It's fine to present a pdf, as long as it's legible and the code can be scanned.
> Het E-ticket dat wordt geladen op een mobiele telefoon, tablet of laptop is alleen geldig als vervoerbewijs als het duidelijk leesbaar weergegeven kan worden op de mobiele telefoon, tablet of laptop.
Without getting into the question of whether this study involved human subject research, I find a lot of the anxiety and paranoia unwarranted.
Companies to which these laws apply should already have a process in place to deal with subject access requests. Complying with relevant laws is just part of doing business.
All the other site owners could have figured out with a bit of googling that the laws don't apply to them—there is plenty of guidance available.
I can only speak for the GDPR here, but had the requests been real and valid, the worst outcome would have been a regulator telling you to comply with it. Data protection authorities are more interested in helping companies get into compliance than punishing small businesses for minor infractions. If you look at past decisions, it usually takes serious and/or systematic violations to get fined.
https://support.apple.com/en-us/HT210060