According to the GDPR, personal data may only be transferred outside the EU (to so-called third countries) if an adequate level of data protection exists in the destination country (Art. 44 GDPR). Correspondingly, data without personal reference may be transferred to the USA without restriction.
No personal data is transferred during the server-side conversion upload from etracker Analytics to Google Ads. Conversions are assigned to the corresponding ads and campaigns using the Google Click ID. The Click ID is used exclusively to track the success of the campaign and enables the assignment of conversions to the corresponding Google Ads advertisements. Remarketing in the sense of allocation to individual users and their specific targeting is therefore excluded. The use of imported conversion data for target group segments is not possible. The processor therefore has no way of identifying the user behind the Click ID. Thus, it is not possible for the website operator to identify data subjects on the basis of the Google Click ID.
In this sense, the conversion data uploaded to Google Ads does not relate to a natural person and the Click ID is not an online identifier in the sense of https://gdpr-info.eu/recitals/no-30/.
A combination of conversion data with user data for Google’s own purposes alone, which remain hidden to the advertising company, cannot be fundamentally ruled out. This is because every click that comes via an advertisement is evaluated by Google with an individual Google Click ID (GCLID). Google could theoretically merge the conversion with the other tracking data for the respective user if Google carries out a matching of generated click IDs and user IDs. However, the fact that “target group segments” and “remarketing” are excluded by means of GCLID and requires the transfer of other identifiers or the implementation of Google tags, for example, see https://support.google.com/google-ads/answer/9199250?hl=de, speaks against this.
Although Google does not explicitly exclude merging, for example, documents has published in which uploading by means of Click ID is explicitly advertised as meeting strict data protection requirements, see: https://www.thinkwithgoogle.com/_qs/documents/4066/comdirect_Offline_Conversion_Tracking_07.pdf. Therefore, we consider it as responsible to see this as a credible confirmation that a purely Google-internal identification by means of the Google Click ID does not take place.