
Re: (Lack of) GDPR compliance in Debian



If Debian has not been publicly registered in Europe, Debian is a de facto entity in Europe. However, the text also addresses the issue of exporting personal data outside the EU and obliges all data controllers (including those with registered offices outside the EU) who process data of EU residents to observe and comply with the obligations foreseen.

The sharing of public personal data is possible if the user is informed and consenting.

Debian simply has to indicate a contact for revoking the sharing of personal data. If Debian refuses to comply, the responsibility will automatically fall on whoever manages the mailing list (art. 5).

Article 17 provides that the data subject has the right to request erasure of personal data related to them, on any one of a number of grounds, within 30 days, including noncompliance with Article 6(1) (lawfulness), which includes a case (f): if the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Regarding art. 5, you will find several posts that argue it:

<<The new regulations introduce the Accountability Principle concept which requires firms to show how they are complying with the principles of the legislation. In effect this means keeping records of decisions taken with regards to customer data. This principle not only affects the collection of new data, but data already being held.

Article 5 of the legislation requires that all currently held personal data be:

• Collected for a specific purpose and that purpose is made clear to all those whose data you hold.

• Data must not be used for any other purpose than for which you have sought permission.

• You should only hold as much data as you need to complete the task for which you are holding the data. (Any other data should be deleted.)

• All data must be accurate and kept up to date at all times. Inaccuracies must be rectified immediately and any rectifications shared with third parties to whom you have sold the data.

• You should only keep data for as long as is necessary to complete the task for which you have sought permission.

• Data should be securely stored and protected against unauthorised access.>>

From

https://www.catalyst2.com/blog/mailing-list-currently-held-data-gdpr-compliant/
