That's the maximal fine (that was never used as far as I know, at least on a large company). In this case the fine is understandably much smaller, since the privacy incident is not critical, and Facebook reported the problem to the authorities on its own.

Thats the maximal fine I think, the judges can set the amount depending on the severity of the violation.