Simple: the fail2ban jails need the logs to keep the bots away, that prevent a proper operation. Thus it is technically necessary. And this is explicitly allowed as part of the GDPR.

On the other hand, nobody can help a clueless web dev.