Does GDPR apply to Russia?

Asked by: Madelynn Johnston  |  Last update: March 1, 2026
Score: 4.6/5 (48 votes)

No, the General Data Protection Regulation (GDPR) does not directly apply within Russia, as Russia is not an EU member; however, it applies to any company (even in Russia) processing data of people in the EU, and Russian companies handling EU citizen data must comply with both GDPR and Russia's local Personal Data Law (PDL), leading to a "double burden" where GDPR principles often supplement Russian regulations for international firms, according to CookieScript, TermsFeed, CookieYes, Consentmo, Gorodissky, cms.law, valen-legal.com, DataGuidance, Ius Laboris, and Denuo Legal, Thoropass, DataGuidance, and DLA Piper.

Does Russia follow the GDPR?

Even if the General Data Protection Regulation – GDPR – only applies in EU countries, Russia is also affected by this new law.

Which countries are not GDPR compliant?

The following European countries have not adopted the GDPR:

  • Albania.
  • Belarus.
  • Bosnia and Herzegovina.
  • Croatia.
  • Kosovo.
  • Moldova.
  • Montenegro.
  • North Macedonia.

What countries does the GDPR apply to?

GDPR covers 27 member countries of the European Union and all the countries in the European Economic Area (the EEA). The EAA ropes in other countries beyond the EU member states, including Iceland, Norway, and Liechtenstein.

Who does the GDPR not apply to?

Some of the key exemptions from GDPR compliance include personal or household activities, government agencies and law enforcement, and the processing of personal data by Member States.

What Countries Does GDPR Apply To? - TheEmailToolbox.com

45 related questions found

Does GDPR apply to Ukraine?

Countries like Albania, Belarus, Bosnia and Herzegovina, Croatia, Kosovo, Moldovia, Montenegro, North Macedonia, Russia, Serbia, Turkey, and Ukraine are part of Europe, but they are not governed by the GDPR. However, if any of their companies process data in the EU, they are bound to comply with GDPR regulations.

Who is exempt from GDPR?

Some of the most common exemptions include businesses that do not process personal data of living persons, businesses that have no connection with the European Union, derogations for businesses with less than 250 employees, or data processing primarily for personal/household activities.

Do the USA have GDPR?

GDPR's extraterritorial reach means that U.S. businesses are not exempt from its requirements. If your company processes personal data of EU citizens—whether through offering goods or services, employing EU residents, or monitoring EU citizens' online behavior—your organization is subject to GDPR.

Is the GDPR only for Europe?

The GDPR does apply outside Europe

The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”

Is Switzerland covered by the GDPR?

Switzerland is not an EU member, so the GDPR does not apply within the country, hence the need for its own such law. While both laws aim to protect personal data and privacy, there are key differences between them that businesses must be aware of, particularly if they do business in the EU and in Switzerland.

Which country has imposed the biggest GDPR fine?

1. Meta GDPR fine- €1.2 billion. In May 2023, in a groundbreaking decision in the past five years of GDPR enforcement, the Irish Data Protection Commission (DPC) imposed a historic fine of €1.2 billion on US tech giant Meta.

What are the 6 legal bases of GDPR?

Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.

Which countries have no data?

Some countries do not regularly report data due to conflict, lack of statistical capacity, or other reasons (e.g. Somalia, North Korea, and some Caribbean and Pacific island economies).

Is using a VPN illegal in Russia?

The new version of Russia's law “On advertising” prohibits promoting VPNs that allow users to bypass the blocks imposed by Russia's federal censor, Roskomnadzor. Violating the ban is a misdemeanor offense, with fines up to 80,000 rubles ($990) for individuals and up to 500,000 rubles ($6,200) for organizations.

What is the data privacy law in Russia?

The Russian Federal Law on Personal Data (No. 152-FZ), implemented on July 27, 2006, constitutes the backbone of Russian privacy laws and requires data operators to take "all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental access".

Which countries do not follow GDPR?

List of Non-GDPR European Countries

  • Albania.
  • Belarus.
  • Bosnia and Herzegovina.
  • Kosovo.
  • Moldovia.
  • Montenegro.
  • North Macedonia.
  • Russia.

Does GDPR apply to US military bases?

GDPR affects any person who is physically in the EU. If for example, like many Service Credit Union members, you are a member of the U.S. Military or Department of Defense living in Europe, GDPR applies to you anytime you are in an EU country, whether you are on or off base.

Is Turkey a GDPR country?

Non-GDPR countries in Europe

These are the non-EU member states to which GDPR is not directly applicable yet such as Albania, Russia, Turkey, Georgia, Serbia, Ukraine, Belarus, Bosnia, Kosovo, Moldova, North Macedonia, and Montenegro.

What are the 7 rules of GDPR?

The 7 principles of GDPR (General Data Protection Regulation) are: Lawfulness, Fairness & Transparency (process data legally, fairly, openly); Purpose Limitation (use data only for specified, legitimate reasons); Data Minimisation (collect only necessary data); Accuracy (keep data correct and up-to-date); Storage Limitation (don't keep data longer than needed); Integrity & Confidentiality (secure the data); and Accountability (demonstrate compliance).
 

What is the closest law to GDPR in the USA?

The US equivalent of the GDPR is the CCPA or California Consumer Privacy Act. It was inspired by the GDPR, and both laws protect the personal data of consumers.

What is the difference between GDPR and CCPA?

GDPR requires companies to have legal basis before processing data about residents. CCPA does not. GDPR applies to all businesses that meet the legal basis requirement mentioned above. CCPA applies only to businesses with an annual gross revenue of more than $25 million.

Is the US adequate under GDPR?

The General Court's judgment in case T-553/23, Philippe Latombe v European Commission, confirms that “the United States ensured an adequate level of protection for personal data transferred from the European Union to organisations in that country,” the Court's press release states.

Which country has the best data protection laws?

Data privacy laws by country

  • Ireland. The island nation got an early start on legislating data privacy starting with the Data Protection Act in 1988 and built on that legal framework with the ePrivacy Regulations of 2011. ...
  • Denmark. ...
  • Norway. ...
  • Canada. ...
  • Portugal. ...
  • France. ...
  • Brazil. ...
  • Switzerland.

Is Switzerland part of the GDPR?

Switzerland is not in the EU and has not introduced EU regulations on general data protection (GDPR). The GDPR is also applicable if companies are based in Switzerland and offer services in the EU.

What are the 10 key requirements of GDPR?

  • 10 key GDPR requirements. ...
  • Lawful, fair, and transparent processing. ...
  • Purpose, data, and storage limitation. ...
  • Data accuracy and security. ...
  • Data Protection Impact Assessments (DPIAs) ...
  • Privacy by design and default. ...
  • Controller–Processor contracts (Article 28) ...
  • Data subject rights enablement.