Israeli Privacy Protection Authority: Safeguarding Personal Information
The Privacy Protection Authority (formerly the Israel Law, Information and Technology Authority - ILITA) is the Israeli regulatory and enforcing authority for the protection of personal digital information, in accordance with the Privacy Protection Law.
The Privacy Protection Authority is empowered to regulate and enforce the protection of personal information held in digital databases by all entities in Israel - corporations, businesses, government and public bodies. The PPA conducts regulatory processes, including administrative and criminal investigations and digital forensics, and issues guidelines and various sanctions.

David Bowie, a visionary who foresaw the digital age's impact on privacy.
Even in the digital age, people still request, need, and deserve privacy. Privacy doesn't die; it sometimes just changes shape. A bit like David Bowie.
Is Privacy Dead - The Future Privacy of Digital Age
The Israeli government passed a resolution on October 2, 2022, declaring the independence of the Privacy Protection Authority in the Ministry of Justice as it pertains to the exercise of its authorities and the fulfillment of its roles.
This declaration was issued against the backdrop of a review process currently underway by the European Commission in relation to Israel. This review process concerns a decision on whether to renew the “adequacy status” granted to Israel by the European Commission in 2011 as a country whose level of data protection is on par with Europe’s data protection regulation (the General Data Protection Regulation).
This status is granted to a limited number of countries around the world and has considerable economic significance for the Israeli economy, as well as importance in terms of Israel’s foreign relations. In addition to issuing this declaration, the government resolution also specifies the Privacy Protection Authority’s principal roles, as an open list.
Amendment 13 to the Privacy Protection Law: Key Changes
Amendment 13 to Israel’s Privacy Protection Law (the “Law”), which came into effect on August 14, 2025, marks a significant and broad change to Israeli privacy law and practice. Among its reforms, the amendment introduces a mandatory requirement for many organizations to appoint a Data Protection Officer (DPO), aligning Israeli practice with leading international standards and reflecting the growing importance of privacy governance.
The following update provides a summary of the new requirements and recommended next steps, based on the latest draft guidance from the Privacy Protection Authority (“PPA”).
Who Needs to Appoint a Data Protection Officer (DPO)?
The Law sets out clear criteria for organizations required to appoint a DPO:
- Public Bodies: All entities considered “public bodies” under the Law, including government ministries, state authorities, municipalities and other entities performing public functions are included. This category of “public bodies” also includes organizations that are expressly identified as public bodies under relevant regulations, such as health funds, hospitals, higher education institutions and labor unions.
- Data Brokers: Entities whose main business involves collecting personal data for the purpose of transferring it to others, whether for consideration or not, are also included.
- Entities Engaged in Systematic and Ongoing Monitoring: Organizations whose core activities involve systematic and ongoing monitoring of individuals, such as tracking behaviors, locations, or activities on a significant scale, are also subject to the requirement.
- Organizations Processing Large Volumes of Sensitive Data: Entities whose main business includes processing large volumes of “Data of Special Sensitivity” as defined by Law (e.g., health, biometric, or financial data) are also required to appoint a DPO. This requirement is particularly relevant for banks, insurance companies, hospitals, and health funds, but may also apply to other organizations whose core activities involve processing such data.
The Law does not set a fixed numerical threshold for what constitutes a “large volume” of data. Instead, organizations must assess on a case-by-case basis, considering factors such as the number of individuals affected and their percentage of a demographic, the scope and types of data processed, the frequency and duration of processing, and the geographic reach of the organization’s activities.
“Core activities” are those that are central to achieving the organization’s main business or operational objectives, rather than incidental or secondary functions.
Even organizations not strictly required to appoint a DPO are encouraged to consider doing so.

Data privacy considerations are paramount for organizations worldwide.
Expertise and Independence of the DPO
Expertise in Privacy Law - In-depth knowledge of Israeli privacy law and relevant sector-specific regulations, demonstrated through practical experience in the field.
The DPO must act independently, free from conflicts of interest, and should not hold another position in the organization which entails determining the purposes of data processing or that could compromise his/her objectivity.
Reporting and Transparency
Notify the Privacy Protection Authority of the DPO’s identity and contact information in specific cases, such as when registering a database containing Data of Special Sensitivity on more than 100,000 individuals.
Information Security Regulations
In May 2018, the “Privacy Protection Regulations (Information Security) - 2017”, which were passed by the Israeli parliament in March 2017, went into effect, replacing the antiquated regulations dating back to 1986. When the regulations took effect in May 2018, the level of personal data security implementation in Israel took a huge leap forward.
These regulations address the issues of physical and logical protection of databases which are relevant to the vast majority of organizations in Israel. The Israeli regulations will apply to all business owners in Israel who possess databases as the term is defined in the Privacy Protection Law.
The Regulations contain provisions for the realization of the obligations and liability of the organizations in the area of information security regarding the personal details of customers, vendors, and employees. The goal of these regulations is to set out information security principles that will protect against misuse by third parties as well as misuse by employees of the organization.
European Regulations and Data Protection
The European Regulations address the issues of collection, saving and transfer of personal data of private individuals and set out uniform rules for the protection of privacy. The regulation applies to any organization which comes into contact with personal data of citizens of the EU and defines the fundamental rights of the European residents with regard to their personal data and the protection of such data.
According to the regulation, the data collected by the organization belongs solely to the subject of the data, and the company must treat such data accordingly when it uses it.
Practical Steps for Ensuring Compliance
A practical guide published by the Authority may assist bodies belonging to the private investigators sector to increase their level of compliance with the provisions of the law.
- Recommendation of the Authority: Limit or prevent the connection of a disk or key as much as possible, and ensure that its use is subject to appropriate protection measures, including encryption.
- Use updated protection software and avoid using software that is not supported by the manufacturer unless appropriate alternative protection measures have been implemented.
- How do we deal with organizational failure?
- Automate the documentation of all security data in the organization and keep it for up to 24 months.
Don't wait for the next information security event.
| Regulation/Law | Description | Key Aspects |
|---|---|---|
| Israeli Privacy Protection Law | Main law governing data protection in Israel. | Defines personal data, sets rules for data processing, and establishes the Privacy Protection Authority. |
| Privacy Protection Regulations (Information Security) - 2017 | Regulations detailing the requirements for information security to protect personal data. | Physical and logical protection of databases, obligations, and liabilities of organizations. |
| General Data Protection Regulation (GDPR) | European Union regulation on data protection and privacy. | Collection, saving, and transfer of personal data of EU citizens; uniform rules for privacy protection. |
This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing. The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future.
ICG - Corporate Governance