An official watchdog in Germany says a popular talking doll poses a real threat to the public — claiming the smart technology in the My Friend Cayla figure can gather personal data.

The warning — issued by Germany’s Federal Network Agency, which governs telecommunications – follows legal concerns raised by Stefan Hessel, a student from the University of Saarland in western Germany, BBC reports.

Hessel told German website Netzpolitik.org that a Bluetooth-enabled device could connect to Cayla’s speaker and microphone system with a radius of 33 feet – and anyone who wanted to spy on someone playing with the doll could do so “through several walls.”

The doll essentially acts as a “concealed transmitting device,” which is illegal under German telecommunications laws, according to a Federal Network Agency spokesperson.

“It doesn’t matter what that object is – it could be an ashtray or fire alarm,” he told Sueddeutsche Zeitung, a daily newspaper published in Munich.

The toy had already been the subject of consumer complaints in the European Union and the United States, where privacy advocates filed a complaint with the Federal Trade Commission in December. The doll and another toy called i-Que robot posed an “imminent and immediate threat to the safety and security of children,” the Electronic Privacy Information Center and other privacy watchdogs claimed, according to PCMag.com.

Messages seeking comment from FTC officials and Genesis Toys, which manufactures the doll, were not immediately returned on Friday.

The company, according to its website, claims it maintains “tight controls” over the data collected from users, retaining it in secure databases with limited and controlled access. But it stopped short of promising “absolute security” of user data, including names, email addresses, zip or postal codes and birth dates.

“We will undertake internal reviews of our data collection, storage and processing practices and security measures, including appropriate encryption and physical security measures to guard against unauthorized access to systems where we store personal information,” the company’s website reads. “Please remember however that unfortunately no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security.”