
Speed Read
Data Privacy - Israel
The full report, available to subscribers and those on a free trial, includes access to a detailed legal memorandum, Breach Response App, Horizon Scanning and Sanctions Tracking, Schrems II Toolkit and Territorial Scope View, all supported by daily monitoring and alerts.
Source date: 12th August 2024
Overview
Legal Framework
Relevant law: Protection of Privacy Law (amendments in force August 2025), DSR and Transfer Regulations
Regulator: Privacy Protection Authority
Fines and Enforcement
Maximum possible fine: ILS 5,000 (c. USD 1,400) per violation (and 5x this amount where infringer is a corporate entity).
Top fine to-date: ILS 320,000 (c. USD 86,000) in November 2022.
Compliance Overview
Register with regulator: Not required. However, a Data Owner (controller) must register a Database with the PPA for approval in certain circumstances.
Appoint a DPO: Not required. However, the PPA considers that the voluntary appointment of a DPO is best practice.
Appoint a CISO: Certain entities (e.g. those that hold five or more Databases controlled by another entity, banks and insurance companies) must appoint a CISO.
Formal compliance programme: In order to comply with data privacy laws organisations must have appropriate documented plans, policies, processes and procedures.
Publish/provide privacy notice: Privacy information must be provided to individuals prior to the collection of their data into a Database.
Maintain records of activities: The Owner of a Database is required to maintain a document which includes a general description of Personal Data collected and purposes.
Conduct privacy assessment (DPIA): Not required. However, conducting a DPIA is generally a good practice.
Data security measures: Organisations must protect Data from being exposed, used or copied without lawful permission. Specific security requirements apply, depending on level of risk assigned to a Database.
Key Risks and Considerations
1) Robust, established regime; compliance standards less onerous than GDPR.
2) Consent required, but implied consent generally acceptable.
3) Requirement to register personal data Databases with the PPA and assign a level of risk, which will determine the appropriate security measures to implement.
4) Severe security incidents must be notified to the PPA immediately.
5) Additional rules that apply to all data transferred from the EEA.
Find out how aosphere can help
Rulefinder Data Privacy is an easy-to-use online resource that provides practical analysis of data protection and privacy laws across key global markets. The analysis is simple to access online, easy to navigate and maintained by a dedicated team of senior lawyers.
