Montenegrin PDPA

Personal Data Protection Act (Zakon o zaštiti podataka o ličnosti)

Key Facts

Effective Date: July 1, 2023
Enacted: March 1, 2023
Enforcing Authority: AZLP (Agency for Personal Data Protection and Free Access to Information)
Consent Model: Opt-in
Applies To: Any organization processing personal data of individuals in Montenegro

Overview

Montenegro adopted a new GDPR-aligned Personal Data Protection Act in March 2023. The AZLP gained the ability to impose administrative fines directly, eliminating the need for criminal proceedings. However, maximum penalties of EUR 20,000 for legal entities remain well below GDPR levels.

What This Means for Your Website

  • Consent is required for processing personal data of Montenegrin visitors, including through cookies
  • Data protection by design and by default principles apply
  • Maximum penalties are modest at EUR 20,000 per offense for legal entities
  • The AZLP has direct administrative fine powers since the 2023 law

Key Requirements

The AZLP enforces the PDPA with penalties of EUR 500-20,000 for legal entities. The law introduces GDPR-aligned requirements including DPIAs, processing records, and breach notification. While penalties are modest, the AZLP's new administrative enforcement powers make enforcement more efficient.

How ConsentStack Handles This

ConsentStack applies GDPR-compliant consent standards for Montenegrin visitors, ensuring compliance with the PDPA's accountability-based requirements.

Penalties

EUR 500-20,000 for legal entities per offense. EUR 150-2,000 for responsible persons. EUR 150-6,000 for entrepreneurs.

Maximum Fine: €20,000 per violation

Key Requirements

  • Consent for personal data processing including cookies
  • Data protection by design and by default
  • Data protection impact assessments for high-risk processing
  • Detailed records of processing activities
  • Data breach notification obligations

Notable Provisions

  • Modest maximum penalties (EUR 20,000 for legal entities)
  • AZLP gained administrative fine powers (no longer requires criminal proceedings)
  • GDPR-aligned framework with reduced penalties
  • Replaced previous PDPL with accountability-based approach

Other Europe Regulations

GDPR (European Union + EEA)
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.

PECR (United Kingdom)
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.

ePrivacy Directive (European Union + EEA)
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.

FDPA (France)
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A "Refuse all" button or "Continue without accepting" must appear on the first layer.

UK GDPR (United Kingdom)
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.

TDDDG (Germany)
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

Does Montenegro have GDPR-aligned data protection?

Yes. Montenegro's 2023 PDPA is modeled on the GDPR, though maximum penalties are significantly lower at EUR 20,000 for legal entities.

What are the penalties in Montenegro?

EUR 500-20,000 for legal entities and EUR 150-2,000 for responsible persons. These are significantly below GDPR levels.

Can Montenegro's DPA impose fines directly?

Yes. Since the 2023 law, the AZLP can impose administrative fines directly without requiring criminal proceedings.
