The "you won't get big fines if you try your best" thing isn't in the law. I believe you that it is probably true, but it relies on the reasonableness of all current and future regulators. I don't like that.
The law only says regulators should think about your intentions when assessing penalties (among many other factors).
Is there anything stopping a regulator from deciding an unintentional violation is "only" a company-destroying 5M euro fine instead of the full 10M? In fact, couldn't it still be a 10M fine? Or should I expect to be let off with a warning? Seems like I'm depending on the good will of the regulators of every single EU member state...
I do not think it's impossible to write a law that says fines for minor and unintentional violations are limited by statue.
That's what makes me nervous about interpretation of GDPR. The EU has 28 member states. Let's say each one of them has a 90% probability of their regulators being reasonable at any given time. Does that mean the chances of the regulators on the whole being reasonable are 0.9^28? (In other words, about 5%?)
As an outsider, I would love to hear that that's not how it works. Do the member states have any checks on each other's enforcement?
