Nothing in GDPR gives you legal basis for that (the penalties under GDPR are paid to the state). But there isn't anything that prevents you to sue them either, so you just need to find another legal basis (like, to prove a damage) and convince the civil court. Civil courts have famously low standard (preponderance of evidence), so it doesn't sound easy, but it doesn't sound hard either.
In general case I think it might be hard to sue a company for any fixed amount of money due: it is hard to measure this, and companies are likely to low-ball the figure anyway.
Yet Meta has given a convenient, fixed number here, so perhaps such a lawsuit has a chance to succeed.
An administrative fine to a company because of GDPR violations allows the data subject to use the ruling as a basis for damages in a civil case. Further, emotional damages are allowed, also. And CJEU has reaffirmed there's no "minimum threshold" for damages. A user could claim 1 euro of damages. And there's momentum to make class action-esque "collective redress" a reality, which would be a mechanism with all the pros with class action in U.S., but with much less cons. Imagine 400 million users claiming 100 euros in damages. That's some change to spare for the company.