An old client of mine, an actual mom and pop operation in Germany was harassed and was almost ran out of business by a law-firm who went around, the moment GDPR dropped, trying to find targets to sue.
They received a letter threatening a lawsuit due to the fact that they had a newsletter sign up form without double opt-in feature on their site and some explicit legal documentation missing. Other than that it was a really simple presentational site made in Wordpress. Our business relationship ended years ago but I received a mail from them years ago asking for help in putting those things in because they were afraid of having to deal with legal stuff over such small bs. I obviously did.
Now I don't know German law, as I'm not German, but it felt like they were really afraid that it could happen.
AFAIK, no independent lawyer can sue you for violating the GDPR. Only the German regulatory body could sue them.