> I wish there was a law that assigned a dollar value to different types of PII leaks

There is. It is called GDPR.

Plenty of companies have been fined for leaks like this.

Some countries also have whistleblower bounties but, as you might expect, there are some perverse incentives there.

Yeah, as an American, I'm jealous of many aspects of GDPR. I really appreciate you blogging / tooting about experiences protecting your rights under GDPR. I wish we had 1/10th of the consumer privacy protections you have.

How does security research like this work out in practice, in the EU?

I read a lot of vulnerability writeups like this and don't recall seeing any where the author is European and gets a better outcome. Are security researchers actually compensated for this type of work in the EU?

The GDPR (in art 32) only requires that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". I expect it's quite common for a company to get hacked even if they meet that level. I think the parent comment was imagining that any leak is automatically fined, regardless of whether the company had met some security requirement.

Does GDPR mandate a payout to the researcher after disclosure?

The GDPR makes it so small companies need to hire expensive lawyers to be compliant (and you still don't know for sure, based on the laws).

How about fining individual developers with poor coding practices?

No, it actually doesn't. It just needs someone in the company executive to not have their head up their ass, and read the law, which is fairly straightforward.

Also, it needs your company's business model to not be selling user data. That's why American companies find it hard to comply with.

It does not mean this.
