal data involved in payment transactions to:
- Execute the User Agreement;
- Monitor, prevent and detect fraudulent payment transactions;
- Comply with legal or regulatory obligations applicable to the processing and retention of payment data to which Mollie is subject, including applicable anti- money laundering screening and compliance with know-your-customer obligations; and
- Improve Mollie’s products and services.