Access to Information


FREE ACCESS TO INFORMATION


Pursuant to the Law on Free Access to Information, any resident or non-resident foreign legal and natural entity shall have access to information filed with the Central Bank of Montenegro. 


Access to information ensures transparency in operations and affirms integrity.


Pursuant to Article 45 paragraph 2 point 7 of the Central Bank of Montenegro Law (OGM 40/10, 6/13), and in reference to Article 24 of the Personal Data Protection Law (OGM 79/08, 70/09, 44/12) the Governor of the Central Bank of Montenegro adopted the 


RULEBOOK

on personal data protection


I. GENERAL PROVISIONS


Article 1


This Rulebook shall regulate in detail the protection of personal data processed by the Central Bank of Montenegro (the Central Bank) to prevent their loss, unauthorised access, alteration, disclosure, destruction or misuse.


Article 2


Information relating to an individual (personal data) shall be processed legally following the principles of the prohibition of discrimination, proportionality, accuracy and timeliness.


Article 3


The purpose of processing personal data in the Central Bank’s collections shall be determined by the Law and the bylaws.


II. PERSONAL DATA COLLECTIONS


Article 4


The Central Bank shall process personal data for the following personal data collections (the Collections):


  1. Employee records, pursuant to the law governing labour records;
  2. Records on employees’ salaries, pursuant to the law governing labour records;
  3. Credit Registry, pursuant to the law governing the Central Bank’s operations;
  4. Records of issued approvals for members of Boards of Directors and Executive Directors in banks, pursuant to the law governing the banking operations;
  5. Central Register of Transaction Accounts, pursuant to the law governing payment operations;
  6. Records of third-party visitors entering/visiting the Central Bank’s business premises, pursuant to the law regulating personal data protection;
  7. Records on video surveillance, pursuant to the law governing personal data protection;
  8. Records of compensations paid to the members of the Council, pursuant to the law governing the Central Bank’s operations;
  9. Records of third parties to whom personal data were given for storage, pursuant to the law governing personal data protection;
  10. Records of personal data collections, pursuant to the law governing personal data protection;
  11. Register of payment institutions and their agents, pursuant to the law governing payment operations;
  12. Register of electronic money institutions, pursuant to the law governing payment operations.


Article 5


The Central Bank shall process personal data in the Collections only for the time required to achieve the purpose for which they are processed unless specific law provides otherwise.


III. PERSONAL DATA PROTECTION MEASURES


Article 6


The use of personal data outside of the purpose of their collection shall be prohibited.


Article 7


Personal data shall be processed in hard copy and/or electronic form or on a transmission medium, depending on the purpose of their processing.


Article 8


Personal data contained in the Collections may not be given to third parties without the consent of the persons they relate to, except pursuant to the Law and the provisions herein.


In exercising its duty, the Central Bank employee who processes personal data (hereinafter: authorised employee) shall act following the Central Bank’s internal acts governing data secrecy and information security and protect them with crypto protection methods and means and other appropriate technical protection measures (password, etc.).



The authorised employee shall use personal data solely for their processing and in a manner that limits encroachment on privacy to the minimum.


Article 9


Personal data from employee records and records of their salaries may be given to relevant authorities to regulate labour legal status and other rights and obligations of employees.


Article 10


Premises in which the Collections are kept shall be subject to physical and technical protection following the Central Bank’s internal acts, in a manner that prevents unauthorised access.


Cabinets and drawers with documents containing personal data must be locked.


Article 11


After the need for personal data processing expires, the data in the electronic form shall be deleted in a manner that prevents the original information from being restored, while those in the paper form shall be destroyed unless the law regulates otherwise.


Employees whose personal data are processed may request deletion of personal data if their processing breaches the law.


IV. OBLIGATIONS AND RESPONSIBILITIES OF EMPLOYEES


Article 12


The authorised employee shall update personal data in Collections in a timely manner based on relevant documents to ensure their accuracy and completeness.


Article 13


The persons responsible for instituting proceedings and measures of personal data protection shall be the person organising work in the basic organisational unit where personal data are processed and the authorised employee.


Article 14


Upon learning of actions related to unauthorised access and personal data processing, the employee shall immediately notify the person who organises the work in the competent organisational unit and report the security incident following the Central Bank’s internal acts.


Article 15


Unlawful disclosure of personal data shall constitute a breach of the labour obligation for which the employee is subject to disciplinary action under the regulations on disciplinary responsibility.


V. FINAL PROVISIONS


Article 16


The person who organises the work in the basic organisational unit shall promptly initiate the procedure for amending or supplementing this Rulebook after the establishment of the new Collection.


Article 17


The provisions of the law governing personal data protection and other regulations governing this issue shall apply to issues not regulated herein.


Article 18


This Regulation shall enter into force on the eighth day following the day of its publication.


GOVERNOR,                          

Radoje Žugić, m.p.                   


No. 0102-2869-1/2017

Podgorica, 28 March 2017