Why is there a correlation between software being open source and a legal framework?
Anybody is free to develop software, open or closed. GDPR just means a data controller (the business/organisation responsible for the personal data processed) needs specific agreements with its data processors (businesses providing a service to the data controller), among other things regarding information security.
If an EU business chooses to:
- Use Joplin personally with third-party sync, the service provider offering sync must be procured with a proper data-processing agreement (DPA).
- Use Joplin Cloud, Laurent's business provides the sync service and storage. The business must have a DPA with Laurent.
- Use a hoster for their 'private Joplin Cloud' with Joplin Server, same thing.
- Use Joplin Server on premise, all the other GDPR rules apply to that business, but there doesn't need to be a DPA.
So there is no legal obligation to develop things left or right.
But if Joplin is going B2B with EU customers, then these checks will show up.
I encounter many 'handy apps' that become unprocurable, maybe there is no business to sign a DPA, or they themselves use subprocessors without proper DPAs.
Compare with Linux. You can't procure it from Linus Torvalds. But lots of businesses offer hosting etc.