They basically claim that the customer (the one who signs the contract, not the Zoom user) who hosts the meeting is responsible for GDPR compliance by defining the right account settings. So if you are invited on a call you basically have no rights.