The GDPR doesn't just apply to legal persons (companies), it also applies to natural persons (individuals). If a Lemmy server is hosted in the EEA (EU+Norway, Lichtenstein, Iceland) and Switzerland it should have to comply with EU data protection laws.
For this Lemmy would need to implement deletion. As the feature does not exist the admin would likely have some initial legal protection (grounds of impossibility), but I'm not sure how much, in particular if there are repeated requests. That would probably lead to Lemmy being deemed illegal in the EEA and switzerland (32 countries)
Concerning federation, if Lemmy implements deletion and a federated server does not respect the deletion, that server is liable, not the original Lemmy server.