Introduction
Israel’s data protection framework is anchored in the Protection of Privacy Law (PPL), originally enacted in 1981. This law governs how organizations collect, process, store, and secure personal data and is enforced by the Privacy Protection Authority (PPA). Over the years, the digital age has brought new challenges, and Israel has responded by modernizing its privacy law. The most significant reform to date is Amendment No. 13, adopted in August 2024, which came into effect in mid-August 2025.
Amendment 13 marks a pivotal shift: it aligns Israel’s protection law more closely with global standards, notably the GDPR, by refining definitions, strengthening enforcement, and enhancing data security obligations. Under this updated legal regime, data controllers and processors must pay greater attention to sensitive personal data, data transfers abroad, risk assessments, and the rights of data subjects.
For businesses operating in Israel or processing data of Israeli residents, compliance with Israel’s data protection framework is not optional. Entities must adapt their policies, appoint the right personnel, implement robust security measures, and, where necessary, establish data transfer agreements to align with the expanded legal duties.
Importantly, Israel’s law now includes unique provisions not found in all global privacy laws. For example, under the new regime, there are stricter rules on database registration (or reporting), especially for large sensitive databases, and stronger enforcement powers for the PPA.
Key Principles for Processing Personal Data
Under Israel’s Privacy Protection Law (especially after Amendment 13), several key principles guide lawful data processing. These principles shape how organizations should process such data, balancing innovation with fundamental rights.
First, transparency is essential. When organizations collect personal data from individuals, they must provide clear notice: they must inform data subjects not only about the purpose of collection and to whom the data may be transferred, but also about the consequences of refusing consent. Amendment 13 expands these disclosure obligations.
Second, data minimization is required. Organizations should avoid excessive data processing; they may collect only what is necessary for a legitimate purpose, and should not retain sensitive personal data or highly sensitive data longer than needed. The law’s modernization reflects this principle by narrowing database registration obligations for many types of databases, reducing “paper burden” for entities that do not process large volumes of sensitive data.
Third, security is non-negotiable. Entities that process personal data must implement robust security measures, including data encryption, access controls, audits, and risk assessments, to protect data integrity and confidentiality. The Protection of Privacy Regulations (Data Security) from 2017 remain in force, and organizations must comply with these detailed rules.
Fourth, organizations must ensure informed consent. Under the amended PPL, explicit consent is required before processing personal data, and particularly before processing highly sensitive personal data such as genetic data, medical data, criminal records, or biometric identifiers.
Finally, accountability underlies everything: data controllers must conduct risk assessments, maintain records, and regularly review their data processing activities. The law also emphasizes data integrity, meaning that the personal data held must remain accurate and uncorrupted.
Data Subject Rights
One of the most important aspects of Israel’s privacy regime is the protection of the data subject, that is, the individuals whose personal data is processed. Under the PPL (and even more so with Amendment 13), data subjects gain clearer, stronger rights.
Right of Access: Every individual can request to see the personal data held about them in a database. The PPL guarantees a right of inspection. When doing so, controllers must provide the data in Hebrew, English, or Arabic, and allow access either directly or via an authorized representative.
Right to Correction and Deletion: Data subjects have the right to ask for inaccuracies to be corrected. They may also request deletion of their data, especially when it is no longer needed for the purpose it was collected for or if there is no longer a lawful ground to continue processing.
Right to Object: Particularly for direct marketing or direct mailing services, data subjects may object to their personal data being used. Controllers must have processes in place to promptly address such objections.
Right to Data Portability: While the PPL does not explicitly grant a data portability right (as in some international laws), best practices encouraged under the new regime suggest that organizations should provide personal data back to data subjects in a structured, machine-readable format when possible. This helps foster user control and aligns with global data protection trends.
Transparency and Informed Consent: Under Amendment 13, the notification that organizations provide when requesting personal data must include more details than before. Controllers now must inform data subjects about the consequences of refusal to provide data, the identity and contact details of the controller, and the rights of access and rectification.

Role of the Data Protection Officer
A central change introduced by Amendment 13 is the mandatory appointment of a Data Protection Officer (DPO) for certain organizations. This role is critical in ensuring compliance with the PPL, safeguarding sensitive data, and overseeing data processing activities.
When Is a DPO Mandatory?
The law requires the appointment of a DPO for entities meeting any of these criteria:
- Controllers of databases that must be registered (e.g., data brokers)
- Controllers or holders engaged in systematic monitoring or significant tracking (e.g., telecoms, surveillance-based organizations)
- Controllers or processors whose core activity is processing highly sensitive personal data, such as health insurers, hospitals, and financial institutions
Responsibilities of the DPO
The DPO must be independent and report directly to senior management. Their duties include:
- Overseeing compliance with the PPL and data security regulations
- Conducting risk assessments and data protection impact assessments (DPIAs)
- Monitoring data processing activities, especially where there is systematic monitoring or large sensitive databases
- Establishing internal policies, database definition documents, and data security procedures as required by law
- Acting as a point of contact for the Privacy Protection Authority (PPA) and for data subjects
The DPO thus serves as a guardian of privacy, ensuring that processes are aligned with data protection practices and that robust security measures are implemented.
Data Security
Data security is foundational in Israel’s updated privacy protection law. The Protection of Privacy Regulations (Data Security), 5777-2017, set out detailed security obligations, and Amendment 13 strengthens this mandate.
Security Measures Required: Organizations must implement reasonable and appropriate measures to safeguard personal data and sensitive personal data. These measures may include:
- Encryption of data both at rest and in transit, to protect confidentiality and data integrity
- Strict access control mechanisms, ensuring that only authorized personnel can access databases
- Routine security audits, vulnerability assessments, and risk assessments to identify and mitigate threats
- Documentation of security protocols and detailed records of data processing and access
Handling Data Breaches: Entities must prepare for the possibility of data breaches. Under the law, there must be a formal procedure to investigate data breaches, assess the severity of a security incident, and notify both the PPA and the affected data subjects, if required. The DPO often leads this breach response, coordinating investigations and remediation.
Database Definition Document: Controllers are required to maintain a database definition document that describes the structure of each database, its purpose, and the categories of data, particularly for highly sensitive data. The PPA may require the submission of this document in the context of notification obligations.
Through these requirements, Israel’s legal framework ensures that data security protocols are not just a formality but are integrated into day-to-day operations, preserving data integrity and minimizing risks.
Data Portability
Although the PPL does not explicitly provide a data portability right, the spirit of the law, particularly under the reformed framework, supports practices that align with portability principles.
Why Data Portability Matters: Enabling individuals to receive their personal data held by an organization in a structured, machine-readable format enhances user control, transparency, and trust. While not mandated by the text of the law, organizations are strongly encouraged to adopt such practices in order to align with global trends and to meet data subject rights standards.
Best Practice Implementation
Organizations should:
- Design data processing systems that allow export of data
- Ensure the format is comprehensive, including both personal data and metadata, so that data subjects receive coherent datasets
- Document policies for data portability requests
By proactively enabling data portability, organizations demonstrate a compliance mindset and support informed consent and user empowerment, even beyond legal minimums.
Data Transfer Regulations
Transferring personal data outside of Israel carries specific obligations under the PPL’s updated framework. With the globalization of business, these data transfer regulations are critical for compliance.
Adequate Protection Requirement: When organizations in Israel (or those processing Israeli data) transfer personal data abroad, they must ensure an adequate level of data protection in the destination country, or otherwise implement safeguards.
Data Transfer Agreements: To legally transfer personal data, entities should establish data transfer agreements, such as contractual clauses, to ensure protection that mirrors Israel’s own privacy standards. These agreements help preserve data integrity, confidentiality, and the rights of data subjects when data is processed by foreign entities.
Risk Assessments: Prior to a transfer, organizations must conduct risk assessments to evaluate cross-border data flow risks. This includes assessing the data security regulatory environment in the receiving country, the potential for surveillance, and whether sensitive data (e.g., genetic data, medical data) is involved.
Notification Obligations: In some cases, controllers must notify the PPA about the transfer. For example, where large volumes of sensitive data are transferred abroad, or where data is being processed in high-risk jurisdictions, transparency to the Authority is key.
By fulfilling these regulatory requirements, organizations ensure that personal data remains protected even when it moves across borders and that adequate data protection is maintained throughout.

Compliance with Data Protection Laws
Given the significant reforms introduced by Amendment 13, compliance has become more demanding. To align with both Israeli data protection law and broader international standards, organizations must take a structured, proactive approach.
Compliance Steps for Organizations
- Gap Analysis & Risk Assessment: Conduct a comprehensive review of current data processing practices. Identify where sensitive data processing or systematic monitoring occurs and assess risk levels.
- Appoint a DPO: Determine whether your organization meets the criteria for mandatory DPO appointment. If so, hire or designate someone with appropriate expertise and independence.
- Update Policies & Procedures: Draft or revise data protection policies, consent mechanisms, database definition documents, and breach response plans. Make sure informed consent and data subject rights are embedded into your operations.
- Implement Data Security Measures: Encrypt data, restrict access, perform regular audits, and document security protocols. Establish the necessary procedures under the Data Security Regulations.
- Manage Database Registration or Notification: Decide whether your databases must be registered with the PPA, or whether you need to notify the PPA (especially for large, sensitive databases).
- Set Up Transfer Safeguards: For data transfers abroad, put in place data transfer agreements, perform risk assessments, and ensure ongoing compliance with regulatory requirements.
- Train Staff & Build Awareness: Ensure that employees understand data protection practices, data subject rights, and their roles in data security and breach response.
- Ongoing Monitoring & Audit: Maintain records, regularly review data processing activities, and conduct data protection impact assessments (DPIAs) where necessary to comply with legal duties.
By following these steps, organizations can embed robust data protection practices into their operations and demonstrate good-faith compliance with Israel’s enhanced privacy protection law.
Enforcement and Penalties
With the passage of Amendment 13, the PPA’s enforcement powers have been significantly strengthened, signaling that Israel is serious about data protection enforcement.
Administrative Sanctions: The Authority can impose financial penalties for non-compliance with the PPL or the Data Security Regulations. These fines can reach millions of NIS depending on the severity of the violation, the number of data subjects, and whether the non-compliance is ongoing.
Court Orders: The head of the PPA may petition the administrative court to issue orders to cease data processing, or even to delete improperly processed or stored personal data.
Criminal Liability: Amendment 13 also expands criminal offenses under the PPL. For example, unauthorized processing of data, providing false information when requesting data, or misdirecting individuals when requesting personal information may result in criminal liability.
Statutory Damages: Notably, the law now allows courts to award statutory damages (without proof of actual harm) in cases involving breach of database obligations, up to NIS 10,000 per claim in certain circumstances.
Given these enforcement tools, organizations must treat compliance not only as a legal necessity but as a risk-management imperative.
Conclusion
Israel’s Privacy Protection Law, especially after Amendment 13, reflects a major modernization of the country’s privacy regime. By redefining core concepts, introducing a mandatory Data Protection Officer, strengthening data security requirements, and enhancing enforcement mechanisms, the law aligns Israel more closely with global frameworks like the GDPR.
For businesses and organizations, the mandate is clear: to process personal data responsibly, to protect sensitive personal data, to respect data subject rights, and to invest in robust security measures. Whether you are a data controller, a data broker, or a processor, the time to act is now. Establishing policies, conducting risk assessments, appointing a DPO, and embedding privacy into your operations will not only ensure compliance but also build trust with users.