The rule for not replying to GDPR requests (e.g. sent by registered letter) holds within a month: the maximum fine for this is 4% of last years total revenue or 20 mio €, whichever is the larger number.

For US companies use their (typically Dublin) European HQs.

Yes but the Irish privacy authority is just a front for US interests. Because the country makes so much money from big tech tax avoidance.

> the maximum fine for this is 4% of last years total revenue or 20 mio €, whichever is the larger number.

The maximum fine wasn't even achieved by Facebook, after years and many blatant GDPR cases. Do you really think someone is getting a fine for not replying to a subject access request in due time? If so I have a very good bridge to sell you, and that bridge has more probability to exist than Amazon getting any kind of GDPR fine for not acknowledging a SAR.