.svg "Logo White")
Montenegro PDPL
Personal Data Protection Law or Law 79/2008, 70/2009, 44/2012 and 22/2017
What is Montenegro's Personal Data Protection Law (PDPL)?
The Montenegro PDPL (Personal Data Protection Law), also known as Law 79/2008, 70/2009, 44/2012 and 22/2017, is the country’s data privacy law setting out obligations and putting in place protections of personal data “in accordance with the principles and standards contained in the ratified international human rights treaties and generally recognised rules of international law.”
The law bears similarities to the Data Protection Directive (Directive 95/46/EC), being modeled after it, rather than the GDPR.
How does Montenegro's Personal Data Protection Law (PDPL) define Personal Information and what are other key definitions?
Under Montenegro’s personal data protection law, ‘personal data’ is “any information relating to an identified or identifiable natural person” and a ‘data subject’ is defined as “a natural person who is identified or can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
‘Sensitive personal data’ is here called 'special categories of data' and is understood to mean “personal data concerning racial or ethnic origin, political, religious or other beliefs, social origin, trade-union membership, data concerning health, sex life or sexual orientation, biometric data, as well as data from registers of misdemeanor and criminal convictions.”
'Biometric data' under Montenegro’s law refers to “data on physical or physiological features intrinsic to every natural person, which are specific, unique and unchangeable and capable of revealing the identity of an individual either directly or indirectly” and the text of the law offers no exclusions here.
Consent has to be “a free statement given in writing or orally on record by which an individual signifies his agreement to personal data relating to him being processed for a specific purpose” and the law clarifies what 'processing of personal data' means, namely “any operation which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, use, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, as well any other operation performed upon personal data.”
Montenegro’s PDPL defines a 'processor of personal data,' as “a public authority, public administration body, self-government or local administration authority, commercial enterprise or other legal person, entrepreneur of a natural person, who performs tasks concerning the processing of personal data on behalf of the controller, in accordance with this law,” and a ‘personal data filing system controller’ as a “legal person, entrepreneur and natural person, with the seat or domicile in Montenegro, which carries out processing of personal data or establishes personal data filing systems in line with the PDPL.
Last but not least, the data privacy law of Montenegro offers a definition for what it calls a 'personal data filing system,' which is to be understood as “any structured, whether centralized, decentralized or dispersed on a functional or geographical basis, set of personal data which are undergoing processing and which may be accessible according to the specific criteria.”
Who does Montenegro's Personal Data Protection Law (PDPL) apply to?
Montenegro's PDPL law applies to:
- Any state authority, public administration body, local self-government and local administration authority, commercial enterprise, or any personal data filing system controller.
- The processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means which forms part of a personal data filing system or is intended to form part of a personal data filing system.
- A personal data filing system controller whose seat or domicile is outside Montenegro if the equipment for processing of personal data is situated in Montenegro, unless such equipment is used only for purposes of transit through the territory of Montenegro. In such cases, the controller shall designate a representative or an attorney with the seat or domicile in the territory of Montenegro who shall be responsible for the application of this law.
Talk to one of our experts today about your compliance needs! Speak to an Expert →
Who does Montenegro's Personal Data Protection Law (PDPL) exempt?
The following are exempt under the privacy law of Montenegro:
- The processing of personal data for the purposes of defence, national and public security nor in pre-trial and criminal proceedings, unless otherwise provided by a separate law.
- The processing of personal data by a natural person in the course of a personal activity.
Global Privacy Overview
The PDPL sets out obligations for both data controllers and processors as follows:
Controller Obligations:
- Article 2: personal data may be processed only for a lawful purpose or with the prior consent of the data subject;
- Article 3: personal data undergoing processing must be accurate, complete, and kept up to date and can only be stored for the time required to achieve the purpose for which the data is processed;
- Article 13: special categories of personal data can only be processed with the consent of the data subject, if it’s necessary for medical purposes, if it’s needed to protect the life or interests of an individual, if the data has been made public by the individual themselves, or for legal reasons, and has to be clearly marked and protected against unauthorized access;
- Article 24: data controllers have to implement technical, personnel, and organizational safeguards to protect personal data against loss, destruction, unauthorized access, alteration, publicizing, and abuse;
- Article 20: data controllers have an obligation to inform data subjects about the processing of their data, including the purpose of processing, recipients, and their rights;
- Article 26: controllers have to keep records of the personal data filing system they establish, including detailed information about the data processing activities;
- Article 27: controllers must obtain the consent of the supervisory authority before establishing a personal data filing system and have to notify the supervisory authority of new or altered data processing activities;
- Articles 41-42: when transferring personal data from Montenegro to another country, controllers have to obtain prior consent from the supervisory authority.
- Articles 43-44: data controllers have an obligation to respond to data subject requests for access, rectification, or erasure of personal data within 15 days.
Processor Obligations:
- Article 16: the personal data filing system controller may entrust specific activities concerning the processing of personal data to a processor by way of a contract, which has to stipulate mutual rights and obligations, including the need for the processor to destroy or return personal data after processing; in they work with a sub-processor, they have an obligation to make sure that any sub-processors involved meet the requirements for the protection of personal data as stipulated in the contract that the processor has with the controller;
- Article 24: same as controllers, processors have to implement appropriate safeguards for the protection of personal data.
- Article 25: officers and other employees carrying out the processing of personal data must keep the secrecy of personal data they become privy to in the course of their tasks.
- Article 67: processors have to provide access to personal data filing systems, files, and documents during inspections by the supervisory authority.
See how Clym can facilitate compliance
with Montenegro's PDPL
What are the data subject rights under Montenegro's Personal Data Protection Law?
Monaco's data privacy law gives individuals the right to:
- Access;
- Correct;
- Delete;
- Restrict processing;
- Object to processing.
How to respond to consumer requests under Montenegro's PDPL?
The Personal Data Protection Law of Montenegro mandates that for data subject requests controllers have 15 days to respond and provide all the relevant information in the form of an extract, confirmation, or transcript.
Where they find that the personal data they hold about a data subject is incomplete or inaccurate, and upon the request of the data subject to have their data deleted, data controllers have to inform the data subjects that their data has been altered, supplemented or deleted.
There are no extensions mentioned in the text of the law for responding to data subject requests and no other guidelines.
Manage Your Data Subject Access Requests (DSARs)
Montenegro Personal Data Protection Law (PDPL) enforcement and penalties
The PDPL is enforced by the AZLP (the Agency for Personal Data Protection), which has the authority to supervise compliance, issue opinions, and impose measures such as erasure of unlawfully collected data or banning data transfers.
Penalties for non-compliance include fines ranging from tenfold (approx. $ 4,950) to three hundred times the minimum wage in Montenegro for legal persons (approx. $ 148,500), and smaller fines for responsible individuals within those organizations.
Data Subject Rights - GDPR vs. Montenegro PDPL
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
MONTENEGRO - PDPL
- Right to know
- Right to access
- Right to correct
- Right to delete
- Right to restrict processing
- Right to object to processing
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance™: Covering 50+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.
You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.
See Clym in action today!
FAQs about Montenegro's Personal Data Protection Law (PDPL)
What does the Personal Data Protection Law (PDPL) of Montenegro apply to?
- State and local authorities, public bodies, and businesses processing personal data.
- Automated and non-automated data processing within a filing system.
- Foreign data controllers using equipment in Montenegro, requiring a local representative or attorney.
What is exempt under Montenegro’s personal data protection law?
Montenegro’s personal data protection law exempts the processing of personal data for the purposes of defence, national and public security nor in pre-trial and criminal proceedings, unless otherwise provided by a separate law, and the processing of personal data by a natural person in the course of a personal activity.
What data subject rights does Montenegro’s personal data protection law grant?
Data subjects have the following rights under Montenegro's privacy law:
- To Know
- To Access
- To Correct
- To Delete
- To restrict processing
- To object to processing
What are the penalties for non-compliance with Montenegro’s PDPL?
Penalties for non-compliance with Montenegro’s PDPL include fines ranging from tenfold (approx. $ 4,950) to three hundred times the minimum wage in Montenegro for legal persons (approx. $ 148,500), and smaller fines for responsible individuals within those organizations.
Table of contents
Questions?
If you would like to learn more, our compliance experts are happy to support you.
Leave us a Message