This website uses cookies so that we can provide you with the best user experience possible. Our Cookie Notice is part of our Privacy Policy and explains in detail how and why we use cookies. To take full advantage of our website, we recommend that you click on “Accept All”. You can change these settings at any time via the button “Update Cookie Preferences” in our Cookie Notice.
Technical cookies are required for the site to function properly, to be legally compliant and secure. Session cookies only last for the duration of your visit and are deleted from your device when you close your internet browser. Persistent cookies, however, remain and continue functioning on repeat visits.
CMS does not use any cookie based Analytics or tracking on our websites; see details here.
Personalisation cookies collect information about your website browsing habits and offer you a personalised user experience based on past visits, your location or browser settings. They also allow you to log in to personalised areas and to access third party tools that may be embedded in our website. Some functionality will not work if you don’t accept these cookies.
The Personal Data Protection Law (Official Gazette of Montenegro Nos. 79/2008, 70/2009, 44/2012 and 22/2017) (“the PDPL”)
Agency for Personal Data Protection and Free Access to Information (“the Agency”): http://www.azlp.me/en/home
Changes of the PDPL are anticipated soon, first drafts of the law are already being negotiated.
N/A
The Agency does not have any enforcement powers. Sanctions can only be imposed by a judge (in criminal or offence proceedings). The fines for offences range from EUR 500 to EUR 20,000 for a legal entity, from EUR 150 to EUR 2,000 for the responsible person in the legal entity, and from EUR 150 to EUR 6,000 for an entrepreneur, per offence.
Criminal offences involving the unauthorised collection and usage of personal data carry a penalty of a monetary fine or imprisonment for up to one year.
Setting up a personal data filing system is subject to notification. After setting up a data filing system, the data controller must appoint a person responsible for the protection of personal data (if the data controller employs more than ten people who process personal data).
Data subjects have the right to:
According to the PDPL, a third party i.e. user of personal data, is any natural or legal person, state body, state administration body, local self-government body or local administration and other entities exercising public authority, which has the right to process personal data, and it is not a person whose personal data is processed, the original data controller of a data filing system, the processor of personal data or a person employed by the controller of the data filling system or the processor of personal data.
A data controller is obliged to inform a person if his/her data will be processed by the third party.
The Agency’s approval is required for the transfer of personal data from Montenegro to a state that is not party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Agency determines whether the requirements are met and whether safeguards are in place for the transfer of data from Montenegro.
The personal data collection manager is obliged, after the establishment of automatic personal data collection, to appoint a person responsible for the protection of personal data. A data controller with more than ten employees who process personal data must designate a person responsible for protecting personal data.
Data controllers and data processors must take all necessary technical, human resources and organisational measures to protect data in accordance with established standards and procedures in order to protect data from loss, damage, inadmissible access, modification, publication and any other abuse. These measures must also include a data confidentiality obligation for all persons who work on data processing.
A breach notification is not regulated by the PDPL. However, under the Law on Information Security of Montenegro, users must report computer security incidents to the competent body.
Prior information consent of a data subject (a natural person) is required.
Not regulated. General personal data protection rules apply.
Moderate
Law on Information Security of Montenegro (Official Gazette of Montenegro Nos. 14/2010,40/2016 and 74/2020) (“the Law”)
N/A
The Law regulates the application of measures and standards of information security. The Law defines information security as confidentiality, integrity and availability of data.
Directorate for protection of computer security incidents on the internet – the Computer Incident Response Team (CIRT): http://www.cirt.me/en/cirt
Users must report computer security incidents to CIRT.
N/A.
Yes. The Montenegrin CIRT is the central point of contact nationally and internationally for all computer security incidents in which one of the parties to the incident is located in Montenegro (i.e. in the me. domain or in Montenegrin IP address space)
The Law calls for the establishment of a governmental body – the Council for Information Security – whose role will be to improve information security measures, monitor the work and propose the activities of CIRT.
In order to spread the awareness in relation to cyber security, the CIRT organises conferences and/or provides useful information to the public via its webpage concerning, inter alia, the importance of safe usage of the internet, electronic devices etc. (in particular in connection with the safety of the children and youth who are using the internet).
Write us a message and we will get in contact.
Thank you for contacting us. We will get back to you soon.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our privacy policy.