Facebook may face a fine of €100,000 ($138,845 U.S.) after a student claimed that the social network has retained data he thought he had deleted from his profile. Austrian law student Max Schrems asked Facebook for a copy of the data the company holds on him in June after attending a lecture by a Facebook executive while on an exchange program in California. The company sent him a CD containing around 1,200 pages of messages and information he claimed he had deleted from his profile.

Among the information were rejected friend requests, details of people he had unfriended and chat logs. All of the photos he had detagged himself from were listed in the documents, along with the names of everyone he has poked, the events he has attended and much more.

The data was broken down into 57 different categories, such as his Likes, log-in information (including the dates and times of when he logged on and the IP addresses of the computers he used to access Facebook) and emails.

Schrems told The Guardian that:

I discovered Facebook had kept highly personal messages I had written and then deleted, which, were they to become public, could be highly damaging to my reputation.

I’m not saying there was anything criminal or forbidden there, but let’s just say that, as someone wanting to work in law, there was stuff which could make it pretty impossible for me to get a job. … Information is power, and information about people is power over people. It’s frightening that all this data is being held by Facebook.

Of course, they are not misusing it at the moment, but the biggest concern is what happens when there is a privacy breach, either from hackers or from someone inside the firm?

Schrems set up a campaign website called Europe vs. Facebook and opted to log 22 seperate complaints with the data protection commissioner in Ireland, which will carry out its first audit of the social network next week. European Facebook users fall under the administration of the Facebook office in Ireland.

The data commissioner’s office said it will be investigating Schrems’ claims as part of the audit. If Facebook is prosecuted and the company or any of its employees are found guilty of breaching data protection rules, Facebook may be fined up to €100,000.

Facebook said that any user is entitled to receive a copy of their personal archive from the social network. In a statement, a Facebook spokesman said:

Facebook provided Mr Schrems with all of the information required in response to his request. It included requests for information on a range of other things that are not personal information, including Facebook’s proprietary fraud protection measures, and ‘any other analytical procedure that Facebook runs’. This is clearly not personal data, and Irish data protection law rightly places some valuable and reasonable limits on the data that has to be provided.

We reported last month that the Irish data commissioner is investigating Facebook over concerns related to how it handles European users’ data. A report on the audit is expected by the end of the year.

It’s not the first time that Facebook has come under fire over issues related to privacy. On Monday, we reported that several people who had filed lawsuits against Facebook are attempting to consolidate 11 privacy class action suits against the social network. Their claims relate to the allegation that Facebook was tracking users’ Web browsing activity even after they had logged out. The social network has since resolved the tracking cookie issue.

The social network was investigated by data protection officials in June over its facial recognition system. George Jepsen, attorney general of Connecticut, also raised concerns about the system before Facebook made it a little easier for you to opt-out of the Tag Suggestions feature that the uses the system.

The social network has also faced criticism in Germany. Politicians argued for parties that are organized on Facebook to be banned if they cause a threat to law and order, before the company was threatened with legal action by a data protection official over the facial recognition system. State institutions in Schleswig-Holstein were told to remove their Facebook pages and delete the Like button from their websites to stop them from sending data to Facebook. Following these concerns, Facebook agreed a voluntary code of conduct with Germany last month.