Data Protection in Montenegro – Overview and Upcoming Regulatives

Written By Bojana Minic

Montenegro is in the midst of a major data protection reform as part of its ongoing efforts to align with EU standards in preparation for accession. This transformation is crucial for businesses, investors, and citizens, ensuring compliance with European regulations and enhancing trust in Montenegro’s digital landscape.

Why Is Montenegro Reforming Its Data Protection Laws?

Montenegro has been working towards EU membership for several years. In addition to economic and financial reforms—such as its recent integration into SEPA (Single Euro Payments Area)—the country is now modernizing its data protection framework to align with EU standards.

Currently, Montenegro operates under the Personal Data Protection Law (PDPL), originally based on an older EU directive. However, since the directive was replaced by the GDPR in 2018, Montenegro is now striving to update its legislation accordingly.

A draft of the new data protection law was introduced in March 2024, closely modeled on the GDPR. It has undergone public consultations and review by Montenegro’s Agency for Personal Data Protection and Free Access to Information (AZLP).

The law is expected to be passed in 2025, provided that the European Commission approves it as part of the EU accession negotiations.

Why Does Data Protection Matter for Montenegro?

For German and EU-based companies, strong data protection policies in Montenegro are not just a legal necessity—they are a business priority.

  • Compliance with GDPR: The GDPR extends beyond the EU’s borders, meaning that any service providers in Montenegro handling EU customer data must meet high privacy standards.

  • Customer & Investor Trust: Today’s consumers and business partners are more aware of data security risks and expect transparent, secure handling of personal data.

  • Practical Business Considerations: Ensuring data security is not just about legal compliance—it involves robust IT infrastructure, well-trained employees, and strong contractual agreements (such as Data Processing Agreements).

Key Aspects of Secure Data Management

  • IT Security Measures: Access controls, encryption, anonymization, and data pseudonymization.

  • Organizational Policies: Clear internal guidelines, data breach protocols, and designated data protection officers.

  • Legal Safeguards: Formal agreements, such as Data Processing Agreements (DPA) for outsourced data processing.

For Montenegro, a modernized data protection framework isn’t just about EU accession—it’s a key factor for attracting foreign investment and fostering a trustworthy digital ecosystem.

Current Data Protection Laws in Montenegro

Montenegro’s existing Personal Data Protection Law (PDPL)—last updated in 2017—shares similarities with the GDPR but also has key differences:

Appointment of a Data Protection Officer (DPO):

  • Mandatory in Montenegro for businesses with 10+ employees handling personal data.

  • In Germany, this threshold is 20 employees under the Federal Data Protection Act (BDSG).

  • The GDPR does not specify a staff threshold, instead requiring a DPO based on the nature of data processing activities.

Database Registration Requirement:

  • Businesses may need official approval from the AZLP before setting up databases, especially for large-scale or sensitive data processing.

Cross-Border Data Transfers:

  • Transfers to non-EU countries (without an EU adequacy decision) often require approval from the Montenegrin data protection authority.

  • This is stricter than GDPR’s framework, which allows businesses to rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

Industry-Specific Data Protection Rules

Montenegro also has sector-specific laws governing data privacy in:

  • Healthcare

  • Telecommunications

  • Insurance

  • Education

  • Employment law

Some key regulations include:

  • Law on Electronic Communications

  • E-Commerce Law

  • Labour Law

Who Regulates Data Protection in Montenegro?

The Agency for Personal Data Protection and Free Access to Information (AZLP) serves as Montenegro’s data protection authority. It is responsible for:

  • Monitoring compliance with data protection laws

  • Approving or rejecting new data processing activities

  • Handling complaints from individuals regarding data misuse

  • Issuing fines for data protection violations

Recent Data Protection Violations in Montenegro

April 19, 2024

  • A medical center failed to implement proper access controls for electronic patient records.

  • The director misused patient data for legal proceedings.

October 26, 2023

  • An employer included psychological assessments in an employee’s personal file.

  • A third-party data processor was engaged without a proper Data Processing Agreement.

  • Employee data was transferred to Serbia without AZLP approval.

Fines & Penalties

  • The AZLP can impose fines up to €20,000, significantly lower than GDPR penalties (which can reach millions).

  • Severe violations can lead to personal liability and, in extreme cases, criminal prosecution.

Looking Ahead: The Future of Data Protection in Montenegro

Montenegro’s upcoming data protection law represents a major step toward EU integration. Beyond legal compliance, this reform will:

  • Increase investor confidence in Montenegro’s digital security standards.

  • Enhance consumer trust in businesses and public institutions.

  • Facilitate international business, ensuring smoother compliance with EU regulations.

For businesses operating in Montenegro or considering expansion, staying informed on these developments is essential.

How Businesses Can Prepare for Compliance

Appoint a Data Protection Officer (DPO)

Internal or outsourced DPOs can ensure compliance and handle regulatory interactions efficiently.

Database Requirements

Before creating a database, check if regulatory approval is needed.

Evaluate Cross-Border Data Transfers

Verify whether the recipient country has an EU adequacy decision or if additional safeguards are required.

Train Employees on Data Security

Regular cybersecurity awareness programs reduce phishing and social engineering risks.

If you need expert guidance on data protection in Montenegro, we can assist with compliance strategies and regulatory interactions

Author

Bojana Minic

Managing Director | Mountain Forest Investment | RC Montenegro Consulting

How to get in touch with us?

info@montenegroconsulting.me | www.montenegroconsulting.com | +38267555715 | Viber | Whatsapp | Telegram

Follow us on social media:
LinkedIn Instagram Facebook Youtube

Bojana Minic
Next

Montenegro Joins SEPA: A Major Step Toward Financial Integration