The admin. We have documented, partially, how to do that on our customer portal. As it is complicated and different for each app, we expect admins to contact our support team for help if needed.
For future releases we’re working on making export and import easier, as well as make deletion work more fine-grained. For example, right now, deleting a user doesn’t delete his/her comments on files from other users. It is documented how to do that, but not easy and we’d like to have options for system admins for that in the future.
But that is still many months away, until then our support team is ready to help customers with this.
In general, I question whether running open source software without a support contract is GDPR compliant. You’re supposed to ensure optimal security, for example. In our case, we provide customers with security information ahead of patch releases and other services. If you run a commercial Nextcloud server and it is breached and you have no support contract, I guess your users could try to sue you for not keeping their data safe.
For individuals there is no problem of course. And providers which just serve up a VM or docker image for each customer can simply let them download the entire thing.
Then again, maybe it is fine - the GDPR is complicated and I am not a lawyer. Ask a real lawyer if you have legal GDPR questions!