Firon Law Firm

 

What law(s) specifically govern personal data / information?

The primary legislation is the Protection of Privacy Law, 5741-1981 (PPL), which governs the collection, use, disclosure, and other processing of personal data. This law has undergone several amendments, with Amendment No. 13 to take effect on August 15, 2025, significantly overhauling the PPL. Additionally, the Privacy Protection Regulations (Data Security), 5777-2017, which entered into force concurrently with the EU GDPR in May 2018, impose detailed information security requirements on organisations holding databases with personal data.

 

What are the key data protection principles in this jurisdiction?

Key principles include: Right to be informed, Right to access, Right to rectification, Right to erasure (unless a compelling legal reason exists to keep data), Purpose limitation (data collected for specified, legitimate purposes), Data minimisation (only necessary data collected), Data security (appropriate measures to protect data), Data retention (only as long as necessary for the specified purpose), and Transparency. Consent is also a primary legal basis for data processing.

 

What is the supervisory authority / regulator in charge of data protection?

The Privacy Protection Authority (PPA) is the main supervisory unit, established by the Minister of Justice. The individual leading the PPA also holds the position of the Registrar of Databases.

 

Is there a requirement to register with a supervisory authority / regulator?

Yes, the PPL outlines requirements for database registration.

 

Is there a requirement to notify the supervisory authority / regulator?

Yes, the Data Security Regulations require organisations to immediately report "Severe Security Incidents" (data breaches) to the PPA.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Specific online processes for registration/notification were not detailed in the provided search results, so this would require further specific inquiry.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

In Israel, the key data subject rights under the Protection of Privacy Law, 5741-1981 (PPL), align with generally accepted data protection principles, including these specific points:

  • Right to information: Individuals have the right to be informed about the collection and processing of their personal data.
  • Right of access: Data subjects have the right to access their personal data held in databases.
  • Right to rectification of errors: Individuals can request the correction of inaccurate or incomplete personal data.
  • Right to deletion/right to be forgotten: Data subjects have the right to request the deletion of their personal data, unless there is a compelling legal reason for the data to be retained.
  • Right to restriction of processing: The PPL includes provisions for the restriction of data processing under certain circumstances.
  • Right to data portability: This right allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • Right to object to processing: Data subjects can object to the processing of their personal data in specific situations.
  • Right to withdraw consent: Where processing is based on consent, individuals have the right to withdraw that consent at any time.
  • Right to complain to the relevant data protection authority(ies): Individuals can lodge complaints with the Privacy Protection Authority (PPA).
  • Right not to be subject to automated individual decision-making: This right protects individuals from decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects concerning them.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Yes, the PPL, as amended by Amendment No. 13 (taking effect August 15, 2025), will make the appointment of a Privacy Protection Officer and Data Security Officer mandatory. The DPO must have comprehensive knowledge of Israeli privacy and data protection laws, sufficient knowledge of information technologies and basic information security, and sufficient authority and independence.

 

Do data protection / privacy impact assessments need to be carried out in certain circumstances?

The Data Security Regulations require the adoption and implementation of a written policy for protecting personal data, which includes addressing risk management. The PPL also mandates automated DPIAs & Risk Assessments under Security Regulation 5.

 

Does this jurisdiction have any specific data breach notification requirements?

Yes. In the case of a "Severe Security Incident" (data breach), the owner of the database must immediately notify the PPA. The PPA may also order the database owner to notify affected data subjects who are likely to be harmed. Processors must notify controllers of any data security incident.

 

What restrictions apply to the international transfer of personal data / information?

Data from databases in Israel cannot be transferred abroad unless the receiving country's laws ensure a level of protection equal to or exceeding that provided by Israeli law. Transfers are permissible if there is a legal basis and conditions are met, such as data subject consent, necessity for public welfare/security, or if the recipient has undertaken to comply with Israeli data processing conditions.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

The Privacy Protection Authority (PPA) has an expansive approach regarding the extraterritorial application of Israeli privacy protection laws to foreign entities. The Authority has stated that databases abroad may be subject to all provisions of the PPL if they have an extensive impact on Israeli data subjects, even if their owners are not registered in Israel. This implies that foreign companies offering cloud storage to Israeli companies may be directly subject to the PPL.

 

What rules specifically deal with marketing?

The Consumer Protection Law, 5741-1981, broadly prohibits misleading acts in marketing and taking advantage of a consumer's distress or lack of knowledge. Specific rules apply to electronic marketing.

Do different rules apply to business-to-business and business-to-consumer marketing?

The provided information primarily discusses consumer-focused marketing laws, without explicit distinction for B2B. Further specific legal consultation would be needed for a definitive answer.

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads, etc.)?

Companies must not directly contact, for marketing purposes, consumers whose numbers are registered in the national "do not call me" registry, which became effective for businesses on January 1, 2023. There is no specific law explicitly requiring notification for cookie use, but if cookies collect personal information, users must be informed, typically via a privacy policy.

 

What rules specifically deal with cookies?

There is no specific law in Israel that explicitly requires notification for the use of cookies. However, if cookies are used to collect personal information, there is an obligation to inform users in connection with the collection of such data, usually reflected in the privacy policy.

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Non-compliance can result in criminal, administrative, and civil penalties. The PPA can impose administrative fines (e.g., ILS 10,000 to ILS 25,000 for corporations, with daily fines for continued violations). Serious violations, such as unauthorised use or disclosure of personal data, may lead to fines or imprisonment (up to five years for willful infringement). Breaches of PPL provisions regarding databases can constitute a tort, allowing data subjects to claim damages (up to ILS 65,000, even without proving direct harm). The PPA can also suspend or cancel database registrations.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

Multinational organisations should be aware of the extraterritorial application of Israeli data protection laws, meaning they may be directly subject to the PPL even without a physical presence in Israel if they impact Israeli data subjects. They must also ensure that any data transferred out of Israel goes to a country with an adequate level of protection or that appropriate safeguards are in place. Adherence to the Data Security Regulations, including breach notification requirements, is crucial. The upcoming Amendment No. 13 (effective August 2025) will further align Israeli law with GDPR principles, including expanded definitions of personal information and processing, mandatory DPO appointments, and increased data subject rights.

 

What upcoming data protection developments should multinational organisations be aware of?

Amendment No. 13 to the Privacy Protection Law, which will take effect on August 15, 2025, is a significant development. This amendment expands key definitions of "personal information" and "data processing," mandates the appointment of a Privacy Protection Officer and Data Security Officer, broadens enforcement authority, expands data breach notice obligations, increases data subject rights, extends the statute of limitations, and introduces exemplary damages. This overhaul aims to make Israel's data protection legislation more aligned with GDPR-like standards.

 

Need more information?
Contact a member firm:
Shirley Dahan
Firon Law Firm
Israel