GDPR countries: What countries are covered by GDPR?

Flags of GDPR countries in the European Union on display

General Data Protection Regulation (GDPR) is designed to protect the fundamental rights and freedoms of individuals residing in the EU in relation to the processing of their personal data. It was designed to address the rapidly evolving digital landscape and the need for stronger data protection laws.

GDPR applies to the processing of personal data of EU residents by any organizations (including U.S. and Canadian organizations), regardless of where data processing occurs.

High level: What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs the processing of personal data within the European Union (EU) and the European Economic Area (EEA). Its main goal is to protect individuals’ privacy rights and provide them with control over their personal data.

Data controllers play a crucial role under GDPR. They are entities or organizations that determine the purposes and means of processing personal data. This includes businesses, governmental bodies, and non-profit organizations. As data controllers, they have specific responsibilities and obligations outlined in GDPR.

European Union (EU) member states covered by GDPR

The General Data Protection Regulation (GDPR) is a data protection and privacy regulation that applies to the European Union (EU). The EU countries covered by GDPR include:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden

EEA countries also covered by GDPR

GDPR applies to the European Economic Area (EEA), which includes all EU countries listed above plus:

  • Iceland
  • Liechtenstein
  • Norway

What about the United Kingdom?

On January 31, 2020, the UK (i.e., England, Scotland, Wales, Northern Ireland and the Channel Isles) officially left the European Union, a process known as Brexit. Following Brexit, a transition period took place during which the UK continued to adhere to EU laws and regulations, including GDPR. However, as of January 1, 2021, the transition period ended, and the UK implemented its own data protection legislation called the UK GDPR.

The UK GDPR largely mirrors the EU GDPR in terms of principles and rights. It incorporates GDPR’s standards for data protection and provides a similar level of protection for individuals’ personal data. Organizations operating in the UK are required to comply with the UK GDPR for processing personal data within the UK.

However, it’s important to note that the EU GDPR still applies to organizations within the UK that process personal data of individuals located in the EU. This means that if a UK-based organization handles personal data of individuals in the EU, they must comply with both the UK GDPR and the EU GDPR simultaneously.

European countries currently *not* in the EU market

As of June 2023, the following European countries are not EU members. They have not adopted the regulation:

  • Albania
  • Belarus
  • Bosnia and Herzegovina
  • Croatia
  • Kosovo
  • Moldovia
  • Montenegro
  • North Macedonia
  • Russia
  • Serbia
  • Turkey
  • Ukraine

Note: Some of these countries (e.g. Ukraine) are in the process of applying for EU membership. If they join the EU, their residents will immediately be covered by GDPR.


Stylized image of a map of Europe to represent GDPR legitimate interest
RECOMMENDED FOR YOU
What is Legitimate Interest?

Understanding what defines Personally Identifiable Data will help you evaluate whether GDPR applies to your business.

icon-arrow-long

Not in GDPR countries? It doesn’t mean you’re off the hook…

The applicability of the General Data Protection Regulation (GDPR) is not determined solely by a company’s physical location. GDPR applies to organizations that process the personal data of EU data subjects, i.e., individuals within the European Union (EU) or European Economic Area (EEA), regardless of where the company is based.

Even if a company is located outside of the EU or EEA, it may still be subject to GDPR if it processes the personal data of individuals or organizations located within those regions. This can occur when a company offers goods or services to individuals in the EU/EEA or monitors their behavior, such as through online tracking or profiling. Thoropass, for example, complies with GDPR since many customers are based out of the EMEA region.

Think of GDPR as applying to EU data subjects rather than just countries

GDPR takes a territorial approach, focusing on the processing of personal data of individuals within the covered regions rather than the location of the company. This broadens the scope of GDPR compliance to include organizations outside the EU/EEA that interact with individuals within those regions.

Such organizations must be GDPR compliant, which includes obtaining lawful bases for processing personal data, ensuring data subject rights, implementing appropriate security measures, conducting data protection impact assessments (DPIAs), and complying with data breach notification obligations, among other provisions.

It is essential for companies to understand their obligations under GDPR and ensure compliance, irrespective of their physical location if they process personal data of individuals within the EU/EEA.

If you’re not sure where to start, book a chat with an expert today!

Other FAQs about the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a uniform set of data protection rules that apply to all EU Member States, sparing companies and organizations from having to navigate multiple laws. While GDPR provides a consistent framework, EU Member States can specify certain areas of its application, such as employment rules, the public health sector, and reconciling freedom of expression with data protection.

GDPR also introduces the “one-stop-shop” mechanism, facilitating cooperation between Data Protection Authorities (DPAs) in cases involving cross-border data processing. Suppose a company or organization processes data in multiple countries. In that case, the DPA of the EU Member State, where it has its main establishment, serves as the lead authority unless another establishment decides the purposes and means of processing personal data and has the power to implement those decisions.

In situations where data processing is necessary to fulfill an obligation under the national law of an EU Member State, the competent DPA is solely the DPA of that specific Member State.

(More information from the European Commission)

No, the United States is not a GDPR country. The General Data Protection Regulation (GDPR) is a data protection and privacy regulation that applies to the European Union (EU) and the European Economic Area (EEA). It was designed to protect the personal data of individuals within these regions and establish a uniform set of data protection rules.

While GDPR does not directly apply to the United States, it may still impact U.S.-based organizations that handle the personal data of individuals within the EU/EEA. GDPR has extraterritorial reach, meaning that if a U.S. company offers goods or services to individuals in the EU/EEA or monitors their behavior, it may be subject to GDPR’s requirements.

To comply with GDPR, U.S.-based organizations may need to implement measures such as obtaining appropriate consent for data processing, ensuring data security, respecting individuals’ rights, and complying with data breach notification obligations, among other provisions. Many organizations have taken steps to align their practices with GDPR to facilitate international data transfers and maintain good data protection practices.

It’s important to note that the United States has its own data protection laws at the federal and state levels, such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA), which regulate specific sectors or aspects of data protection. However, these laws are separate from GDPR and have their own scope and requirements.

The General Data Protection Regulation (GDPR) does not apply to certain situations or entities. Here are some instances where GDPR may not apply:

Non-EU/EEA countries

GDPR does not apply to businesses that do not operate within the European Union (EU). It specifically covers companies within the EU, as well as those outside the EU that have establishments or employees within the EU. However, companies that have no connection to the EU, either in their operations or client base, are not subject to GDPR’s requirements.

Government and law enforcement activities

GDPR does not apply to personal data processing carried out for purely governmental or law enforcement purposes. National security activities, defense, and public safety fall outside the scope of GDPR.

Individual use for purely personal activities

GDPR primarily applies to data processing activities carried out by organizations or entities in a professional or commercial capacity. It generally does not cover personal or household activities conducted by individuals for personal purposes.

The General Data Protection Regulation (GDPR) and US data protection laws have different approaches and frameworks, making it challenging to directly compare their level of strictness. However, there are notable differences between the two.

Scope

GDPR has extraterritorial reach, meaning it applies to organizations worldwide that process the personal data of individuals within the EU/EEA, even if those organizations are located outside the EU/EEA. US data protection laws, on the other hand, typically have a more limited scope, focusing on specific sectors or aspects of data protection within the US jurisdiction.

GDPR places a strong emphasis on obtaining clear and informed consent from individuals for data processing. It grants individuals robust rights over their personal data, including the right to access, rectify, erase, and restrict the processing of their data, as well as the right to data portability. While the US has privacy laws such as the California Consumer Privacy Act (CCPA) and sector-specific laws like HIPAA, the approach to consent and individual rights may vary.

Enforcement and penalties

GDPR enforcement authorities have introduced substantial penalties for non-compliance, with fines that can reach up to 4% of a company’s global annual revenue or €20 million, whichever is higher. US data protection laws often involve enforcement by various federal and state agencies, with penalties varying depending on the specific law violated.

Sector-specific regulations

The US has sector-specific data protection laws governing areas such as healthcare (HIPAA), financial services (Gramm-Leach-Bliley Act), and children’s privacy (Children’s Online Privacy Protection Act). These laws may have specific requirements and safeguards applicable to their respective sectors.

Overall, while GDPR is known for its broad scope, rigorous consent requirements, and strong individual rights, the US data protection landscape is characterized by a mix of federal and state laws with sector-specific regulations. 


Share this post with your network:

LinkedIn