MR> Great! Why haven't you asked him if the GDPR applies to Fidonet and MR> what the risks involved are? The input from an expert would be really MR> helpful.
I think you are asking too much. Lawyers aren't future tellers. Earlier this week, I discussed the matter with my sister in law. She is a lawyer and she does the administration for a couple of small non profit organisations.
She confirmed that the "AVG" as it is called here surely applies to Fidonet, but that is about all she could tell. It all depends on how this all is going to work out in practise and the fact is that nobody knows. You can ask for a risk assesment, but the fact is that not enough data is available. Most likely there will be court rulings and court rulings are unpredictable.
At least that is the situation in The Netherlands. You may call it playing Russian roulette, but other than what I wrote about the location field in the nodelist, there is not much that I can do at the moment other than see how this evolves.
Dutch saying: "De soep wordt nooit zo heet gegeten als ze wordt opgediend."