Interesting thing, thanks for pointing it out, @StealWonders. I've done some reading on this - of course I have no legal background, but as far as I can see this is the situation:
The only time we are responsible is if we collect payments ourselves, run the website ourselves, or collect personal information in some other way by ourselves. The first two I have touched on before - PayPal handles our payments, Enjin handles the website.
The only issue I could see coming up is "collect personal information in some other way" - the two facets to this are IPs and UUIDs, which various server plugins will collect. UUIDs can be discarded - they are not personal information and are owned by Microsoft, not the players.
IPs, however, are categorised as PII under EU law, and so theoretically must be deleted should a player request it, since we are based in the UK. However, this is not actually the reality. I'll need to contact Tim to confirm this, but IP logs are not stored permanently either - and as long as this is less than 30 days, there is no issue (EU law would require us to comply with a deletion request within 30 days, and as they would be deleted within that time anyway, this is a non-issue). Further to this, if a banned user requests their IP be deleted, this can be contested under security grounds.
Lastly, enforcement. The EU almost certainly won't go round trying to enforce things such as this. IPs are already kept anonymous by the server, so really there is little issue.