Is an advertiser permitted to use a person’s data as transaction ID?

Daisycon maintains the principle of privacy by design. In short, this means that we save as little (personal) data as possible. One of the outcomes of this is that we do not want advertisers to pass on personal data to us without any clear necessity.

In a few cases, an advertiser can decide to use for example an unencrypted email address as transaction ID. This is to identify the transaction at a later time. Daisycon strongly advises advertisers against doing this and to use an pseudonymised parameter as a transaction ID instead. Should an advertiser choose to use a personal data (which only occurs as an exception), both Daisycon and advertiser still comply with the GDPR. The transaction ID is not shared with third parties (even with the publisher). The standard processor agreement that Daisycon concludes with its advertisers, includes among other things, a confidentiality clause and Daisycon secures the data adequately. There is a legitimate interest in using the personal data, as the advertiser cannot otherwise perform performance-based marketing. The risk to the consumer’s privacy is extremely limited.