800k email records and passwords in plain text when breached. I don't know how big Knuddels are, so I don't know if that fine sounds lenient, right or high. Yet as it's a large breach it seems fitting of no warning first, considering the scale of negligence, mitigated by their "exemplary cooperation" afterwards.
Which goes to show why the regulators get the discretion to decide appropriate action from warning only to maximum fine. Without context and aggravating and mitigating factors we can't know, which was my point. If a penalty is disproportionate there are well-worn appeal tracks.
Other comments seem to point to the small case in OP's comment being some guy running a list to harass people, which seems like a huge aggravating factor to me. Maybe he got one warning, maybe in context he didn't deserve even that.