The Privacy Protection Agency ('PPA') addressed, on 23 February 2023, via LinkedIn, the difference between a 'third party' under Regulation 15 of the Protection of Privacy Regulations (Data Security), 5777-2017 ('the Data Security Regulations'), and a 'holder' under the Protection of Privacy Law, 5741-1981 ('PPL'). In particular, the PPA outlined that the term 'third party' under Regulation 15 of the Data Security Regulations is broader than the term 'holder' under the PPL, and refers to any party that may have actual access to the database or its systems, by way of providing the service, even if access is not required for the provision of that service.

In this regard, the PPA clarified that the aforementioned access to the database does not relate only to access to the information stored in the database, but also to access to the database's systems, and that it is not necessary that access be granted permanently in order to consider the accessing party as a 'third party' for the purposes of Regulation 15 of the Data Security Regulations.

Accordingly, for the most part, the PPA stated that the external party under Regulation 15 of the Data Security Regulations will also be a 'holder' as defined in the PPL and there will be an overlap between the two functions, such as in cases where the third party is given permission to use, process, or store information. However, the PPA noted, in some cases, that the third party will not be considered the holder either, for example, in cases when the contract with the third party was made for the purpose of obtaining a service relating to the hardware systems of the database, or for the purpose of correcting a malfunction that does not involve the provision of permanent access to the database.

You can read the announcement, only available in Hebrew, here.