Reviewer recruitment and GDPR compliance in OJS3

I think I have read somewhere that this is in discussion, but I haven’t found the actual discussion. It is not mentioned in the GDPR compliance post on here. The issue is: the current practice of recruiting new reviewers is not really GDPR compliant, is it? The editor takes personal information (name, email address, often also affiliation) and creates an OJS account to send the actual review invitation without asking the user for consent first. Then, there are two follow-up scenarios:

A) The reviewer logs in to their account and either declines or accepts the invitation

B) The reviewer does not respond at all

For case A,
Does the reviewer, upon their first login, have to consent to the same conditions as a reader/author compared to when they take the ‘regular’ route for registration?

For case B,
An automatic deletion of the newly created reviewer account would be beneficial, either after a specific amount of time or after the respective submission for which he was recruited has moved on from the review stage. This does not only enact somehow the ‘right to be forgotten’ but also helps the editors to keep their reviewer list clean.

Has anyone come up with alternative ways to recruit a new reviewer, who does not have an OJS account yet?

See Allow journal managers to invite users to adopt a role · Issue #3022 · pkp/pkp-lib · GitHub