Comment by SpicyLemonZest

I understand why the author thought that way, but showing up with private data that the company is obligated to protect complicates things quite a lot more.

I've dealt with security issues a number of times over my career, and I'm genuinely unsure what my legal obligations would be in response to an email like this. He says the company has committed "multiple GDPR violations"; is there something I need to say in response to preserve any defenses the company may have or minimize the fines? What must I do to ensure that he does eventually delete the customer data? If I work with him before the data is deleted, or engage in joint debugging that gives him the opportunity to exfiltrate additional data, is there a risk that I could be liable for failing to protect the data from him?

There's really no option when getting an email like this other than immediately escalating to your lawyers and having them handle all further communication.