Information Requirements, Data Subject Rights, Accountability and Governance
What information needs to be included in a privacy notice to data subjects?

Last review date: January 24, 2025

☒ the identity and the contact details of the controller and, where applicable, of the controller's representative
  the contact details of the data protection officer, where applicable
☒ the purposes of the processing for which the personal data is intended
☒ the legal basis for the processing
☒ the recipients or categories of recipients of the personal data, if any
☒ information regarding data transfers to third countries, where applicable, and reference to appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available
☒ the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
☒ the existence of data subjects' rights, such as the right to access, rectification, erasure, data portability, etc.
☒ whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data
☒ if applicable, information regarding automated decision making, including profiling

According to guidelines issued by the PPA on 31 July 2022, titled "Notification Obligation in the Context of Collecting and Using Personal Data", the PPA recommends that, aside from the mandatory disclosures that must be provided to data subjects prior to the collection of their personal data into a database in accordance with Section 11 of the Privacy Law (detailed above), privacy notices to data subjects also include information regarding: the period for which the personal data will be stored; the existence of data subjects' rights; and, where applicable, information regarding automated decision making, including profiling, or relevant information relating to the collection of data through AI systems.

Amendment 13, effective 14 August 2025, expands the transparency requirements outlined in Section 11 of the Privacy Law. It introduces additional elements that must be included in privacy notices provided to data subjects. These include: the identity and contact details of the data controller; information about the rights available to data subjects; and, when the provision of personal data is based on consent, an explanation of the consequences of refusing to provide such data.

In addition, while the Privacy Law, following Amendment 13, does not specifically state that the privacy notice shall include the contact details of the data protection officer, Amendment 13 determines that the contact details of the data protection officer shall be made accessible to the public.

Do data subjects have specific privacy rights that must be operationalized?

Last review date: January 24, 2025

Yes.

Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:

☒ right to access the data subject's own personal data
☒ right to rectify/correct the data subject's own personal data where inaccurate or incomplete
☒ right to erasure of personal data [1]
☒ other

[1] According to the Privacy Law, a data subject is entitled to request that their personal data be deleted from a database in case: (i) the data is unclear, incomplete, incorrect or out-of-date; or (ii) the data is used for direct marketing.

In addition, according to the EEA Data Import Regulations, the data controller is required to enable a European data subject (and as of 2025 – Israeli data subjects as well, to the extent their data is included in the same database as the data about European data subjects) to exercise their “right to be forgotten” and to delete personal data from a database if it was created, received, accumulated or gathered contrary to the provisions of the law, if continuing the usage of such data violates any law, or if the data is no longer needed for its original purposes (unless the data controller implemented reasonable measures to anonymize the data so that it can no longer identify the data subject).

The data controller will be entitled to refuse a deletion request if one of certain exceptions provided under the EEA Data Import Regulations is satisfied, which include: maintaining the data for exercising the right of freedom of expression or the people’s “right to know”; fulfillment of a legal obligation or exercising an authority under law; protecting a public interest (e.g., archive, scientific or statistical research); management of a legal proceeding or debt collection; prevention of fraud, theft or other activities which may impact the accuracy or integrity of the data; fulfilling the duties derived from an international agreement to which the Israeli Government is a party; all, to the necessary and proportionate extent for that purpose.

Are there accountability and governance requirements?

Last review date: January 24, 2025

Yes.

There are accountability and governance requirements to:

☐ perform and document data protection impact assessments (DPIAs) for high-risk processing [1]

☒ maintain a record of processing activities

☒ implement appropriate measures to comply with data privacy and security

☒ demonstrate compliance with data privacy and security

☒ identify a specific individual as the data privacy contact for data subject or data protection authority inquiries

☒ provide training to employees

☒ audit or supervise data processors

☒ other [2]

[1] Although implementing privacy-by-design measures or performing DPIAs is not mandatory under Israeli law, the PPA highly recommends implementing such measures prior to engaging in or establishing any activity or business that involves the processing of personal data which may affect the privacy of an individual. The PPA has published a privacy impact assessment guide (available in Hebrew).

[2] According to Section 17 of the Privacy Law, the owner of the database, the holder of the database, the manager of the database and the Information Security Officer (if appointed) are each responsible for the security of the data maintained in the database.

In addition, on 3 September 2024, the PPA published guidelines regarding the role of the board of directors in fulfilling the corporation's obligations under the Data Security Regulations. The fundamental position of the PPA is that when personal data is processed as part of the core of the company's activity, or where there is a likelihood that its activity will create an increased risk to privacy, the board of directors is the appropriate and effective organ to decide who in the company is responsible for carrying out the requirements set out in the regulations.

In this respect, the board of directors' roles include implementing supervisory, control, compliance and reporting procedures with respect to the execution of the regulations' obligations by the nominated organ, and making policy decisions regarding the use of personal data in the company and its management in material aspects.