Personal Data Protection Law (PDPL) Montenegro

    Overview

    The Montenegro Personal Data Protection Law  establishes comprehensive rules for safeguarding individuals’ personal data. It aligns with international standards and human rights treaties, addressing data processing, storage, and transfer. The law ensures the protection of personal data against unauthorized access, misuse, or loss, with specific provisions for sensitive data like biometrics and criminal records. It applies to various entities within Montenegro and those outside using data processing equipment within the country.

     

    Regulation Summary

    Timeline
    • December 22, 2008 – Law published in the Official Gazette.
    • June 22, 2009 – Law comes into effect.
    • March 22, 2010 – Deadline for compliance with personal data filing system requirements.
    • December 22, 2010 – Deadline for compliance with video surveillance and record-keeping requirements.
    • April 3, 2017 - amended definitions and increased supervisory authority powers to align with EU standards.
    • July 3, 2024 - further amendments to align Montenegro’s law with the GDPR.
    What Businesses Are Affected?
    • Entities with a registered office or domicile in Montenegro processing personal data.
    • Foreign businesses using Montenegrin infrastructure for data processing must designate a local representative.
    Exemptions
    • Defense, national/public security, and pre-trial or criminal proceedings (unless otherwise stated in separate laws).
    • Personal or household data processing, unless made public.
    Responsibilities for Businesses
    • Obtain consent where required, but allow processing for legal obligations, contracts, public interest, and legitimate interests.
    • Ensure data accuracy and secure storage.
    • Conduct processing in line with legal requirements for special categories of data.
    • Maintain records of processing activities.
    • Appoint a Data Protection Officer (DPO) when required.
    Specific Website Owner Responsibilities
    • Publish a privacy policy outlining processing details.
    • Allow data subjects to access, correct, or delete their data.
    • Manage cookies and tracking mechanisms with proper consent.
    • Implement mechanisms for users to exercise their rights.
    Additional Requirements
    • Cross-border data transfers require approval from AZLP, unless certain conditions apply.
    • Parental consent is required for processing children’s data.
    • Processing sensitive data requires legal justification or explicit consent.
    Data Subject Rights
    • Right to information & access.
    • Right to rectification & erasure (Right to be Forgotten).
    • Right to restriction & objection to processing.
    Enforcement
    • Supervised by the Agency for Personal Data Protection (AZLP).
    • Entities: A fine ranging from 10x to 300x the minimum wage in Montenegro (approx. $5,775 – $173,200 USD).
    • Responsible persons: A fine ranging from 1x to 20x the minimum wage (approx. $577.50 – $11,550 USD).
    • Sanctions include data deletion, processing bans, and corrective measures.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you.

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596