The Netherlands’ Data Protection Authority has published its GDPR fining policy, which divides breaches into four categories according to their severity. The overlapping categories are:
1. up to 200,000 euros
2. 120,000 to 500,000 euros
3. 300,000 to 750,000 euros
4. 450,000 to 1 million euros.
A higher fine than 1 million euros is, of course, possible if the circumstances so require. It remains to be seen what the other DPAs will do, as the European Data Protection Board aims at consistency.
The fining structure is described here in Dutch.