I used to get scammers ringing my phone because I didn't buy domain privacy. Being in the EU, Do I still need to buy this service if I dont want scammers and spam ringing my phone by looking up whois?
They are two different things.
Typically, (it depends a little on the TLD), personal data is stored at two places: the registrar and the registry.
Typically, in gTLDs, there is a public whois server at the registry, and at each registrar, to get access to data. In ccTLDs instead it is often only at the registry.
In any way, a given source can send back only the data it has, or less, but not more. Of course now with the GDPR less and less data is published publicly by default, which means you get whois results like:
Registry Registrant ID: REDACTED FOR PRIVACY Registrant Name: REDACTED FOR PRIVACY Registrant Organization: Name.com Inc. Registrant Street: REDACTED FOR PRIVACY Registrant City: REDACTED FOR PRIVACY Registrant State/Province: CO Registrant Postal Code: REDACTED FOR PRIVACY Registrant Country: US Registrant Phone: REDACTED FOR PRIVACY Registrant Phone Ext: REDACTED FOR PRIVACY Registrant Fax: REDACTED FOR PRIVACY Registrant Fax Ext: REDACTED FOR PRIVACY Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name. Registry Admin ID: REDACTED FOR PRIVACY
But it remains that:
whatever data you give to a registrar may end up at registry also, per requirements (not true yet for .COM/.NET that remains a thin registry still, but that exception will disappear soon)
if you use some proxy/privacy service then the registrar will send that data (and not yours) to the registry: so even the registry will not know the "real data", and can technically not show anything else than the proxy/privacy service details. The registrar and its whois, can display what it wants.
They are caveats in both direction: