According to the General Data Protection Regulation (GDPR) there are certain situations in which parties are obligated to enter into a data processing agreement. However, this situation only occurs when these parties process data on instruction of another party.
Mollie is of the opinion that the processing of data in context of the contract with our merchants does not fall under this requirement. When it comes to the processing of data Mollie and the merchant are not acting on instruction of each other.
The data Mollie receives is processed under our own responsibility. Therefore Mollie is not considered a processor, but a controller as mentioned in the GDPR. This point of view is also explained in our Privacy Statement under 9, which you can read here.
This means that you are responsible for the safe and correct processing of the personal data you receive and you have to draft your own Privacy Statement. Therefore it’s not necessary to enter into a data processing agreement with Mollie.
If you’d like to read more about the position of the controller and processor, please contact your national privacy authority for additional information.