DPOs and Notification Requirements
Is the concept of data protection officer (DPO) recognized in the jurisdiction?

Last review date: January 24, 2025

Currently, there is no legal obligation in Israel to appoint a Data Protection Officer ("DPO"). The PPA issued an opinion in January 2022 ("DPO Opinion") in which it determines that a voluntary appointment of a DPO amounts to best practice for organizations that collect and process personal data. There is, however, a legal obligation in some circumstances, as detailed below, to appoint an Information Security Officer ("ISO").

As of 14 August 2025, after Amendment 13 to the Privacy Law enters into force, the following will be obliged to appoint a DPO:

  1. A controller of a database that is a "public body" as defined in Section 23 of the Privacy Law or holds such a database, excluding a security body as defined in Section 23(c) of the Privacy Law.
  2. A controller of a database whose primary purpose is the collection of personal data for the purpose of transferring it to others as a business activity or for compensation, including direct mailing services, and where the database contains personal data about more than 10,000 individuals.
  3. A controller or holder of a database whose primary activities include information processing operations or are associated with such operations, which, by their nature, scope, or purpose, require ongoing and systematic monitoring of individuals, including systematic tracking or tracing of a person’s behavior, location, or activities on a significant scale, including, among others, a licensed provider offering mobile radio telephone services under the Telecommunications Law (Telecommunications and Broadcasts), 1982, or a provider of online search services or someone whose primary business involves such activities.
  4. A controller or holder of a database whose main business includes processing data with special sensitivity on a significant scale, including, among others, a banking corporation as defined in the Banking (Service to Customer) Law, 1981, an insurer as defined in the Financial Services (Insurance) Supervision Law, 1981, a general hospital as defined in the Public Health Ordinance, 1940, and a health fund as defined in the National Health Insurance Law, 1994.

With respect to (3) and (4) above, "significant scale" data processing takes into account, among other things, the number of individuals about whom data is processed, their proportion in a specific population, the volume and quantity of data, the range of types of data processed, the duration and frequency of processing activities, the data retention period, and the geographic scope of processing activities.

Are there circumstances in which it is mandatory to appoint a DPO or similar position?

Not as of January 2025. However, as of 14 August 2025, after Amendment 13 to the Privacy Law enters into force, certain categories of data controllers and data processors will be obliged to appoint a DPO, as further detailed above.

If yes, under what circumstances?

        the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
        the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale
        the core activities of the controller or the processor consist of processing on a large scale of special categories of data
☒        other

In addition to the above, a controller of a database whose primary purpose is the collection of personal data for the purpose of transferring it to others as a business activity or for compensation, including direct mailing services, and where the database contains personal data about more than 10,000 individuals, will also be obliged to appoint a DPO, as of 14 August 2025.

Where a DPO is appointed, does the DPO have to meet specific requirements?

Last review date: January 24, 2025

Yes (however, the below requirements are currently not mandatory but best practice guidelines issued by the PPA).

If yes, what are these requirements?

☒ legal qualifications / experience

☒ other professional qualifications / experience

☒ other

As stated above, currently, the appointment of the DPO is recommended by the PPA as best practice, although it is not mandatory. According to the DPO Opinion (which is a non-binding position of the PPA):

  1. The DPO must have, at the very least, comprehensive knowledge of Israeli privacy and data protection laws (not necessarily as part of a formal education), sufficient knowledge of information technologies, and basic knowledge of information security. The more extensive the organization's involvement in the processing of personal data, the greater the expertise and knowledge required in these areas.
  2. The appointment of a DPO can be either internal (i.e. an employee of the organization) or external, and the DPO will be part of the senior management or report directly to the senior management. The DPO will also have sufficient seniority in the organization to effectively influence data processing activities in the organization.
  3. An external DPO can be appointed; therefore, generally, there is no restriction on appointing a single DPO for a group of companies. However, according to the DPO Opinion, the PPA is of the view that an internal appointment of a DPO can be advantageous in large organizations, or in organizations where core operations are extensive in scope or include the processing of personal data.
  4. The DPO should have sufficient authority and independence in order to best perform their role, and an organization must ensure that: (1) the DPO is involved in all the matters related to the protection of personal data in the organization; (2) all the resources and authorities required in order to fulfill the role are granted; (3) the DPO's institutional and professional independence is maintained; and (4) the DPO does not serve another role in the organization if this creates a conflict of interest.

As of 14 August 2025, when Amendment 13 to the Privacy Law comes into force, the appointment of a DPO is mandatory for certain categories of data controllers and data processors.

The DPO must be a person with the following characteristics:

  • The DPO shall possess the knowledge and skills required to adequately perform their duties, including in-depth knowledge of privacy protection laws, appropriate understanding of technology and information security and familiarity with the organization's areas of activity and objectives, considering the nature, circumstances, scope, and purposes of data processing.
  • The DPO may be an external party not employed by the organization in which they serve.
  • The DPO shall not hold additional positions or be subordinate to a position-holder within the organization or another body if such dual roles or subordination might create a conflict of interest in fulfilling their duties under the Privacy Law.

The DPO's roles are as follows:

  • The DPO shall serve as a professional authority and knowledge hub, advise the management of the organization in which they serve and its employees, prepare a training program, and oversee its implementation.
  • The DPO shall prepare a program for continuous monitoring of compliance with the provisions of the Privacy Law regarding information databases, ensure its implementation by the data controller or data processor, report findings to the organization's management, and propose corrections for deficiencies.
  • The DPO shall ensure the existence of an information security procedure and a database definition document, as required under the Data Security Regulations. These documents shall be submitted for approval by the organization's management.
  • The DPO shall ensure the handling of inquiries from individuals whose personal data is stored in the database, concerning the processing of such data or the exercise of their rights under the Privacy Law, including requests to access or amend personal data.
  • The DPO shall act as the organization's point of contact with the PPA.

Are there obligations to notify, submit filings to, register with or obtain approval from local data protection authorities to collect and/or process personal data generally?

Last review date: January 24, 2025

Yes.

According to the Privacy Law, no person shall own, hold or manage a computerized database which is required to be registered in accordance with the Privacy Law, unless such database is registered with the Databases' Registry at the Ministry of Justice.

A database owner is obligated to register its database with the PPA, if one of the following applies:

  • The database contains data on more than 10,000 individuals.
  • The database contains sensitive data.
  • The database includes data on persons, and the data was not delivered to the database by them, on their behalf or with their consent.
  • The database is owned by a public body.
  • The database is used for direct-mailing services as referred to in the Privacy Law.

The registration is subject to the PPA's approval, and the PPA may refuse to register the database if it sees reasonable cause for believing that the database serves or is likely to serve illegal activities or as a cover for them, or that the data included within it was received, accumulated or collected in violation of the Privacy Law or in violation of the provisions of any law. In addition, the owner or holder of a database must notify the PPA of every change regarding the name of the owner and/or holder and/or manager of the database, their addresses in Israel, the purposes for which the database was established and the purposes for which the data is intended, the categories of data maintained in the database, transfer of data abroad, receiving data on a permanent basis from a public body and the discontinuation of the database's operation.

In addition, a person who holds at least five databases that require registration shall provide to the PPA, on an annual basis, a list of the databases in his/her possession, indicating the names of the owners of the databases, verified by affidavit that, in respect of each of the databases, the persons entitled to access to the database were determined by agreement between the holder and the owner, and the name of the ISO appointed by the holder.

As of 14 August 2025, when Amendment 13 enters into force, the registration and notification obligations change as follows:

  • Reduced scope of registration: Registration of databases with the PPA is required where: (i) the primary purpose of the database is the collection of personal data for the purpose of transferring it to others as a business activity or for compensation, including direct mailing services, and where such database contains personal data about more than 10,000 individuals; and (ii) the controller of the database is a "public body" - government ministries or other state institutions, local authorities or other bodies performing public functions under law - except where such database only includes personal data about the employees of such public body.

    The data controller will not process, nor permit others to process, personal data included in a database which is required to be registered unless such database is registered.


  • Notification obligation: A controller of a database containing personal data with special sensitivity about more than 100,000 data subjects is obliged to notify the PPA of the identity, address and contact details of the controller, and the identity and contact details of the DPO (if appointed in accordance with the Privacy Law), and to provide the PPA with a copy of the database definition document which is required to be formulated in accordance with the Data Security Regulations. The controller shall update the PPA within 30 days of any change in any of these details or of the cessation of the operation of the database.
  • The obligation of data processors to file annual reports to the PPA regarding their possession of databases is annulled.