Encrypted folder with different access rights for different users

With the GDPR (General Data Protection Regulation of the EU) comes the necessity for many companies to store certain personal data (CVs, certificates, passport copies, etc.) centrally and encrypted. The data is available e.g. as Word or PDF files, in our case altogether 2000-3000 files distributed across 10-15 directories.

The files must be stored encrypted, to prevent even IT administrators from accessing them, and centrally, so that information or deletion requests from affected persons can be followed.

That means that only a few people must be able to see/delete all data in the encrypted folder, whilst others only have access to their data stored in subfolders.

How can these requirements be fulfilled with a system, if possible with on-board means from Windows Server or a simple software?

According to my research, EFS or BitLocker are not usable, because either the rights can only be set on single files or no different rights within a container are provided.

I am very grateful for suggestions.