GDPR is intentionally set up to punish incompetence: GDPR 5 1 f: Personal data shall be [...] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."
Nothing in there limits responsibility, damages or punishments to intentional behaviour. Incompetence, be it organisational or individual, is not excluded. And a company can be punished for not implementing appropriate controls for individual incompetence or malice towards personal data.
Nothing in there limits responsibility, damages or punishments to intentional behaviour. Incompetence, be it organisational or individual, is not excluded. And a company can be punished for not implementing appropriate controls for individual incompetence or malice towards personal data.