This article, authored by Milena Rončević and Sanja Spasenović, was originally published in the Global Data Protection Handbook.
Law in Montenegro
The Montenegrin law governing data protection issues is the Law on Protection of Personal Data ('Official Journal of Montenegro', nos. 79/2008, 70/2009 and 44/2012) ('DP Law'). It originates from December 2008 and its latest amendments were made in August 2012.
Definition of personal data
The DP Law defines personal data as any information relating to an identified or identifiable natural person. The data subjects are natural persons whose identity is or can be determined, directly or indirectly, in particular by reference to a personal identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
Definition of sensitive personal data
Under the DP Law, sensitive personal data is data relating to
- ethnicity, or race
- political opinion, or religious or philosophical belief
- trade union membership, and
- information on health condition and sexual life.
National Data Protection Authority
The Agency for Protection of Personal Data and Free Access to Information ('DPA') is the local data protection authority. The DPA is seated at Kralja Nikole 2, Podgorica (www.azlp.me).
Registration
Each data controller is obliged:
- first, to register itself as a data controller (this registration is performed only once), and
- once its registration as a data controller is completed, to register separately each database containing personal data ('Database') which it intends to establish, prior to the respective Database's establishment.
Both registrations are carried out by submitting the prescribed forms which are accessible on-line and can be submitted on-line, via the DPA's website (as identified in the section 'National Data Protection Authority'). The type and scope of the information necessary to be submitted to the DPA when registering the Database is explicitly prescribed by the DP Law (eg, the data controller's name and address of its registered seat, name of the Database, legal ground for the processing and processing's purpose, types of processed data, categories of data subjects, information on the data transfer out of Montenegro (if any), etc). Any subsequent significant change of the data processing should be registered with the DPA as well.
Exceptionally (ie if the intended data processing represents a special risk for rights and freedoms of natural persons), a data controller may, depending on the circumstances of each particular case, be obliged to obtain a prior DPA's approval for the respective processing (eg, if biometric data is to be processed and no data subject's consent is obtained for the respective processing).
Data Protection Officers
Under the DP Law, a data controller is obliged, after the Database's establishment, to appoint a person responsible for the protection of personal data. However, this obligation does not apply if a data controller has fewer than 10 employees who process personal data.
Collection & Processing
A precondition for the legitimate processing of personal data is so-called informed consent of the data subject. The content of this consent is explicitly prescribed by the DP Law (for example, data subjects have to be informed on the purpose of and legal ground for the respective processing). The processing is allowed without consent only exceptionally, ie in the particular cases explicitly prescribed by the DP Law (for example, if the processing is necessary for the fulfilment of the data controller's statutory obligations or for the protection of life and other vital interests of the data subject who cannot provide consent personally).
In any case, in order to be considered as fully compliant with the DP Law, the processing has to be done in a fair and lawful way, the type and scope of processed data must be proportionate to the purpose of the respective processing, the data should not be retained longer than necessary for the processing purpose's fulfilment and the data has to be true, complete and updated.
Transfer
Under the transfer rules envisaged by the DP Law, personal data may be transferred to countries, or provided to international organizations, where an adequate level of personal data protection is ensured, on the basis of the DPA's previously obtained consent. The DPA issues the respective consent only if it establishes that adequate measures for the protection of personal data are undertaken (the circumstances on which the adequacy assessment is based include, for example, the type of data and the statutory rules in force in the country to which the data is to be transferred).
However, the DPA's consent is not required for the data transfer out of Montenegro in certain cases explicitly prescribed by the DP Law (for example, if the data subject consented to the transfer and was made aware of possible consequences of such transfer or the data is transferred to the European Union or European Economic Area's country or to any country which is on the EU list of the countries which ensure adequate level of the data protection).
Security
The DP Law prescribes that both data controllers and processors are obliged to undertake technical, personnel and organizational measures for the protection of personal data from loss, destruction, unauthorized access, alteration, publication and misuse. Furthermore, the natural persons who work on data processing are obliged to keep the processed personal data secret.
Additionally, data controllers are obliged to have internal rules on the personal data processing and protection (which should include the identification of the undertaken measures). The controllers should also determine which employees have access to the processed data (and to which of this data), as well as the types of data which may be provided to other users (and the conditions for the respective providing). Finally, if the processing is performed electronically, a data controller is obliged to ensure that certain information on the usage of the respective data and its users is automatically kept in the information system.
Breach Notification
There is no data security breach notification duty envisaged by the DP Law. However, the Law on Electronic Communications ('Official Journal of Montenegro', nos. 40/2013 and 56/2013) ('EC Law') does impose a duty on operators to notify, without delay, the Montenegrin Agency for Electronic Communications and Postal Activity ('EC Agency') and the DPA of any breach of personal data or privacy of the users. The affected users should be notified as well if the breach may have a detrimental effect on their personal data or privacy (unless the EC Agency issues an opinion that such notification is not needed). Failure to comply with any of the above duties is subject to offence liability and fines ranging from EUR 6,000 to EUR 30,000 for a legal entity, and from EUR 300 to EUR 3,000 for a responsible person in a legal entity; in addition, if material gain was obtained through the offence, the protective measure of seizure of that gain may be imposed on top of the monetary fine.
Enforcement
The DPA is the authority competent for the DP Law's enforcement. It is authorized and obliged to monitor implementation of the DP Law, both ex officio and upon a third-party complaint. When monitoring the DP Law's implementation, the DPA is authorized to pass the following decisions:
- order removal of the existing irregularities within a certain period of time
- temporarily ban the processing of personal data which is carried out in contravention to the DP Law
- order deletion of illegally collected data
- ban transfer of data outside of Montenegro or its providing to data users which is carried out in contravention to the DP Law, and
- ban data processing by an outsourced data processor if it does not fulfil the data protection requirements or if its engagement as a data processor is carried out in contravention to the DP Law.
The DPA's decisions may not be appealed, but an administrative dispute before the competent court may be initiated against the same.
The DPA may also file a request for the initiation of an offence proceeding. The offences and sanctions are explicitly prescribed by the DP Law, which includes monetary fines ranging from EUR 500 to EUR 20,000 for a legal entity and from EUR 150 to EUR 2,000 for a responsible person in a legal entity.
Moreover, criminal liability is also a possibility, since the criminal offence 'Unauthorized collection and usage of personal data' is prescribed by the Montenegrin Criminal Code. The sanctions prescribed for this criminal offence are a monetary fine (in an amount to be determined by the court) or imprisonment of up to one (1) year. Both natural persons and legal entities can be subject to criminal liability.
Electronic Marketing
Electronic marketing is not governed by the DP Law. Nevertheless, this law does govern the protection of personal data used in direct marketing. In that regard, it is prescribed that data subjects have to be given the possibility to oppose the processing of their personal data for direct marketing purposes prior to the commencement of the respective processing. Regarding the usage of sensitive personal data in direct marketing, it is explicitly prescribed that the data subject's consent is a prerequisite for the respective processing.
Furthermore, although electronic marketing is not governed by the DP Law, there are other regulations which prescribe the rules relevant for it, including the Law on Electronic Trade ('Official Journal of the Republic of Montenegro', no. 80/04 and 'Official Journal of Montenegro', nos. 41/10, (…), 56/13) ('ET Law'). In this respect, one of the most important rules prescribed by the ET Law is that the sending of unsolicited commercial messages is not allowed without the prior consent of the persons to whom the respective marketing is addressed. It is absolutely forbidden to send any such messages to persons who have indicated that they do not want to receive them (and a service provider which sends unsolicited commercial messages is obliged to keep a record of those persons). A violation of these rules is subject to offence liability, and the prescribed sanction is a monetary fine ranging from EUR 500 to EUR 17,000 (for a legal entity) and from EUR 100 to EUR 1,500 (for a responsible person in a legal entity). It is also prescribed that, in the case of particularly serious or repeated violations, a prohibition on performing business activity (lasting from three (3) months to six (6) months) may be imposed on the entity responsible for the violations.
Online Privacy
There is no specific regulation explicitly governing on-line privacy (including cookies). Accordingly, the general data protection rules, as introduced by the DP Law, are, to the extent applicable, relevant for on-line privacy as well. On the other hand, the EC Law, as defined in the section "Breach Notification" above, introduces relevant rules which are obligatory for the operators under this law. Among other things, it is prescribed that a user of public electronic communication services is particularly entitled to the protection of the secrecy of his/her electronic communications in compliance with the DP Law. Furthermore, explicit rules on traffic data and location data are envisaged by the EC Law. Under these rules, the operators are:
- obliged to retain certain traffic data and location data for certain purposes explicitly prescribed by the law (for example, for the detection and criminal prosecution of criminal offenders); the retention period must last at least six (6) months and may not exceed two (2) years ('Retention Obligation'), keeping in mind that this obligation does not apply to data which reveals the content of electronic communications
- regarding traffic data related to subscribers/users which is not subject to the Retention Obligation, obliged to delete this data once it is no longer needed for the communication's transmission, or permitted to keep it only if they modify the data so that it cannot be linked to a particular person. Apart from this, it is also prescribed that:
  - if the purpose of retaining traffic data is the calculation of the costs of the relevant services/interconnection, it may be retained for as long as claims regarding those costs can legally be made, on condition that the user is informed of the purpose and duration of the processing, and
  - if the purpose of processing traffic data is to promote and sell electronic communication services or to provide value-added services, such processing is allowed only with the data subjects' prior consent (which can be withdrawn at any moment), and
- regarding location data which is not subject to the Retention Obligation, allowed to process it only with the data subject's consent (which can be withdrawn at any moment), or without consent if the data is modified so that it cannot be linked to a particular person.
Failure to comply with any of the above rules regarding the processing of traffic or location data which is not covered by the Retention Obligation is subject to offence liability and fines ranging from EUR 4,000 to EUR 20,000 for a legal entity, and from EUR 200 to EUR 2,000 for a responsible person in a legal entity.
The full publication can be viewed at http://www.dlapiperdataprotection.com/