PeterStuer a day ago

It is always possible. Even if you do not need any permissions to access the AndroidID, nobody forces you, the app seller, to use it.

I have worked as an enterprise integration architect in highly regulated environments. Sometimes you reuse interfaces that give you tons of info you are not supposed to have access to. You sign contracts that you will never look at this (dump it at the interface layer). This is acceptable in compliance.

Chances that in this case the app does not hoover up all it can? 0%

d1sxeyes 10 hours ago | parent [-]

It’s not about “the app”. The app can have two or two million datapoints locally.

What matters in terms of processing is how much of it gets sent to LALIGA (or their provider).

On a separate note, I am surprised you think you can just promise not to look at something. You can’t, it’s not “acceptable in compliance”, and I’m not even sure what that means—there’s no body that certifies GDPR compliance.

PeterStuer 9 hours ago | parent [-]

It is acceptable. I have sat many times through compliance meetings and negotiations. I would think compliance officers of very large enterprises know their game.

d1sxeyes 8 hours ago | parent [-]

You might think that.

But there’s plenty of evidence suggesting you would be wrong. The biggest fines under GDPR have been for Meta, Amazon, TikTok, Uber, LinkedIn.

Even outside of tech you don’t have to look too far down the list to find H&M, British Airways, Marriott Hotels, Vodafone…

https://www.enforcementtracker.com

This example specifically refers to failure to adequately secure systems against unauthorised use: https://www.enforcementtracker.com/ETid-2306

This one is even closer to what you’re saying—Vodafone didn’t do enough to monitor third parties working for them: https://www.enforcementtracker.com/ETid-2646