Karanovic & Partners in cooperation with local lawyers
The following law(s) specifically govern personal data / information:
Processing of personal data is regulated by the Montenegrin Law on Personal Data Protection (“Law”). As a general note, this law has not yet been aligned with the GDPR, but it is expected that a new (GDPR-compliant) law will be enacted during 2021.
The key data protection principles in this jurisdiction are:
- Legitimacy (data can be processed only for the fulfilment of a legitimate purpose);
- Proportionality (data types, scope and processing manner must be proportionate to the processing purpose);
- Existence of valid legal grounds;
- Accuracy (the collected data has to be accurate, complete and up to date).
The supervisory authority / regulator in charge of data protection is:
The Agency for Personal Data Protection and Free Access to Information (“Agency”) (http://www.azlp.me/en/home)
Is there a requirement to register with a supervisory authority / regulator?
Is there a requirement to notify the supervisory authority / regulator?
Yes, all data controllers in Montenegro are required to perform two basic registrations before the Agency: (i) to register themselves as data controllers (one-time obligation), and (ii) to register each personal database they intend to establish before they start processing (the same also applies to any subsequent changes).
Regarding the fees, all registration activities are free of charge.
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
Data subjects are entitled to exercise the following rights:
- to be informed about the processing of their personal data;
- to be provided with the relevant details concerning personal data processing;
- to request the update, modification or deletion of incomplete or incorrect personal data, or data processed contrary to the Law.
Is there a requirement to appoint a data protection officer (or equivalent)?
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Does this jurisdiction have any specific data breach notification requirements?
The following restrictions apply to the international transfer of personal data / information:
As a general rule, personal data can be transferred outside of Montenegro only after obtaining a prior approval of the Agency confirming that adequate data protection measures are applied in the destination country.
However, there are a few exceptions from the obligation of obtaining the approval:
- if data is to be transferred to EU/EEA countries or to countries on the EU list of countries with an adequate level of personal data protection;
- if the data subject provided their prior written consent for transfer, upon being informed of the possible consequences of transfer;
- if the transfer is necessary for the performance of an agreement concluded between the data controller and a legal or natural person, or for the fulfilment of pre-contractual obligations;
- if the transfer is required in order to save the data subject’s life or in case of public interest;
- if the data controller concludes, with the processor of personal data from a non-EU state, a contract containing the relevant contractual obligations accepted by the Member States of the European Union.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
No, not in the sense of the GDPR’s “extra-territorial effect”. The Law will be applicable to foreign data controllers only if their data processing equipment is located in Montenegro (unless it is used only for data transit over Montenegro). Where the local Law applies, foreign data controllers are required to appoint a local representative responsible for compliance with the Law.
The following rules specifically deal with marketing:
General rules regarding data protection apply, save in cases of direct marketing via electronic means where a separate Law on Electronic Communications and Law on Electronic Trade apply as well. Personal data may be used for marketing purposes only if the data subject has consented to the use of personal data for such a purpose.
Do different rules apply to business-to-business and business-to-consumer marketing?
No, the relevant provisions are generally neutral as to the nature of the relationship, e.g. if personal data is used in corporate emails. The legislation does not apply to generic emails used for marketing purposes (e.g. if a recipient is [email protected]).
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
The relevant laws include the Law on Electronic Trade and the Law on Electronic Communications. Personal data may be used for marketing purposes only if the data subject has consented to the use of personal data for such purpose.
The following rules specifically deal with cookies:
The Law on Electronic Communications contains a brief rule applicable to cookies, stipulating that storage of data, or access to data stored in the terminal equipment of the user, is allowed only on condition that the user has consented to this after being informed of the purposes of data processing and storage. In any case, the general rules of the Law apply to cookies as well.
The consequences of non-compliance with data protection laws (including marketing laws) are:
The legal entity can be fined up to EUR 20,000 and the responsible person within the legal entity can be fined up to EUR 2,000.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Multinational organisations should be aware of the following upcoming data protection developments:
It is expected that Montenegro will have a new Law on Personal Data Protection at the end of 2021, which should be harmonized with the GDPR.