GDPR Countries List 2026: Where GDPR Applies (And Where It Still Affects You)

Shubham S.
April 29, 2026

Data is the new currency. It travels across boundaries, and so do business operations and the compliance frameworks that follow.

GDPR, one of the strictest data regulations, enforces data protection rights of users in the EU/EEA region, or in compliance terms, GDPR countries.

GDPR applies to any organization processing data from the European region, irrespective of establishment location. Understanding the geographical application of GDPR, the countries it protects, and its extraterritorial scope helps businesses design their compliance readiness.

Moreover, the European Data Protection Board (EDPB) 2025 Annual Report highlights that 90% of all GDPR fine revenue came from fines against non-EU companies (primarily global giants from China and the USA, such as TikTok, Google, and SHEIN).

GDPR Countries Overview: How Coverage Is Structured

Before jumping into the full list of GDPR countries, it’s important to understand how GDPR applies across different regions. The term “GDPR countries” is often used broadly, but in practice, GDPR coverage is structured across distinct categories based on legal applicability and data transfer rules.

This distinction helps you quickly assess your compliance exposure, whether you operate within Europe, transfer data internationally, or serve EU/EEA users from outside the region.

GDPR Coverage at a Glance

| Category | Coverage | What It Means for Your Business |
|---|---|---|
| EU + EEA Countries (30) | All 27 EU member states + Norway, Iceland, Liechtenstein | GDPR applies directly as law → Full compliance required |
| Adequacy Countries | Countries approved by the European Commission (e.g., Japan, UK, Switzerland) | Data can flow freely from the EU → No additional safeguards needed |
| Non-EU Countries (Global Scope) | All other countries worldwide | GDPR may still apply if you target or monitor EU/EEA users |

This three-part structure is the foundation of GDPR’s global reach. While only 30 countries have GDPR as directly applicable law, its extraterritorial scope means businesses worldwide may still fall under its requirements.

To understand this in detail, let’s start with the complete list of countries where GDPR applies directly.

2026 Updated List of GDPR Countries: EU, EEA Members & Adequacy Countries

It’s important to understand that “GDPR countries” is not a single, uniform category. Instead, it includes three distinct groups, each with different implications for compliance, enforcement, and data transfers.

Category 1: Members of the EU

All 27 Countries of the European Union

| Austria (Vienna) | Malta (Valletta) | Sweden (Stockholm) |
| Belgium (Brussels) | Portugal (Lisbon) | Bulgaria (Sofia) |
| France (Paris) | Spain (Madrid) | Croatia (Zagreb) |
| Germany (Berlin) | Denmark (Copenhagen) | Czech Republic (Prague) |
| Luxembourg (Luxembourg) | Estonia (Tallinn) | Hungary (Budapest) |
| Netherlands (Amsterdam) | Finland (Helsinki) | Poland (Warsaw) |
| Cyprus (Nicosia) | Ireland (Dublin) | Romania (Bucharest) |
| Greece (Athens) | Latvia (Riga) | Slovakia (Bratislava) |
| Italy (Rome) | Lithuania (Vilnius) | Slovenia (Ljubljana) |

Category 2: The EEA Extension: Three Additional Countries

In addition to these 27 countries, three countries that belong to the European Economic Area are also subject to GDPR under the EEA Agreement:

  1. Norway
  2. Iceland
  3. Liechtenstein 

Norway: The Norwegian Data Protection Authority (Datatilsynet) enforces GDPR with the same stringency as EU member states. Thus, any business providing services to Norwegian users must adhere to GDPR.

Iceland: In Iceland, Icelandic data protection law mirrors EU standards. The IDPA (Persónuvernd) supervises compliance for both domestic and international organizations processing Icelandic residents' data.

Liechtenstein: Though one of Europe's smallest countries, Liechtenstein maintains full GDPR compliance as part of its EEA membership.

Category 3: The List of GDPR Adequacy Countries

GDPR adequacy decision countries are countries outside the EU and EEA, which the European Commission has approved as having data protection laws similar to GDPR. 

This approval means businesses can transfer personal data from the EU to these countries without needing extra legal steps or safeguards.

This stamp of approval (a.k.a. the whitelist) reduces the need for complex measures such as Standard Contractual Clauses (SCCs).

In total, 16 such countries across various continents come under the whitelist category:

GDPR Adequacy Countries List

| Andorra | Isle of Man | United Kingdom* (under GDPR and LED) |
| Argentina | Japan | United States* (under the EU-US Data Privacy Framework) |
| Canada* (commercial organisations) | Jersey | Uruguay |
| Faroe Islands | New Zealand | European Patent Organisation |
| Guernsey | Republic of Korea | Israel |
| Switzerland | | |

Key considerations:

  • Canada: Adequacy is limited. It applies only to private-sector organizations regulated under PIPEDA (Personal Information Protection and Electronic Documents Act).
  • US Data Privacy Framework: Coverage is not automatic. Only organizations that have formally certified under the framework are included.
  • UK Adequacy: The UK currently has adequacy status, but it is time-bound and subject to periodic review and renewal.

Other implications of an adequacy decision for compliance are discussed later in this article.

GDPR Applies Equally, but Enforcement Varies

Though the GDPR applies equally across all the member states (27+3), each country handles enforcement differently. Each country's Data Protection Authority is responsible for adequate enforcement, with its own priorities, resources, and interpretation approaches.

Consider the following examples to understand the enforcement variation across various member states:

  • Ireland's DPC (Data Protection Commission) oversees many US tech giants (Meta, Google, Apple) due to their European headquarters location
  • France's CNIL (Commission nationale de l'informatique et des libertés) has been particularly aggressive with cookie consent enforcement
  • Spain's AEPD (Spanish Data Protection Authority) leads in the total number of fines issued
  • Luxembourg's CNPD (National Commission for Data Protection, Luxembourg) issued the largest single fine in GDPR history (€746 million to Amazon)

The variation in GDPR enforcement depends on factors such as:

  • Priorities and resources of enforcement agencies
  • Presence of MNCs
  • Volume of data processing activities
  • Efficacy of Data Protection Authorities (DPA)

Understanding the Three-Layer Model of GDPR Application

The phrase “GDPR countries” refers to three categories that determine how and when the regulations apply. These three layers include all 27 EU countries and EEA (European Economic Area) countries.

Meeting GDPR requirements across the member states and economic area states also helps you remain compliance-ready for the adequacy decision countries. The three-layered applicability of GDPR will help you understand the co-dependency of GDPR and adequacy countries.

Layer 1: Direct Application (EU + EEA Countries)

The first and foremost layer of GDPR covers all 27 EU countries and 3 EEA countries, as covered in the above list. Since GDPR is the law of the land in these territories, organizations and individuals in these countries must comply with the regulations for all personal data processing activities, regardless of where data subjects are located.

This brings the total to 30 countries where GDPR is directly applicable law.

| Category | Number of Countries | GDPR Status | Notes |
|---|---|---|---|
| EU Member States | 27 | Direct application | GDPR is an EU law |
| EEA (non-EU) | 3 | Direct application | Via EEA Agreement |
| Total Direct Application | 30 | Mandatory | Full compliance required |

Layer 2: Indirect Application (Extraterritorial Scope)

The indirect application layer of GDPR creates confusion for many organizations. This is where many businesses face heavy penalties. Article 3(2) of GDPR extends the regulation's scope to any organization across the globe that:

  1. Offers goods or services to individuals in the EU/EEA (even if free)
  2. Monitors the behavior of individuals in the EU/EEA

The indirect application of GDPR does not require you to have an office, employees, or physical presence in Europe. This means that a company based entirely in the USA, targeting European customers through targeted ads, will have to comply with GDPR.

Consider the following scenario to understand GDPR extraterritorial applicability:

A US SaaS company that has no European office but accepts customers from Germany via its website must comply with GDPR when processing German users' personal data. The company's location (data processor or data controller) is irrelevant; what matters is the data subject's location.

Layer 3: GDPR-Like Countries (Inspired Regulations)

While not technically "GDPR countries," dozens of nations have implemented privacy laws heavily influenced by GDPR's framework. These countries created their own regulations that mirror GDPR's core principles:

  • Brazil - Lei Geral de Proteção de Dados (LGPD)
  • California, USA - California Consumer Privacy Act (CCPA/CPRA)
  • South Africa - Protection of Personal Information Act (POPIA)
  • Japan - Act on the Protection of Personal Information (APPI)
  • India - Digital Personal Data Protection Act (DPDPA)

While these laws aren't GDPR, they demonstrate the regulation's global influence in shaping modern privacy standards.

Now, not all countries fit neatly into the EU/EEA region, GDPR adequacy, or “GDPR-like” categories; some operate in a regulatory gray zone, referred to as GDPR edge cases, that requires closer attention.

Key GDPR Edge Cases: UK Post-Brexit Compliance and Switzerland Alignment 

These edge cases are where compliance becomes more nuanced for businesses operating across borders. They often involve parallel legal frameworks, evolving adequacy decisions, or dual compliance obligations that can directly impact data transfer strategies.

(Case 1) United Kingdom: Post-Brexit GDPR Scenario

The UK presents a unique case in the GDPR world. After the Brexit referendum, the UK implemented its own data protection legislation called UK GDPR. This domestic legislation, however, mirrors the EU GDPR in several aspects. There are only a few key differences between the frameworks as explained below.

UK GDPR vs EU GDPR: Key Differences

| Aspect | EU GDPR | UK GDPR |
|---|---|---|
| Legal Basis | EU Regulation 2016/679 | Data Protection Act 2018 + UK GDPR |
| Territorial Scope | EU/EEA | United Kingdom |
| Supervisory Authority | 27+ different DPAs | Information Commissioner's Office (ICO) |
| International Transfers | Standard Contractual Clauses (SCCs) | UK International Data Transfer Agreement (IDTA) |
| Fines | Up to €20M or 4% of global revenue | Up to £17.5M or 4% of global revenue |

Practical Implications for Data Transfers

After Brexit, sending personal data between the EU and the UK became more complicated and could require extra legal steps. However, in June 2021, the EU decided that the UK’s data protection laws are still strong enough and granted an adequacy decision. Because of this, businesses can continue transferring data from the EU to the UK without extra safeguards.

However, this approval isn’t permanent. The EU will keep reviewing the UK, and if its data protection rules change too much, this permission could be withdrawn.

What Does It Mean in the Business World?

A French company storing EU customer data (from France, Germany, or any EU country) on UK-based servers can do so without extra safeguards due to the EU’s adequacy decision for the UK.

However, if that company also operates in the UK or serves UK customers, it may need to comply with both EU GDPR and UK GDPR at the same time.

(Case 2) Switzerland: Not GDPR, But Aligned

Another excellent example to have a look at is Switzerland. Though Switzerland is not covered by the EU GDPR, it has its own data protection framework (FADP) in place.

Federal Act on Data Protection (FADP): Switzerland's revised FADP (effective September 2023) modernized Swiss data protection law to align more closely with GDPR, including:

  • Similar definitions of personal data
  • Comparable data subject rights
  • Data protection impact assessments
  • Breach notification requirements
  • Penalties (though lower than GDPR)

What Does it Mean for Businesses?

The EU's adequacy decision for Switzerland means EU businesses can transfer personal data to Swiss organizations without additional safeguards. This makes Switzerland an attractive location for data centers and processing operations serving European markets.

However, Swiss law does have differences; for instance, the definition of "personal data" is narrower, and there's no explicit "right to be forgotten" equivalent.

Apart from these two country cases, there are other countries that are not covered by the GDPR but have their own domestic regulations.

European Countries NOT Covered by GDPR

Several nations in the broader European region are neither EU nor EEA members, meaning GDPR doesn't apply to them as domestic law.

Non-GDPR European Countries Include:

  • Turkey - Has its own Law on Protection of Personal Data (KVKK)
  • Russia - Federal Law on Personal Data
  • Serbia - Law on Personal Data Protection
  • Ukraine - Law on Personal Data Protection
  • Albania - Law on Personal Data Protection
  • Bosnia and Herzegovina - Data Protection Law
  • North Macedonia - Law on Personal Data Protection
  • Moldova - Law on Personal Data Protection
  • Belarus - Law on Personal Information
  • Kosovo - Law on Protection of Personal Data
  • Montenegro - Law on Personal Data Protection
  • Georgia - Law on Personal Data Protection

The Important Catch: When Non-GDPR Countries Still Need Compliance

Here's what trips up many businesses: even though these countries don't have GDPR as national law, any organization in these countries must comply with GDPR if they process personal data of EU/EEA residents.

Example: A Ukrainian software development company contracted by a German corporation to process German customer data must comply with GDPR, even though Ukraine isn't a GDPR country. The determining factor is the data subject's location, not the processor's location.

EU Candidacy and Future Implications

Several non-GDPR European countries are official EU candidates, meaning they may eventually join the EU and adopt GDPR:

  • Ukraine (candidate status granted June 2022)
  • Moldova (candidate status granted June 2022)
  • Albania (candidate since 2014)
  • North Macedonia (candidate since 2005)
  • Serbia (candidate since 2012)
  • Montenegro (candidate since 2010)
  • Bosnia and Herzegovina (candidate since 2022)
  • Turkey (candidate since 1999, negotiations stalled)

Organizations doing business with these countries should monitor their EU accession progress, as joining the EU would trigger immediate GDPR compliance requirements.

Understanding the Extraterritorial Scope of GDPR with the Two-Prong Test

As we have already discussed, the location of data subjects matters more than that of data processors and controllers. Here’s a litmus test that you can try on your business to identify whether you need to remain compliant with GDPR laws or not.

The Two-Prong Test for Extraterritorial Application

GDPR applies to your organization if either of these conditions is true:

1. Offering Goods or Services to EU/EEA Data Subjects

This doesn't require payment or physical goods. Even free services trigger GDPR if targeted at EU residents.

Indicators of "offering" include:

  • Website available in EU languages
  • Accepting payment in euros
  • Mentioning EU countries or cities in marketing
  • SEO targeting EU keywords
  • Using .eu domain or country-specific EU domains
  • Offering EU-specific promotions or products
  • Displaying EU shipping options

Example: A U.S. e-commerce store that ships to France and displays prices in euros is "offering goods" to EU residents. Hence GDPR applies, even if the company has no European employees or servers.

2. Monitoring Behavior of EU/EEA Data Subjects

GDPR applies not just when you target EU users directly, but also when you track or analyze their behavior online, even passively.

The key factor is observing and using user activity data to influence decisions, such as personalization, advertising, or performance optimization.

Common monitoring activities:

  • Behavioral advertising based on browsing history
  • Tracking users across websites with cookies
  • Location tracking via mobile apps
  • Personalized content based on user behavior
  • Predictive analytics on user patterns
  • A/B testing with EU users

Example: A social media platform headquartered in the USA that uses cookies to track EU users' browsing behavior across partner websites is "monitoring behavior." Hence, it must comply with the GDPR regulations.

Real-World Compliance Scenarios

Let's examine specific situations to understand the extra-territorial scope of GDPR:

Scenario 1: SaaS Company in the USA Serving EU Customers

Company: Cloud-based project management software based in Kansas, USA. 

Situation: 30% of paying customers are from EU countries, primarily Germany and France

Does GDPR Apply? Yes

The company is offering services to EU residents. They must:

Note that these are only key compliance requirements, not all. To understand what all requirements apply to your business, get in touch with our DPO experts.

Scenario 2: E-Commerce Store Shipping to Germany

Company: Online retailer based in Australia 

Situation: Ships products internationally, including to Germany; website has a German language option.

Does GDPR Apply? Yes

Even though it's an Australian company, they're actively targeting EU markets. Therefore, key compliance requirements they will have to consider are:

  • Cookie consent banner for EU visitors
  • GDPR-compliant privacy policy
  • Right to access and delete customer data
  • Secure data processing and storage
  • Data processing agreements with any third-party processors

Scenario 3: Mobile App with EU Downloads

Company: Fitness tracking app developed in Canada 

Situation: Available globally on app stores; 15% of downloads from EU countries 

Does GDPR Apply? Yes

The app is available to EU residents, and fitness data is highly sensitive personal information. Therefore, they must consider the following key requirements:

Scenario 4: Pure Domestic Business with No EU Presence

Company: Local restaurant in Tokyo, Japan 

Situation: Only serves local customers; no online orders; no website tracking 

Does GDPR Apply? No

Unless EU tourists specifically book through an online system that processes their personal data, this purely domestic operation isn't subject to GDPR.

Does Company Size Matter for GDPR Obligations?

A common misconception is "We're too small for GDPR to matter."

But the truth is, GDPR applies to all businesses irrespective of their company size. However, there are a few requirements that are conditional and have thresholds.

Observe the following table.

| Obligation | Small Companies | Large Companies (250+ employees) |
|---|---|---|
| Privacy Policy | Required | Required |
| Data Subject Rights | Required | Required |
| Cookie Consent | Required | Required |
| Records of Processing | Only for high-risk processing | Always required |
| Data Protection Officer | Only if core activities involve monitoring | Often required |
| Data Protection Impact Assessment | For high-risk processing only | For high-risk processing |

While record-keeping requirements are lighter for small businesses, the core GDPR compliance obligations, such as consent, transparency, and data subject rights, still apply universally.

But compliance doesn’t stop at internal processes. Once your data moves beyond borders, a new layer of GDPR complexity comes into play.

This is where GDPR shifts from internal governance to international data strategy. To manage this complexity, GDPR introduces a mechanism to simplify global data flows.

GDPR Adequacy Countries: Strategic Importance for Data Transfers

Understanding adequacy decisions is critical for international business operations. This is one area where you can gain a significant competitive advantage through strategic planning.

What is an Adequacy Decision?

Secure third countries are those for which the European Commission has confirmed a suitable level of data protection on the basis of an adequacy decision. In those countries, national laws provide a level of protection for personal data that is comparable to that of EU law.

In practical terms, adequacy means:

  • No additional safeguards needed for data transfers from the EU to that country
  • Simpler compliance for businesses operating across jurisdictions
  • Faster data flows without contractual delays
  • Mutual recognition of data protection standards

Countries with GDPR Adequacy Decisions (The "Safe List")

The European Commission grants "adequacy decisions" to countries whose data protection laws are deemed equivalent to GDPR. This status allows free data flow from the EU to these countries without additional safeguards.

Currently Recognized Adequacy Countries (as of 2026):

Currently, there are only 15 countries that are recognized under the EU’s adequacy decision.

GDPR Adequacy Countries List 2026

| Andorra | Israel | Republic of Korea (South Korea) |
| Argentina | Isle of Man | Switzerland |
| Canada (commercial organizations only, under PIPEDA) | Japan | United Kingdom |
| Faroe Islands | Jersey | United States (under the EU-US Data Privacy Framework, as of July 2023) |
| Guernsey | New Zealand | Uruguay |

What Adequacy Means in Practice:

For businesses, adequacy decisions simplify international operations. A French company can transfer customer data to a Canadian processor without Standard Contractual Clauses or other transfer mechanisms. Here, the adequacy decision provides the legal basis.

However, adequacy is not permanent. The EU continuously reviews these decisions and can revoke them if standards slip (as happened with the previous US "Privacy Shield" framework in 2020).

Current Adequacy Landscape

The EU has been cautious in granting adequacy, with only 15 countries/territories currently recognized. Notable countries that are absent from the list are:

  • China - No adequacy recognition
  • India - Not yet recognized (DPDPA pending)
  • Russia - No adequacy recognition
  • Most of Southeast Asia - Except Japan and South Korea

What This Means for Your Business: Actionable Guidance

Now that you understand GDPR's geographic scope, here's how to apply this knowledge to your specific situation.

Case 1 - If You're IN GDPR Countries (EU/EEA)

Your Obligations: Full Compliance

As an organization established in the EU/EEA territory, GDPR applies to all your data processing activities, regardless of where your data subjects are located.

Key action items:

  1. Appoint a Data Protection Officer (DPO)
  2. Maintain comprehensive records of processing
  3. Implement data subject request procedures
  4. Conduct Data Protection Impact Assessments (DPIAs)
  5. Report breaches within 72 hours

Resource allocation tip: Businesses outside or within the EU that have customers from or target the European market must know the GDPR countries and strict enforcers of the law to prioritize and allocate resources for compliance and minimize the risks of huge penalties.

Case 2 - If You're OUTSIDE But Targeting EU/EEA Markets

Your Obligations: Core GDPR Compliance + EU Representative

Non-EU businesses serving European markets must comply with GDPR's substantive requirements, though some procedural obligations differ.

Essential compliance measures:

  1. Appoint an EU Representative
  2. Implement geo-targeting for privacy notices
  3. Establish data transfer mechanisms
  4. Privacy by design and default
  5. Partner with GDPR-compliant service providers

Example implementation: An American SaaS company uses:

  • European CDN for faster EU service delivery
  • EU-based payment processor to localize data
  • Standard Contractual Clauses with US parent company
  • EU representative in Ireland (major customer base)
  • Automated cookie consent management via CMP

Case 3 - If You're Completely Outside EU/EEA Scope

Your Situation: GDPR Doesn't Apply (But Stay Vigilant)

If you genuinely have no EU data subjects and don't target or monitor EU markets, GDPR doesn't apply.

However, assess these risk factors:

  1. Future expansion plans
  2. Passive EU visitors
  3. Employment considerations
  4. Indirect exposure

Even if GDPR doesn't currently apply, implementing privacy best practices prepares you for:

  • Future geographic expansion
  • Similar regulations in your own jurisdiction
  • Customer expectations (privacy is a selling point)
  • Competitive advantage in the market

Quick Summary Table: GDPR Countries at a Glance

| Category | Coverage (Examples) | GDPR Status & Transfer Rules |
|---|---|---|
| EU Member States (27) | France, Germany, Italy, Spain, the Netherlands | GDPR applies directly → No safeguards needed within EU/EEA |
| EEA (Non-EU) (3) | Norway, Iceland, Liechtenstein | GDPR applies directly → No safeguards needed |
| United Kingdom (1) | United Kingdom | UK GDPR (equivalent) → No safeguards (adequacy decision) |
| Adequacy Countries (13+) | Japan, Switzerland, South Korea, New Zealand, Israel | Not GDPR, but recognized as “adequate” → No safeguards required |
| GDPR-Like Laws (25+) | Brazil, California (USA), India, South Africa | Independent laws inspired by GDPR → Safeguards required (e.g., SCCs) |
| Non-GDPR Europe (12+) | Turkey, Serbia, Ukraine, Russia | Outside GDPR scope → Safeguards required (SCCs) |

*Canada: Commercial organizations only under PIPEDA 

**United States: Under EU-US Data Privacy Framework (subject to legal challenges)

Frequently Asked Questions (FAQs)

What countries does GDPR apply to?

GDPR directly applies to all 27 European Union member states plus three EEA countries (Norway, Iceland, and Liechtenstein), totaling 30 countries. Additionally, GDPR's extraterritorial scope means it applies to any organization worldwide that processes personal data of individuals in these countries while offering goods or services or monitoring their behavior.

Is the US a GDPR country?

No, the United States is not a GDPR country. However, the EU granted the US an adequacy decision under the EU-US Data Privacy Framework in July 2023, allowing certain data transfers without additional safeguards. US companies processing EU residents' data must still comply with GDPR requirements, regardless of adequacy status.

Does GDPR apply outside Europe?

Yes, GDPR explicitly applies outside Europe through its extraterritorial scope (Article 3(2)). Any organization anywhere in the world must comply with GDPR if it offers goods or services to EU/EEA residents or monitors the behavior of individuals in the EU/EEA, even if the organization has no physical presence in Europe.

What are EEA countries?

The EEA consists of the 27 European Union member states, along with Norway, Liechtenstein, and Iceland, which were united by the Agreement on the European Economic Area, creating a single market. These 30 countries have adopted GDPR as directly applicable law.

Is the UK still under GDPR?

The UK is no longer under EU GDPR but has implemented its own equivalent called UK GDPR, which came into effect on January 1, 2021, after the Brexit transition period. UK GDPR largely mirrors EU GDPR in terms of principles, rights, and obligations. The EU has granted the UK an adequacy decision, facilitating data transfers between the EU and UK.

Do I need to comply with GDPR if I'm not in Europe?

If you process personal data of EU/EEA residents while offering them goods or services (even free ones) or monitoring their online behavior, then yes, you must comply with GDPR regardless of your company's location. The geographic location of the business is irrelevant; what matters is the location of the data subjects.

What countries have GDPR adequacy?

As of 2026, countries and territories with EU adequacy decisions include: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, United Kingdom, United States (under Data Privacy Framework), and Uruguay. These countries can receive personal data from the EU without additional safeguards.

Which European countries are not covered by GDPR?

European countries not covered by GDPR include: Albania, Belarus, Bosnia and Herzegovina, Georgia, Kosovo, Moldova, Montenegro, North Macedonia, Russia, Serbia, Turkey, and Ukraine. However, organizations in these countries must still comply with GDPR if they process personal data of EU/EEA residents.

Conclusion: GDPR Applies to Data Subjects, Not Your Business Location

The fundamental principle to remember: GDPR follows the data subject, not the data controller.

It doesn't matter if your servers are in Singapore, your developers are in Ukraine, and your company is registered in Delaware. If you're processing personal information from someone in France (or any other EU or EEA country), GDPR applies to you.

This location-independent approach is what sets GDPR apart from most privacy laws. It’s also why GDPR has effectively become the global benchmark for data protection. As a result, organizations worldwide have been forced to strengthen their data practices, raising the overall standard for privacy across markets.