...
All collaborations will have to manage "(1)", the access personal data. This is the personal data, also known as personally identifiable information (PII), that comes from the authentication sources, is contained in the collaboration membership management service, and is collected as part of access control to services, accounting, and security logging. In most cases it will contain (semi-)public information such as the name of the user, the institutional email address, and the internet addresses from which the user originates. In a federated AAI, long-term credentials like passwords are usually present only in the authentication sources (the home organisation, or the user's wallet), but more ephemeral credentials like ID tokens and structured JWTs may also carry information about the user. This PDK article and the REFEDS Data Protection Code of Conduct ('DPCoCo') deal with this type of access personal data (only).
When you are based in, collaborate with, or process data of living people in the European Union and the EEA, as well as in jurisdictions with similar statutes, you are required to protect this data. You must follow 'privacy by design, privacy by default', protect this data at rest and in transit, and have an identified reason for handling the personal data in the first place. The General Data Protection Regulation (GDPR) and any national implementing legislation describe what you should do and what you cannot do. Even if you are not subject to GDPR, organisational policy may be in place (as it is for quite a few intergovernmental organisations), or your collaboration may want to work with users in a 'GDPR country' ... and you will be affected by GDPR anyway.
...