I don’t know the answer to this:
What does GDPR say about notes generated internally on customers?
If Company X has a database of customer data including both name & address details (which the customer can demand to see) and purchase history (which the customer can demand to see) and notes which includes an opinion “Customer Y is a total wanker, always moaning, don’t give them free stuff, they’re just trying it on”, and Customer Y demands to see their data under the GDPR, do you have to give them the notes?