- Andorra
- Austria
- Belarus
- Belgium
- Bermuda
- Bosnia And Herzegovina
- British Virgin Islands
- Bulgaria
- Cayman Islands
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Iceland
- Ireland
- Italy
- Jersey
- Latvia
- Lithuania
- Luxembourg
- Netherlands
- North Macedonia
- Malta
- Monaco
- Montenegro
- Norway
- Poland
- Portugal
- Romania
- Serbia
- Slovakia
- Slovenia
- Spain
- Sweden
- Switzerland
- Ukraine
- United Kingdom

GDPR is applicable to Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
Apart from GDPR each member states have specific law.

Austria

Belarus
- Law on Protection of Personal Data of May 7, 2021
- Draft of ‘Personal Data Protection Law’ as on 14 May 2021.
- Law on Information Protection No. 455-Z (Information Protection Law)
- Law on Population Register No. 418-Z (Population Register Law).
- Law on Advertising of May 10, 2007 No. 225-Z (the “Advertising Law”)
- Law on Mass Media of July 17, 2008 No. 427 Z (Mass Media Law).

Belgium
- The ‘Data Protection Act’ of July 30, 2018
- Act of 3 December 2017 on the creation of the Belgian Data Protection Authority
- Act of 8 August 1983 organizing a National Registry for natural persons as amended by The Belgian law of 25 November 2018
- Belgian Economic Law Code of 28 February 2013
- Belgian Act of 3 August 2012 laying down various provisions as regards the processing of personal data carried out by the Federal Public Service Finance within the framework of its missions (as amended by the Act of 5 September 2018)
- Belgian Act of 21 March 2007 regarding the installation of surveillance camera, as amended by the Act of 21 March 2018
- Act of 5 September 2018 establishing the information security committee and amending various acts regarding the implementation of Regulation (EU) 2016/679
- Act of 13 June 2005 on Electronic Communications
- Act of 13 December 2006 containing various health provisions, as amended by the Act of 5 September 2018

Bosnia And Herzegovina

British Virgin Islands
- The British Virgin Islands (BVI) has not enacted formal legislation to regulate data protection. However, it is expected that BVI will promulgate data protection legislation in the near future to adapt internationally recognized standards. *
- The British Virgin Islands has enacted new personal data protection legislation in the form of the Data Protection Act, 2021 (the DPA). While the law has been enacted, it is yet to come into force.
- BVI Proceeds of Criminal Conduct Act, 1997
- Anti-Money Laundering Regulations, 2008.
- Computer Misuse and Cyber crime Act, 2014
- The Telecommunications Act (No 10 2006) regulates the BVI telecommunications industry and provides sanctions to protect the confidentiality of personal data.


Croatia
- The act for the Implementation of GDPR came into force on 27 April 2018 repelling the Act on Personal Data Protection
- Act on Healthcare Data and Information came into force on 15 February 2019.

Czech Republic



France
- Privacy and Electronic Communications 2002/58/EC Regulations of 12 July 2002 (“ePrivacyDirective“)
- Data Protection Act n° 78-17 of 6 January 1978 as modified 12 December 2018 (“Data Protection Act“).
- Decree n° 2005-1309 of 20 October 2005 as modified 1 August 2018
- Law on Confidence in the Digital Economy, 21 June 2004 (“LCEN“)
- Decree no. 2011-219 of 25 February 2011 on the conservation and communication of data identifying any person who has contributed to the creation of online content
- Digital Republic Act no 2016-1321 of 7 October 2016



Hungary
- Act LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interests
- Act No. CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information
- Act XLVII of 1997 on Processing and Protection of Medical and Other Related Personal Data
- Act C of 2003 on Electronic Communications

Iceland
The Data Protection Act of 2000
Act 90/2018 on Data Protection and Processing of Personal Data (“Data Protection Act”) implementing the GDPR into Icelandic law (only available in Icelandic)






North Macedonia
- Law on Personal Data Protection (Official Gazette of the Republic of Macedonia) effective February 2005, amended March 2014.
- Law on Personal Data Protection 2020 is implemented for the Macedonia’s obligation to align its national legislation with the EU regulatory framework derives from its status as an EU candidate country, whereby the implementation of the EU legislation is mandatory

Malta
- The right to privacy is considered a fundamental human right, and is protected in part by the Data Protection Act of 2001
- Chapter 586- Data Protection Act
- ACT No. XII of 2021(Amendments to the Data Protection Act)
- Subsidiary Legislation 586.07 (Processing of Personal Data (Education Sector) Regulations
- Subsidiary Legislation 586.10 (‘Processing Of Data Concerning Health for Insurance Purposes Regulations’)



Norway
- Norwegian Personal Data Act (in Norwegian only)
- EU General Data Protection Regulation Although not being a member of the EU, Norway is a member of the European Economic Area (EEA). The GDPR was incorporated into the EEA agreement and became applicable in Norway. Norway is thus bound by the GDPR in the same manner as EU Member States.

Poland
- Act of the Protection of Personal Data, passed in 1997.
- Act of 10 May 2018 on Personal Data Protection.
- Act of 14 December 2018 on the Protection of Personal Data Processed in Connection with the Prevention and Combating of Crime

Portugal
- Personal Data Protection and Telecommunication Privacy Act
- Portuguese Data Protection Act (Law no. 67/98) which transposed the Data Protection Directive 95/46/EC into law (incoming Portuguese law that will implement the GDPR and replace the Portuguese Data Protection Act)
- Regulation no. 798/2018 that foresees a list of personal data processing activities that must be subject to a Data Protection Impact Assessment (“DPIA”)
- The Portuguese Law No. 58/2019
- The Portuguese Law no 59/2019

Romania



Spain
- Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights
- Royal Decree 1720/2007, of 21 December, by which the Regulation of development of the Organic Law 15/1999, of 13 December, of protection of personal data is approved
- Royal Decree-Law 12/2018, of 7 September, on security of networks and information systems
- Law 9/2014, of 9 May, General of Telecommunications


Ukraine
- Law of Ukraine No. 2297 VI ‘On Personal Data Protection
- Law of Ukraine ‘On Amendments to Certain Laws of Ukraine regarding Improvement of Personal Data Protection System’ No. 383-VII
- The Constitution of Ukraine
- The Civil Code of Ukraine No 435 IV
- Law of Ukraine ‘On Information’ No 2657 XII
- Law of Ukraine ‘On Protection of Information in the Information and Telecommunication Systems’ No. 80/94 VR
- Law of Ukraine ‘On Electronic Commerce’ No 675-VIII

United Kingdom
*Disclaimer: This general information is provided for reference purpose only. It is informed that laws are subject to frequent updation and each jurisdiction may have additional civil laws and policies in place. Also link to laws provided for certain countries are of unofficial english translation therefore readers are advised to cross-check/ validate the information provided from official sources.