GDPR Countries 2025
Status
Has similar law
Implemented
Not implemented
Status
17 countries
9 countries
28 countries
Country | Status↑ | Similar Data Protection Laws | |
|---|---|---|---|
 | Nigeria | Has similar law | Data Protection Regulation |
 | Brazil | Has similar law | General Data Protection Law (LGPD) |
 | Japan | Has similar law | Act on the Protection of Personal Information |
 | Turkey | Has similar law | Law on Protection of Personal Data No. 6698 |
 | South Africa | Has similar law | Protection of Personal Information (POPI) Act |
 | Kenya | Has similar law | Data Protection Act |
 | South Korea | Has similar law | Personal Information Protection Act |
 | Uganda | Has similar law | Data Protection and Privacy Act, 2019 |
 | Argentina | Has similar law | Personal Data Protection Act No 25,326 |
 | Canada | Has similar law | Personal Information Protection and Electronic Documents Act (PIPEDA) |
 | Israel | Has similar law | Data Security Regulations |
 | Switzerland | Has similar law | Personal Data Protection Law |
 | New Zealand | Has similar law | Privacy Act |
 | Uruguay | Has similar law | Act on the Protection of Personal Data and Habeas Data Action |
 | Qatar | Has similar law | Law No. 13 |
 | Bahrain | Has similar law | Personal Data Protection Law |
 | Mauritius | Has similar law | Data Protection Act |
 | Germany | Implemented | |
 | United Kingdom | Implemented | |
 | France | Implemented | |
 | Italy | Implemented | |
 | Spain | Implemented | |
 | Poland | Implemented | |
 | Romania | Implemented | |
 | Netherlands | Implemented | |
 | Belgium | Implemented | |
 | Sweden | Implemented | |
 | Czechia | Implemented | |
 | Portugal | Implemented | |
 | Greece | Implemented | |
 | Hungary | Implemented | |
 | Austria | Implemented | |
 | Bulgaria | Implemented | |
 | Denmark | Implemented | |
 | Finland | Implemented | |
 | Slovakia | Implemented | |
 | Ireland | Implemented | |
 | Croatia | Implemented | |
 | Lithuania | Implemented | |
 | Slovenia | Implemented | |
 | Latvia | Implemented | |
 | Cyprus | Implemented | |
 | Estonia | Implemented | |
 | Luxembourg | Implemented | |
 | Malta | Implemented | |
 | Russia | Not implemented | |
 | Ukraine | Not implemented | |
 | Belarus | Not implemented | |
 | Serbia | Not implemented | |
 | Bosnia and Herzegovina | Not implemented | |
 | Moldova | Not implemented | |
 | Albania | Not implemented | |
 | North Macedonia | Not implemented | |
 | Montenegro | Not implemented |
- GDPR is an acronym standing for General Data Protection Regulation.
- GDPR is binding throughout all of Europe regardless of whether or not a specific country has implemented it. Any European organization that collects data in EU/UK member states is subject to the GDPR even if the organization’s home country has chosen to not implement GDPR.
The General Data Protection and Regulation (GDPR) is an EU regulation on data protection and privacy in the European Union, the European Economic Area, and the United Kingdom. The law regulates how organizations protect the personal data of people residing in its protected areas. The purpose of the GDPR is to give individuals control over their personal data and simplify the regulatory environment for international business. The GDPR was adopted on April 14, 2016, and became enforceable starting May 25, 2018.
Under the GDPR, business processes that handle personal data must provide specific safeguards to protect that data. Data controllers must design information systems with high levels of privacy so subjects cannot be identified through publicly available datasets. No personal data may be processed unless done under one of six lawful specified bases: consent, contract, public task, vital interest, legitimate interest, or legal requirement. Data controllers must also clearly disclose data collection to the user, declare the lawful purpose and basis for processing, and state how long the data will be held and if it will be shared with any third parties. Additionally, businesses that experience a data breach must report the breach to national supervisory authorities within 72 hours if the breach could negatively impact user privacy.
While the GDPR is written to protect those countries in the EU and EEA, institutions and organizations outside of those areas must also follow its provisions and are not exempt from facing the consequences of non-compliance with GDPR. Non-EU organizations need to implement, staff, and run systems to continue offering their services to the EU market. Any transaction between a consumer physically located in a GDPR country at the time of the transaction and an organization located anywhere in the world is subject to the terms of GDPR. This is true even if, for example, the consumer is a Japanese tourist visiting France and the organization with which they interacted is based in North America.
