EU member states have the right to impose sanctions for breaches of data protection rules. These should apply to infringements for which no fines are provided in the General Data Protection Regulation. Penalties must be effective, proportionate and dissuasive.
In Germany, the Federal Data Protection Act regulates the criminal provisions for data protection violations. Anyone who, for example, transmits to others, without authorization and commercially, data of many data subjects that is not generally accessible can face imprisonment or a fine.
See also Fines
Article 84 GDPR (Penalties)
1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.
2. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
Source: Regulation (EU) 2016/679 (see also recitals 146 and 147)
Section 42 BDSG (Penal provisions)
(1) The following actions done deliberately and without authorization with regard to the personal data of a large number of people which are not publicly accessible shall be punishable with imprisonment of up to three years or a fine:
1. transferring the data to a third party or
2. otherwise making them accessible
for commercial purposes.
(2) The following actions done with regard to personal data which are not publicly accessible shall be punishable with imprisonment of up to two years or a fine:
1. processing without authorization, or
2. fraudulently acquiring
and doing so in return for payment or with the intention of enriching oneself or someone else or harming someone.
(3) Such offences shall be prosecuted only if a complaint is filed. The data subject, the controller, the Federal Commissioner and the supervisory authority shall be entitled to file complaints.
(4) A notification pursuant to Article 33 of Regulation (EU) 2016/679 or a communication pursuant to Article 34 (1) of Regulation (EU) 2016/679 may be used in criminal proceedings against the person required to provide a notification or a communication or relatives as referred to in Section 52 (1) of the Code of Criminal Procedure only with the consent of the person required to provide a notification or a communication.