According to the EU General Data Protection Regulation (GDPR) and the UK GDPR there are certain situations in which parties are obligated to enter into a Data Processing Agreement. This situation occurs when one of the parties (the so-called processor) processes data on behalf of and upon strict instructions of the other party (the so-called controller).
Mollie is of the opinion that the processing of data in the context of the User Agreement with our merchants does not qualify as a controller-processor relationship. When it comes to the processing of data, Mollie and the merchant are not acting upon instructions from each other, but are both independent controllers responsible for the personal data they process. This means that both parties have to comply with the requirements for controllers as laid down in the (EU or UK) GDPR. This point of view is further explained in our Privacy Statement under section 2, which you can read here.
If you’d like to read more about the position of the controller and processor, please contact the Information Commissioner's Office (ICO) for more information.