That is not how the EU works, in the US i would be very afraid reading that, in the EU nothing will happen if you do not violate in a spectacular way, and that, after many warnings. They are after companies tracking you across real estate and selling relevant data from their vast silos to companies that can market stuff to you. They tried many ways already to prevent this kind of practice in some countries but loopholes were found so this is the hammer. As a small company, if you answer and act on actual user complaints, you have no worries no matter what the language. It is not in their interest to go for small offences. And if your story is reasonable, like OP, they will just let it go.
What this gives the EU is the hammer to hit persistent abusers of user data. They want you to be careful with user data and not treat it like you own it; you do not. It is not yours to sell or share or publicize.
Edit; note as well that every country has a compliance office; if they know you are in complaince as in you are ‘good people’ (best effort, no giant holes etc; just best practice in our field which you should do anyway) they will not bother you with every (or any) user complaint after that. I have good experiences with this with far grave (and potentially criminally punishable) matters in a few EU countries.
What this gives the EU is the hammer to hit persistent abusers of user data. They want you to be careful with user data and not treat it like you own it; you do not. It is not yours to sell or share or publicize.
Edit; note as well that every country has a compliance office; if they know you are in complaince as in you are ‘good people’ (best effort, no giant holes etc; just best practice in our field which you should do anyway) they will not bother you with every (or any) user complaint after that. I have good experiences with this with far grave (and potentially criminally punishable) matters in a few EU countries.