Privacy Law in Montenegro

Privacy Law in Montenegro is primarily governed by the Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti), which was adopted in 2018 to align with the European Union’s General Data Protection Regulation (GDPR). As a country seeking EU membership, Montenegro has taken steps to harmonize its legislation with EU data protection standards.

Here’s a comprehensive overview of privacy law in Montenegro:

📘 1. Primary Legislation

Law on Personal Data Protection (2018)
This law governs the collection, processing, and use of personal data in Montenegro. It is heavily inspired by the GDPR and is designed to protect individuals' privacy and ensure responsible data use by both public and private entities.

🔑 2. Key Definitions

Personal Data: Any information relating to an identified or identifiable individual (e.g. name, ID number, location data).

Sensitive Data: Special categories such as health information, racial/ethnic origin, political views, religious beliefs, and biometric data.

Data Controller: Entity that determines the purpose and means of processing personal data.

Data Processor: Entity that processes personal data on behalf of the controller.

⚖️ 3. Core Principles of Data Processing

The law incorporates standard GDPR-like principles:

Lawfulness, Fairness & Transparency

Purpose Limitation

Data Minimization

Accuracy

Storage Limitation

Integrity & Confidentiality (Security)

Accountability

👤 4. Data Subject Rights

Individuals in Montenegro have the following rights:

Right to Access: Know what personal data is held and how it’s used.

Right to Rectification: Correct inaccurate or incomplete data.

Right to Erasure ("Right to be Forgotten"): Delete data under certain conditions.

Right to Restriction of Processing: Temporarily limit use of data.

Right to Object: Oppose processing, especially for direct marketing.

Right to Data Portability: Transfer data to another service provider.

Right Not to Be Subject to Automated Decision-Making (including profiling), unless legally justified.

🏛 5. Supervisory Authority

Agency for Personal Data Protection and Free Access to Information (AZLP)
Website: https://www.azlp.me

Functions:

Monitor and enforce compliance

Handle complaints

Conduct audits

Issue fines and guidelines

Educate data controllers and the public

🚨 6. Data Breach Notification

Mandatory Notification to the AZLP within 72 hours of becoming aware of a breach.

Affected Individuals must be informed if there’s a high risk to their rights and freedoms.

🌍 7. Cross-Border Data Transfers

Allowed only to countries that ensure an adequate level of data protection.

If not, transfers must be safeguarded by:

Standard Contractual Clauses (SCCs)

Binding Corporate Rules (BCRs)

Explicit Consent from the data subject

⚠️ 8. Penalties for Non-Compliance

The law provides for administrative and criminal penalties, including:

Fines for organizations (amounts depend on severity and type of violation)

Criminal liability for unlawful processing in certain cases

Examples:

Fines up to €20,000 for small-scale violations

Much higher penalties for larger enterprises and serious infringements

🧩 9. Exemptions

Certain processing activities may be exempt from some provisions, such as:

National security and defense

Public safety

Journalistic, academic, and artistic purposes

Statistical and scientific research, under strict conditions

📈 10. Montenegro's EU Accession & GDPR Harmonization

Montenegro is a candidate country for EU membership, so harmonizing its data protection laws with the GDPR is part of the broader EU integration process.

This alignment boosts legal certainty for businesses operating across the EU and the Western Balkans.

✅ Summary

| Topic | Status/Details |
| --- | --- |
| Law | Law on Personal Data Protection (2018) |
| Supervisory Authority | Agency for Personal Data Protection (AZLP) |
| GDPR Alignment | Yes |
| Individual Rights | Strong (GDPR-style) |
| Cross-Border Transfers | Restricted unless safeguards are in place |
| Breach Notification | Within 72 hours to AZLP |
| Penalties | Fines + Criminal liability for serious breaches |

 
