top of page

MONTENEGRO - Data Protection and GDPR Review

The history of data protection in Montenegro is relatively young and is closely intertwined with the country's political and economic transitions, as well as its aspirations towards European Union membership. This article aims to offer an overview of how data protection has evolved in Montenegro, highlighting key milestones and legislative shifts.

Pre-Independence Era: Limited Framework

Before Montenegro became an independent state in 2006, it was part of the State Union of Serbia and Montenegro. During this period, data protection was neither a priority nor significantly regulated, primarily due to the political and economic instability that plagued the region.

Post-Independence Period: An Emerging Awareness

Following its declaration of independence, Montenegro undertook comprehensive reforms to align its legislative framework with European norms and standards. Although the focus was initially on political stability and economic reform, there was growing awareness of the importance of data protection.

Initial Legislation

The first notable legislation that provided some level of data protection was Montenegro’s Law on Free Access to Information, passed in 2005, just before independence. However, this law was primarily concerned with access to public information and did not adequately cover data protection in a comprehensive sense.

Comprehensive Data Protection Law

In 2012, Montenegro adopted the Law on Personal Data Protection, providing a framework more aligned with European standards. This law laid the foundation for data protection in Montenegro by defining key terms, prescribing rules for data collection and processing, and outlining individuals' rights concerning their data.

Creation of Regulatory Body

With the adoption of the 2012 law, Montenegro also established the Agency for Personal Data Protection and Free Access to Information. This body is responsible for supervising the application of data protection and free access to information laws, as well as handling complaints and conducting investigations.

Alignment with GDPR

The European Union's adoption of the General Data Protection Regulation (GDPR) in 2018 had implications for Montenegro, as it is a candidate country for EU membership. The nation started efforts to update its legislation to be compliant with GDPR principles, although as of my last update in September 2021, full alignment had not been completed.

Recent Developments and Challenges

As part of its ongoing legislative reform and the European integration process, Montenegro is expected to make additional updates to its data protection framework. However, challenges remain, including limited public awareness, capacity constraints in enforcing laws, and the need for businesses to adapt to evolving regulations.


Montenegro has made significant strides in the area of data protection since its independence. Driven by a combination of internal reforms and external pressures, especially the EU accession process, the country has worked to establish a modern legal framework for data protection. As Montenegro continues on its path toward European integration, its data protection landscape is expected to evolve further, aiming for full alignment with the GDPR and other international standards.

Data protection is an evolving field in Montenegro, as the country aims to align its legislation with European Union (EU) standards, particularly the General Data Protection Regulation (GDPR). Although Montenegro is not an EU member, its status as a candidate for membership means it must work towards GDPR compliance. This guide provides a comprehensive overview of data protection in Montenegro in relation to GDPR.

Regulatory Framework

National Law

  • Law on Personal Data Protection: This is the primary legislation governing data protection in Montenegro. Adopted in 2012, it outlines the general principles and procedures for personal data protection.

Regulatory Body

  • Agency for Personal Data Protection and Free Access to Information: This agency is responsible for enforcing data protection laws, including GDPR principles as they become incorporated into Montenegrin law.

European Union

  • General Data Protection Regulation (GDPR): This regulation is a key influence on Montenegro's data protection landscape, given the country's candidacy for EU membership.

Key Concepts

  • Personal Data: Any information relating to an identified or identifiable individual.

  • Data Controller: The entity responsible for determining how personal data will be processed.

  • Data Processor: An organization that processes data on behalf of a data controller.

  • Data Subject: An individual whose personal data is being processed.

  • Consent: Explicit permission given by the data subject for processing their data.

Obligations of Data Controllers and Processors

Data Collection Limitation

Data must be collected for a specified, explicit, and legitimate purpose, and further processing must be compatible with that purpose.

Data Accuracy

The data collected must be accurate, and any inaccuracies must be corrected or deleted.

Data Storage Limitation

Personal data should not be kept longer than is necessary for the intended purpose.

Security Measures

Data controllers must implement appropriate technical and organizational measures to ensure data security.

Data Protection Officer (DPO)

Large organizations or those processing sensitive data may be required to appoint a Data Protection Officer.

Data Breach Notification

In the event of a data breach, both the regulatory body and affected data subjects should be notified promptly.

Rights of Data Subjects

  • Right to Information: Data subjects have the right to be informed about the processing of their data.

  • Right to Access: Individuals have the right to request access to their data to verify its accuracy.

  • Right to Rectification: Data subjects can ask for their inaccurate data to be corrected.

  • Right to Erasure: Under certain conditions, individuals can request their data be deleted.

  • Right to Object: Data subjects have the right to object to data processing, particularly for direct marketing.

Penalties and Enforcement

Failure to comply with Montenegro's data protection laws can result in fines, penalties, or legal action. These will likely become more stringent as Montenegro continues to harmonize its laws with GDPR.

GDPR and Montenegro

Given its candidate status for EU membership, Montenegro is working to align its data protection legislation with GDPR. Organizations that process data of EU residents or operate within the EU must be aware of GDPR requirements in addition to Montenegrin law.


Data protection in Montenegro is in a state of transformation as the country moves toward European integration. The Law on Personal Data Protection forms the backbone of Montenegrin data protection law, but ongoing reforms are expected to bring it in line with GDPR. Organizations operating in Montenegro should stay abreast of these changes to ensure compliance and avoid legal repercussions.


bottom of page