Hi @Oliver and thank you for your investigation on that.
In fact I think we could do without consultancy on this if we take the time to read carefully all the documents. I would be happy to work with you on that if you want to team up. I think I wanted to be reassured that what I understood was correct and our plan makes sense, and I didn't want to work alone on that, but if we can pair that would be great. The person I know is a contact from OuiShare who is very involved in Open Source advocacy and also data protection and is starting an activity to support data management compliance processes for companies. But of course, if we can avoid spending money on this it's better.
Would be great to list both the duties of the processor and the controller and compare to what OFN and hubs actually do and what needs to be changed. Like build a plan. This can be useful then for OFN to publish some guidance on that for other food hubs on what is their responsibility regarding their customer data, and what is the OFN responsibility and what we have set up or are setting up to be compliant.
And maybe in that process if there are really crucial points we can always ask some advice on our way.
I had started in C in this discussion to list some things but I can go again through all that and we can open a common spreadsheet on the drive for instance.
I just found this link which seems pretty useful: https://gdpr-info.eu/art-24-gdpr/
About the register, actually when re-reading Article 30 I think you are right, we don't seem to be in the scope. If we are in the scope in France we are supposed to make the register available for the CNIL, but anyway you are right we don't need to send it. You're right that there is no issue in itself with uploading data in a spreadsheet, and that things need to be kept proportional. But for instance if you upload that file on drive and don't control carefully access to the drive, I guess this is not so much of a good practice regarding the "data security". So that can be interesting I guess for both processors and controllers to think about what they do with the data, where they are stored, is it secured, who has access, etc. And keeping that in a kind of "register" I guess anyway makes sense and just proves that we have reflected on that.
Article 37, on data protection officer: "In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors." So it seems to depend on every country. On the French CNIL website they say it is "encouraged" for all.
I'm leaving on Sunday for Australia, not sure I'll have time to work on that before, but if you open a document I'm happy to work with you on that if you want.
Cheers !