Uncertainty around the General Data Protection Regulation (GDPR) is a major pain point for businesses worldwide. Marketing teams, analysts, and decision-makers often wonder whether their business operations are subject to this regulation and what happens if they fail to comply.
The answers aren’t always obvious, and missing the mark can be costly. Fines for noncompliance can reach into the billions for the largest companies, but unnecessary compliance efforts can also drain budgets and slow growth.
That’s why it’s critical to understand exactly where the GDPR applies and how enforcement varies across countries. This guide provides a clear map of countries protected by the GDPR, insights into which are most proactive in investigating and penalizing noncompliance, plus practical guidance on whether your company needs to comply.
Key takeaways
- The GDPR applies globally to any organization that collects or processes the personal data of individuals in the EU or EEA, regardless of the organization’s location.
- While the regulation harmonizes core principles across 30 EU and EEA countries, each nation enforces the GDPR through its own national data protection authority.
- Non-EU countries, like the UK and Switzerland, have their own GDPR-inspired frameworks, requiring many businesses to navigate overlapping but distinct compliance obligations.
- Enforcement intensity varies, with regulators such as Spain’s AEPD, Ireland’s DPC, and the UK’s ICO standing out for frequent or high-value fines.
- For businesses operating internationally, tools like the Usercentrics CMP can help ensure consistent compliance across regions with evolving regulations.
Who has to comply with the GDPR?
The GDPR was designed with global reach in mind. Whether you need to achieve GDPR compliance depends not on where your company is established, but on whether you collect or process the personal data of people located in the European Union (EU) or European Economic Area (EEA). That means businesses far beyond Europe still fall under its scope.
Consider these scenarios that do require GDPR compliance:
- An American online retailer with customers in Spain
- A South African fintech startup offering services to German users
- A Japanese app developer whose app is downloaded by users in France
Which countries does the GDPR apply to? A quick breakdown
The GDPR protects people in all European Union Member States, as well as the countries in the European Economic Area. That means the regulation covers a total of 30 countries:
- EU Member States (27): Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden
- Non-EU EEA countries (3): Iceland, Liechtenstein, and Norway (all 27 EU Member States are also part of the EEA)
Does the GDPR apply to non-EU countries?
The GDPR’s protections are tied to people located in the countries listed above (and, for organizations established in the EU/EEA, to all personal data they process, wherever the individuals are), but being outside of Europe doesn’t exempt your business from GDPR obligations. The law applies worldwide to businesses that:
- Offer products or services to individuals in the EU or EEA, or
- Track, analyze, or monitor the behavior of individuals in the EU/EEA, as far as that behavior takes place there
That means the GDPR can apply to US businesses, as well as companies in any other country.
Note that while Switzerland isn’t covered by the GDPR, it enforces its own privacy regulation, the Federal Act on Data Protection (FADP). Like the GDPR, the FADP focuses on protecting personal data and applies to any business whose processing has an effect in Switzerland, not only to Swiss-based companies. Strong trade ties with the EU/EEA and maintaining data flows were a significant consideration in the most recent update to the FADP, which has applied since September 2023.
Is the UK a GDPR country?
Although the UK left the European Union in 2020, it didn’t walk away from GDPR protections. Instead, it created its own version: the UK General Data Protection Regulation (UK GDPR), which works in combination with the UK’s Data Protection Act 2018 and Privacy and Electronic Communications Regulations (PECR).
The UK GDPR is nearly identical to the EU GDPR. It was built around the same principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
This means that businesses that already comply with the EU GDPR are generally well positioned to meet the UK’s requirements too. However, it’s important to remember that these are two separate legal frameworks, and that legislative change regarding data privacy in the UK has been rapid; the Data (Use and Access) Act 2025 amends both the UK GDPR and the Data Protection Act 2018, so a compliance program built on the 2021 text needs to be rechecked.
UK GDPR compliance is enforced by the Information Commissioner’s Office (ICO). Just as EU regulators have the power to issue significant GDPR fines, the ICO can and will do the same in the event of a personal data breach or other failure to comply. The ICO can also exercise less severe corrective measures, such as reprimands and enforcement notices, particularly for low-risk or first-time violations.
Do GDPR countries have their own data privacy guidelines?
The GDPR is often described as a harmonized law, but every individual EU/EEA country enforces its requirements through its own national regulator, also called a data protection authority (DPA).
Regulators like Ireland’s Data Protection Commission (DPC) or the Spanish Data Protection Agency (AEPD) have the authority to issue guidance, investigate complaints, and impose penalties.
What’s more, each European country may also have its own additional data privacy law and/or consent requirements that you must follow if you do business there.
A business expanding into multiple European markets can’t rely on a single, uniform playbook. You need to track national regulations and guidelines in every country where you operate to achieve and maintain compliance. Additionally, you may face other operational compliance requirements, like tech platforms’ policies, e.g., Google’s EU user consent policy.
Which countries have the strictest GDPR enforcement?
Not all GDPR countries enforce the regulation in the same way or to the same degree. Some authorities take a more proactive approach, issuing frequent fines and setting examples with high-penalty cases, while others enforce more selectively.
This means that businesses may face varying levels of scrutiny depending on where their customers are located. It’s also important to remember that most enforcement actions don’t make headlines. The absence of multi-million-euro fines in a given country doesn’t mean noncompliance among smaller organizations isn’t being investigated and penalized there.
Looking at trends reported by the GDPR Enforcement Tracker, the strictest countries are those with either the most frequent fines or the largest single penalties, or both.
Below are the countries most often recognized for their tough stance on GDPR enforcement. Statistics were up to date as of October 2025.
1. Spain
Enforcement authority: Agencia Española de Protección de Datos / Spanish Data Protection Agency (AEPD)
Number of fines to date: 1,021
Total value of fines: EUR 120,770,450
The Spanish Data Protection Agency (AEPD) is the most active GDPR regulator in Europe by number of fines. Its approach combines frequent enforcement with occasional high-impact penalties. The AEPD’s enforcement is consistent, targeting small businesses, global tech companies, and everyone in between.
Spain’s largest fine to date was a EUR 10 million penalty to Google for automatically sharing personal data from users’ content removal requests with the Lumen project without the users’ consent. The AEPD ruled that this violated users’ rights to control and erase their data, also noting the scale, sensitivity, and international transfer of the information.
2. Ireland
Enforcement authority: Data Protection Commission (DPC)
Number of fines to date: 35
Total value of fines: EUR 4,038,107,900
Ireland’s Data Protection Commission (DPC) takes a markedly different approach from other European regulators. With only 35 fines issued to date, the DPC enforces less frequently than some peers, but when it does, the penalties tend to be significant.
The total value of fines exceeds EUR 4 billion, making Ireland one of the most impactful jurisdictions in terms of financial consequences. This may be in part because Ireland is the EU headquarters for many global tech giants.
Rather than focusing on volume, the DPC prioritizes high-stakes cases that target major GDPR compliance violations. One example is its EUR 1.2 billion fine on Meta in 2023, the highest GDPR penalty imposed to date. The DPC imposed the fine for violating Art. 46 GDPR by continuing to transfer European users’ personal data to the US without appropriate safeguards, and ordered the transfers to stop.
3. Italy
Enforcement authority: Garante per la protezione dei dati personali / Italian Data Protection Authority (Garante)
Number of fines to date: 438
Total value of fines: EUR 276,812,200
With 438 fines totaling over EUR 276 million, Italy’s Garante is one of Europe’s toughest GDPR regulators.
The largest fine to date was EUR 79.1 million against power company Enel Energia SpA, following systemic failures that allowed unauthorized agents to misuse customer data through telemarketing. The Garante stressed that inadequate technical and organizational measures contributed to prolonged unlawful practices. The size of the fine shows how heavily the Garante penalizes structural control failures, not just individual incidents.
4. France
Enforcement authority: Commission nationale de l’informatique et des libertés / National Commission on Informatics and Liberty (CNIL)
Number of fines to date: 72
Total value of fines: EUR 649,565,200
France enforces the GDPR rigorously, imposing harsh penalties on companies that violate users’ privacy rights or fail to protect customer data.
A prime example is the EUR 150 million penalty issued to clothing retailer Shein in 2025. The investigation revealed multiple compliance failures: cookies were set before consent was given, the consent banner was incomplete, and users could not easily refuse or withdraw consent.
This penalty highlighted the importance of giving users clear control over their data. The fine signals that even widely used online platforms are subject to strict GDPR enforcement.
5. Germany
Enforcement authority: Bundesbeauftragter für Datenschutz und Informationsfreiheit / Federal Commissioner for Data Protection and Freedom of Information (BfDI), which supervises federal bodies and telecommunications and postal providers, and the data protection authorities (DPAs) of the 16 federal states, which supervise most private companies
Number of fines to date: 216
Total value of fines: Over EUR 102,237,599
German regulators take GDPR compliance seriously, holding companies responsible for shortcomings that put personal data at risk.
A prime example is the BfDI’s EUR 45 million fine of telecom Vodafone GmbH in 2025. The company relied on third-party partner agencies for customer-facing processing but failed to select and supervise them adequately. This lapse enabled fraud and exposed customers’ personal information, and accounted for EUR 15 million of the total.
The remaining EUR 30 million was for insufficient technical and organizational measures in customer authentication via the online portal and hotline, which allowed unauthorized third parties to access customer accounts. This example demonstrates that even large, well-resourced companies cannot overlook internal controls.
6. United Kingdom
Enforcement authority: Information Commissioner’s Office (ICO)
Number of fines to date: 20
Total value of fines: EUR 82,736,525
The Information Commissioner’s Office (ICO) has issued 20 UK GDPR fines totaling over EUR 82 million. The ICO takes a measured approach that focuses on serious GDPR compliance violations rather than high-volume enforcement.
The largest penalty involved airline British Airways, which was ultimately fined GBP 20 million in 2020 (reduced from the GBP 183 million the ICO initially proposed) following a 2018 cyber incident that exposed the personal data of more than 400,000 customers and staff. The ICO found that poor data security arrangements allowed attackers to modify the website’s code so that customer data was copied to an attacker-controlled site, compromising login, payment card, travel, and personal details.
7. Greece
Enforcement authority: Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα / Hellenic Data Protection Authority (HDPA)
Number of fines to date: 77
Total value of fines: EUR 34,813,540
Greece’s GDPR enforcement agency, the HDPA, has issued 77 fines totaling over EUR 34 million, demonstrating a moderate but deliberate enforcement approach.
A notable case involved the Greek Ministry of the Interior, which was fined EUR 400,000 for leaking email addresses from the voter registry of Greek expatriates. This data was then misused by a Member of the European Parliament (MEP) to send unsolicited political communications.
The decision to penalize the Ministry of the Interior highlights that even government institutions face consequences when they mishandle sensitive personal data.
8. Luxembourg
Enforcement authority: Commission Nationale pour la Protection Des Données / National Commission for Data Protection (CNPD)
Number of fines to date: 34
Total value of fines: EUR 746,491,300
Luxembourg’s National Commission for Data Protection (CNPD) has issued 34 fines totaling more than EUR 746 million, reflecting an enforcement strategy that is low volume but high impact. The CNPD targets major GDPR compliance violations, particularly among large multinational organizations, rather than issuing frequent smaller fines.
The country’s most notable case exemplifies this approach. In 2021 the CNPD fined Amazon Europe Core S.à r.l. EUR 746 million for failing to process personal data in accordance with the GDPR’s requirements. Amazon challenged the penalty in court, but the Luxembourg Administrative Tribunal upheld the CNPD’s decision in 2025.
9. The Netherlands
Enforcement authority: Autoriteit Persoonsgegevens / Dutch Data Protection Authority (AP)
Number of fines to date: 30
Total value of fines: EUR 350,270,500
To date the AP has issued 30 fines totaling over EUR 350 million. The largest penalty was in response to a mobile app GDPR violation. Rideshare app provider Uber was fined EUR 290 million in 2024 for transferring EU drivers’ personal data to the US without sufficient safeguards.
The AP found that for more than two years the location, payment, identity document, and in some cases medical and criminal data of drivers were transferred without appropriate transfer mechanisms in place.
That’s not the only fine the Dutch enforcement agency imposed on Uber. The company faced a fine of EUR 10 million just seven months earlier for failing to provide sufficient information about both the storage period of European drivers’ data and the countries outside of the EU to which the data was transferred.
10. Romania
Enforcement authority: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal / National Supervisory Authority for the Processing of Personal Data (ANSPDCP)
Number of fines to date: 247
Total value of fines: EUR 1,542,150
Romania’s ANSPDCP has issued almost 250 fines totaling just over EUR 1.5 million, reflecting a high-volume but lower-impact approach compared to other EU regulators.
The Romanian authority tends to target frequent, smaller breaches rather than imposing record-breaking fines. Their focus is on ensuring basic privacy compliance across a wide range of organizations, from banks and political parties to mobile providers and software companies.
This approach shows that even where individual fines are small, Romanian businesses can’t ignore GDPR obligations. Consistent enforcement puts pressure on companies to follow proper data protection measures.
Achieve seamless GDPR compliance wherever your business is located
Different jurisdictions enforce the GDPR according to their own strategies, and national guidelines, fines, and consent expectations can vary. For companies with an audience spread across a range of countries, avoiding fines across jurisdictions can be a challenge.
Usercentrics provides a solution designed with this reality in mind. Our fully customizable consent management platform (CMP) enables you to manage consent and privacy compliance consistently across all websites, apps, and other digital touchpoints. Note that a CMP addresses the consent and transparency obligations behind cases like the Shein fine; the transfer safeguards, processor supervision, and security measures at issue in the Meta, Uber, Vodafone, and British Airways cases still need to be handled in your own data protection program.
Geolocation features show users the right consent banner for their region, with relevant legal information and consent choices. And Usercentrics CMP automatically updates in line with evolving GDPR and other privacy requirements, so you’re always aligned with the latest rules without the need for manual updates.
With Usercentrics, you gain clarity, efficiency, and confidence in managing personal data across borders. No matter where your customers are located, Usercentrics provides a single, reliable platform to help you comply with GDPR obligations and keep your business growing safely, sustainably, and globally.