
Speed Read
Data Privacy - Israel
The full report, available to subscribers and those on a free trial, includes access to a detailed legal memorandum, Breach Response App, Horizon Scanning and Sanctions Tracking, Schrems II Toolkit and Territorial Scope View, all supported by daily monitoring and alerts.
Source date: 14th August 2025
Overview
Legal Framework
Relevant law: Protection of Privacy Law (amendments in force August 2025), DSR and Transfer Regulations
Regulator: Privacy Protection Authority (website)
Fines and Enforcement
Maximum possible fine: NIS 150,000 (c. $40,000) for individual major instances of non-compliance (cumulative system) and NIS 320,000 (c. $430,000) for certain security violations
Top fine to date: NIS 400,000 (c. $117,000) in 2017
Compliance Overview
Register with regulator: Not required. However, a Data Owner (controller) must register a Database with the PPA for approval in certain circumstances.
Appoint a DPO: Required where (i) the Controller is required to register its Database; (ii) the main activities involve regular and systematic monitoring; and (iii) the primary activity is processing Highly Sensitive Data on a significant scale.
Appoint a CISO: Required in certain circumstances, e.g. when an entity controls or holds five or more Databases that are subject to registration requirements.
Formal compliance programme: In order to comply with data privacy laws, organisations must have appropriate documented plans, policies, processes and procedures.
Publish/provide privacy notice: Privacy information must be provided to individuals prior to the collection of their personal data into a Database.
Maintain records of activities: The Controller is required to maintain a document which includes a general description of the personal data collected and purposes behind the processing.
Conduct privacy assessment (DPIA): Not required. However, conducting a DPIA is generally considered a good practice.
Data security measures: Organisations must protect personal data from being exposed, used or copied without lawful permission. Specific security requirements apply, depending on the level of risk assigned to a Database.
Key Risks and Considerations
1) Robust, established regime; compliance standards less onerous than GDPR although significant changes have been introduced in August 2025.
2) Consent required, but implied consent generally acceptable.
3) Requirement to register personal data Databases with the PPA and assign a level of risk, which will determine the appropriate security measures to implement.
4) Severe Security Incidents must be notified to the PPA immediately.
5) Additional rules that apply to all data transferred from the EEA.
Find out how aosphere can help
Rulefinder Data Privacy is an easy-to-use online resource that provides practical analysis of data protection and privacy laws across key global markets. The analysis is simple to access online, easy to navigate and maintained by a dedicated team of senior lawyers.
