Source repositories in many (most?) companies include the full names of the employees who authored every particular commit. This is PII. GDPR refers to all personal information you're handling, not excluding information of your employees.
Also, looking up, you can undo a rebase with reflog, so even editing commits with an interactive rebase may not be enough to purge a git repo of identifiable information that people have entered.
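The reflog behaviour mentioned above, as an added example that is not part of the original comment: a rewritten commit keeps its old author name recoverable until the reflog entries are expired and the unreferenced objects are pruned. The names, e-mail addresses and temporary repository are constructed, and `commit --amend --reset-author` stands in for editing the commit during an interactive rebase.

```bash
#!/usr/bin/env bash
# Added example. Names, e-mail addresses and the temp repo are constructed.

# Create a throwaway repo with one commit authored under a full name.
make_repo() {
    r=$(mktemp -d)
    git -C "$r" init -q >/dev/null 2>&1
    git -C "$r" config user.name "Jane Example"
    git -C "$r" config user.email "jane@example.invalid"
    git -C "$r" config commit.gpgsign false
    echo data > "$r/file.txt"
    git -C "$r" add file.txt
    git -C "$r" commit -q -m "initial"
    echo "$r"
}

# Rewrite the commit under a pseudonym (same effect as editing it in a rebase).
rewrite_author() {
    git -C "$1" config user.name "dev-1234"
    git -C "$1" config user.email "dev-1234@example.invalid"
    git -C "$1" commit -q --amend --no-edit --reset-author
}

# Count commits authored by $2 among everything HEAD or any reflog still references.
count_name() {
    git -C "$1" log --reflog HEAD --format=%an | grep -c -x "$2" || true
}

# Drop every reflog entry, then delete the objects nothing references any more.
purge_unreachable() {
    git -C "$1" reflog expire --expire=now --all
    git -C "$1" gc -q --prune=now
}

repo=$(make_repo)
old=$(git -C "$repo" rev-parse HEAD)
rewrite_author "$repo"
echo "after rewrite: $(count_name "$repo" "Jane Example") commit(s) still carry the old name"
purge_unreachable "$repo"
echo "after purge:   $(count_name "$repo" "Jane Example")"
git -C "$repo" cat-file -e "$old" 2>/dev/null || echo "old commit $old is gone"
rm -rf "$repo"
```

This only cleans the local repository; every clone, fork or server-side copy that fetched the original commit still holds it.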