Montenegro
Data protection
1. Local data protection laws and scope
The Personal Data Protection Law (Official Gazette of Montenegro Nos. 79/2008, 70/2009, 44/2012 and 22/2017) (“the PDPL”)
2. Data protection authority
Agency for Personal Data Protection and Free Access to Information (“the Agency”): http://www.azlp.me/en/home
3. Anticipated changes to local laws
Changes to the PDPL are anticipated soon; first drafts of the law are already being negotiated.
4. Sanctions & non-compliance
Administrative sanctions:
N/A
Criminal sanctions:
The Agency does not have any enforcement powers. Sanctions can only be imposed by a judge (in criminal or offence proceedings). The fines for offences range from EUR 500 to EUR 20,000 for a legal entity, from EUR 150 to EUR 2,000 for the responsible person in the legal entity, and from EUR 150 to EUR 6,000 for an entrepreneur, per offence.
Criminal offences involving the unauthorised collection and usage of personal data carry a penalty of a monetary fine or imprisonment for up to one year.
Others:
- Reputational risk;
- Reimbursement of the potential damages (material and non-material)
5. Registration / notification / authorisation
Setting up a personal data filing system is subject to notification. After setting up a data filing system, the data controller must appoint a person responsible for the protection of personal data (if the data controller employs more than ten people who process personal data).
6. Main obligations and processing requirements
- Information requirement;
- Consent requirements, unless processing is required by the law;
- Notification requirement.
7. Data subject rights
Data subjects have the right to:
- be informed in connection with the data processing;
- access data relating to them;
- request that the data be corrected, modified, updated or deleted;
- request a stay and suspension of processing;
- have the data processing stayed or suspended if they have challenged the correctness, completeness and accuracy of the data.
8. Processing by third parties
According to the PDPL, a third party, i.e. a user of personal data, is any natural or legal person, state body, state administration body, local self-government body or local administration, or other entity exercising public authority, that has the right to process personal data and is not the person whose personal data is processed, the original data controller of a data filing system, the processor of personal data, or a person employed by the controller of the data filing system or by the processor of personal data.
A data controller is obliged to inform a person if his/her data will be processed by a third party.
9. Transfers out of country
The Agency’s approval is required for the transfer of personal data from Montenegro to a state that is not party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Agency determines whether the requirements are met and whether safeguards are in place for the transfer of data from Montenegro.
10. Data Protection Officer
The personal data collection manager is obliged, after the establishment of automatic personal data collection, to appoint a person responsible for the protection of personal data. A data controller with more than ten employees who process personal data must designate a person responsible for protecting personal data.
11. Security
Data controllers and data processors must take all necessary technical, human resources and organisational measures to protect data in accordance with established standards and procedures in order to protect data from loss, damage, inadmissible access, modification, publication and any other abuse. These measures must also include a data confidentiality obligation for all persons who work on data processing.
12. Breach notification
Breach notification is not regulated by the PDPL. However, under the Law on Information Security of Montenegro, users must report computer security incidents to the competent body.
13. Direct marketing
Prior informed consent of the data subject (a natural person) is required.
14. Cookies and adtech
Not regulated. General personal data protection rules apply.
15. Risk scale
Moderate
16. Useful links
Cybersecurity
1. Local cybersecurity laws and scope
Law on Information Security of Montenegro (Official Gazette of Montenegro Nos. 14/2010, 40/2016 and 74/2020) (“the Law”)
2. Anticipated changes to local laws
N/A
3. Application
The Law regulates the application of measures and standards of information security. The Law defines information security as confidentiality, integrity and availability of data.
4. Authority
Directorate for protection of computer security incidents on the internet – the Computer Incident Response Team (CIRT): http://www.cirt.me/en/cirt
5. Key obligations
Users must report computer security incidents to CIRT.
6. Sanctions & non-compliance
Administrative sanctions:
N/A.
Criminal sanctions:
CIRT does not have any enforcement powers. Sanctions can only be imposed by a judge in criminal proceedings. The Criminal Code of Montenegro (Official Gazette of Montenegro Nos. 70/2003, 13/2004…3/2020) (“the Code”) provides the legal framework for sanctioning criminal offences against the safety of computer data. The relevant criminal offences are:
- Damaging computer data and programmes (Article 349 of the Code), punishable by a monetary fine or imprisonment of up to five years;
- Computer sabotage (Article 350 of the Code), punishable by a monetary fine or imprisonment of up to eight years;
- Producing and entering computer viruses (Article 351 of the Code), punishable by a monetary fine or imprisonment of up to two years;
- Computer fraud (Article 352 of the Code), punishable by a monetary fine or imprisonment of up to 12 years;
- Unauthorised use of computers and computer networks (Article 353 of the Code), punishable by a monetary fine or imprisonment of up to five years;
- Disturbing electronic processing, data transfer and computer network functioning (Article 354 of the Code), punishable by a monetary fine or imprisonment of up to three years.
Others:
- Reputational risk;
- Reimbursement of the potential damages (material and non-material).
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes. The Montenegrin CIRT is the central point of contact nationally and internationally for all computer security incidents in which one of the parties to the incident is located in Montenegro (i.e. in the .me domain or in Montenegrin IP address space).
8. National cybersecurity incident management structure
The Law calls for the establishment of a governmental body – the Council for Information Security – whose role will be to improve information security measures, monitor the work and propose the activities of CIRT.
9. Other cybersecurity initiatives
To raise awareness of cybersecurity, the CIRT organises conferences and/or provides useful information to the public via its webpage concerning, inter alia, the importance of safe usage of the internet, electronic devices etc. (in particular in connection with the safety of children and young people who use the internet).