It's a breach of GDPR if he has accessed your systems to get the information for his own purposes - that's not the reason the information was recorded. If he is getting in touch with pupils who have given him their contact details, shouldn't be an issue.
The Information Commissioner's Office would be your first port of call.