Overview
Amendment 13 to Israel’s Privacy Protection Law (the “Law”), which came into effect today (August 14, 2025), marks a significant and broad change to Israeli privacy law and practice. Among its reforms, the amendment introduces a mandatory requirement for many organizations to appoint a Data Protection Officer (DPO), aligning Israeli practice with leading international standards and reflecting the growing importance of privacy governance. The following update summarizes the new requirements and recommended next steps, based on the latest draft guidance from the Privacy Protection Authority (“PPA”). Please note that, because the PPA published the draft guidance shortly before Amendment 13 came into effect, it has announced that it will not enforce the obligation to appoint a DPO until October 31, 2025.
Which Organizations Must Appoint a DPO?
The Law sets out clear criteria for organizations required to appoint a DPO. The obligation applies to:
- Public Bodies: All entities considered “public bodies” under the Law, including government ministries, state authorities, municipalities and other entities performing public functions. This category also includes organizations expressly identified as public bodies under the relevant regulations, such as health funds, hospitals, higher education institutions and labor unions. The obligation further extends to external entities that process personal information on behalf of a public body.
- Data Brokers: Entities whose main business involves collecting personal data for the purpose of transferring it to others, whether for consideration or not. This category covers data brokers and providers of direct marketing services, but only if they manage databases containing information on at least 10,000 individuals.
- Entities Engaged in Systematic and Ongoing Monitoring: Organizations whose core activities involve systematic and ongoing monitoring of individuals, such as tracking behaviors, locations, or activities on a significant scale. This includes operators of online platforms, mobile apps, wearable devices, and providers of smart devices or surveillance systems.
- Organizations Processing Large Volumes of Sensitive Data: Entities whose main business includes processing large volumes of “Data of Special Sensitivity” as defined by the Law (e.g., health, biometric, or financial data). This requirement is particularly relevant for banks, insurance companies, hospitals, and health funds, but may also apply to other organizations whose core activities involve processing such data. However, the requirement does not apply where the processing of Data of Special Sensitivity is only for secondary or ancillary purposes, such as employee administration unrelated to the organization’s main objectives.
Definition of “Large Volume” and “Core Activities”
The Law does not set a fixed numerical threshold for what constitutes a “large volume” of data. Instead, organizations must assess this on a case-by-case basis, considering factors such as the number of individuals affected and their share of the relevant population, the scope and types of data processed, the frequency and duration of processing, and the geographic reach of the organization’s activities. “Core activities” are those that are central to achieving the organization’s main business or operational objectives, rather than incidental or secondary functions. The PPA has likewise not published numerical thresholds, so in many situations it remains unclear when a DPO must be appointed.
Voluntary Appointment
Even organizations not strictly required to appoint a DPO are encouraged to consider doing so. Voluntary appointments can enhance compliance, build trust, and may entitle the organization to regulatory benefits, such as reduced financial penalties in the event of privacy violations.
Required Qualifications for the DPO
- Expertise in Privacy Law – In-depth knowledge of Israeli privacy law and relevant sector-specific regulations, demonstrated through practical experience in the field. Completion of relevant training or certification programs is recommended but not mandatory.
- Information Security Awareness – Familiarity with information security practices and a clear understanding of the organization’s data flows.
- Business and Regulatory Insight – Strong grasp of the organization’s business operations and its regulatory environment.
- Communication and Collaboration – Excellent communication and interpersonal skills, with the ability to work effectively across departments and engage with senior management.
Independence and Reporting Structure
- The DPO must act independently, free from conflicts of interest, and should not hold another position in the organization that entails determining the purposes of data processing or that could otherwise compromise their objectivity. Generally speaking, the DPO cannot also hold the position of Head of Marketing, Head of Customer Success, CFO, IT Manager, or CTO.
- The DPO should report directly to the CEO or another senior executive to ensure appropriate authority and organizational influence.
Employment Structure
- The DPO may be appointed as either an internal employee or an external service provider, but the role must be filled by an individual (not a company).
- Regardless of the employment arrangement, the organization is required to provide the DPO with sufficient time, resources, and access to information to enable effective performance of their duties.
Core Responsibilities of the DPO
- Provide guidance to management and staff on privacy compliance and best practices.
- Oversee the development and implementation of privacy policies and procedures across the organization.
- Coordinate and deliver privacy training and awareness programs for employees.
- Manage and respond to data subject requests, such as those relating to access, correction, or deletion of personal data.
- Serve as the primary point of contact with the PPA.
- Participate in privacy risk assessments and incident response, including managing data breaches and security incidents.
- Conduct ongoing monitoring and auditing to ensure compliance with privacy obligations.
Recommended Next Steps
- Assess Applicability – Determine whether your organization is required to appoint a DPO under the Law.
- Tailoring the Role – Adjust the DPO’s responsibilities based on the organization’s size, the volume and sensitivity of the data processed, and the complexity of business operations.
- Resources and Support – Ensure the DPO is provided with adequate resources, support, and access to relevant information and personnel to effectively carry out their duties.
- Avoiding Conflicts of Interest – Safeguard the DPO’s independence by ensuring they do not hold other positions that could compromise their objectivity, and that they do not report to individuals responsible for decisions about data processing.
- Reporting and Transparency – Notify the Privacy Protection Authority of the DPO’s identity and contact information in specific cases, such as when registering a database containing Data of Special Sensitivity on more than 100,000 individuals. The DPO’s contact details should be published, such as on the company’s website.
This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.
The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.