The main focus of GDPR is to encourage organisations to have good hygiene data protection practices. The emphasis is on the legal liability of data controllers and processors where Article 83 and 84 advocate administrative fines. I believe Germany has taken extraordinary steps where personal liabilities (eg. imprisonment) may implicate DPOs too and discourage anyone willing to step forward to assist their organisation in compliance.

I have seen punishments like imprisonment for the listed illicit activities in other laws such as Computer Misuse Act, Cybersecurity Law. 

Hi Yves,

In Denmark we are still debating if public authorities should be able to receive administrative fine. Very depressing....

/Michael

It's not in the EU, but here in Singapore the Personal Data Protection Act(PDPA) has got some teeth in the form of a catch all on inspection:

General Offences and Penalties

It is an offence under section 51(3)(b) and (c) of the PDPA to:

• obstruct or impede the PDPC, its inspectors or other authorised officers in the exercise of their powers or performance of their duties under the PDPA; or
• knowingly or recklessly make a false statement to the PDPC, or knowingly mislead or attempts to mislead the PDPC, in the course of the performance of the duties or powers of the PDPC under the PDPA.

An organisation or person that commits an offence under section 51(3)(b) or (c) of the PDPA is liable to:

• in the case of an individual, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both; and
• in any other case, to a fine not exceeding $100,000.

Also as you might expect there are some pretty far reaching powers of investigation:

https://www.pdpc.gov.sg/organisations/enforcement-matters/personal-data-protection-breaches