> with fingerprinting everything happens server-side (as I understand).

It happens client-side. Browser headers sent through for requests aren't enough for fingerprinting.

sure but anyway the data collection is not that important, it is actually the data storage and data deletion parts that are going to make or break a GDPR case.

on edit: better clarify, I mean if you are fingerprinting, but not storing in such a way that you can actually identify someone (although not sure why you would use fingerprinting then) then I don't think there is a case.