Which Data Protection Law Applies to You?

A calm guide to working out which data protection law and regulator cover your personal data — based less on where you live and more on where you are when your data is collected, and who is handling it.

In short

Which data protection law applies usually depends on where you are when your data is collected and where the organisation operates — not only your nationality. If you are in the UK, the UK GDPR and the ICO generally apply; in the EU, the GDPR and your national regulator; elsewhere, your country's own law and regulator.

It is about location and the organisation, not just your passport

A common assumption is that your data protection rights follow your nationality. In practice, most modern data protection laws are framed around two things: where you are physically located when your personal data is collected or processed, and where the organisation handling it is established or offering its services. Your citizenship is rarely the deciding factor on its own.

Take the UK GDPR as an example. Its protections generally apply to people who are in the UK, and to organisations established in the UK, as well as to organisations outside the UK that offer goods or services to people in the UK or monitor their behaviour. So a visitor in the UK can be covered by UK rules, while a UK citizen abroad signing up to a local service may be covered by that other country's law instead.

This is why the same person can sit under different laws for different services. The bank in your home country, the shopping site based overseas, and the app whose company is registered in a third country may each be governed by a different framework. Working out which one applies is a per-relationship question, not a single answer for your whole life.

  • Where you are physically located when the data is collected.
  • Where the organisation is established or based.
  • Whether a non-local organisation is deliberately offering services to people in your country.

A short tour of the main frameworks and their regulators

Each region has its own law and its own independent regulator that oversees it and handles complaints. The names differ, but the underlying idea is similar: organisations must handle personal data fairly and lawfully, and individuals have rights they can exercise over their own data.

The list below is a starting orientation, not an exhaustive map. Many other countries have their own laws and authorities, and the detail of how each one applies to a specific situation can be genuinely complex. When two frameworks could apply at once, the right approach is usually to look at where you were and who collected the data, then check that regulator's guidance.

  • United Kingdom — UK GDPR and the Data Protection Act 2018, overseen by the Information Commissioner's Office (ICO).
  • European Union and EEA — the GDPR, overseen by each country's own national data protection authority.
  • Turkey — KVKK (Law No. 6698), overseen by the Kişisel Verileri Koruma Kurumu.
  • California — the CCPA as amended by the CPRA, overseen by the California Privacy Protection Agency (CPPA).
  • Canada — PIPEDA, overseen by the Office of the Privacy Commissioner of Canada (OPC).
  • Australia — the Privacy Act 1988, overseen by the Office of the Australian Information Commissioner (OAIC).
  • Brazil — the LGPD, overseen by the Autoridade Nacional de Proteção de Dados (ANPD).

Working it out in practice — and where to get it confirmed

For most everyday situations, a few simple questions get you close. Where were you when you handed over the data or used the service? Where is the organisation based, and does it clearly offer its service to people in your country? The answers usually point to one main framework, and that framework's regulator publishes guidance written for the public.

If you are unsure, or if more than one law could apply, the regulators themselves are a good first stop. Each authority has public guidance explaining who it covers and how to raise a concern. Knowing which regulator is the right one matters, because exercising a right or making a complaint generally means going to the authority for the relevant jurisdiction.

Seeing your own digital footprint in one place can make this more concrete. When you can see which organisations hold your data and roughly where they are based, it becomes easier to reason about which framework is likely to apply to each one — entirely on your own terms, with you deciding what, if anything, to do next.

This article is general information and not legal advice. Data protection jurisdiction can be genuinely complex, and the right answer depends on your specific facts. For guidance on a particular situation, consider speaking with a qualified professional or your supervisory authority, such as the Information Commissioner's Office (ICO) in the UK.

Frequently asked questions

Does my nationality decide which data protection law applies?

Usually not on its own. Most frameworks focus on where you are when your data is collected and where the organisation operates. A visitor in the UK can be covered by UK rules, while a UK citizen using a local service abroad may fall under that country's law instead.

What if more than one law could apply to me?

That happens often, because different services can sit under different frameworks. For each relationship, look at where you were when the data was collected and where the organisation is based. The relevant regulator's public guidance is a good place to confirm which law applies.

Which regulator do I contact if I have a concern?

Generally the authority for the framework that applies — for example the ICO in the UK, your national DPA in the EU, the KVKK in Turkey, or the CPPA in California. Each regulator explains on its website who it covers and how to raise a concern.

Why does it matter which law applies to me?

Because your specific rights, the time limits, and the regulator you would approach all depend on the framework. Knowing which one applies helps you understand what you can ask an organisation for and where to turn if you are not satisfied.

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

Reviewed by OSINTA's founding lawyer — 2026-06-27.
