I think many are missing the point: ICANN are the controller in this case, and Tucows (and their subsidiary) the processor.

ICANN contracts Tucows to run the .de registry

ICANN contract requires they collect the said information

Tucows as processor must perform the duties they are requested by the Controller.

What ICANN does with that information is not Tucows' responsibility, however dodgy and against the law it is.

It is the responsibility of the registrant to gain consent from the technical and admin contacts to publish this information.

I agree ICANN need hauled over the coals for the privacy implications in Whois, but this case isn't about WHOIS and GDPR, it's about contracts.

