GDPR Countries 2025

If you've ever wondered, "What are the GDPR countries?", you're not alone.

The General Data Protection Regulation (GDPR) is one of the most influential data protection laws in the world.

The GDPR is enforced across the European Union (EU) and the European Economic Area (EEA). Any organization that processes personal data of EU/EEA citizens must comply with it, regardless of where the company is located.

In this post, I'll give you a list of countries that fall under the GDPR's jurisdiction. I'll also explain which countries are considered safe for data transfers under GDPR (GDPR Adequate countries) and provide guidance on how to transfer data to non-GDPR countries in compliance with the GDPR.

Whether you're a business owner or tech developer, understanding the global impact of GDPR is essential in today's data-driven world.

GDPR countries 2025

The GDPR applies to all countries in the EU and EEA, covering a total of 30 countries. Below is the official list of GDPR countries for 2025.

List of GDPR countries 2025 (EU)

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden

GDPR countries outside EU 2025 (EEA)

Under the EEA agreement, EEA countries are subject to the GDPR but do not have a vote on GDPR-related matters, as they are not EU members.

  1. Iceland
  2. Liechtenstein
  3. Norway

Transfer of data between GDPR countries

If your customers are located in any of the GDPR countries, you must comply with the 7 core GDPR principles to ensure the protection of their personal data.

This includes obtaining explicit consent before collecting or processing their personal data and implementing robust GDPR cybersecurity measures to safeguard it.

Within GDPR-compliant countries, personal data is considered protected, meaning you can transfer data freely within the EU without additional safeguards.

Transfer of data from GDPR countries to non-GDPR countries

Under the GDPR, if you want to transfer data from a GDPR country to a non-GDPR country, you must ensure that the receiving country has adequate data protection standards in place, as required by the GDPR.

As of today, in 2025, the European Commission has recognized 15 countries as providing an adequate level of data protection. These countries are called GDPR adequate countries and allow for safe data transfers under GDPR regulations.

Therefore, you can transfer personal data freely between the EU and these 15 GDPR adequate countries without needing additional safeguards, because these countries have been deemed by the European Commission to provide data protection standards that are comparable to those required by the GDPR.

If you transfer data to a country that is not a GDPR-adequate country, you must implement additional safeguards (e.g., clauses, corporate rules) to ensure the data is protected in accordance with GDPR standards.

GDPR Adequate countries 2025

GDPR partially adequate countries 2025

GDPR completely adequate countries 2025

What if all your customers live outside of the GDPR countries?

If you are only serving customers living outside of the EU and EEA, the GDPR doesn't apply to you.

However, it's crucial to consult with a lawyer, as other data privacy laws may still apply. Some of these laws are as strict as the GDPR, while others may be less stringent but still require compliance.

Examples of countries with GDPR equivalent rules

United Kingdom

After Brexit, the United Kingdom is no longer part of the European Union. However, at the end of the exit transition period, the UK adopted the UK Data Protection Act 2018 (or UK-GDPR), which mirrors the European GDPR although it is separate from it.

Therefore, as of today, the UK applies the exact same data privacy rules as the GDPR.

Switzerland

Switzerland adopted the Federal Act on Data Protection (FADP), which aligns closely with GDPR principles.

GDPR US equivalent

The US seems to favor a market-driven approach that prioritizes access to services, innovation and economic growth. As a result, it is still working to find the right balance between fostering these goals and ensuring adequate consumer protection and privacy rights.

However, that doesn't mean that there are no privacy laws in the US. It's important to consult with an attorney to make sure you're complying with all relevant laws.

Below, I'll outline just a few examples of data privacy laws in the US.

Example #1 - Health Insurance Portability and Accountability Act (HIPAA)

HIPAA establishes national standards for the protection of sensitive patient health information.

That means that if your business operates in the healthcare industry (e.g., healthcare startup, insurer, healthcare provider), you must take proper measures to safeguard patient data and ensure its confidentiality and security.

Similar to the GDPR, you must train your staff on data privacy practices, implement strong cybersecurity measures, and set clear procedures for sharing data.

Example #2 - California

California also has its own data privacy laws, with the California Consumer Privacy Act (CCPA) being the most prominent.

The CCPA provides certain rights to consumers regarding their personal information, including the right to know what personal information is being collected, the right to request that information be deleted, and the right to opt out of the sale of their data (unlike the GDPR, which requires opt-in consent). It also requires businesses to have clear privacy notices.

Example #3 - New York

The New York Privacy Act (NYPA) has been proposed but hasn't been enacted into law yet.

If passed, it would include privacy protections similar to those in the GDPR.

Stay tuned for more information! As a New York attorney, I will surely keep a close eye on that.

Conclusion

The GDPR applies to businesses that process the personal data of customers in the EU and EEA. Within these regions, data can be transferred freely.

The European Commission has also recognized 15 countries as providing an adequate level of data protection, enabling smooth data transfers between these areas.

Outside of these regions, however, you are responsible for ensuring that data protection standards are met.

That said, the GDPR isn't the only data protection regulation in place. Many countries, including the US, are becoming more aware of the importance of data protection, especially as the tech industry continues to evolve. Laws in this area are constantly changing, so it's essential to consult with a lawyer to ensure you're compliant with all relevant data protection regulations.

Disclaimer: This article is written by Valine Mayer-Trinh, a New York attorney with an LLM degree from Cornell and master’s degrees in business and financial law from top French law schools.

While I strive to provide accurate and up-to-date legal information, this article is for general informational purposes only and does not constitute legal advice. This is a platform for me to express my thoughts and reading this article does not create an attorney-client relationship.

Although I have extensive education in French law, please note that I am only licensed to practice in New York, not Europe. The legal landscape is complex, new regulations may emerge, and the application of existing laws can vary depending on specific circumstances. Therefore, I strongly encourage you to consult with an expert and qualified attorney to address your specific legal concerns.
