1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
There is no obligation to notify affected individuals or the Personal Data Protection Agency ("Agency") in the event of a data breach according to the applicable legal regulation in Montenegro. However, affected individuals who consider that their rights have been violated may file a request for protection of their rights to the Agency ("Request").
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
Since there is no obligation to notify affected individuals or the Agency in the event of a data breach affecting residents, the notification procedure is not regulated. However, if the affected individual has filed a Request to the Agency, the Agency is obliged to decide on the request within 60 days from the day of submission of the Request. Until the decision is rendered, the Agency may temporarily prohibit further processing of personal data, if there is a probability of violation of rights (at the written request of the person who submitted the Request).
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
If an affected individual files the Request to the Agency it should do so by filing the available form under the section Zahtjev za zaštitu prava.
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
Since there is no obligation to notify affected individuals or the Agency in the event of a data breach affecting residents the penalties for failure to notify are not prescribed in the Law On The Protection Of Personal Data.
1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
Even though such obligation is not prescribed in the law, it would be recommendable to inform affected individuals in order to reduce potential damage to both controller/processor and affected individuals.
1.6 What are the applicable (data protection) laws or guidelines within your country?
Law On The Protection Of Personal Data ("Official Gazette of Montenegro", No. 079/08 dated 23 December 2008, 070/09 dated 21 October 2009, 044/12 dated 09 August 2012, 022/17 of 03/04/2017).
1.7 Contact information for the local Data Protection Authority:
Personal Data Protection Agency and free access to information
Bulevar Sv. Petra Cetinjskog no. 147, Podgorica, Montenegro
+382 20 634 894 / +382 20 623 863
For more information, contact:
Bulevar Džordža Vašingtona 3/22, 81000 Podgorica, Montenegro
+382 20 416 070 / +381 11 320 8900
+382 20 416 071