Montenegro's Personal Data Protection Law (PDPL) employs the "use of equipment" factor to extend its territorial scope beyond the country's borders.

Text of Relevant Provisions

PDPL Art.5(2):

"This law also applies to data controllers who are established outside Montenegro or do not have a residence in Montenegro, if the equipment for processing personal data is located in Montenegro, except if that equipment is only used for transmitting personal data across the territory of Montenegro."

Analysis of Provisions

The PDPL extends its applicability to data controllers not established or residing in Montenegro based on the location of data processing equipment. This provision captures scenarios where foreign entities utilize equipment within Montenegro's territory for data processing activities.

The key elements of this provision are:

1. "data controllers who are established outside Montenegro or do not have a residence in Montenegro": This targets foreign entities without a physical presence in the country.
2. "equipment for processing personal data is located in Montenegro": The critical factor determining applicability is the physical location of the processing equipment within Montenegro's borders.
3. "except if that equipment is only used for transmitting personal data across the territory of Montenegro": This exception excludes mere data transit scenarios, focusing on actual data processing activities.

The rationale behind this provision is to ensure that Montenegro's data protection standards apply to all personal data processing activities occurring within its territory, regardless of the data controller's location. This approach prevents potential regulatory gaps that could arise if foreign entities could process data within Montenegro without adhering to its data protection laws.

Implications

This provision has significant implications for foreign companies processing personal data in Montenegro:

1. Equipment location: Companies must assess whether they use any data processing equipment physically located in Montenegro.
2. Data transit vs. processing: Organizations need to distinguish between mere data transmission through Montenegro and actual data processing activities within the country.
3. Compliance obligations: Foreign entities using equipment in Montenegro for data processing must comply with the PDPL, potentially including appointing a local representative as per PDPL Art.5(3).
4. Extraterritorial reach: The law effectively extends Montenegro's data protection regime beyond its borders, capturing foreign entities that might otherwise fall outside its jurisdiction.
5. Cloud services: Companies using cloud services with data centers in Montenegro may fall under the PDPL's scope, depending on the nature of data processing activities.