Global Data and Cyber Handbook

Israel

Select a Topic
Start Comparison
Key Definitions
Jump to
Key Definitions Start Comparison
Personal data

Last review date: January 24, 2025

The current version of the Privacy Law does not define the term "Personal Data". It defines "Data" as "data about an individual's personality, personal status, intimate affairs, health condition, financial condition, professional qualifications, opinions and beliefs" and "Sensitive Data" as "data about an individual's personality, intimate affairs, health condition, financial condition, opinions and beliefs". Israeli courts and the PPA have interpreted the terms "Data" and "Sensitive Data" very broadly as encompassing various types of personal information that are not specifically mentioned in the definition of "data" or "sensitive data", and each matter will be reviewed based on its particular circumstances.

As of 14 August 2025 – the date in which Amendment 13 of the PPL comes into effect – the Privacy Law introduces a new term "Personal Data" which is defined as "data relating to an identified or identifiable person; for the purposes of this definition, "identifiable person" - one who can be identified with reasonable effort, directly or indirectly, including through an identifying detail such as name, identification number, biometric identifier, location data, online identifier, or one or more details relating to his physical, health, economic, social, or cultural status".

Sensitive/special personal data (including personal data subject to additional protections/ restrictions/breach notification obligations)

Last review date: January 24, 2025

Sensitive data includes:

☒         personal data revealing racial or ethnic origin
☒         personal data revealing political opinions
☒         personal data revealing religious or philosophical belief
☒         personal data revealing trade union membership
☒         genetic data
☒         biometric data for the purpose of uniquely identifying a natural person
☒         data concerning health/medical information
☒         data concerning a natural person's sex life or sexual orientation
☒         financial information
☒         government identity card or number information
☒        personal data regarding an individual's criminal convictions or record
☒         other

The following categories of data were also recognized by Israeli courts as "sensitive data": data regarding a person's family and marital status, biological data (such as blood type, DNA, skin tissues etc.).

As of 14 August 2025 – the date in which Amendment 13 of the PPL comes into effect – the Privacy Law introduces a new term "Data of Special Sensitivity" which is defined as "any of the following:

(1) Personal data about a person's intimate family life, personal intimate affairs and sexual orientation;

(2) Personal data relating to a person's health status, including medical data as defined in the Patient Rights Law, 1996;

(3) Personal data that constitutes genetic data as defined in the Genetic Information Law, 2000;

(4) Personal data that is a biometric identifier used or intended to be used to identify a person or verify his identity in a computerized manner;

(5) Personal data about a person's origin;

(6) Personal data about a person's criminal history;

(7) Personal data about a person's political opinions or religious beliefs or worldview;

(8) Personal data which is a personality assessment conducted by a professional entity that, as part of their occupation, expresses an opinion on a person's personality, or is conducted by means intended to perform an assessment of material personality traits, including character traits, intellectual competence, and ability to function at work or in studies;

(9) Personal data that is location data and transmission data, as defined in the Criminal Procedure Law (Enforcement Powers-Communication. Data), 2007, created by an authorized provider as defined in the said law, regarding a person, and data about a person's location that can indicate data in accordance with paragraphs (1) to (7) and (11);

(10) Personal data about a person's payroll data and financial activity;

(11) Personal data subject by law to confidentiality obligations;

(12) Personal data about an employee's labor union membership, provided that it is personal data in a database located in Israel that was transferred to it from outside the country and that in the place from which it was transferred, special legal provisions apply to such personal data compared to the law applicable to other personal data."

Controller vs Processor

Last review date: January 24, 2025

Do the privacy laws distinguish between controllers/owners and processors/agents? Whereby:

  • the controller/owner is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  • the processor/agent is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Yes.

In general, the Privacy Law (and the regulations promulgated thereunder) applies with respect to any type of controller/owner and processor/agent, whether the respective controller/owner/processor/agent is a natural or legal person, public authority, agency or other body.

In this context, the Privacy Law currently differentiates between the "owner" of the database (the Israeli equivalent of "controller" under the GDPR) and the "holder" of the database (the Israeli equivalent of "processor" under the GDPR). The Privacy Law currently does not include a definition of an "owner" of a database, however it is viewed by the PPA to be the person who is responsible for the collection of the personal data, and the means by which and the purposes for which the personal data will be collected. This perspective is now reflected in the updated definition of a "data controller," as introduced in Amendment 13 to the Privacy Law, which will take effect on 14 August 2025. From that date, the term "data controller" will refer to "the entity that determines, alone or jointly with others, the purposes for processing data within a database, or an entity or an officer within that entity who is legally authorized to process data in the database".

With respect to the database holder, the Privacy Law defines such term, for the purpose of a database, as a person who has a database in its possession permanently and is permitted to use it. Amendment 13 to the Privacy Law, which will come into force on 14 August 2025, re-defines a Holder as an external entity that processes personal data on behalf of the data controller...

It should be noted that certain public bodies (e.g., governmental bodies, state institutions, local authorities and other bodies carrying out public functions under any law) are subject to certain requirements under the Privacy Law, including with respect to the sharing of personal data between public bodies, access and review rights, etc.

{{ $store.state.loadingScreen.message }} ...