Lemmy may be developed partially by EU funding, but that doesn’t mean they’re necessarily following EU laws.
For what it’s worth, complying with the GDPR and other privacy laws is on the corporate instance owners, not on the Lemmy devs. It’s up to the instance devs to make sure things like data encryption and deletion requests are set up correctly.
That said, there are exemptions for personal use. Things become a little muddy when you get to the “personal server but donations” territory, but companies and people have very different obligations when it comes to privacy.
Lemmy needs better tooling for privacy compliance, though. As an instance admin, the only way to generate full takeouts is to go through the database manually. The export button helps a lot, but doesn’t contain all user data.
“Maybe check if the website you signed up with is following the law” is a ridiculous take. They may be overestimating their privacy rights (especially when it comes to small servers run by individuals) but that’s not how the law works.