Data protection and cybersecurity laws in Montenegro

Data protection

1. Local data protection laws and scope

The Personal Data Protection Law (Official Gazette of Montenegro Nos. 79/2008, 70/2009, 44/2012 and 22/2017) (“the PDPL”)

2. Data protection authority

Agency for Personal Data Protection and Free Access to Information (“the Agency”): http://www.azlp.me/en/home

3. Anticipated changes to local laws

Changes to the PDPL are anticipated soon; first drafts of the law are already being negotiated.

4. Sanctions & non-compliance

Administrative sanctions:

N/A

Criminal sanctions:

The Agency does not have any enforcement powers. Sanctions can only be imposed by a judge (in criminal or offence proceedings). The fines for offences range from EUR 500 to EUR 20,000 for a legal entity, from EUR 150 to EUR 2,000 for the responsible person in the legal entity, and from EUR 150 to EUR 6,000 for an entrepreneur, per offence.

Criminal offences involving the unauthorised collection and usage of personal data carry a penalty of a monetary fine or imprisonment for up to one year.

Others: 
  • Reputational risk;
  • Reimbursement of the potential damages (material and non-material)

5. Registration / notification / authorisation

Setting up a personal data filing system is subject to notification. After setting up a data filing system, the data controller must appoint a person responsible for the protection of personal data (if the data controller employs more than ten people who process personal data).

6. Main obligations and processing requirements

  • Information requirement;
  • Consent requirements, unless processing is required by the law;
  • Notification requirement.

7. Data subject rights

Data subjects have the right to:

  • be informed in connection with the data processing;
  • access data relating to them;
  • request that the data be corrected, modified, updated or deleted;
  • request a stay and suspension of processing;
  • have the data processing stayed or suspended if they have challenged the correctness, completeness and accuracy of the data. 

8. Processing by third parties

According to the PDPL, a third party (i.e. a user of personal data) is any natural or legal person, state body, state administration body, local self-government body or local administration, and other entities exercising public authority, which has the right to process personal data and which is not the person whose personal data is processed, the original data controller of a data filing system, the processor of personal data, or a person employed by the controller of the data filing system or by the processor of personal data.

A data controller is obliged to inform a person if his/her data will be processed by a third party.

9. Transfers out of country

The Agency’s approval is required for the transfer of personal data from Montenegro to a state that is not party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Agency determines whether the requirements are met and whether safeguards are in place for the transfer of data from Montenegro.

10. Data Protection Officer

The personal data collection manager is obliged, after the establishment of automatic personal data collection, to appoint a person responsible for the protection of personal data. A data controller with more than ten employees who process personal data must designate a person responsible for protecting personal data.

11. Security

Data controllers and data processors must take all necessary technical, human resources and organisational measures to protect data in accordance with established standards and procedures in order to protect data from loss, damage, inadmissible access, modification, publication and any other abuse. These measures must also include a data confidentiality obligation for all persons who work on data processing.

12. Breach notification

Breach notification is not regulated by the PDPL. However, under the Law on Information Security of Montenegro, users must report computer security incidents to the competent body.

13. Direct marketing

Prior informed consent of the data subject (a natural person) is required.

14. Cookies and adtech

Not regulated. General personal data protection rules apply.

15. Risk scale

Moderate

Cybersecurity

1. Local cybersecurity laws and scope

Law on Information Security of Montenegro (Official Gazette of Montenegro Nos. 14/2010, 40/2016 and 74/2020) (“the Law”)

2. Anticipated changes to local laws

N/A

3. Application 

The Law regulates the application of measures and standards of information security. The Law defines information security as confidentiality, integrity and availability of data.

4. Authority

Directorate for protection of computer security incidents on the internet – the Computer Incident Response Team (CIRT): http://www.cirt.me/en/cirt

5. Key obligations 

Users must report computer security incidents to CIRT.

6. Sanctions & non-compliance 

Administrative sanctions:

N/A.

Criminal sanctions:

CIRT does not have any enforcement powers. Sanctions can only be imposed by a judge in criminal proceedings. The Criminal Code of Montenegro (Official Gazette of Montenegro Nos. 70/2003, 13/2004…3/2020) (“the Code”) provides the legal framework for sanctioning criminal offences against the safety of computer data. These criminal offences are:

  • Damaging computer data and programmes (Article 349 of the Code), punishable by a monetary fine or imprisonment of up to five years;
  • Computer sabotage (Article 350 of the Code), punishable by a monetary fine or imprisonment of up to eight years;
  • Producing and entering computer viruses (Article 351 of the Code), punishable by a monetary fine or imprisonment of up to two years;
  • Computer fraud (Article 352 of the Code), punishable by a monetary fine or imprisonment of up to 12 years;
  • Unauthorised use of computers and computer network (Article 353 of the Code), punishable by a monetary fine or imprisonment of up to five years;
  • Disturbing electronic processing, data transfer and computer network functioning (Article 354 of the Code), punishable by a monetary fine or imprisonment of up to three years.

Others:
  • Reputational risk;
  • Reimbursement of the potential damages (material and non-material).

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes. The Montenegrin CIRT is the central point of contact nationally and internationally for all computer security incidents in which one of the parties to the incident is located in Montenegro (i.e. in the .me domain or in Montenegrin IP address space).

8. National cybersecurity incident management structure

The Law calls for the establishment of a governmental body – the Council for Information Security – whose role will be to improve information security measures, monitor the work and propose the activities of CIRT.

9. Other cybersecurity initiatives 

To raise awareness of cybersecurity, the CIRT organises conferences and/or provides useful information to the public via its webpage concerning, inter alia, the importance of safe use of the internet, electronic devices etc. (in particular in connection with the safety of children and young people who use the internet).

Milica Popović
Partner
Belgrade

Tamara Samardžija
Senior Lawyer
Podgorica