It’s not about “the app”. The app can have two or two million datapoints locally.

What matters in terms of processing is how much of it gets sent to LALIGA (or their provider).

On a separate note, I am surprised you think you can just promise not to look at something. You can’t, it’s not “acceptable in compliance”, and I’m not even sure what that means—there’s no body that certifies GDPR compliance.

▲

PeterStuer 9 hours ago | parent [-]

It is acceptible. I have sat many times through compliance meetings and negotiations. I would think compliance officers of very large enterprises know their game.

	▲	d1sxeyes 8 hours ago \| parent [-]
		You might think that. But there’s plenty of evidence suggesting you would be wrong. The biggest fines under GDPR have been for Meta, Amazon, TikTok, Uber, LinkedIn. Even outside of tech you don’t have to look too far down the list to find H&M, British Airways, Marriott Hotels, Vodafone… https://www.enforcementtracker.com This example specifically refers to failure to adequately secure systems against unauthorised use: https://www.enforcementtracker.com/ETid-2306 This one is even closer to what you’re saying—Vodafone didn’t do enough to monitor third parties working for them: https://www.enforcementtracker.com/ETid-2646