GDPR Countries: Where the Rules Apply and Why It Matters
ON THIS PAGE
- What Are GDPR countries?
- Why Businesses Must Pay Attention to GDPR Countries
- GDPR Countries 2025
- Is the United Kingdom a GDPR Country?
- List of Non-GDPR European Countries
- GDPR Adequacy Countries in 2025
- How GDPR Applies to Companies Outside the EU
- Does GDPR Apply to My Business?
- Key Differences Between National GDPR Implementations
- Top 5 GDPR Countries With the Strictest GDPR Enforcement
- List of Non-European Countries With Data Protection Laws Similar to GDPR
- Final Takeaway
- Frequently Asked Questions
General Data Protection Regulation (GDPR) is designed to protect Personal Information of individuals residing in the European Union (EU).
If you have customers in any EU country, you must comply with the GDPR.
Read this blog to understand which countries are covered by the GDPR, how GDPR applies to companies outside the EU, and differences between national GDPR implementations.
What Are GDPR countries?
The term GDPR countries refers to countries of the European Union (EU) and the European Economic Area (EEA) members states where the GDPR is enforced or influences local law.
In general, a GDPR country is a country where businesses and governments are obliged to follow the strict data protection requirements, set by the GDPR.
It also includes non-EU countries that have adopted GDPR adequacy decision- strict data privacy laws that align with GDPR.
The GDPR has an extraterritorial scope: the law applies to any organization that processes the personal data of EU citizens, regardless of where the organization is located. This means that even if your organization is based outside of the EU, you will still need to comply with the GDPR if you collect or process the personal data of EU citizens.
Thus, businesses that have customers from or target the European market, independently of the businesses’ location, must know the GDPR countries and the requirements of the law.
Knowing GDPR countries could help businesses to achieve GDPR compliance and avoid the risks of huge penalties for non-compliance.
Why Businesses Must Pay Attention to GDPR Countries
For businesses, GDPR is not a recommendation— it’s a legal requirement, strictly enforced by the law. All GDPR countries have their national Data Protection Authorities (DPAs), that enforce the GDPR.
In addition, GDPR is more than just a European regulation— it’s a global benchmark.
When operating in GDPR countries or handling data from citizens of GDPR countries and non-complying with the GDPR, businesses could face significant consequences. Non-compliance with the GDPR could lead to:
- Hefty fines
- Reputation damage
- Operational risks
Fines for non-compliance with the GDPR
GDPR is strictly enforced with huge fines.
Penalties for non-compliance with the GDPR are huge and scaled depending on the severity of non-compliance. Fines for serious violations can reach up to €20 million or 4% of global annual turnover.
The biggest GDPR fines were issued to Big Tech companies and reached millions of euros. For example, Meta was fined €1.2 Billion (2023), Amazon – €746 Million (2021), TikTok – €530 Million (2025).
Note that GDPR applies to all types of companies, independently of their size. Even small businesses or individuals could be fined for non-compliance with the GDPR. Actually, most fines are issued against small or medium companies or even individuals. The GDPR Enforcement Tracker tracks all publicly reported GDPR fines and enforcement actions across GDPR countries. It shows that small businesses were fined recently from €500 - €2000 to €20,000 for violations of the GDPR requirements.
Individuals must also pay attention to GDPR countries, since they also could be fined.
For example, a in August 2025, a Police Officer was fined £200 for insufficient legal basis for data processing.
Reputation damage
Nowadays individuals are concerned much about their data privacy and individual rights. One single data breach could ruin customer trust. Reputation damage could lead to loss of customers, that could be even more costly that fines for GDPR non-compliance.
Operational risks
When a business expands into GDPR countries without a solid compliance strategy, the operational risks can go far beyond fines.
Violating the GDPR requirements could lead to the following operational risks:
- Data transfer disruptions
If a company violates GDPR rules, regulators of GDPR countries can suspend data transfers between the EU and your company’s international offices, preventing customer data from being processed by a main office-based team. - Legal issues
Non-compliance with the GDPR could lead to investigations, legal injunctions, or bans on processing data. Companies may be forced to pause services until compliance gaps are fixed. - Service interruptions
Regulators can restrict or prohibit processing of personal data in the GDPR countries. - Loss of business partnerships
Many EU companies require GDPR compliance from their partners and vendors. EU companies could not do business with companies that are lacking GDPR compliance strategy. In the case of investigations or other legal issues, EU companies could stop cooperating with such companies, violating the GDPR rules. - Increased regulatory scrutiny
Once flagged, companies often end up on regulators’ focus for years, facing more audits and stricter oversight.
Understanding which countries are bound by GDPR helps businesses plan international business operations without operational risks or legal surprises.
GDPR Countries 2025
The GDPR is a data protection and privacy regulation that applies to the countries in the EU and the EEA. GDPR countries include all EU countries and EEA member states.
European Union (EU) member states covered by GDPR
At present, there are 27 EU countries, covered by the GDPR, which are listed below:
- Austria
- Belgium
- Bulgaria
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
EEA countries covered by GDPR
GDPR applies to the European Economic Area (EEA), which includes all EU countries listed above plus these additional countries:
- Iceland
- Liechtenstein
- Norway
Switzerland, while closely associated through bilateral legal and trade agreements, is not an EU or EEA member. Switzerland is not a GDPR country in the strict sense, because GDPR doesn’t apply there.
Switzerland has its own data protection law: the Federal Act on Data Protection (FADP), which was recently revised (effective September 2023) and closely aligns with GDPR principles. Thus, the FADP is very similar to the GDPR, setting similar requirements for personal data privacy. Swiss companies dealing with the EU often adopt GDPR compliance.
Is the United Kingdom a GDPR Country?
Before Brexit, the GDPR applied also to the UK. Brexit took effect on January 31, 2020, and the UK (England, Scotland, Wales, Northern Ireland and the Channel Isles) officially left the EU.
Following Brexit, a transition period took effect until January 1, 2021, during which the UK continued to adhere to EU laws, including the GDPR.
After January 1, 2021, the UK implemented its own data protection legislation called the UK GDPR. The UK GDPR largely mirrors the EU GDPR in terms of principles, user rights, and level of protection for individuals’ personal data. Businesses operating in the UK are required to comply with the UK GDPR for processing personal data.
While the UK GDPR mirrors the EU regulation, there are some differences, such as the role of the UK’s Information Commissioner’s Office (ICO).
The EU currently recognizes the UK under an adequacy decision, so businesses could transfer data of European citizens to the UK without any extra legal safeguards.
Thus, the UK is not a GDPR country in a strict sense, because GDPR doesn’t apply there. However, its own data protection law (UK GDPR) largely mirrors the EU GDPR principles and standards.
List of Non-GDPR European Countries
There are countries in Europe that do not belong to the EU or the EEA. These European countries have not implemented the GDPR regulation:
- Albania
- Belarus
- Bosnia and Herzegovina
- Kosovo
- Moldovia
- Montenegro
- North Macedonia
- Russia
- Serbia
- Turkey
- Ukraine
Note that any organization in these countries that collects data in EU or EEA member states is subject to the GDPR, even though they haven’t implemented the GDPR regulation.
GDPR Adequacy Countries in 2025
Under GDPR, adequate data protection must be ensured for both data storage and transfer internationally between countries.
The EU grants so-called adequacy decisions to countries whose data protection laws are considered strong enough to allow free data flows between the EU and these countries.
EU companies can transfer personal data of EU citizens to these countries without any additional contracts like the Standard Contractual Clause (SCC).
The list includes countries having full or partial adequacy decisions, and the date when adequacy decision was granted:
- Andorra (October 19, 2010)
- Argentina (June 3, 2003).
- Canada (partial adequacy decision, December 20, 2001)
- Faroe Islands (December 8, 2010)
- Guernsey (November 21, 2003)
- Isle of Man (April 28, 2010)
- Israel (January 31, 2011)
- Japan (January 23, 2019)
- Jersey (November 21, 2003)
- New Zealand (December 19, 2012)
- Republic of Korea (South Korea) (17 December 2021)
- Switzerland (July 26, 2000)
- United Kingdom (June 28, 2021)
- Uruguay (August 21, 2012)
Canada has only a partial adequacy decision. EU companies can transfer personal data to Canada only for organizations covered by PIPEDA.
United Kingdom received adequacy in 2021 (after Brexit). Data can flow freely between the EU/EEA and the UK without extra safeguards. This decision has a time limit for four years and should end in June 2025, after which the EU will review whether the UK still offers an adequate level of protection.
So as of 2025, the UK does have adequacy, but businesses should follow the news regarding the review later this year. If the EU decides not to renew, companies may need to rely on Standard Contractual Clauses or other mechanisms for EU–UK data transfers.
Adequacy decisions are reviewed periodically. A country can be withdrawn from the list if a country’s laws drift away from GDPR standards.
Adequacy decisions simplify data transfers for businesses that do not need extra legal safeguards. For countries without adequacy decisions, businesses must rely on other transfer mechanisms, such as Standard Contractual Clauses or Binding Corporate Rules.
How GDPR Applies to Companies Outside the EU
One of GDPR’s most significant features of the GDPR is its extraterritorial scope. This means that even if a company is based outside of the EU, you still need to comply with the GDPR if a company:
- Collects personal data of EU residents.
- Offers goods or services to EU residents.
- Monitors EU users’ online behavior.
For example, if a company is based in the U.S., India, or China, and offers goods or services to EU residents, it must comply with the GDPR.
Due to its extraterritorial scope, GDPR has become a global compliance priority. Thus, companies outside the EU, not just European countries, must meet the GDPR requirements.
Does GDPR Apply to My Business?
As mentioned previously, GDPR has an extraterritorial scope, meaning that the law applies to any business, even located outside of the GDPR countries.
However, there are some exceptions for individuals and small and medium-sized businesses for GDPR compliance:
- First, the GDPR applies only for “professional or commercial activity”. The law does not apply to “purely personal or household activities.” So, individuals are not required to adjust their data management practices when collecting data on their address books or encrypt data when sending it internationally for personal practices.
- The second exception is for small and medium-sized enterprises (SMEs) that have fewer than 250 employees. Such businesses are not exempt from the GDPR requirements. However, the record-keeping obligations are considerably less challenging for SME.
In any case, the GDPR mandates creating a Privacy Policy for any type of business. Businesses must prepare their privacy policies before offering goods or services to citizens of GDPR countries. Even if a business don’t target GDPR county’s citizen, but the website could be accessed by a GDPR county’s citizen, the website must have a Privacy Policy in place.
CookieScript Privacy Policy Generator can help you to create a professional and GDPR-compliant Privacy Policy for any type of business.
Key Differences Between National GDPR Implementations
While GDPR sets a common legal framework, its enforcement is handled by decentralized national Data Protection Authorities (DPAs).
GDPR enforcement slightly differs across EU Member States: there are cultural and procedural differences. National DPAs may prioritize different types of data protection cases based on national concerns or public attention.
Key differences include:
- Age of user consent
In some countries, the minimal age when a user can give digital consent independently from their parents or legal guardians is 16, while in other countries it is 13. - Employee data rules
Germany has stricter protections with rigorous standards than other countries. - Focus
National DPAs have a different focus, based on types of data violations, sector, or company’s size.
For example, Spain has issued the biggest number of GDPR fines in the EU has issued the biggest number of GDPR fines in the EU, although the fines are often smaller in value. Ireland had issued the biggest fines for GDPR violations since many Big Tech companies have their headquarters there. - Regulatory culture
Some authorities are more active in enforcement than others. For example, France is known for strict and proactive GDPR enforcement. It was one of the first countries to impose huge fines on Big Tech companies. Other countries start GDPR enforcement only when they receive complaints.
Top 5 GDPR Countries With the Strictest GDPR Enforcement
Even though GDPR sets uniform standards in all countries, its enforcement in different GDPR countries is slightly different.
Let’s see wo are the top 5 GDPR countries with the strictest GDPR enforcement. Understanding the top GDPR enforcers could help businesses see enforcement trends and prioritize their resources accordingly.
1. Spain
Spain has issued the biggest number of GDPR fines in the EU, although the fines are often smaller in value. As of October 2025, Spain has issued 1,025 fines with a total of € 121,434,050. The Spanish Data Protection Agency (AEPD) has issued over one thousand fines for unlawful data transfers, inadequate consent, and cookie misuse violations.
The largest fine issued by the Spanish DPA was 10 million euros on Google LLC for unlawful data transfers and preventing data subjects from exercising their rights.
The lowest fine issued by the Spanish DPA was 120 euros for non-informing inadequately data subjects about their data management.
However, the total sum of fines issued by the Spanish DPA for GDPR non-compliance is not the highest.
2. Italy
Italy is the country, that issued the second highest total number of fines. As of October 2025, Italy has issued 443 fines with a total of €276,926,200.
The Italian DPA mainly focuses on GDPR requirements such as legal basis of processing, data protection principles, and the right implementation and use of cookie banners.
The highest fine issued by the Italian authority was 79.1 million euros. Enel Energia SpA was fined for insufficient technical and organizational measures to ensure information security.
3. Ireland
Ireland is the leading GDPR country by total sum of fines. As of October 2025, the sum of fines, issued by Ireland, overcame €4 Billion (at 35 fines). Although the total number of fines is not so high, the huge total sum of fines comes from several record-beating fines. This is because tech giants like Meta, Google, and Amazon have their headquarters in Ireland.
The highest fine imposed by the Ireland DPA so far amounts to 1.2 billion euros upon Meta (2023) for the insufficient legal basis of data processing.
4. France
France has issued the second largest total sum of fines. As of October 2025, the sum of fines, issued by France, was €849,665,200 (at 73 fines).
France was also one of the first countries to impose huge fines on Big Tech companies. CNIL, the French DPA, is known for strict and proactive enforcement.
5. Luxembourg
Luxembourg is the country number three that issued the largest total sum of fines. As of October 2025, Luxembourg’s DPA issued fines for a total sum of €746,491,300 (at 34 fines).
The largest fine imposed by the Luxembourg DPA was 746 million euros was 746 million euros, issued on Amazon for non-compliance with data processing principles.
CNPD, the Luxembourg DPA, concentrates on the principles of GDPR, the appointment of Data Protection Officers (DPOs), and issues related to non-compliance with requirement to provide information (privacy notices).
With CookieScript Cookie Scanner, you can automatically scan your website for cookies and add them to your site’s list of cookies.
List of Non-European Countries With Data Protection Laws Similar to GDPR
The impact of GDPR is so profound that many Non-European countries have enacted privacy regulations with strict privacy standards like the GDPR.
As of 2025, non-European countries with data protection laws similar to GDPR include:
North America
The United States does not have one single, comprehensive federal data privacy law. Instead, it has state-level data privacy laws that have some differences. Some of the U.S. data privacy laws (Utah’s UCPA, Virginia’s VCDPA, and Iowa’s ICDPA) are more business-oriented, while others are more user-rights–focused and closer to GDPR.
More business-oriented data privacy laws include Utah’s UCPA, Virginia’s VCDPA, and Iowa’s ICDPA.
More user-rights–focused data privacy laws include California’s CCPA/ CPRA, Colorado’s CPA, and Connecticut’s CTDPA.
South America
- Argentina (Personal Data Protection Law PDPL)
- Brazil (General Data Protection Law LGPD)
- Uruguay (Act on the Protection of Personal Data and Habeas Data Action)
Asia
- Japan (Act on the Protection of Personal Information APPI)
- South Korea (Personal Information Protection Act)
- Singapore (Personal Data Protection Act PDPA)
- India (Digital Personal Data Protection Act DPDPA)
- Thailand (Personal Data Protection Act PDPA)
- Vietnam (Personal Data Protection Law PDPL)
The Middle East
- Turkey (KVKK)
- Saudi Arabia (SAPDP)
- Israel (Data Security Regulations)
- Bahrain (Personal Data Protection Law)
- Qatar (Law No. 13)
Africa
- South Africa (POPIA)
- Kenya (Data Protection Act)
- Mauritius (Data Protection Act)
- Nigeria (Data Protection Regulation)
- Uganda (Data Protection and Privacy Act, 2019)
Oceania
- Australia (Privacy Act of 1988)
- New Zealand (Privacy Act of 2020)
Final Takeaway
GDPR countries go far beyond the EU. For businesses, keeping track of these jurisdictions and their unique requirements is essential to achieving GDPR compliance, reducing legal risk, and building customer trust.
Since there are many data privacy laws globally with their unique requirements, which are regularly changing, keeping track of these requirements could be an issue, especially for small or medium-sized businesses. A simple and reliable solution to achieve GDPR compliance for GDPR countries is to use a Consent Management Platform (CMP).
CookieScript CMP is one of the best CMPs on the market that offers a wide range of functionalities, automation tools, and good pricing.
It's also a Google-certified CMP with a golden tier:
One of the most required features for GDPR compliance is geo-targeting. It allows to deliver the right consent banner based on the user’s location, enabling compliance with privacy laws of many GDPR countries. The CookieScript geo-targeting feature is available for 250 countries and 50 US states.
Note that in 2025, CookieScript received the fourth badge in a row as the leader on G2, a peer review site, and became the best CMP on the market for a whole year!
Frequently Asked Questions
Which countries are covered by GDPR?
The GDPR covers 27 European Union member states and 3 EEA members- Norway, Iceland, Liechtenstein. Switzerland and the UK are not GDPR countries in the strict sense, however, they have their own data protection laws. Use CookieScript CMP to comply with the GDPR.
Why do some countries enforce GDPR more strictly than others?
GDPR is enforced by national Data Protection Authorities (DPAs) of the EEA countries. Each DPA has different volumes of data processing activities, staffing, cultural and procedural differences, and national concerns, thus, GDPR countries enforce the law slightly differently. Use CookieScript CMP to comply with the GDPR in all GDPR countries.
Is GDPR only valid in Europe?
No. Though GDPR regulates data management in the EU and EEA, it is valid beyond Europe. The GDPR has an extraterritorial scope, meaning that the law applies to any organization that offers their products or services to EU residents or processes the personal data of EU citizens, regardless of where the organization is located. Use CookieScript CMP to comply with the GDPR and other privacy laws globally.
Is the United Kingdom a GDPR country?
After Brexit, the UK is not a GDPR country in a strict sense, because GDPR doesn’t directly apply there. However, its own data protection law (UK GDPR) largely mirrors the EU GDPR principles and standards. Use CookieScript CMP to comply with the GDPR and the UK GDPR.
What are GDPR adequacy countries?
GDPR adequacy countries are countries who received so-called adequacy decisions from the EU. Such countries have data protection laws considered to be strong enough to allow free data flow between the EU and these countries. They include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israe , Japan, Jersey, New Zealand, Republic of Korea, Switzerland, UK, and Uruguay.
Does GDPR apply to me?
The law does not apply to “purely personal or household activities,” so, individuals are not required to adjust their data management practices under the GDPR . However, GDPR applies to GDPR countries in the EU and the EEA, and also outside Europe. The GDPR has an extraterritorial scope, meaning that the law applies to any organization that offers their products or services to EU residents or processes the personal data of EU citizens, regardless of where the organization is located.
Is GDPR the same in all EU countries?
While GDPR provides a consistent framework, there are slight differences between EU Member States. National Data Protection Authorities (DPAs) DPAs may prioritize different types of data protection cases based on their culture, national concerns or public attention. The GEO-targeting functionality of CookieScript detects the user location and allows you to deliver the right Cookie Banner to comply with different privacy laws.