Privacy PolicyTerms of ServiceCookie PolicyGDPR RightsAgent TermsSub-ProcessorsDPIARoPABreach Policy

Data Breach Notification Policy

Last updated: 22 May 2026
Effective under: GDPR Article 33-34 and Montenegro PDPL Article 27.

What is a personal data breach?

A personal data breach is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data we hold.

Our notification commitments

Notification to the supervisory authority (AZLP)

When a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify Montenegro's Agency for Personal Data Protection (AZLP) within 72 hours of becoming aware of it, in accordance with GDPR Article 33(1) and PDPL Article 27.

If the 72-hour window is not feasible, notification will be accompanied by reasons for the delay, as permitted by Article 33(1).

Notification to affected data subjects

When a breach is likely to result in a high risk to your rights and freedoms (e.g. financial loss, identity theft, reputational damage), we will notify you without undue delay, per GDPR Article 34 and PDPL Article 28.

Notification will be by email to the address on file, with the subject line clearly identifying it as a data protection notice.

What our notification will contain

Each breach notification will include, where known:

  • The nature of the breach (categories and approximate number of data subjects and records affected)
  • The name and contact details of our data protection contact
  • The likely consequences of the breach
  • The measures we have taken or propose to take to address the breach, including mitigation
  • Steps you can take to protect yourself (e.g. password reset, monitoring statements)

Internal process

Upon detection of a suspected breach:

  1. Containment — affected systems isolated; access tokens rotated as needed.
  2. Assessment — severity, scope, and risk to data subjects evaluated within 24 hours.
  3. Documentation — incident logged in internal breach register (RoPA Annex).
  4. Notification — AZLP notification drafted within 48 hours, sent within 72.
  5. Communication — affected users notified if high-risk threshold met.
  6. Post-incident review — root cause analysis and process improvements within 14 days.

A suspected-breach detection capability is part of our error monitoring (Sentry) and database access controls (Railway).

Your rights and remedies

If you believe your personal data has been involved in a breach we have not notified you about, you may:

  • Contact us at contact@montenegrohousing.com with details of your concern
  • Lodge a complaint with the Montenegro Agency for Personal Data Protection (AZLP): azlp.me
  • Seek judicial remedy under GDPR Article 79 / PDPL Article 49

We respond to good-faith breach concerns within 7 days.

Limitation of scope

This policy covers breaches affecting personal data we control. Breaches at third-party sub-processors (Railway, Cloudinary, Resend, Sentry, etc.) are handled by them directly under their own DPAs; we will relay their notifications to affected users where applicable.

For the list of sub-processors and their notification obligations, see /legal/sub-processors.

Contact

For data protection matters: contact@montenegrohousing.com
For urgent breach reports (third-party concern): mark email subject as "URGENT — Data Protection Breach Report"

Related documents

Disclaimer: This document is provided for informational purposes only and does not constitute legal advice. MN Housing is not a law firm. For legal advice, please consult a qualified attorney.