The PDPL, Ensuring Data Privacy and Protection
Montenegro’s Personal Data Protection Law 79/08 and 70/09, also known as the PDPL for short, is a data protection law that was passed in 2012. As Montenegro is one of a handful of nations in Europe that is not a part of the European Union and as such, does not fall under the jurisdiction of the General Data Protection Regulation or GDPR, the country needed a data protection law that would be comparative to other European data privacy laws. To this extent, the PDPL was largely modeled after the EU’s Data Protection Directive or Directive 95/46/EC, subsequently placing the law in general compliance with the EU’s current GDPR Law. As such, the PDPL puts forth the legal framework that data controllers, processors, and organizations must adhere to at all times when engaging in data processing activities.
How are data controllers and processors defined under the PDPL?
Under the PDPL, the term data controller is defined to mean “An individual or legal entity who processes personal data on the territory of Montenegro or on the territory outside of Montenegro where, under international law, Montenegrin regulations apply; or is incorporated outside Montenegro or does not have a residence in Montenegro but uses equipment for data processing situated in Montenegro, except if the equipment is used only for transfer of personal data over the territory of Montenegro”. As the PDPL contains no provisions that explicitly state the territorial scope of the law, the term data controller accounts for individuals and legal entities both inside and outside of Montenegro.
Alternatively, the term data processor is defined to mean “A public authority, public administration body, self-government, or local administration authority, commercial enterprise, or other legal person, entrepreneur or a natural person, who performs tasks concerning the processing of personal data on behalf of the controller”. In terms of the types of personal data that are covered by the PDPL, the law “applies to automated or non-automated processing of personal data contained or intended to be contained in a filing system”. Moreover, the processing of personal data includes all functions and operations undertaken in regard to personal data, including collection, processing, transmitting, classifying, and deleting.
What are the obligations of data controllers and processors under the PDPL?
Under the PDPL, data controllers and processors who process the personal data of Montenegrin citizens are required to fulfill the following obligations and responsibilities:
- Data controllers and processors are prohibited from processing personal data more than is necessary to achieve the intended purpose for which it was collected.
- Data controllers and processors must ensure that all data in their possession is complete, accurate, and regularly updated when needed.
- Data controllers and processors are responsible for retaining personal data that would allow for the identification of data subjects for no period longer than is necessary to fulfill the purposes for which it was collected, unless otherwise stated by law.
- All data processing activities must be based on the expressed consent of applicable data subjects, or on one of five other alternative grounds set forth by the law.
- Data controllers and processors are responsible for erasing personal data that has not been processed in accordance with the law, or at the request of a data subject.
- In instances where data controllers or processors establish an automated data filing system, said parties are responsible for appointing an individual who is responsible for the protection of personal data, otherwise known as a data protection officer or DPO, permitting said parties to employ more than ten staff members who process personal data.
- After data processing activities have been completed, data controllers and processors are responsible for either destroying the personal data in their possession, or returning it to the data subjects from whom they collected it from.
- Data controllers and processors are responsible for implementing all necessary organizational, personnel, and technical measures to ensure the protection of personal data that is in their possession.
- Data controllers and processors must create a written agreement between one another, for the purpose of regulating the personal data that data processors process on behalf of data controllers. This written agreement must also outline the obligations of data processors to act in accordance with the direction and instruction of data controllers.
What are the rights of Montenegrin citizens under the PDPL?
The PDPL provides Montenegrin citizens with the following rights as it relates to data protection and privacy:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to restrict the processing of personal data.
- The right to object to the processing of personal data.
- The right not to be subject to data processing decisions made solely on the basis of automated decision making.
In terms of punishment as it pertains to violations of the law, the PDPL is enforced by the Agency for Personal Data Protection and Free Access to Information, or the AZLP for short. To this end, the AZLP has the power to impose the following sanctions for non-compliance under the law:
- Impose a temporary ban against data controllers or processors who are found to have collected or processed personal data unlawfully.
- An order that a data controller or processor delete personal data that has been collected on unlawful grounds.
- Monetary fines ranging from €500 to €20,000 ($584 to $23,361) for legal entities, €150 to €6,000 ($175 to $7,007) for entrepreneurs, and €150 to €2,000 ($175 to $2,335) for individuals.
As Montenegro is one of the various countries within Europe that is not a part of the EU and does not fall under the jurisdiction of the General Data Protection Regulation as a result, the PDPL serves to protect the privacy and personal data of Montenegrin citizens. However, despite the fact that Montenegro is not a part of the European Union, the EU’s data legislation policies throughout the years have undoubtedly played a large role in influencing many of the provisions of the PDPL. In this way, Montenegrin citizens are afforded a level of data privacy that is similar to their European counterparts.