Companies that collect, store and process data in Europe are likely subject to the General Data Protection Regulation. This 2018 law protects European residents’ data privacy. Companies who violate the GDPR are subject to hefty fines, up to €20 million or four percent of the company’s global revenue, whichever is higher.

To comply with the GDPR, businesses need a GDPR-compliant privacy policy. Read on to learn more about the GDPR countries affected by this law.


Countries Affected by the GDPR

The GDPR applies to all member-states of the European Union (EU) and the United Kingdom. Additionally, it applies to any company doing business in those countries. Article 3 states that if the organization offers goods or services to EU residents, or the company monitors their online behavior, the GDPR applies—no matter where the company is located. Whether a company is headquartered in California or Calcutta, if they collect data from the EU, they must comply with the GDPR.

According to Defensorum:

The law states that ‘any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.’ Even if only a branch or subsidiary of the main organisation is located within the EU, the entire organisation is required to be GDPR-compliant.”

The GDPR sets a high standard for privacy—more stringent than most American regulations. Therefore, it’s crucial for companies to conduct a data audit to see if their business practices are affected by the GDPR.

List of GDPR Countries

The following EU countries have adopted the GDPR:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • The Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom*

* The United Kingdom is an outlier. Although the UK has left the EU as of January 2020, the GDPR was adopted before its departure and is considered good UK law.

List of Non-GDPR Countries

These countries are in Europe, but have not adopted the regulation:

  • Albania
  • Belarus
  • Bosnia and Herzegovina
  • Croatia
  • Kosovo
  • Moldovia
  • Montenegro
  • North Macedonia
  • Russia
  • Serbia
  • Turkey
  • Ukraine

If any organization in these countries collects data in the EU member states, they are bound by the GDPR.

What to Know About GDPR Countries

As we see from the examples above—and from current events—the EU is a fluid entity. Countries may enter or exit the EU at will. It’s incumbent upon each company or organization to keep up with the current geopolitical climate, and make adjustments as necessary.

For example, the conflict in Ukraine spurred their leadership to apply to join the EU. If and when their entry is approved, their residents will be immediately covered by the GDPR—so companies must be ready to pivot with changes to the law.

Exceptions and Considerations

There are two exceptions to the GDPR. First, it doesn’t apply to “purely personal or household activity”—only “professional or commercial activity.” Individuals do not need to worry about encrypting their address books or other privacy considerations (although that may be wise anyway).

The second exception is for small to medium-sized companies. If an organization has less than 250 people, it is not exempt from the entire regulation. However, the record-keeping obligations are far less stringent.

There are two things for businesses to consider when creating their GDPR privacy policy. First, offering goods and services to EU residents means that a company is subject to the GDPR. Businesses should create their GDPR policy before an individual living in the EU becomes a customer.

Generally, the GDPR enforcement authorities will consider whether a sale is an occasional instance, or if a business is targeting EU residents. If a business is targeting EU customers, such as taking out advertisements in EU countries, they need to have a policy in place.

The second consideration is when a business unintentionally collects EU data—despite not having any connection to the countries included in the GDPR. For instance, consider a local business in California that only sells goods and services to in-state residents. What happens if someone from Italy stumbles upon their website and accepts their tracking cookies? Technically, they’ve just collected data from an EU resident. Will they be fined if they don’t have a GDPR policy? While it’s not likely, it’s possible.

Discover SixFifty Solutions

Whether you intend to expand your business empire worldwide, or you simply want to prepare for growth, having a GDPR policy in place is a good idea. With SixFifty’s privacy toolset, it’s easier than ever to create a comprehensive policy. We make GDPR compliance simple, so you can focus on your specific talents.

If you’re ready to get started or have further questions, schedule a demo with SixFifty today!