Data protection & privacy laws in Montenegro (2026)

The 2023 Personal Data Protection Act broadly mirrors the GDPR: it introduces accountability-based compliance, data protection by design and default, mandatory DPIAs for high-risk processing, and replaces the old registration regime with records-of-processing obligations.

The Agency for Personal Data Protection and Free Access to Information (AZLP) is the independent supervisory authority; it holds administrative enforcement powers including the ability to issue binding corrective measures and fines.

The 2023 Act guarantees rights to access, rectification, erasure (right to be forgotten), restriction of processing, objection, and data portability (the latter added via the 2024 amendment), bringing the rights catalogue fully in line with GDPR Articles 15–21.

Controllers employing more than ten people, or whose processing activities pose heightened risks to data subjects, are required to appoint a Data Protection Officer under the 2023 Act.

Official Gazette No. 77/2024 (August 2024) amended the 2023 Act to explicitly introduce data portability rights and further harmonise provisions with the GDPR, reflecting Montenegro's EU accession obligations under Chapter 23 (Judiciary and Fundamental Rights).

Montenegro is the frontrunner in EU enlargement; EU ambassadors approved drafting of the accession treaty in April 2026. Chapter 23 interim benchmarks were met in 2024, and full closure requires sustained structural compliance — a key driver of ongoing data-protection law reforms.