Karanović & Partners

 

What law(s) specifically govern personal data / information?

Processing of personal data is regulated by the Montenegrin Law on Personal Data Protection (“Law”). As a general note, this law has not yet been aligned with the GDPR, despite the rather frequent mentions and announcements that the legislator is working on a draft compliant with the GDPR.

 

What are the key data protection principles in this jurisdiction?

  • Legitimacy (data can be processed only for the fulfilment of a legitimate purpose);
  • Proportionality (data types, scope and processing manner must be proportionate to the processing purpose);
  • Existence of valid legal grounds;
  • Accuracy (the collected data has to be accurate, complete and up to date).

 

What is the supervisory authority / regulator in charge of data protection?

The Agency for Personal Data Protection and Free Access to Information (“Agency”) (http://www.azlp.me/en/home)

 

Is there a requirement to register with a supervisory authority / regulator?

Yes, all data controllers in Montenegro are required to perform two basic registrations with the Agency: (i) to register themselves as data controllers (a one-time obligation), and (ii) to register each personal database they intend to establish before they start processing (the same also applies to any subsequent changes).

Regarding the fees, all registration activities are free of charge.

 

Is there a requirement to notify the supervisory authority / regulator?

No, there is no notification obligation (as described above, there is only a registration obligation).

 

Is it possible to register with / notify the supervisory authority / regulator online?

Yes, both registrations can be performed online at the following link .

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Data subjects are entitled to exercise the following rights:

  • to be informed of the processing of their personal data;
  • to be provided with the relevant details concerning personal data processing;
  • to request the update, modification or deletion of incomplete or incorrect personal data, or data processed contrary to the Law.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

No.

 

Do data protection / privacy impact assessments need to be carried out in certain circumstances?

No.

 

Does this jurisdiction have any specific data breach notification requirements?

No.

 

What restrictions apply to the international transfer of personal data / information?

As a general rule, personal data can be transferred outside of Montenegro only after obtaining prior approval from the Agency confirming that adequate data protection measures are applied in the destination country.

However, there are a few exceptions to the obligation to obtain the approval:

  • if data is to be transferred to EU/EEA countries or to countries on the EU list of countries with an adequate level of personal data protection;
  • if the data subject provided their prior written consent for the transfer, upon being informed of the possible consequences of the transfer;
  • if the transfer is necessary for the performance of an agreement concluded between the data controller and a legal or natural person, or for the fulfilment of pre-contractual obligations;
  • if the transfer is required in order to save the data subject’s life or in case of public interest;
  • if the data controller concludes a contract, which contains the relevant contractual obligations accepted by the Member States of the European Union, with the processor of personal data from a non-EU state.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

No, not in the sense of the GDPR’s “extra-territorial effect”. The Law applies to foreign data controllers only if their data processing equipment is located in Montenegro (unless it is used only for data transit over Montenegro). Where the local Law applies, foreign data controllers are required to appoint a local representative responsible for compliance with the Law.

 

What rules specifically deal with marketing?

Marketing is regulated primarily under general data protection rules, except in cases of direct marketing via electronic means, where the separate Law on Electronic Communications and Law on Electronic Trade apply as well. Personal data may be used for marketing purposes only if the data subject has consented to the use of personal data for such a purpose.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

No, the relevant provisions are generally neutral as to the nature of the relationship, e.g. where personal data is used in corporate emails. The legislation does not apply to generic emails used for marketing purposes (e.g. if a recipient is [email protected]).

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc.)?

The relevant laws include the Law on Electronic Trade and the Law on Electronic Communications. Personal data may be used for marketing purposes only if the data subject has consented to the use of personal data for such a purpose.

 

What rules specifically deal with cookies?

The Law on Electronic Communications contains a brief rule applicable to cookies, stipulating that storing data, or accessing data stored, in the user's terminal equipment is allowed only if the user has consented to this after being informed of the purposes of the data processing and storage. In any case, the general rules of the Law apply to cookies as well.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

The legal entity can be fined up to EUR 20,000 and the responsible person within the legal entity can be fined up to EUR 2,000.

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?

There are no specific factors applicable to multinational organisations processing personal data of Montenegrin individuals from abroad, as the Law does not apply extra-territorially, except where the data processing equipment is located in Montenegro (unless it is used only for data transit over Montenegro).

 

What upcoming data protection developments should multinational organisations be aware of?

A new data protection law is expected to be adopted in the future, so this is the key development to look out for.

 

Need more information?
Contact a member firm:
Marjan Poljak
Karanovic & Partners
Montenegro


Goran Radošević
Karanovic & Partners
Montenegro