What Countries Does GDPR Apply To? A Complete Guide
May 12, 2025
The General Data Protection Regulation (GDPR) is a cornerstone of data privacy laws, impacting businesses and individuals worldwide. If you're wondering, “What countries does GDPR apply to?” or “Is [your country] a GDPR country?”, this guide provides a clear, comprehensive answer. Whether you're a business owner ensuring compliance or an individual curious about your data rights, understanding the list of GDPR countries and its global reach is essential.
What Is GDPR?
The GDPR, enacted by the European Union (EU) on May 25, 2018, sets strict rules for protecting personal data. It applies to organizations processing data of individuals in specific regions, regardless of where the organization is based. Knowing which countries follow GDPR is critical for compliance, as violations can lead to fines of up to 4% of annual global revenue or €20 million, whichever is higher.
Which Countries Does GDPR Apply To?
The GDPR primarily applies to the following regions:
1. European Union (EU) Countries
The GDPR is binding across all 27 EU countries:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
These nations form the core of GDPR countries, where businesses and organizations must comply with GDPR rules for processing personal data.
2. European Economic Area (EEA) Countries
The European Economic Area (EEA) extends GDPR coverage to three non-EU countries:
Iceland
Liechtenstein
Norway
These countries, while not EU members, adopt GDPR through the EEA agreement, making them GDPR-compliant countries.
3. The United Kingdom
Post-Brexit, the UK is no longer an EU member but has incorporated GDPR into its national law as the UK GDPR. If you're asking, “Is the UK a GDPR country?”, the answer is yes—businesses processing UK residents' data must comply with UK GDPR, which mirrors the EU GDPR.
4. Non-EU Countries Processing EU/EEA/UK Data
The GDPR has extraterritorial reach, meaning it applies to organizations outside the EU, EEA, or UK if they:
Offer goods or services to individuals in the EU, EEA, or UK (e.g., an e-commerce site targeting German customers).
Monitor behavior of individuals in these regions (e.g., tracking EU users via cookies or analytics).
For example:
Is GDPR applicable in the USA? Yes, if a US company collects data from EU or UK residents, it must comply with GDPR. A US-based retailer selling to French customers or a tech firm tracking UK users’ browsing habits falls under GDPR rules.
Similarly, companies in Canada, Australia, or Japan must follow GDPR when handling EU/EEA/UK data.
Which Countries Do Not Follow GDPR?
While GDPR has a broad reach, it does not apply in the following cases:
1. Countries Outside EU/EEA/UK
Countries like the United States, China, India, Brazil, or Russia are non-GDPR countries unless they process EU/EEA/UK residents’ data. For instance:
A Brazilian company serving only local customers is exempt from GDPR.
An Indian app collecting data solely from Indian users does not need to follow GDPR.
2. Non-EU European Countries
Some European countries outside the EU/EEA, such as Switzerland, Turkey, or Ukraine, are not automatically GDPR countries. However, they may still need to comply if they target EU/EEA/UK markets. For example:
Switzerland aligns with GDPR through its own data protection laws but isn’t directly under GDPR unless processing EU data.
Is Russia a GDPR country? No, unless a Russian company serves EU customers.
3. Personal or Household Activities
GDPR does not apply to personal, non-commercial data processing, such as managing a private address book or sharing photos with friends.
GDPR and Data Transfers: Adequacy Decisions
The EU allows data transfers to certain GDPR fully compliant countries deemed to have “adequate” data protection laws. As of 2025, these include:
Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, UK, Uruguay, and the US (under the EU-US Data Privacy Framework).
While data can flow freely to these countries, organizations processing EU/EEA/UK data must still comply with GDPR’s core principles, such as transparency and data minimization.
Why Does GDPR Matter Globally?
Even if your country isn’t on the list of GDPR countries, GDPR’s global impact is undeniable. Here’s why:
Fines and Enforcement: Non-compliance can lead to hefty penalties, as seen in cases like Meta’s €1.2 billion fine for illegal data transfers.
Consumer Trust: GDPR compliance signals to customers that you prioritize data privacy, a growing concern in the US and beyond.
Global Standards: Countries like Brazil (LGPD) and India (DPDP Act) have adopted GDPR-inspired laws, making compliance a competitive advantage.
For businesses in non-GDPR countries like the USA, implementing GDPR-compliant practices (e.g., clear privacy policies, consent mechanisms) is a proactive step to avoid legal risks when serving EU/EEA/UK customers.
FAQs About GDPR Countries
Is the USA a GDPR country?
No, the USA is not a GDPR country, but US companies must comply with GDPR if they process data of EU, EEA, or UK residents. The EU-US Data Privacy Framework facilitates data transfers but doesn’t exempt US firms from GDPR obligations.
Does GDPR apply to Canada?
Canada is not a GDPR country, but it has an adequacy decision, meaning data transfers from the EU are permitted. Canadian businesses targeting EU/EEA/UK customers must follow GDPR.
Which countries are exempt from GDPR?
Countries that do not process EU/EEA/UK residents’ data, such as China or India (for local customers only), are exempt. Personal or household activities are also exempt.
Is GDPR applicable in Australia?
Australia is not a GDPR country, but Australian companies serving EU/EEA/UK residents must comply with GDPR.
Conclusion
Understanding what countries GDPR applies to is crucial for businesses and individuals navigating data privacy. The GDPR covers the 27 EU countries, three EEA nations, the UK, and any organization worldwide processing EU/EEA/UK data. Non-GDPR countries like the USA or Canada may still need to comply if they target these regions. By staying informed about GDPR compliance countries and their requirements, you can protect your business and build trust with customers.
For tailored advice on GDPR compliance, consult a data protection expert or visit the European Data Protection Board for official guidance.