Data Privacy - Israel

Laws: PPL, DSR and Transfer Regulations – see Survey A1

Extra-territorial scope: Limited – see Survey A2

Regulator: PPA - website

What data is covered?

Data protection laws in Israel apply to Data and Sensitive Data. Data is defined as “information regarding the personality, personal status, intimate affairs, health condition, economic situation, professional qualifications, opinions, and beliefs of a person”.

Sensitive Data is defined as “information on the personality, intimate affairs, health condition, economic situation, opinions and beliefs of a person”.

Key risks and considerations

1. Robust, established regime; compliance standards less onerous than the GDPR.
2. Consent required, but implied consent generally acceptable.
3. Requirement to register Databases with the PPA and assign a level of risk, which will determine the appropriate security measures to implement.
4. Severe security incidents must be notified to the PPA immediately.
5. Additional rules that apply to all Data transferred from the EEA.

Compliance overview 

Register with regulator: Not required. However, a Data Owner must register a Database with the PPA for approval in certain circumstances – see Survey D5.1(c).

Appoint a DPO: Not required. However, the PPA considers that the voluntary appointment of a DPO is best practice.

Appoint a CISO: Certain entities (e.g. those that hold five or more Databases controlled by another entity, banks and insurance companies) must appoint a DPO.

Formal compliance programme: In order to comply with data privacy laws organisations must have appropriate documented plans, policies, processes and procedures.

Publish/provide privacy notice: Privacy information must be provided to individuals prior to the collection of their data into a Database.

Maintain records of activities: The Owner of a Database is required to maintain a document which includes a general description of Personal Data collected and purposes.

Conduct privacy assessment (DPIA): Not required. However, conducting a DPIA is generally a good practice.

Data security measures: Organisations must protect Data from being exposed, used or copied without lawful permission. Specific security requirements apply, depending on level of risk assigned to a Database.

Enforcement and top fines

• Maximum possible fine: up to NIS 5,000 per violation (and up to 5x this amount where the infringer is a corporate entity).
• The PPA is very active in terms of enforcement and conducts a relatively large number of investigations. However, it does not often issue fines for breaches of the PPL and only issued 6 financial penalties from 2021 to date.
• Top fine imposed to-date: NIS 320,000 (approx. USD 86,000) in November 2022.
• Personal criminal liability is possible and compensation claims may be brought by individuals or via a class action.

See the aosphere Enforcements Tracker for an up-to-date record of global enforcement action.

Practically the only legal basis for the processing of Data by a private commercial organisation is informed consent, which can generally be either express or implied.

However, the PPL does set out a number of possible defences to any criminal or civil proceedings for infringement of the right of privacy (i.e. where Data is processed without consent), which include where Data is processed in response to a legal, moral social or professional obligation.

Data may only be transferred with the data subject’s informed consent.

International transfers of Data to any country or international organisation are prohibited unless the receiving country in question ensures a level of protection of Data which is not lower than the level of protection provided for under the Israeli law (or any of the conditions for transfer set out under the Transfer Regulations e.g. contract safeguard, consent, legal requirement, public welfare or security applies). Transfers to “adequate recipients” (i.e. EU Member States and the UK) are permitted.

 

 

Israeli data privacy laws impose direct obligations on service providers (i.e. the Holder of a Database), such as to implement a compliance program, to notify the PPA when it holds more than 5 Databases that require registration and to comply with security obligations. The Owner of a Database is required to enter into a written agreement with the Holder of a Database, which includes mandatory requirements in relation to data handling and security.

Organisations are required to immediately notify the PPA of any ‘Severe Security Incident’. There is no obligation to notify affected individuals although the PPA may order it. In practice, organisations tend to notify individuals where a data breach may result in harm. See the aosphere Breach Response app for critical breach notification requirements.