> Why does the court even have the option to completely destroy a startup like that?
Supposing 100% of the startup's revenue comes from GDPR violations and they've been doing so for, say, 5 years, then the fine should really be 500% of annual revenue. Or even multiply that by 2 or 3 for punitive purposes. It may or may not destroy the startup, depending on how well funded they are. They could be breaching privacy for reasons other than revenue.
Supposing 100% of the startup's revenue comes from GDPR violations and they've been doing so for, say, 5 years, then the fine should really be 500% of annual revenue. Or even multiply that by 2 or 3 for punitive purposes. It may or may not destroy the startup, depending on how well funded they are. They could be breaching privacy for reasons other than revenue.