Within the EU there's actually a standardised return address for unsolicited invoice and financial mail coming from <no-reply@domain.com>:
gdpr@domain.com
Don't arse around with customer "support". If they're sending emails that contain PII (or indeed "manage your account" links) without verifying account control to a third party (you), then just forward it to the compliance department and let them give their developers a shoeing.
If you feel particularly malicious, you could also "help" by reporting the data breach to the national regulator. In the case of PayPal, the Financial Conduct Authority could also be fun.