GDPR Countries 2024

As of May 25, 2018, the General Data Protection Regulation (GDPR) is in effect across the European Union. The GDPR replaces the 1995 Data Protection Directive and sets out strict new rules about how personal data must be collected, processed and stored by organizations operating in the EU and UK.

The GDPR applies to any organization that processes the personal data of EU/UK citizens, regardless of where the organization is located. This means that even if your organization is based outside of the EU/UK, you will still need to comply with the GDPR if you process the personal data of EU/UK citizens.

GDPR Countries 2024

The GDPR has been implemented in the following EU countries:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • The Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom*

* The United Kingdom is an outlier.

Although the UK has departed from the EU as of January 2021, the GDPR was enacted before its withdrawal and is therefore considered a valid UK law.

List of Non-GDPR European Countries

The countries listed here are in Europe but have not implemented the GDPR regulation:

  • Albania
  • Belarus
  • Bosnia and Herzegovina
  • Kosovo
  • Moldovia
  • Montenegro
  • North Macedonia
  • Russia
  • Serbia
  • Turkey
  • Ukraine

Any organization in these countries that collects data in EU/UK member states is subject to the GDPR, even though they haven’t implemented the GDPR regulation.

List of Countries with data protection laws similar to GDPR

There are a number of countries outside of the EU that have implemented similar data protection laws, including:


The Middle East




South America

North America

So if your organization processes the personal data of EU/UK citizens, you will need to be compliant with the GDPR. But what if you process the personal data of citizens of countries outside the EU? In this case, you will need to comply with the data protection laws of those countries.

What You Need to Know About GDPR Countries

The EU is a changing entity, as seen by the previous examples—and current events. Nations may join or leave the EU at any time. It’s up to each business or organization to stay up with the latest geopolitical situation and make changes as needed.

For example, the Ukraine conflict motivated their leadership to seek membership in the European Union. If and when their entrance to the EU is permitted, residents will be immediately safeguarded by the GDPR, so businesses must be prepared to change with the law.

This is also the case for the recent decision of the United Kingdom to leave the European Union. Businesses based in the UK must begin preparing for a possible shift in data rules.

In a nutshell, the EU is always in motion, and firms must be ready to change their compliance strategies as new members join or existing members leave. Companies can maintain their GDPR and other EU data regulations compliance by staying up to date on the latest political changes.

Exceptions and Considerations

The GDPR has two exceptions. The first is that it does not apply to “purely personal or household activities,” only “professional or commercial activity.” Individuals are not required to encrypt their address books or other privacy concerns (although this may be a good idea anyhow).

The second exception is for small and medium-sized businesses. If a company has fewer than 250 people, it is not exempt from the entire regulation. The record-keeping obligations, on the other hand, are considerably less demanding.

When it comes to creating their GDPR privacy policy, organisations must consider two things. The first thing, offering goods and services to EU/UK residents means that an organisation is subject to the GDPR. Businesses should develop their GDPR policy before a resident of the European Union becomes a customer.

The GDPR enforcement authorities will consider whether a sale is an isolated occurrence or if the company is targeting EU/UK residents. If a firm seeks to market its products or services in Europe, it must have a policy in place.

The second issue is when a firm collects EU/UK data without realizing it. Consider a small business in California that just sells goods and services to people in the state. What happens if an Italian visits their website and accepts their tracking cookies? Technically, they’ve acquired data from an EU citizen. Will they be fined if they don’t have a GDPR policy in place? While it’s unlikely, it’s conceivable.

Discover GDPR Advisor’s Solutions

No matter what your business goals are, it’s a good idea to have a GDPR policy in place. With GDPR Advisor, compliance is simple and easy, so you can focus on what you do best.

Our privacy toolset makes it easy to create a comprehensive GDPR policy, so you can be confident that you’re meeting all the necessary requirements. Whether you’re looking to expand your business empire or simply prepare for growth, GDPR Advisor can help you get the job done quickly and efficiently.

Contact us today to learn more about how we can help your organisation achieve compliance with GDPR.