Yeah, data can be legally collected even under GDPR of course. The real can of worms opens up IF the previous user data is retained after factory resetting the console for resale - if the console still contains any data in any form that can be connected to the previous owner.GDPR is not a bullet that all data is not allowed to be collected. This is a common misconception.
Some data that can't be connected to a user can be saved for up to X amount of days from last usage. We know Nintendo collect less for Europeans but they still collect data. You can ask Nintendo for what they got on you with the help of GDPR.
Part of my work is checking and prepping used consoles for resale and we got finally a coutious green flag after I presented that we can completely wipe certain older consoles and the practises for doing that. If Switches retain even some of the previous user info, that means we have to put them into data safe recycling, even in working condition