When it comes to mobile carriers it's common for them to lease the name off each other as to appear the same even though it's different companies. The T-Mobile from Germany may be a totally different (though equally shitty) company than the T-Mobile we're talking about here.
For GDPR, it does not matter where a company is headquartered. GDPR applies to EU citizens (users, customers). That's why big companies often comply with GDPR for EU citizens but completely ignore it for people outside. It would be interesting to see if that's the case for T-Mobile. If the leak exposes GDPR violations, fines will most likely follow.
