October 2022

1. Governing Texts

Data Protection in Israel is governed primarily by the Protection of Privacy Law, 5741-1981 ('the Privacy Law') and enforced by the Privacy Protection Authority ('PPA'). The Privacy Law covers collection and use of personal data and sensitive data, sets the rights and obligations of the parties collecting and using the data, including security requirements with respect thereto, and sets the rights afforded to individuals whose data is collected and used.

1.1. Key acts, regulations, directives, bills

Data protection in Israel is governed primarily by the Privacy Law and the regulations promulgated under it, the Basic Law: Human Dignity and Liberty, 5752-1992, and the guidelines of the Israeli regulator, the PPA (formerly known as the Israel Law, Information, and Technology Authority ('ILITA'))

Additional legislation includes:

• Protection of Privacy (Data Security) Regulations, 5777-2017 ('the Data Security Regulations');
• Amendment No. 40 to the Communications Law (Telecommunications and Broadcasting), 5742-1982 ('the Anti-Spam Law');
• The Administrative Offences Regulations (Administrative Fines and Protection of Privacy) 2004 (only available in Hebrew here) ('the Administrative Fine Regulations');
• Protection of Privacy Regulations (Transfer of Information to Databases Abroad), 5761-2001 ('the Transfer of Information Regulations');
• Protection of Privacy Regulations (Conditions for Possessing and Protecting Data and Procedures for Transferring Data Between Public Bodies) 1986 (only available in Hebrew here); and
• Protection of Privacy Regulations (Conditions for Inspection of Data and Procedures for Appeal on a Denial of a Request to Inspect) 1981 (only available in Hebrew here) ('the Data Inspection Regulations').

1.2. Guidelines

Although the guidelines published by the PPA do not have the status of law, they reflect the PPA's interpretation of the obligations under the existing Privacy Law and therefore should be considered. The guidelines include:

• 2/2011 Use of Outsourcing Services for Personal Data Processing (only available in Hebrew here);
• 4/2012 Use of Security and Surveillance Cameras and Databases of Recorded Images (only available in Hebrew here);
• 2/2017 Direct Mailing and Direct Mailing Services (only available in Hebrew here);
• 5/2017 Use of Surveillance Cameras at the Workplace and in the Framework of Employment (only available in Hebrew here);
• Draft Guidelines on the Transfer of Ownership in a Database (only available in Hebrew here) ('the Transfer of Ownership Draft Guidelines'), which relate to database transfers in a merger & acquisition context;
• 3/2018 Application of the Data Security Regulations to Organisations Certified Under ISO 27001 (only available in Hebrew here); and
• January 2022, Recommendation Document – Appointment of a DPO and its roles and responsibilities (only available in Hebrew here) ('the DPO Guidelines').

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The Privacy Law applies to all entities in Israel, private, business, and public, that hold or process personal information.

2.2. Territorial scope

The Privacy Law does not explicitly determine its jurisdiction, nor does it require that the data subject be a resident or citizen of Israel. From this, one may conclude that the Privacy Law's jurisdiction is as of other Israeli laws, i.e., limited to acts within Israel. It is an unsettled legal question whether the Privacy Law applies to foreign entities processing personal information of Israelis, and whether it applies to Israeli entities processing personal information of non-Israelis. However, if the restrictions on the transfer of data are breached, any subsequent use of the data outside Israel is likely to be attributed to the party in Israel who breached the transfer restrictions.

2.3. Material scope

The Privacy Law applies to and covers personal data and sensitive data. Therefore, although it is not stated clearly in the Privacy Law that it does not cover anonymous data, it is reasonably assumed that the Privacy Law does not cover anonymous data.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The PPA was founded in 2006, and is part of the Ministry of Justice.

The head of the PPA also serves as the Registrar of Databases ('the Registrar'). The PPA is responsible for the protection of all personal information held in digital databases, including through the use of administrative and criminal enforcement.

3.2. Main powers, duties and responsibilities

The PPA represents Israel in the international privacy arena and participates in the legislative process. As mentioned above, the PPA publishes guidelines that reflect the PPA's interpretation of the obligations under the Privacy Law. The PPA has administrative and criminal investigatory powers and may conduct inspections and audits on any entity subject to the Privacy Law. The PPA may also impose administrative fines, in certain circumstances, as described below.

The Registrar is required to maintain the Registry of Databases and is empowered to supervise compliance with provisions of the Privacy Law and the regulations issued thereunder. The Registrar is authorised to refuse to register a database if it has reasonable grounds to assume that:

• the database is used, or might be used, for illegal activities, or as a cover for them; or
• the data included in the database was obtained, accrued, or collected in breach of the Privacy Law or any other law.

4. Key Definitions

The Privacy Law regulates two principal matters, the general right to privacy and the protection of personal data in databases. The following terms are defined under the Privacy Law:

Data controller: The Privacy Law does not use the terms 'data controller' and 'data processor' but rather refers to 'database owner', 'database holder', and 'database manager'.

Data processor: The Privacy Law does not use the terms 'data controller' and 'data processor' but rather refers to 'database owner', 'database holder', and 'database manager'.

Personal data: Data regarding the personality, personal status, intimate affairs, state of health, economic situation, professional qualifications, opinions, and beliefs of a person.

Sensitive data: Data on the personality, intimate affairs, state of health, economic situation, opinions, and beliefs of a person, and other information if designated as such by the Minister of Justice, with the approval of a parliamentary committee (no such determination has been made to date). A comparison between the definitions of personal data and sensitive data reveals that sensitive data does not include data regarding a person's personal status and professional qualifications.

Health data: Data referring to a patient's physical or mental health, or data about their medical treatment. Not defined in the Privacy Law, but in the Patient's Rights Law, 5756-1996 (only available in Hebrew here)

Biometric data: Data used to identify a person which is a unique physiological human characteristic that can be measured by a computer.

Pseudonymisation: Not applicable.

Data security: Protection of the data from disclosure, use, or copying performed without permission, or protection of the integrity of the data, i.e., that the data in the database is identical to the source from which they were extracted, and it has not been changed, delivered, or destroyed without permission.

Database: A collection of data, stored by magnetic or optical means and intended for computer processing, except for:

• a collection of data for personal use that is not business purposes; and
• a collection of data that includes only names, addresses, and contact information of persons which in itself does not create any characterisation that breaches the privacy of such persons, provided that neither the owner of the collection nor any corporation under its control has an additional collection of data.

Note that contrary to previous interpretations of this exemption, on 28 November 2018, the PPA clarified that a collection containing only names and email addresses would not fall under the exemption and therefore will be considered as a database (only available in Hebrew here).

Database holder: A legal person who has a database in its possession on a permanent basis and is permitted to use it.

Database owner: Not defined in the Privacy Law. Some compare the role of the database owner to that of the data controller under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Although there are several similarities between the two, they are not the same, as the Privacy Law does not state generally that the database owner is primarily responsible for demonstrating compliance with the Privacy Law.

Database manager: The active manager of the legal entity which owns or possesses a database, or a legal person authorised to carry on such activities by the manager for this purpose.

Person: A natural person, as distinguished from a person for the purpose of ownership of a database, which may be a corporation. In order to differentiate the two meanings, in this Overview 'data subject' shall mean a natural person and 'legal person' shall mean a natural person or a corporation.

Data subject: Please see the definition of 'Person' above.

5. Legal Bases

5.1. Consent

A database owner who collects personal data directly from data subjects, must obtain their 'informed consent' and for that purpose inform them prior to collection: if they are under a legal duty to provide the data, the purpose of collection, and details of any third party that will receive the data and for what purpose. The circumstances of collection may require additional information to be provided in order to meet the 'informed consent' standard.

5.2. Contract with the data subject

Not applicable.

5.3. Legal obligations

No person may bear responsibility under the Privacy Law for an act which such person is empowered to do by law.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Confidentiality

A database manager, holder, or employee must not disclose any personal data except for the purpose of carrying out its duties, implementing the Privacy Law, or under a court order in connection with legal proceedings.

Storage Limitation

A database owner will review annually whether the data stored in the database exceeds what is required for the database purposes.

7. Controller and Processor Obligations

Database owner must:

• notify the Registrar and data subjects of a transfer of ownership in the database (in a merger or acquisition context or otherwise);
• comply with the security requirements set in the Data Security Regulations; and
• may be subject to administrative fines, and to civil and/or criminal liability.

Security of personal data

The Data Security Regulations set a list of requirements regarding data security. These requirements must apply to a database owner, manager, and holder. Although the Data Security Regulations do not establish what specific technical information security measures a database owner must adopt, they do mandate the adoption of a series of corporate and managerial measures, as well as technological measures, that conform to the types of information that the organisation stores and the uses that are made of the personal information. The security requirements may include, inter alia:

• drafting a database settings document (similar to a record of processing), that will include a general description of the collection and processing of data and details of any transfer of data from the database to another country;
• development and implementation of an information security policy and procedures, that will include provisions as to the physical security of the site where the infrastructure of the database is located, access authorisation to the database, and risks to which the database is vulnerable and how to resolve such risks, including by use of encryption mechanisms;
• taking reasonable measures, customary in employee sorting procedures, in order to verify that there is no concern that an employee should not be authorised to access the database;
• training and informing authorised employees of the requirements of the Privacy Law, the Data Security Regulations, and the security policy and procedures;
• limitation or absolute prevention of the possibility to connect a portable device to the systems of the database, considering the sensitivity of the data contained in the database;
• appointing an Information Security Officer ('ISO');
• documenting any security incident;
• assessing the risks involved in the engagement with a contractor and regulating certain matters in a written agreement with the contractor;
• conducting a periodical review by a competent person, other than the ISO, in order to verify compliance with the provisions of the Data Security Regulations; and
• maintaining, in a secured manner, data accumulated in the implementation of the Data Security Regulations provisions for a period of at least 24 months.

In the PPA guidelines regarding the application of the Data Security Regulations to organisations certified under ISO 27001 (only available in Hebrew here), the PPA stated that organisations certified under and complying with ISO 27001 will be considered as compliant with most of the requirements under the Data Security Regulations.

7.1. Data processing notification

Subject to certain exceptions (see below), a database owner is required to register its database to the extent that one of the following conditions are met:

• the database contains data in respect of more than 10,000 data subjects;
• the database contains sensitive data;
• the database includes data about persons, and such was not provided by them, on their behalf, or with their consent;
• the database belongs to a public entity; or
• the database is used for direct mailing services.

A database must be registered prior to managing or holding the database unless the Registrar permits performing such acts prior to registration.

The application for registration must be submitted to the Registrar and include the following information (Section 9(b) of the Privacy Law):

• the names of the owner of the database, the possessor of the database, and the manager of the database, and their addresses in Israel;
• the purposes for which the database was established and the purposes for which the information is intended;
• the kinds of information that will be included in the database;
• the particulars on the transfer of information abroad; and
• the particulars on receiving information, on a permanent basis, from a public body as defined in Section 23 of the Law, the name of the public body delivering the information and the nature of the information delivered, except for particulars that are delivered with the consent of the persons as to whom the information relates.

Registration is free of charge and can be done through the following PPA notification forms and further instructions (only available in Hebrew here).

The owner or possessor of a database shall notify the Registrar of every change in any of the particulars specified above and of the discontinuance of the operation of the database (Section 9(d) of the Privacy Law).

If one of the intended purposes of the database is direct mailing services, it is necessary to register such purpose with the Registrar in order to be able to carry out such activity (Section 17D of the Privacy Law).

In the event an application for registration has been submitted and the Registrar has not registered the database within 90 days, nor did it notify the applicant of the grounds for refusal or the reasons for the delay of registration, the applicant may lawfully manage and possess the database without it being registered (Section 10(b1) of the Privacy Law).

Where the database does not have one of the features listed above, the Registrar may still order the registration of the database for special reasons, which they will record (Section 8(e) of the Privacy Law).

Although the Privacy Law imposes the obligation to register on the database owner, the Privacy Law also prohibits managing or holding a database that is required to be registered but has not been registered. Therefore, database managers or database holders could also face liability in connection with a database that is not registered.

Databases are exempt from the registration obligation where:

• the database only contains data made public according to lawful authority; or
• the database only contains data which was made available for public inspection according to lawful authority.

7.2. Data transfers

Transfer of ownership of a database

The PPA's Transfer of Ownership Draft Guidelines presents its proposed position with respect to the duties of database owners and the rights of data subjects in situations where the ownership of a database is transferred to another legal person due to sale of the database, or of the merger or acquisition of the database owner. According to the Transfer of Ownership Draft Guidelines, such duties and rights include the following:

• the transferring database owner (the former owner) and the recipient database owner (the new owner) must notify the Registrar of such transfer of ownership;
• if the characteristics of the database recipient are different from those of the transferring database owner in a significant way that may adversely affect the rights of a data subject, then the data subject's consent must be obtained prior to the transfer of the data to the database recipient. If such data subject's consent was not obtained, the data about them should not be transferred to the database recipient and should be erased;
• if, due to the transfer of ownership in the database, the purposes of processing of, or the processing activities performed on, the data in the database must change, the data subject's consent must be obtained prior to the transfer of the data to the database recipient; and
• if, due to the transfer of ownership in the database, the purposes of processing and the processing activities do not change, generally notifying the data subjects of the transfer of ownership and contact details of the database recipient is sufficient.

Overseas transfers

The Transfer of Information Regulations state that data from a database in Israel must not be transferred to another country, except if the law of such country ensures a level of protection with respect to personal data that is no less stringent than that provided by Israeli law. On 1 July 2020, the PPA notified that its position is that the law of the European Union ensures such level of protection, and therefore transfer of personal data to countries that are or were members of the European Union is permitted, provided that those countries continue to comply with the provisions of the European Union law regarding protection of personal data.

Notwithstanding the foregoing, a database owner may transfer, or permit the transfer, of personal data to another country if:

• the data subject gave their consent to the transfer;
• the data subject's consent cannot be obtained and the transfer is necessary in order to protect the data subject's health or bodily integrity;
• the data is transferred to an entity under the control of the database owner and the database owner ensured the protection of the personal data post-transfer;
• the data is transferred to an entity that is obligated in an agreement with the database owner to hold the information in accordance with the conditions required in Israel;
• the data was made public according to lawful authority or was made available for public inspection according to lawful authority;
• the transfer of the data is imperative for the protection of public safety;
• the transfer of the data is mandatory pursuant to Israeli law; or
• the data is transferred to a country which is party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108') or receives data under similar conditions.

On 1 July 2020, the PPA clarified that personal data may continue to be transferred to the United Kingdom after its withdrawal from the European Union, since the United Kingdom is party to Convention 108. This includes transfers of data to countries who enjoy an 'adequacy' status by the European Commission, or other transfers of data to non-EU countries which comply with the data transfer requirements of the GDPR (e.g., under Standard Contractual Clauses ('SCCs')).

If data is transferred, the database owner must obtain the recipient's written obligation that it takes measures appropriate to ensure the protection of the data and that it must not transfer the data to any person, whether in the same country as the recipient or otherwise.

7.3. Data processing records

The Privacy Law requires a database owner to establish a 'database definitions document', which includes the following matters: general description of the data collection and usage activities, purposes for which the data is used, types of data contained in the database, details regarding overseas transfer of the database, activities of the database holder, main security risks and how they are dealt with, name of the database manager, holder, and ISO.

7.4. Data protection impact assessment

In certain circumstances, a database owner may be required to conduct a data security risk assessment. Such risk assessment will be conducted at least once every 18 months.

In section 1.2 of the non-binding recommended framework for PIA (only available in Hebrew here) ('the PIA Framework'), the PPA recommends undertaking a PIA prior to the use of personal information, in the following circumstances: 

• early stages of projects/activities involving collection or processing of information;
• when adopting new systems or technologies for the collection or processing of sensitive personal information, especially on a large scale.

Notably, the PIA Framework also includes an outline for template PIA/DPIAs. 

7.5. Data protection officer appointment

A database owner may be required to appoint an ISO in certain circumstances. An ISO is defined as a person with the appropriate qualifications to be in charge of information security (Section 17B of the Privacy Law).

Appointment of a data protection officer ('DPO') is not required under the Privacy Law but is recommended by the PPA as best practice to organisations collecting and processing personal data.

However, there is a requirement to appoint an ISO by an entity meeting one of the following conditions:

• entities holding five or more databases requiring registration;
• public bodies; or
• banks, insurance companies, or companies involved in ranking or evaluating credit.

Regarding security supervisors, Section 6 of the Guidelines emphasise that the role of the DPO and security supervisor is not the same due to the legal basis of protecting compliance with privacy law for the former, and the element of information security in the latter, which refers to the range of organisational and technological measures taken to prevent unauthorised use of information.

Role of ISO

The security supervisor is responsible for the information security in the databases kept in the possession of the aforementioned bodies (Article 17B(b) of the Law) and must:

• directly report to the database manager or to an active manager of the database's controller or processor, as appropriate, or to another senior official who directly reports to the database manager;
• prepare a data security procedure and have it approved by the database controller;
• prepare a plan for regular monitoring in regard to compliance with the Regulations, implement this plan and notify the database controller and the database manager of his findings; and
• not perform an additional role which may put him at risk of conflict of interest while performing his role according to these Regulations.

Requirements

The database manager must inform the Registrar as to the identity of the ISO.

Failure to nominate an ISO when required to do so may result in criminal sanctions, including administrative fines. While the ISO is to be responsible for data security, the database owner, holder, and manager nevertheless are each held individually responsible under the Privacy Law for data security as well.

The Privacy Law does not require that the ISO should be an Israeli citizen or resident. An individual convicted of an offence involving moral turpitude or an offence stipulated in the Privacy Law may not be appointed as an ISO.

The Data Security Regulations further detail the duties of the ISO and of the database owner with respect to the ISO. The ISO shall receive resources from the database owner in order to carry out its duties and shall report directly to the database manager. The ISO shall not perform other duties if such other duties may result in a conflict of interest with its duties as an ISO. The ISO shall develop a data protection procedure, and have it approved by the database owner, and shall develop an ongoing monitoring program and notify the database owner and the database manager of its results.

Role of DPO

The main role of the DPO is to be entrusted with the implementation of the laws governing the protection of personal information in the organisation and to assist the organisation in fulfilling its responsibilities and obligation under the privacy laws (Section 1 of the DPO Guidelines).

In addition, it is recommended that the DPO form part of the senior management of the organisation, particularly in the context of organisations that are large or whose core activities revolve around the processing of personal information or where information is processed on a large scale (Sections 1, 2, and 6 of the DPO Guidelines).

Section 3 of the Guidelines specifies that the scope of the DPO's role will be determined according to the complexity of the data processing operations performed in the organisation and its size the duties of the DPO. However, in general, the DPO's duties include:

• formulating the organisation's privacy policy and bring it to the approval of senior management;
• involvement throughout the data processing life cycle in order to ensure that information processing activities are performed in a manner that minimises privacy risks;
• involvement in the design of information systems and related processes to ensure, as far as possible in advance, that they are built in a way that minimises risk of harm to data subjects, as part of the principles of Privacy by Design and Privacy by Default;
• reviewing organisation policy and procedures in the field of privacy and compliance with the Law, monitoring, auditing and updating procedures where necessary;
• conducting the Data Protection Impact Assessments ('DPIAs') and follow the implementation of recommendations;
• oversee the supervision of a privacy risk survey;
• handling data subject requests and complaints;
• preparing an annual work plan to be submitted for approval to senior management;
• submitting to senior management an annual activity report, including details of complaints, any violations of the Law and steps taken to rectify these;
• reporting supervisory actions and clarifications to senior management without delay;
• correcting deficiencies discovered during inspections;
• advise the security supervisory in the organisation on matters related to the protection of privacy and compliance with the Law; and
• training and awareness of employees in matters of the protection of privacy.

Requirements

Section 5 of the DPO Guidelines continue to state that it is desirable for relevant knowledge and training of the DPO to include:

• academic or equivalent training in, inter alia, law, accounting or information technology;
• in-depth knowledge of the laws of the protection of personal information in Israel;
• adequate understanding in the field of information technologies and security in general;
• familiarity with the data protection laws in Europe and the US; and
• familiarities with the business aspect of organisation management; and
• professional ethics.

The DPO is expected to cooperate with the PPA as required and should report to the PPA if it is found that there has been a material invasion of privacy in the organisation (Section 3 of the DPO Guidelines).

Powers of the DPO

Section 4 of the DPO Guidelines outline that, in order for the DPO to be able to fulfil their responsibilities in the best possible way, care must be taken in the following areas:

• ensuring that the DPO is involved in all matters relating to the protection of personal information in the organisation; and
• ensuring that all resources and powers required to fulfil the role are available to the DPO, including access to personal information and related processes, as well as the resources required to maintain expertise in the field.

Independence of the DPO

Sections 2 and 4 of the DPO Guidelines further state that, in order for the DPO to be able to fulfil their responsibilities in the best possible way, care must be taken in the following areas regarding their independence:

• the DPO can be appointed internally or externally, particularly for small-and-medium sized enterprises. However, for internal appointments, the employee must not be subject to a conflict of interest due to another role held in the organisation;
• ensuring that the DPO has institutional and professional independence; and
• defining procedures for replacing the DPO at the end of their employment.

Regarding database managers, Section 6 of the DPO Guidelines clarify that, where an organisation voluntarily appoints a DPO, they will be also be authorised to serve as the database manager.

7.6. Data breach notification

Database owner shall document any security incident, and in certain circumstances inform the PPA of such incident.

A database owner is responsible for documenting any incident that raises concerns as to the integrity of the data or any unauthorised use of the data. If a severe security event occurs, then the database owner shall inform the PPA immediately using the online form found here, and shall report the steps that were taken following such an event. The PPA may order the database owner to inform the data subjects that may be affected by the security event.

Sectoral obligations

In addition to the general obligation to notify a security event, entities in certain sectors are subject to more specific legislation that imposes on them additional duties.

Notably, the Supervisor of the Capital Market, Insurance and Savings Authority ('the Capital Market Supervisor') of the Ministry of Finance published a circular (only available in Hebrew here) regarding cyber risk management by financial institutions (such as insurance companies and investment banks). The circular requires financial institutions to, inter alia, report to the Capital Market Supervisor and to the Board of Directors of such institution any significant cyber event that resulted in the unavailability of systems containing sensitive data for over three hours or if there is any indication that sensitive data was accessed.

In addition, the Supervisor of Banks of the Bank of Israel ('the Banks Supervisor') published Circular No. C-06-2560 Re: Supply Chain Cyber Risk Management (24 April 2018) ('the Banks Supervisor Circular'). The Banks Supervisor Circular requires banks to, inter alia, report to the Banks Supervisor any cyber event that already occurred or any warning about a possible cyber event that may occur in the future.

7.7. Data retention

A data subject may request that data about them be erased from a database. Under the Data Security Regulations, a database owner must consider, on a yearly basis, whether the personal data included in its databases exceeds what would be considered necessary for such database owner. Effectively, this requires database owners to establish data retention policies.

7.8. Children's data

The PPA in its guidelines introduced its position that in case of a minor, a data subject under 18, there is an obligation to inform and get the informed consent of the minor's parent or guardian regarding the collection and use of personal data. Collection of personal data regarding a child, a data subject under 14, must require informed consent of the parent or guardian, and collection of sensitive data regarding a minor, a data subject under 18, must require informed consent of the parent or guardian.

7.9. Special categories of personal data

A database containing sensitive data must be registered with the Registrar and a higher level of security must be implemented with respect to such database.

7.10. Controller and processor contracts

Database owners must require any of its contractors that have access to personal data, to adhere to certain requirements and must monitor their compliance with such requirements.

According to the Data Security Regulations, an owner of a database engaging a contractor for the provision of a service that requires granting such contractor access to the database, must assess, prior to the engagement, the data protection risks involved in such engagement.

Considering the aforementioned risks, the Data Security Regulations require that the following matters must be explicitly regulated in the database owner's agreement with the contractor:

• the data which the contractor will be authorised to process and the purpose of such processing;
• the type of processing which the contractor will be authorised to perform;
• the database systems which the contractor will be authorised to access;
• the term of the contractor's engagement and how the data will be returned to the database owner at the termination of such engagement;
• directions as to how the contractor, a database holder, must perform its obligations pursuant to the Data Security Regulations and other obligations imposed by the database owner;
• the contractor's duty to have its personnel sign an undertaking regarding confidentiality and adherence to the agreement between the database owner and the contractor; and
• the contractor's duty to inform the database owner of any security event and to provide a report to the database owner, at least annually, regarding its performance of all the above.

The database owner must monitor the contractor's compliance with the terms of the agreement between the database owner and the contractor and with the Data Security Regulations, in the scope and to the extent appropriate considering the risks to data protection.

8. Data Subject Rights

8.1. Right to be informed

Prior to collection of personal data from data subjects, a database owner must inform them: if they are under a legal duty to provide the data, the purpose of collection, and details of any third party that will receive the data and for what purpose. It is also recommended that the database owner will inform the data subjects of their rights with respect to the personal data collected. The right to be informed exists regardless of the legal basis for collection (consent or legal obligation), regardless of the party who initiated the contact (i.e. it exists even if the data subject approached the database owner), and regardless of the method by which the collection is made (e.g. using internet bots and AI systems).

8.2. Right to access

A database owner may either allow a data subject access to any data about him/her kept in the database or refuse to allow such access to the extent permitted by law.

A data subject may inspect any information about them that is kept in a database, whether in person, or by a representative or guardian. The database owner must enable the inspection of the information in Hebrew, Arabic, or English, as requested by the data subject.

If a database is maintained by a database holder on behalf of a database owner, then the database owner must refer a data subject asking to access the information to the database holder and instruct the database holder to allow such inspection.

Pursuant to the Data Inspection Regulations, the data subject must pay the owner or holder of the database a fee of ILS 20 (approx. €5,80) for the inspection. Inspection must be permitted within 30 days of the request, although the Registrar may extend the period by an additional 15 days.

The Data Inspection Regulations allow the database owner to provide a print-out of the requested information as the equivalent of permitting inspection of the data, but the print-out must not be removed from the premises of the database owner or holder without permission.

A database owner or holder may refuse the request for inspection of data from a database if:

• the database is of one of the types of databases the Privacy Law determines will not be subject to inspection (e.g., a database of a security authority, tax authority, the database of the Israel Prison Service, data that the disclosure of may harm Israel's security or foreign relations or is prohibited by the provisions of any legislation); or
• the database is a service bureau that processes and stores data for its customers, so long as the database owner or holder refers the data subject to the owner of the data on whose behalf the processing or storage services are performed.

The data subject must be notified if their request to inspect data is refused within 21 days of the request, although the Registrar may extend the period by an additional 15 days.

In the event the request is denied, the data subject requesting the data may file a suit in accordance with the procedures set forth in the Data Inspection Regulations.

A database owner may refrain from providing data to a data subject for their inspection if:

• the data relates to the data subject's physical or mental health, and the database owner believes that such data may endanger the life of, or cause severe harm to the data subject's physical or mental health, then the database owner must provide the data to a physician or psychologist on behalf of the data subject; or
• it will breach a legal privilege applicable to the data, as prescribed under any legislation or ruling, unless the data subject is the legal person for whose benefit the privilege is enacted.

8.3. Right to rectification

A database owner must respond to a data subject's request to rectify or erase any data about their kept in the database.

The Privacy Law provides that if a data subject inspects data about their and finds that it is inaccurate, incomplete, unclear, or not up to date, the data subject may request from the database owner or holder that such data be amended or deleted. This is, however, not an absolute right, and the database owner may refuse to accommodate such erasure request.

If the database owner agrees to the request, the amendments to the data or its erasure must be communicated to anyone who received the data from the database owner within the preceding three-year period. The data subject must be notified if their request to rectify or erase the data is refused within 30 days of the request, although the Registrar may extend the period by an additional 15 days.

A data subject may demand, in writing, from the owner of a database used for direct mailing that the information about him/her be deleted from such a database.

8.4. Right to erasure

Please see section on the Right to rectification.

8.5. Right to object/opt-out

The Privacy Law allows a data subject to object to the processing of data only by means of a civil suit based on the claim that the processing violates the data subject's right to privacy. However, there is no established concept of a general right to object processing once the personal data has been provided for processing without violation of privacy (e.g., with the consent of the data subject). As of today, it is generally understood that data subjects in Israel do not have a right to withdraw their consent for processing.

In the PPA's Transfer of Ownership Draft Guidelines (which are still subject to change), a data subject's consent to processing must be obtained prior to the transfer of the data about such data subject to the new owner of the database.

A database holder and a database manager may be subject to administrative fines, and to civil and/or criminal liability.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

The Administrative Fine Regulations authorise the Registrar to impose administrative fines of ILS 2,000 (approx. €578) on an individual for:

• using, holding, or managing an unregistered database which requires registration;
• delivering false information in a database registration application;
• failing to deliver documents or an affidavit to the Registrar, on an annual basis, by a holder of at least five databases which require registration; and
• managing or possessing a database used for direct mail services without properly tracking the sources of the information used.

Administrative fines of ILS 3,000 (approx. €867) may be imposed for:

• managing or possessing a database used for direct mail services without designation of such use in the database registration;
• managing or possessing a database used for direct mail services without properly notifying data subjects or responding to requests for removal;
• failing to deliver information or delivering false information in a notice soliciting information that will be included or used in a database;
• failing to comply with data subjects' inspection rights;
• granting access to a database to a legal person not authorised under a written agreement between the database holder and database owner; and
• failing to appoint an ISO for databases which are so required by law.

An administrative fine of ILS 5,000 (approx. €1,445) may be imposed for using information from a database for purposes differing from those for which the database was registered.

A five-fold fine for every type of breach listed above must be imposed on a corporation. For continuing breaches, one-tenth of the fine can be imposed for each day of such continuance of the breach after a warning of the breach has been served.

Those found to have committed the aforementioned types of breaches may be charged with criminal liability and subjected to a one-year term of imprisonment. These are strict liability offences, as neither criminal intent nor negligence need to be proven.

Those found to be in breach may be subjected to five years imprisonment for disclosing data obtained by virtue of their position as an employee, manager, or holder of a database, except for disclosure for the purposes of performing one's duties, compliance with the Privacy Law, or under a court order in connection with legal proceedings. Violations of general privacy obligations (i.e., not specifically related to databases), such as publishing or handing over information that was obtained through breach of certain provisions of the Privacy Law or publishing of a matter that relates to a data subject's intimate life or state of health, may entail five years imprisonment provided that such violations were conducted with malicious intent (a relatively high standard under Israeli criminal law).

A breach of privacy is actionable as a civil wrong pursuant to the Privacy Law, and a claimant may obtain monetary compensation or injunctive relief. A court may award damages amounting to ILS 50,000 (approx. €14,445) without proof of damages for breach of privacy rights, and if such breach was intentional the damages may be doubled. Such statutory damages apply only to individual claims and cannot be the basis for class-action damages. In addition to providing that a breach of privacy is actionable as a civil wrong, the Privacy Law also specifies that an act of omission in breach of certain of its provisions may give rise to a tortious claim under the Torts Ordinance 2009 (New Version). This provision was added in order to ensure that even omissions, such as a failure to ensure data security, would also be actionable as a civil wrong. As a civil wrong, in certain cases such as business-consumer relationships, violation of privacy could be actionable as a class action under the Israeli Class Action Law, 2006 (only available in Hebrew here).

No civil or criminal action may be brought for breaches that cause no substantive harm. In addition, the Privacy Law provides the following defences from liability:

• the violation of privacy was done through a protected publication under the Israeli Libel Law, 1965 (only available in Hebrew here);
• the infringing party performed the violation in good faith under one of the following circumstances:
  • it did not know and was not supposed to know about the potential violation;
  • it was committed in circumstances under which the infringer has a legal, moral, social, or professional duty to do so;
  • it was committed in order to protect a legitimate interest of the infringer;
  • it was committed in the lawful ordinary course of business of the infringer and was not publicly disclosed; or
  • it was committed through the photography or publication of photographs taken in public places in which the plaintiff appeared incidentally; or
• there was a public interest justifying the violation, and if it was performed by publication, the publication was truthful.

9.1 Enforcement decisions

Notable cases of enforcement by the PPA:

• The PPA investigated and determined that two political parties and a service provider of those parties breached the Privacy Law as a result of a security incident that caused data concerning 6.5 million Israelis eligible to vote in the elections to be publicly available online. The PPA explained that the political parties, as database owners, are responsible for compliance with the Privacy Law by the parties themselves and by their service provider, a database holder. The PPA ceased the service provider's operation until it has corrected the PPA's findings and implemented appropriate measures to protect personal data and sensitive data in its possession.
• The PPA, together with the police, investigated private investigators following complaints by data subjects regarding unauthorised access to personal data about them held by insurance companies. The private investigators obtained certain personal data about the data subjects fraudulently and then used it to impersonate the data subjects and obtain sensitive data from the insurance companies. The investigation file was transferred to the prosecution for its review and determination.
• The PPA investigated a credit card company and determined that it breached the Data Security Regulations as a result of a security incident where an employee of the company stole a smartphone to which the company's customers sent all sorts of required documents via WhatsApp. In the aftermath, the company stopped the practice of using WhatsApp to send documents. The PPA determined that the company breached the Data Security Regulations by, inter alia, not limiting physical access to the smartphone and not using a password or fingerprint to limit technical access to the smartphone.