Hi,
This topic is confusing me as well and I can’t answer you your questions.
I just tried to find some answers on german websites and I read one clear statement, which I found interesting:
If you are a private person and provide a web service which is hosted by some web hoster (a company) then this company is a third party processing the user’s data. And you need to request an information about the data processing (storage, usage and all that stuff) from this web hosting company at least.
If you as well have to inform your users, where and what data is actually stored and how it is processed … I don’t know.
Especially if it makes any difference when you host the server yourself (within your own walls).
With the tools Nextcloud provides you should definitely be on the safe side: