Home / Publications / Data Law Navigator | Montenegro

Data Law Navigator | Montenegro

Information on Data Protection and Cyber Security laws from CMS experts

< back to Overview

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Jump directly to Cyber Security

Data Protection

Last updated 11 April 2018

Risk scale

Risk Scale Orange


  • The Personal Data Protection Law (Official Gazette of Montenegro Nos. 14/2008, 76/2009, 48/2015) (“the PDPL”)


Agency for Personal Data Protection and Free Access to Information (“the Agency”): http://www.azlp.me/en/home


The PDPL applies to the determination of data confidentiality, access to classified information, and data storage, usage, records and protection.


The Agency does not have any enforcement powers. Sanctions can only be imposed by a judge (in criminal or offence proceedings). The fines for offences range from EUR 500 to EUR 20,000 for a legal entity, from EUR 150 to EUR 2,000 for the responsible person in the legal entity, and from EUR 150 to EUR 6,000 for an entrepreneur, per offence.

Criminal offences involving the unauthorised collection and usage of personal data carry a penalty of a monetary fine or imprisonment for up to 1 year.

Registration / notification 

Setting up a personal data filing system is subject to notification. After setting up a data filing system, the data controller must appoint a person responsible for the protection of personal data (if the data controller employs more than 10 people who process personal data).

Main obligations and processing requirements

  • Information requirement.
  • Consent requirements, unless processing is required by the law.
  • Notification requirement.

Data subject rights

Data subjects have the right to:

  • be informed in connection with the data processing
  • access data relating to them
  • request that the data be corrected, modified, updated or deleted
  • request a stay and suspension of processing
  • have the data processing stayed or suspended if they have challenged the correctness, completeness and accuracy of the data.

Processing by third parties

A data controller may delegate certain processing-related duties under the law or on the basis of a contract.

Transfers out of country

The Agency’s approval is required for the transfer of personal data from Montenegro to a state that is not party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Agency determines whether the requirements are met and whether safeguards are in place for the transfer of data from Montenegro.

Personal data may be freely transferred from Montenegro to states that are parties to the Council of Europe Convention.

Data Protection Officer

The personal data collection manager is obliged, after the establishment of automatic personal data collection, to appoint a person responsible for the protection of personal data. A data controller with more than 10 employees who process personal data must designate a person responsible for protecting personal data.


Data controllers and data processors must take all necessary technical, human resources and organisational measures to protect data in accordance with established standards and procedures in order to protect data from loss, damage, inadmissible access, modification, publication and any other abuse. These measures must also include a data confidentiality obligation for all persons who work on data processing.

Breach notification

A breach notification is not regulated by the PDPL. However, under the Law on Information Security of Montenegro, users must report computer security incidents to the competent body.

Direct marketing

Prior information consent of a data subject (a natural person) is required.

The consent of data subjects (natural persons) is required if the direct marketing is used for processing special categories of personal data –  data concerning racial or ethnic origin, political, religious or philosophic beliefs, trade-union membership, health or sex life.


Not regulated. General personal data protection rules apply.

Useful links


Cyber Security

Last updated 11 April 2018

Risk scale

Risk Scale Orange

Laws and regulations

  • Law on Information Security of Montenegro (Official Gazette of Montenegro Nos. 14/2010 and 40/2016) (“the Law”)


The Law regulates the application of measures and standards of information security. The Law defines information security as confidentiality, integrity and availability of data.


Directorate for protection of computer security incidents on the internet  – the Computer Incident Response Team (CIRT): http://www.cirt.me/en/cirt?alphabet=lat

Key obligations

Users must report computer security incidents to CIRT.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes. Montenegrin CIRT is the central point of contact nationally and internationally for all computer security incidents in which one of the parties to the incident is located in Montenegro (i.e. in the me. domain or in Montenegrin IP address space).

Is there a national incident management structure for responding to cybersecurity incidents?

The Law calls for the establishment of a governmental body –  the Council for Information Security – whose role will be to improve information security measures,  monitor the work and propose the activities of CIRT.

Useful links


< back to Overview


Picture of Tamara Samardzija
Tamara Samardžija