They are "legit" in the sense they were wanting to study GDPR replies, but their method looked like a spam/phishing attempt.

https://electronicprivacy.eu/?lang=en is if you want to read their "clarification".