Data Law Navigator | Montenegro
Information on Data Protection and Cyber Security laws from CMS experts
The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last updated 11 April 2018
- The Personal Data Protection Law (Official Gazette of Montenegro Nos. 14/2008, 76/2009, 48/2015) (“the PDPL”)
Agency for Personal Data Protection and Free Access to Information (“the Agency”): http://www.azlp.me/en/home
The PDPL applies to the determination of data confidentiality, access to classified information, and data storage, usage, records and protection.
The Agency does not have any enforcement powers. Sanctions can only be imposed by a judge (in criminal or offence proceedings). The fines for offences range from EUR 500 to EUR 20,000 for a legal entity, from EUR 150 to EUR 2,000 for the responsible person in the legal entity, and from EUR 150 to EUR 6,000 for an entrepreneur, per offence.
Criminal offences involving the unauthorised collection and usage of personal data carry a penalty of a monetary fine or imprisonment for up to 1 year.
Registration / notification
Setting up a personal data filing system is subject to notification. After setting up a data filing system, the data controller must appoint a person responsible for the protection of personal data (if the data controller employs more than 10 people who process personal data).
Main obligations and processing requirements
- Information requirement.
- Consent requirements, unless processing is required by the law.
- Notification requirement.
Data subject rights
Data subjects have the right to:
- be informed in connection with the data processing
- access data relating to them
- request that the data be corrected, modified, updated or deleted
- request a stay and suspension of processing
- have the data processing stayed or suspended if they have challenged the correctness, completeness and accuracy of the data.
Processing by third parties
A data controller may delegate certain processing-related duties under the law or on the basis of a contract.
Transfers out of country
The Agency’s approval is required for the transfer of personal data from Montenegro to a state that is not party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Agency determines whether the requirements are met and whether safeguards are in place for the transfer of data from Montenegro.
Personal data may be freely transferred from Montenegro to states that are parties to the Council of Europe Convention.
Data Protection Officer
The personal data collection manager is obliged, after the establishment of automatic personal data collection, to appoint a person responsible for the protection of personal data. A data controller with more than 10 employees who process personal data must designate a person responsible for protecting personal data.
Data controllers and data processors must take all necessary technical, human resources and organisational measures to protect data in accordance with established standards and procedures in order to protect data from loss, damage, inadmissible access, modification, publication and any other abuse. These measures must also include a data confidentiality obligation for all persons who work on data processing.
A breach notification is not regulated by the PDPL. However, under the Law on Information Security of Montenegro, users must report computer security incidents to the competent body.
Prior informed consent of a data subject (a natural person) is required.
The consent of data subjects (natural persons) is required if the direct marketing is used for processing special categories of personal data – data concerning racial or ethnic origin, political, religious or philosophic beliefs, trade-union membership, health or sex life.
Not regulated. General personal data protection rules apply.
Last updated 11 April 2018
Laws and regulations
- Law on Information Security of Montenegro (Official Gazette of Montenegro Nos. 14/2010 and 40/2016) (“the Law”)
The Law regulates the application of measures and standards of information security. The Law defines information security as confidentiality, integrity and availability of data.
Directorate for protection of computer security incidents on the internet – the Computer Incident Response Team (CIRT): http://www.cirt.me/en/cirt?alphabet=lat
Users must report computer security incidents to CIRT.
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes. The Montenegrin CIRT is the central point of contact nationally and internationally for all computer security incidents in which one of the parties to the incident is located in Montenegro (i.e. in the .me domain or in Montenegrin IP address space).
Is there a national incident management structure for responding to cybersecurity incidents?
The Law calls for the establishment of a governmental body – the Council for Information Security – whose role will be to improve information security measures, monitor the work and propose the activities of CIRT.