Montenegro - Data Protection Overview
1. Governing Texts
The Ministry of Interior ('MoI') prepared a draft of the new Personal Data Protection Act (only available for download in Montenegrin here) ('Draft Law'), which was generally consistent with the text of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), but omitted some important elements which the GDPR contains. The Draft Law was under consideration by the European Commission as of October 2020, and the Parliament of Montenegro is expected to adopt the Draft Law in the first half of 2023.
The Personal Data Protection Law 79/08 and 70/09 (only available in Montenegrin here) ('PDPL') is the main legislation governing the processing of personal data in Montenegro.
The PDPL was modelled after the Data Protection Directive (Directive 95/46/EC) ('the Data Protection Directive'). The legislative process to adopt a new PDPL, which would be for the most part compliant with the GDPR, is underway.
Numerous sectoral laws include provisions on the processing of personal data. The list includes, among others, the following statutes:
- Electronic Communications Act 2013 (only available in Montenegrin here) ('ECA'), which regulates direct marketing, data retention, and infringement of personal data by the electronic communications operator;
- E-commerce Act 2004 (only available in Montenegrin here), which regulates the sending of unsolicited electronic commercial communications;
- Patients' Rights Act 2010 (only available in Montenegrin here), which requires health professionals to keep personal data confidential;
- Healthcare Records Act 2008 (only available to download in Montenegrin here), which regulates collecting and keeping personal data in the healthcare sector;
- Genetic Data Protection Act 2010 (only available to download in Montenegrin here), which regulates processing genetic data gained by genetic testing and analysis of genetic samples taken for medical purposes;
- Pension and Disability Insurance Act 2003 (only available in Montenegrin here), which regulates collecting and keeping personal data within the pensions and disability insurance sector;
- Labour Act 2019 (only available in Montenegrin here), which requires employers to protect personal data of employees;
- Labour Records Act 2003 (available in Bosnian here) ('Labour Records Act'), which regulates collecting and keeping personal data in the employment sector;
- General Education Act 2002 (only available to download in Montenegrin here), which regulates data processing in the education sector; and
- High Education Act 2014 (only available in Montenegrin here), which regulates data processing in the high education sector.
1.3. Case law
- Supreme Court of Montenegro, Judgment Uvp. No. 404/21 dated 17 November 2021 on the obligation of the controller to obtain consent of the data subject prior to processing;
- Supreme Court of Montenegro, Judgment Uvp. no. 544/20 dated 8 October 2020 on the right of the authority to restrict access to information if it relates to the content of the actions taken by the police in pre-trial criminal proceedings and criminal proceedings (only available in Montenegrin here);
- Supreme Court of Montenegro, Judgment Uvp. no. 2119/18 dated 17 December 2018, on the limitation of access to health data without person's consent (only available in Montenegrin here);
- Supreme Court of Montenegro, Judgment Už. Uvp. no. 1/16 dated 22 December 2016, on the limitation of access to the data on person's convictions (not available online); and
- Supreme Court of Montenegro, Decision Uvp, Kž-II. no. 37/16 dated 2 November 2016, on the lawfulness of use as evidence in criminal proceedings of the audio-visual records made without regulator's approval (only available in Montenegrin here).
2. Scope of Application
The PDPL protects data subjects, i.e. natural persons who are identified or can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to physical, physiological, mental, economic, cultural, or social identity.
The PDPL applies to controllers who process personal data in the territory of Montenegro or outside Montenegro, where the regulations of Montenegro in accordance with international law, apply. It also applies to a personal data controller who is established outside Montenegro or does not reside in Montenegro, if the equipment used for processing is situated in the territory of Montenegro, unless such equipment is used only for purposes of transit of personal data through the territory of Montenegro.
The PDPL applies to automated or non-automated processing of personal data contained or intended to be contained in a filing system.
The processing of personal data means any operation undertaken in relation to personal data including collecting, recording, organising, keeping, modifying, retrieving, using, accessing, disclosing, transmitting, publishing, classifying, combining, blocking, and deleting.
The PDPL does not apply to the processing of personal data for the purposes of defence and national security, unless a special law provides otherwise. It also does not apply to a natural person processing personal data for their personal purposes.
3.1. Main regulator for data protection
The Agency for Personal Data Protection and Free Access to Information ('AZLP') is the main regulator for data protection in Montenegro.
3.2. Main powers, duties and responsibilities
The AZLP has several enforcement powers listed in Article 50 of the PDPL including:
- supervising the fulfilment of the obligation to protect personal data in accordance with the PDPL;
- deciding on requests for protection of rights;
- providing opinion on the application of the PDPL;
- giving consent to the establishment of personal data filing systems;
- providing an opinion in the case of a doubt as to whether a set of personal data should be considered a filing system within the meaning of the PDPL;
- monitoring the application of organisational and technical measures for the protection of personal data and proposing an improvement of these measures; and
- providing an opinion as to whether a specific way of personal data processing puts the rights and freedoms of individuals at risk.
4. Key Definitions
Data controller: An individual or legal entity who processes personal data on the territory of Montenegro or on the territory outside of Montenegro where, under international law, Montenegrin regulations apply; or is incorporated outside Montenegro or does not have residence in Montenegro but uses equipment for data processing situated in Montenegro, except if the equipment is used only for transfer of personal data over the territory of Montenegro. The data controller located out of the country must appoint a representative with a seat or residence in Montenegro. The representative is responsible for fulfilment of obligations under the PDPL.
Data processor: A public authority, public administration body, self-government, or local administration authority, commercial enterprise, or other legal person, entrepreneur of a natural person, who performs tasks concerning the processing of personal data on behalf of the controller (Article 9(5) of the PDPL).
Personal data: Any information relating to an identified or identifiable natural person (Article 9(1) of the PDPL).
Sensitive data: Personal data on racial or ethnic origin, political opinion, religious or philosophical belief, health condition, sexual life, or membership in trade union organisations (Article 9(7) of the PDPL).
Health data: The PDPL does not provide a definition for 'health data'.
Biometric data: Biometric data are data on physical or physiological characteristics possessed by each natural person, which are specific, unique and immutable, and on the basis of which it is possible to determine the identity of a person, either directly or indirectly (Article 9(8) of the PDPL).
Pseudonymisation: The PDPL does not provide a definition for 'pseudonymisation'.
5. Legal Bases
The processing must be based on the data subject's consent or on one of the five alternative grounds provided (Article 10 of the PDPL). These legal bases are based on the Data Protection Directive.
There is no national variation in relation to consent as a legal basis.
There is no national variation in relation to contract with the data subject as a legal basis.
There is no national variation in relation to legal obligations as a legal basis.
There is no national variation in relation to protection of life and other vital interests as a legal basis.
There is no national variation in relation to public interest as a legal basis.
There is no national variation in relation to legitimate interests of the data controller as a legal basis.
The main obligations of the data controllers include the following:
- data cannot be processed more than is necessary to achieve the purpose of processing, nor in a way incompatible with the purpose (Article 2 of the PDPL);
- data must be complete, accurate, and regularly updated (Article 3 of the PDPL); and
- if the retention period is not specified by law, data which allows identification of the data subject may be kept only for the period necessary for the purpose for which the data is processed (Article 3(2) of the PDPL).
7. Controller and Processor Obligations
According to Article 16 of the PDPL, after carrying out the processing operations, the data processor is obliged to:
- destroy the data; or
- return the data to the data controller.
Article 24(1) of the PDPL stipulates that data processors, like data controllers, must take all necessary technical, personnel, and organisational measures to protect the data.
with Article 26(2) of the PDPL, the data controller must notify the AZLP of the intended processing.
The notification must contain the following information:
- name of the filing system;
- legal grounds for processing the personal data or creating the filing system;
- name, registered office, and address of the data controller;
- purpose of processing;
- categories of data subjects;
- type of data;
- period of data retention and use;
- name, registered office, and address of user;
- information on the data transfer outside of Montenegro;
- indication of the country in which the data is exported;
- identification of the international organisation or another foreign user of the data;
- purpose of the data transfer;
- whether the ground for allowing the transfer is supported by international treaty, law, or by written consent of the person; and
- internal rules of processing and protection of the personal data, which enable a prior analysis of the adequacy of the measures to ensure the security of the processing.
Generally, a transfer authorisation from the AZLP is necessary to transfer data outside Montenegro (Article 41 of the PDPL). However, Article 42 of the PDPL contains a list of exceptions when authorisation is not necessary.
For a cross-border transfer to a data processor, a transfer authorisation from the AZLP is not required if:
- the transfer is to an European Economic Area ('EEA') or EU Member State;
- the transfer is to a country which is on the European Commission's list of countries providing for an adequate level of data protection; and
- a data transfer agreement concluded between the controller and the processor contains the EU Standard Contractual Clauses ('SCCs') (controller to processor).
For a cross-border transfer to a data user, a transfer authorisation is not required, if one of the following conditions is fulfilled:
- the data subject was informed of the possible consequences of data transfer and has provided their prior consent;
- the transfer is to a country which is a member of the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ('Convention 108'); or
- the transfer is to an EEA or EU Member State, or to a country enumerated in the European Commission's list of countries providing for an adequate level of data protection.
Data controllers and processors have to maintain data processing records. The data processing record must contain:
- name of the record;
- legal basis for personal data processing;
- personal name, i.e. the name of the controller, its seat, i.e. permanent or temporary residence and address;
- the purpose of personal data processing;
- categories of persons;
- types of personal data contained in the records of personal data;
- period of storage and use of personal data;
- personal name, i.e. the name of the third party, i.e. the user of personal data, and its seat, i.e. residence and address;
- data on the export of personal data from Montenegro with an indication of the country to which the data are transferred, i.e. international organisations or other foreign users of personal data, the purpose of disclosure determined by a confirmed international agreement and law, or determined by written consent; and
- internal rules for the processing and protection of personal data, which enable preliminary analysis of the adequacy of measures in order to ensure the security of processing.
There are no such requirements in the PDPL.
After the establishment of an automated data filing system, if the data controller has more than ten staff members who process the data, the data controller must determine a person who is responsible for the protection of personal data (Article 27(3) of the PDPL).
There is no such requirement in the PDPL.
Article 170(1) of the ECA provides that the operator of electronic communications must notify the Agency for Electronic Communications and Postal Services as well as the AZLP of the personal data and privacy breaches without delay.
The notification must contain a description of the consequences of the breach, as well as the measures proposed or undertaken to remedy the cause of the breach. An operator must also notify the user of electronic communications, without delay, if the breach may adversely affect the personal data or privacy of the user. The notification must contain a description of the nature of the breach and refer to the person engaged by the operator from whom the user can obtain closer information on the breach, as well as the proposed measures to mitigate the negative consequences of the breach.
Article 2 of the PDPL provides that data cannot be processed more than is necessary to achieve the purpose of processing, nor in a way incompatible with the purpose. Article 3 of the PDPL states that data must be complete, accurate, and regularly updated. In accordance with Article 3(2) of the PDPL, if the retention period is not specified by law, data which allows identification of the data subject may be kept only for the period necessary for the purpose for which the data is processed.
The consent for processing for a minor (a person below 18) must be given by their parents/adoptive parents/guardians (Article 10(3) of the PDPL).
Article 13 of the PDPL provides that special categories of personal data may be processed only:
- with the express consent of the person;
- when the processing of personal data is necessary for the purpose of employment in accordance with the law governing labor relations, whereby adequate protection measures must be prescribed;
- when the processing of personal data is necessary for the detection, prevention, and diagnosis of diseases, and treatment of persons, as well as for the management of health services, if such data is processed by a health worker or other person who has the obligation to maintain secrecy;
- when it is necessary for the protection of life or other vital interests of the person to whom the personal data relate or another person, and that person is not able to give consent in person;
- if the person has obviously made personal data available to the public or the processing is necessary for the realisation or protection of the legal interests of that person before a court or other authorities; or
- when the processing of personal data is performed within the legal activities of a non-governmental organisation, association, or other non-profit organisation with political, philosophical, religious, or trade union goals, if such data relate only to members of that organisation or persons who have constant contact with it in connection with the purpose of its activity, and if these data is not published without the consent of those persons.
Special categories of personal data have to be specially marked and protected in order to prevent unauthorised access to such data.
In accordance with Article 16 of the PDPL, the data controller and the data processor must conclude an agreement in writing regulating the processing of the data on behalf of the data controller. The agreement must provide for the obligation of the data processor to act in accordance with the data controller's instructions.
8. Data Subject Rights
The data subject has the following rights (Articles 43 to 47 of the PDPL):
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to object to processing; and
- the rights in relation to automated decision making.
The controller must provide a data subject from whom data is collected with the following information (Article 20 of the PDPL):
- the identity of the controller, its address, and that of its representative, if any;
- the purposes and legal basis of the processing;
- the third parties, i.e. the recipients of personal data and the legal basis for sharing the data;
- whether providing personal data is obligatory or voluntary, as well as the possible consequences of failure to provide the data; and
- the existence of the right of access to and the right to rectify the data concerning them.
Where the data has not been obtained directly from the data subject, the controller must at the time immediately before undertaking the processing of personal data provide the data subject with the following information (Article 21 of the PDPL):
- the identity of the controller and of their representative, if any;
- the purposes and legal basis of the processing;
- the categories of data;
- the third parties, i.e. the recipients; and
- the existence of the right of access to and the right to rectify the data concerning them.
The obligation to inform data subjects does not apply when the processing is performed for statistical purposes or for the purposes of historical or scientific research, if processing is expressly laid down by law, if the provision of such information proves impossible, or it would involve a disproportionate effort. In their case the controller is obliged to apply appropriate safeguard measures (Article 23(2) and (3) of the PDPL).
The data controller must, on written request of the data subject or their legal representative, after the verification of the identity of that person, notify the data subject no later than 15 days from the day when the request was submitted of whether personal data are undergoing processing. If the personal data are processed, the data controller must provide the following information in writing (Article 43 of the PDPL):
- the name, domicile or residence, or seat of the controller, data processor, and recipient of personal data, as well as of the source of data;
- the name, or the name and address of the data processor in the event that it is expressly required;
- the content of the data undergoing processing;
- the purpose and legal basis for the processing of personal data;
- the source of the data, according to the information available;
- third party, i.e. users, of the personal data; and
- the manner of automatic processing of personal data, if any.
The controller of the personal data collection is obliged to, at the written request of the data subject, within 15 days from the day of submitting the request:
- supplement, rectify, i.e. delete inaccurate personal data;
- delete personal data if its processing is not in accordance with the law; and
- inform the data subject within eight days that these actions were performed, unless it proves impossible.
If the controller does not act in accordance with the request or rejects the request, the data subject has the right to file a complaint to the controller or to request protection of rights with the supervisory authority (Article 44 of the PDPL).
See section on data subject rights above above.
See section on data subject rights above above.
In addition, before processing personal data for direct marketing purposes, the person must be given the opportunity to object to the processing of the data (Article 15 of the PDPL).
See section on data subject rights above above.
When deciding on the rights, obligations, and interests of the person, the assessment of their personal characteristics and abilities (performance at work, reliability, creditworthiness, behaviour, etc.) that are important for decision-making may not be based exclusively on automatic data processing.
Exceptionally, decision-making may be based only on automatic processing of data if (Article 15a of the PDPL):
- during the conclusion or execution of the contract, the request of the data subject has been respected or there are appropriate measures to safeguard their legitimate interests, such as arrangements allowing them to put their point of view; or
- this is authorised by a law, which also lays down measures to safeguard the data subject's legitimate interests.
In case of non-compliance, Article 71 of the PDPL provides that the AZLP has the authority to:
- order that irregularities in the processing of personal data be eliminated;
- impose a temporary ban on unlawful processing of personal data;
- order the erasure of personal data collected without legal grounds;
- impose a ban on transfer of personal data from Montenegro or on disclosure of data to recipients in contravention to the PDPL; and
- impose a ban on entrusting of personal data processing where the processor of personal data does not meet the requirements with regard to the protection of personal data or where entrusting of such tasks was carried out in contravention to the PDPL.
Processing of personal data contrary to the PDPL constitutes a misdemeanour. Article 74 of the PDPL lists the following activities which may give rise to misdemeanour proceedings instituted by the AZLP:
- processing personal data in breach of the PDPL;
- using sensitive data for the purposes of direct marketing, without prior consent of the data subject;
- entrusting the tasks of personal data processing to a processor who does not meet the requirements for implementation of technical, personnel, and organisational measures for the protection of personal data;
- failing to notify the DPA before establishing the personal data filing system; or
- failing to supplement, alter, or erase the personal data within 15 days from the day when the request by a data subject was submitted.
The fine for the misdemeanour ranges from €500 to €20,000 for the legal entity acting as the data controller, data processor, or user. In addition, the individual responsible for the misdemeanour within the legal entity and natural persons can be fined from €150 to €2,000. For entrepreneurs the fine ranges from €150 to €6,000.
In addition, Article 176 of the Criminal Code 2003 provides that the following are criminal offences:
- unauthorised acquisition or disclosure of personal data which was collected, processed, and used in accordance with the law, or use of the data for purposes other than for which the data is intended;
- collection or use of personal data in breach of the law; and
- unauthorised assumption of other person's identity and use of that person's name in order to:
- use the other person's rights;
- acquire benefits for oneself or for another; or
- invade personal life of the other person, infringe their personal dignity, or inflict damage.
According to Articles 50 and 176 of the Criminal Code, the penalty for these criminal offences vary from a monetary fine between €600 and €8,000 to a three-year imprisonment term, depending on the capacity of the offender.