Expert report accuses PayPal of serious data protection violations

A recent expert report by the Netzwerk Datenschutzexpertise network concludes that the payment service provider PayPal is, in the authors' assessment, in significant breach of key provisions of the EU General Data Protection Regulation (GDPR) and the German Payment Services Supervision Act (ZAG). The analysis focuses in particular on the processing of transaction data for advertising purposes, the design of the consent mechanisms, and the scope and transparency of data transfers to third parties.

According to the experts, PayPal uses its users' payment and purchase data for its advertising business, which it has expanded since 2025, including for targeted advertising on external websites and in mobile applications. In the authors' view this is a change of purpose that is not legally permissible: under the ZAG, a payment service provider may use personal data only to carry out the payment service itself unless the user has given separate, explicit consent. It is precisely this requirement that the experts consider unfulfilled.

The design of the consent mechanisms is viewed particularly critically. Consent to the use of data for advertising purposes is already enabled by default when an account is created, which contradicts the GDPR principle of data protection by default. In addition, users are not sufficiently informed about the scope and significance of these consents, so that, in the experts' opinion, there is no informed and therefore no valid consent.

Another focus of the report is the transfer of personal data to third parties. In its privacy policy, PayPal refers to an extensive list of several hundred potential recipients in numerous countries, including credit agencies, marketing companies and large US technology groups. It is not clear to users which specific data is transmitted to which recipient. Moreover, this information is available only in English and is filed under names the experts consider misleading.

The report further criticizes deficits in PayPal's fulfilment of its information obligations. Information on the purposes of processing, the legal bases, intra-group data flows and automated decision-making is incomplete or unclear, and the exchange of data within the group is described as opaque. According to the authors, PayPal also fails to acknowledge its joint controllership under data protection law with the participating merchants and banks.

The experts also criticize the planned retention periods for personal data: a blanket retention period of up to ten years after the end of the contract exceeds, in their view, what is legally permissible. They further see open questions regarding transfers of data to third countries and doubt that the binding corporate rules used within the group meet the requirements of the GDPR.

PayPal has stated that it is currently reviewing the report. The company emphasizes that compliance with European data protection requirements is central to the development and operation of its products. A substantive response to the specific allegations is not yet available.

Conclusion

The report paints a comprehensively critical picture of PayPal's data protection practices and accuses the company of systematic violations of European data protection and supervisory law. If the allegations are confirmed, the regulatory and legal consequences could be significant. At the same time, the case highlights the growing importance of data protection oversight at the intersection of payment processing, the advertising business and international data processing.

Sources

Source: Netzwerk Datenschutzexpertise
Key statement: Expert opinion on alleged GDPR and ZAG violations by PayPal, in particular on the use of payment and transaction data for advertising purposes and on ineffective consent
Link: https://www.netzwerk-datenschutzexpertise.de/gutachten-paypal-datenschutz

Source: General Data Protection Regulation (GDPR), European Union
Key statement: Binding legal framework on purpose limitation, consent, transparency obligations, data protection by default and third-country transfers
Link: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016R0679

Source: Payment Services Supervision Act (ZAG), Germany
Key statement: National requirements for the processing of personal data by payment service providers and for the express consent of users
Link: https://www.gesetze-im-internet.de/zag_2018/

Source: European Data Protection Board (EDPB)
Key statement: Guidelines on consent and on the processing of personal data for advertising and marketing purposes
Link: https://www.edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
