New Amendment to Israeli Privacy Protection Law and Mandatory DPO Appointment
The Israeli parliament recently adopted a new amendment to the Israeli Protection of Privacy Law, 5741-1981 ("PPL"), which enters into force in 12 months, on August 14, 2025.
The Amendment, titled Amendment 13, is not a full overhaul of the law: it still lacks legal bases for processing (other than consent and legal obligation), extended data subject rights and mandatory DPIAs. It is nonetheless a very extensive amendment to a law from 1981 that was outdated and urgently needed adaptation to modern privacy laws. The intensity of the 20 sessions of the parliamentary Constitutional Committee that produced the final text of the Amendment for approval by the plenary of parliament was driven primarily by the need to impose meaningful sanctions for breach of the Protection of Privacy Regulations (Data Security), 5777-2017, inter alia in light of the increase in cyberattacks during the Iron Swords War, and also by the recently re-affirmed EU adequacy status, whose recommendation was to enshrine amendments in primary legislation.
The Amendment is expected to impact the entire market, including private and public entities. The Head of the Privacy Protection Authority ("PPA") was quoted referring to the imposition of financial sanctions as a "repricing of the right of privacy" in Israel.
Here is a list of the key changes:
- New definitions of Controller, Processor (titled Holder), Personal Data, Especially Sensitive Data and Processing (similar to GDPR);
- Database registration – the requirement to register Databases (a collection of personal information held by digital means) was cancelled, except for public entities and data brokers processing data of more than 10,000 data subjects. A new obligation to notify the PPA of Databases of Especially Sensitive Data concerning 100,000 data subjects was added;
- Stakeholders: the unique position of Database manager (entailing personal liability) was cancelled, the obligation to appoint an information security officer (CISO) was amended, and a new mandatory DPO appointment was introduced (see more on this subject below);
- A few new material provisions were added: (i) a new purpose limitation principle - a prohibition on processing personal data for a purpose contrary to the lawfully compliant purposes set for such Database, (ii) a prohibition on processing Personal Data without authorization from the Controller, (iii) a prohibition on processing Personal Data collected in breach of the PPL or any other law;
- Extensive investigative and enforcement powers were added to the PPA;
- Addition of new significant administrative fines (amounting to millions of NIS if multiple obligations are breached), some imposed without prior opportunity to remedy, but subject to reductions under certain circumstances and a cap of 5% of the annual turnover of the Controller or Processor;
- The PPA may request a court order to stop processing, when certain material provisions are breached;
- The list of criminal offences was amended and includes, for example, providing notification with erroneous information with an intent to mislead individuals to provide Personal Data, processing Personal Data without authorization from the Controller, etc.;
- In a civil claim for breach of certain provisions of the PPL, e.g. lack of notification, breach of data subject rights, etc., statutory damages in the amount of NIS 10,000 (approx. 2,500 EURO) may be claimed without the need to prove actual damages;
- The notification obligation prior to collection of Personal Data from a data subject now includes additional information;
- The limitation period for claims under the PPL was aligned with the 7 years of the general law, in lieu of the 2 years in the pre-amendment version of the PPL;
- A new statutory pre-ruling procedure with the PPA was added;
- The Amendment includes specific provisions for law enforcement and national security agencies and specific provisions to be applied at election times.
In this article I will focus on the new requirement to appoint a Data Protection Officer (DPO).
DPO Appointment
Until the enactment of Amendment 13 there was no obligation on Israeli Controllers or Processors to appoint DPOs, although the PPA issued a document in January 2022 recommending such appointment in certain cases.
The Amendment imposes the obligation to appoint a DPO on the following entities:
(1) A Database Controller that is a public entity (i.e. government ministries, municipalities and additional entities, such as universities and HMOs) or a Processor of such a Database (e.g. a cloud provider serving such entities), except for national security entities.
(2) A Database Controller when the Database contains Personal Data about more than 10,000 data subjects and the main purpose of the Database is collecting Personal Data in order to disclose it to third parties as a business or for value, including direct-mailing services, i.e. a data broker.
(3) A Database Controller or Processor whose core activities consist of data processing operations, or involve processing operations, which, by virtue of their nature, scope or purposes, require ongoing and systematic monitoring of data subjects on a large scale, including systematic surveillance or monitoring of the behavior, location or actions of a person; amongst others, a cellular services provider, internet service provider, or online search engine.
(4) A Database Controller or Processor whose core activities consist of processing Especially Sensitive Data on a large scale, including amongst others: a bank, insurance company, general hospital, or Health Medical Organization. "Especially Sensitive Data" is a very detailed definition including a list of 12 items, inter alia: medical data, sexual orientation, genetic data, biometric identifiers, criminal records, personality assessments, and more. This is the most relevant criterion for the appointment of a DPO in the private sector.
The Amendment stipulates that processing Personal Data “on a large scale” includes, among others, taking into consideration the number of individuals whose data is being processed, their percentage in a certain population, the scope, quantity and range of the types of the processed Personal Data, the frequency and duration of the processing operations, data retention period and geographical area of the processing operations.
A comparison with the DPO provisions of the GDPR shows that the provisions for appointing DPOs in the private sector in Israel are almost identical.
DPO Tasks
The PPL Amendment states that the DPO will act to ensure compliance of the Database Controller or the Processor with the PPL and will promote privacy protection and information security, including:
(1) Serve as a professional authority and a source of knowledge, provide advice, prepare a training program and supervise its execution.
(2) Prepare a program for ongoing monitoring of compliance with the PPL, ensure its execution, report findings to the management and offer suggestions to remedy defects found.
(3) Ensure the existence of an information security procedure and a database definitions document (the local equivalent of a GDPR records of processing), that are brought for management approval.
(4) Ensure exercise of data subject requests regarding processing of their Personal Data, including requests to access or correct Personal Data.
(5) Act as the contact point between the entity and the PPA.
As opposed to the GDPR, the DPO tasks do not include advice regarding data protection impact assessments and monitoring their performance, as they are not mandatory under the PPL.
The contact details of the Data Protection Officer need to be published to the public in a simple, accessible manner.
The Database Controller or Processor appointing the DPO has to provide the DPO with the conditions and resources necessary for the proper fulfillment of his/her role and ensure that the DPO is properly involved in any matter related to privacy protection.
DPO Qualifications
According to the Amendment, the Data Protection Officer needs to have the knowledge and qualifications required to fulfil his/her role in an adequate manner, including in-depth knowledge of data protection laws, an appropriate understanding of technology and information security, and familiarity with the activity and purposes of the entity in which he/she serves, all while taking into account the nature, circumstances, scope, and purposes of the data processing. It should be noted that during the Committee hearings a discussion evolved on what constitutes "appropriate understanding" of information security as opposed to "in-depth knowledge" of data protection laws, and it was clarified that the requirement is an adequate understanding enabling the DPO to ensure the organization's compliance with its information security obligations.
The DPO does not have to be an employee of the entity, and these services can be outsourced.
The DPO will directly report to the general manager of the Database Controller or Processor appointing the DPO or to an employee directly subordinated to the general manager. This provision is intended to reflect on the seniority of the DPO in the organizational structure.
The DPO is prohibited from fulfilling an additional role or from reporting to a manager, if such additional role or reporting line may cause a potential conflict of interest in fulfilling the DPO duties according to the PPL. The PPA has already voiced its position in the past that the DPO and information security officer positions need to be fulfilled by different individuals as there is an inherent conflict of interest in one person fulfilling both roles.
PPA Authorities in relation to breach of DPO provisions
Authority to instruct to stop a breach
In any of the circumstances below, the Head of the PPA is authorized to notify a Database Controller or Processor that is obligated to appoint a Data Protection Officer because it is a public entity or a data broker, that its actions constitute a breach of the PPL, and to instruct it to stop the breach and how it should be remedied (including a warning that administrative fines may be imposed if the breach is not remedied):
(1) the DPO did not receive the necessary resources or conditions, or was not adequately involved in all matters pertaining to data protection laws;
(2) the DPO does not directly report to the general manager or to an employee directly subordinated to the general manager;
(3) the DPO does not have the required knowledge and qualifications as listed in the PPL;
(4) the DPO performs an additional role or is subordinate to another manager in a manner that may subject the DPO to a potential conflict of interest in fulfilling the DPO duties.
Financial Sanctions
The Amendment introduces a new mechanism of administrative fines for breach of an array of obligations under the PPL and of certain regulations promulgated thereunder. The penalties are set as fixed amounts for specific breaches, can be reduced by up to 70% based on certain conditions defined in the PPL (such as a first-time violation), and are capped at 5% of the annual turnover. Fines for small and tiny businesses are capped at much lower amounts.
If a public entity or a data broker does not appoint a DPO, or does not fulfil the orders of the Head of the PPA to stop or rectify a breach in relation to the DPO obligations (as listed above), the Head of the PPA will be authorized to impose a financial fine of NIS 2 (approx. 0.5 EURO) for each person whose personal data is included in the Database, i.e. NIS 2 multiplied by the number of data subjects, and not less than NIS 20,000 (approx. 5,000 EURO); if the personal data in the Database is Especially Sensitive Data, the amount is NIS 4 per person (approx. 1 EURO) and not less than NIS 40,000 (approx. 10,000 EURO).
DPO in the private sector - Sanctions
The enforcement powers of the PPA in relation to breach of the new DPO appointment provisions listed above will initially apply only to obligations regarding DPOs of public entities or data brokers. The Constitution Committee was concerned that, since the DPO appointment in the private sector is a novel position and training the required number of DPOs may take some time, enforcement of these provisions should be postponed until the Minister of Justice has issued an order, approved by the Constitution Committee, according to which the PPA's authorities will also apply to a DPO of a private entity. When such an order is issued, the PPA can also declare a breach when a DPO is not appointed in an entity that systematically monitors data subjects on a large scale, or whose core business includes processing Especially Sensitive Data on a large scale, and can impose the financial sanctions mentioned above.
Reduction of fines
The PPA will reduce the amount of the fine by 10% if a controller or processor that is obligated to appoint a DPO because it systematically monitors data subjects on a large scale, or because its core business includes processing Especially Sensitive Data on a large scale, actually appointed the DPO prior to the imposition of the fine. This reduction is not applicable to public bodies or data brokers.
Conclusion
Amendment 13 is a landmark for Israeli privacy and the finale of extensive work by the Israeli Ministry of Justice, the Privacy Protection Authority, the Knesset Constitutional Committee and many privacy practitioners, including myself, who participated in the Committee hearings.
The Amendment is a reform that will bring the right of privacy in Israel to center stage and push entities to prioritize the allocation of resources for privacy compliance in light of the increased regulatory, civil and criminal risks. The best place to start such compliance is by appointing a qualified DPO.
Article provided by INPLP member: Dalit Ben-Israel (Naschitz Brandes Amir, Israel)
Dr. Tobias Höllwarth (Managing Director INPLP)