It feels like you perhaps didn't understand my comment. I'm not saying that LALIGA couldn't identify you if they wanted. They certainly could (and probably do).
What I'm saying is that it is possible to build a system where the app dispatches some kind of event to a server which does not have any identifying information associated with it.
It is always possible. Even if you do not need any permissions to access the AndroidID, nobody forces you, the app seller, to use it.
I have worked as an enterprise integratation architect in highly regulated environments. Sometimes you reuse interfaces that give you tons of info you are not supposed to have access to. You sign contracts that you will never look at this (dump it at the interface layer). This is acceptible in compliance.
Chances that in this case the app does not hover up all it can? 0%
It’s not about “the app”. The app can have two or two million datapoints locally.
What matters in terms of processing is how much of it gets sent to LALIGA (or their provider).
On a separate note, I am surprised you think you can just promise not to look at something. You can’t, it’s not “acceptable in compliance”, and I’m not even sure what that means—there’s no body that certifies GDPR compliance.
It is acceptible. I have sat many times through compliance meetings and negotiations. I would think compliance officers of very large enterprises know their game.
What I'm saying is that it is possible to build a system where the app dispatches some kind of event to a server which does not have any identifying information associated with it.