The law is written such that they could do all that to a small family business that forgot to delete their Apache logs, which isn't good and leaves room for abuse even if they pinkie swear it's only meant for big violations.

Well, not for public bodies at least: “ Administrative fines cannot be imposed on public organisations, such as the government or state-owned companies, municipalities and parishes” [1]

But luckily this sort of thing never happens in the public sector. Except for when it does: https://yle.fi/a/74-20094950

[1] https://tietosuoja.fi/en/corrective-powers

> So they're saying this is not the case?

Yes it was. The company was fined 20M EUR on standard GDPR-basis and went bankrupt (but unlikely due to the fine alone). Please re-read the above discussion.