Our firm offers expert guidance and services to help your business navigate and comply with the recent changes to the Israeli Protection of Privacy Law (Amendment 13), which was approved by the Knesset on August 5, 2024. This comprehensive amendment brings Israeli regulations in line with global privacy laws like the GDPR and imposes new obligations and stricter penalties on businesses.
Effective August 2025, the Amendment significantly expands the enforcement powers of the Israeli Privacy Protection Authority (PPA), including the ability to issue financial sanctions and statutory damages for violations related to data protection. Given the scope of these changes, compliance is crucial to mitigate the risk of substantial fines and class action suits.
Key Changes and Compliance Requirements:
- Increased Financial Penalties: The PPA can now impose fines reaching millions of NIS depending on the severity of the violation, the number of affected individuals, and other factors. For instance, failure to register or report a database could result in fines between NIS 150,000 and 300,000, failure to provide adequate privacy disclosures may lead to penalties calculated per user, and breach of the Data Security Regulations can result in fines of up to NIS 640,000.
- Statutory Damages: Courts can now award up to NIS 10,000 per violation without requiring proof of damage, increasing the risk for companies that do not comply with database management and data processing obligations.
- Broadened Definitions of Personal Data: The Amendment revises key terms, introducing “Personal Data” and “Highly Sensitive Data,” which encompass a wider range of information, such as medical records, biometric identifiers, and electronic network traffic data. Companies must adjust their data management practices accordingly, particularly with regard to cookie policies and tracking tools. In addition, a “Controller” will be an entity that determines, alone or jointly with another, the purpose and means of data processing, and a “Holder” will be a third party that processes information on its behalf (i.e., a “Processor”). The term “Processing” was added to “Use” and, in line with the GDPR, includes a broad set of operations related to personal data, including storage, disclosure, access and transfer.
- New Reporting Obligations: The Amendment significantly reduces the scope of the obligation to register databases with the PPA, but introduces a new obligation of “reporting” to the PPA for organizations that process Highly Sensitive Data on more than 100,000 individuals.
- Mandatory Appointment of a Data Protection Officer (DPO): Organizations processing large volumes of sensitive data or personal data on a “large scale”, or systematically monitoring individuals, will now be required to appoint a DPO, similar to the GDPR’s requirements. Whether processing is “Significant Scale Data Processing” under the Amendment will be determined based on the number of data subjects whose data is being processed, their proportion in a specified population, the data volume, the range of data types, the duration and frequency of processing activities, the retention period, and the geographical area of processing activities, very similar to the GDPR requirements. The requirement to appoint a DPO will also apply to data brokers and public bodies.
The DPO will be responsible for ensuring compliance with the Privacy Law and ensuring that security measures are established, and will serve as a professional authority and knowledge center. The DPO shall prepare annual plans for ongoing monitoring of compliance with the Privacy Law and applicable regulations and will be the point of contact (POC) for the PPA. The DPO must have the necessary knowledge and skills to perform its duties effectively, including an understanding of Privacy Law and regulation, and of the organization’s activities and objectives. The PPA further clarified that appointing a DPO will reduce fines, if and to the extent applicable, and emphasized that such an appointment demonstrates proactivity in reducing the risk to personal data and cooperation with regulatory authorities. Appointing a DPO will ensure privacy principles are considered in the organization, ensuring compliance with privacy laws and mitigating risks associated with personal data management. Moreover, due to the GDPR, more and more companies require service providers to have a DPO, which indicates the entity’s compliance with global privacy practices.
Our Services:
At Sibolet, we offer end-to-end services to ensure compliance with the amended Privacy Law. Our team specializes in both Israeli privacy regulations and global standards, including the GDPR and US privacy laws, including HIPAA, CCPA and other state and federal laws. Here’s how we can help:
- Data Protection Officer (DPO) Services: We provide expert DPO services, helping you establish privacy policies, manage data subject requests, and ensure your data processing activities align with legal requirements. We also prepare and maintain all necessary documentation, including Data Processing Agreements (DPAs) and data mapping forms (such as “database definition” documents as required under Israeli law and “records of processing” (ROPA) under GDPR Article 30).
- Privacy Audits and Training: We conduct privacy audits to identify areas of risk and ensure your organization is meeting its obligations. We also offer staff training to keep your team informed on privacy best practices and regulatory changes.
- Vendor Risk Assessments and Contract Reviews: We assist in reviewing and updating vendor contracts to ensure compliance with data protection regulations, including ensuring the contracts address required security standards. We further guide our clients on vendor assessments, including assessments prior to or during the engagement (such as yearly certification and report, due diligence questionnaires, etc.), as specifically required under the Israeli Data Security Regulations and the GDPR.
- Policy Updates: From drafting privacy policies, cookie consent notices and data subject request forms to reviewing internal procedures and policies to ensure they include all provisions required under the Data Security Regulations, we help you stay ahead of the requirements.
- Ongoing Compliance Monitoring: Our team provides continuous support, keeping you updated on regulatory developments.
With the looming deadline and increased enforcement powers granted to the PPA, it’s critical to assess your current data management practices, review your registration and reporting obligations, and update your privacy policies. The potential fines and risks associated with non-compliance are significant, so now is the time to act.
We invite you to contact our team to discuss how we can assist your business in implementing the necessary changes and ensuring full compliance with Amendment 13 of the Israeli Protection of Privacy Law.