I can just imagine how the incompetent men who are often completely oblivious to legal matters and technology that go by the title of 'elder' would mess this up:
At some point they need to share your ADD, so they scan it and mail it to other elders.
Now several elders have your personal identifiable data of the highest class on their PC. A PC that is often also used by their family members. A PC that may or may not have decent virus and hacker protection - it's a private PC, not a corporate one maintained by a proper IT dept. A PC that at one point may be thrown out or given away without being wiped properly by its clueless owner. God knows where your private data is kept or ends up.
At least the sending of email is done through jw so the data isn't also in several people's hotmail accounts (assuming the elders follow orders on this).
Regardless, all this is very much contrary to European law on personal data (GDPR).
For example, organizations should be able to tell you which data they keep of you, why, where, how, of how long. They must delete your data (or most of it) when you request so.
Guess what? Watchtower and your local congregation probably don't know what all those elders did with your files. They can't tell you, and are this in violation of GDPR. They also wouldn't be able to make sure all those elders removed your files when you did such a request. Another violation. And so on and so on.
Watchtower is very much screwed under GDPR. To adhere to it, they must properly arrange their affairs down to the lowest level of their officials. But when they do that, they lose the opportunity of limited liability and plausible deniability that they now often abuse when they argue that COs, congregations and elders are no part of Watchtower.