Let me say that the vast majority of DPAs in EU member states are currently not equipped with the duty to apply sanctions. The near future is exactly the opposite. There is a provision in the GDPR saying that member states may, at the end, decide that the DPA brings a controller before the court. This could be the system in perhaps one or two member states. But your ombudsman approach seems to be much less effective.
On June 13th, 2017. See this statement in context.