I don't see that GDPR applies here. Perhaps German law says otherwise. I see no legitimate reason we must keep this private, when we have an obligation to minimize the monetary damages she is causing. According to Recital 50...."which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes".
Also, "Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller."
like(2)