> we have GDPR in order to punish intentional bad behavior, not to prosecute incompetence

Nope. It is to protect users.

Users are harmed by both intentional bad behaviour and incompetence. This is the same principle as strict liability for product faults.

If incompetence is an acceptable excuse, every company interested in this tactics will become remarkably "incompetent".

GDPR is intentionally set up to punish incompetence: GDPR 5 1 f: Personal data shall be [...] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

Nothing in there limits responsibility, damages or punishments to intentional behaviour. Incompetence, be it organisational or individual, is not excluded. And a company can be punished for not implementing appropriate controls for individual incompetence or malice towards personal data.

> we have GDPR in order to punish intentional bad behavior, not to prosecute incompetence

That was exclude any data breaches though, wouldn't it? Because they are always incompetence rather than intentional bad behaviour on the part of the breached companies.

Data breach will not disappear thanks to GDPR. GDPR tell you that you must, if possible, notify in case of data breach.

Correct but incomplete: GDPR also tells you to use appropriate measures to prevent breaches. And of course if there was a breach, your measures were not appropriate so you need to change them.