I might be completely wrong here, but I don't believe that the GDPR requires that the user themselves can delete the information. I imagine that as long as instance owners / admins delete user data upon the user's request to do so, that they'd be operating within GDPR standards.
But again, I probably don't know enough about GDPR to be commenting on it :P
I've yet to play it, but I've only heard good things! Looking to purchase it next time it goes on sale