PPA Publishes Final Guidance on the DPO Appointment Obligation Under Amendment 13

16 July, 2026


On July 15, 2026, the Israeli Privacy Protection Authority (the “PPA”) published its final guidance on the obligation to appoint a Data Protection Officer (“DPO”) under Amendment 13 to the Protection of Privacy Law – 1981 (the “Law”), superseding the draft guidance issued on July 23, 2025 (on which we previously reported). The DPO appointment obligation itself has been legally enforceable since August 14, 2025. Although the PPA exercised enforcement discretion during an initial grace period — which has now passed — DPO compliance is expected to be a focus of enforcement going forward, and the final guidance sets out the PPA’s official interpretive position, which it will apply when exercising its enforcement powers, including the imposition of administrative fines for failure to appoint a DPO or otherwise comply with the related provisions. Below, we highlight the key features of the finalized position and recommend concrete steps to help ensure your organization is prepared.

Key Developments to Note

Organizations Subject to the DPO Obligation: The Law requires the appointment of a DPO by (i) “public bodies,” including government ministries, state authorities, municipalities, health funds (kupot holim), hospitals, higher education institutions, labor unions, and external entities that process personal information on their behalf; (ii) data brokers and providers of direct marketing services or credit reference agencies, where the database contains information on at least 10,000 individuals; (iii) entities whose core activities involve systematic and ongoing monitoring of individuals on a significant scale (e.g., online search providers, high-volume mobile apps or websites engaged in profiling for targeted advertising or risk management, apps collecting physical location data, wearables used for health monitoring, IoT devices, and surveillance systems); and (iv) organizations whose main business involves processing large volumes of “Data of Special Sensitivity” (e.g., health, biometric, or financial data), a category particularly relevant to banks, insurance companies, hospitals, and health funds (kupot holim).

Aggregate Assessment for Data Processors (New Clarification): In a significant clarification, the final guidance provides that where a third-party processor services multiple database controllers, its exposure to Data of Special Sensitivity is assessed in the aggregate across all controllers it services, rather than on a per-controller basis. A processor servicing 1,000 separate databases holding Data of Special Sensitivity on 100 individuals each will therefore be deemed to process such data “on a large scale” (100,000 individuals in total) and must appoint a DPO — even where no single client relationship alone would trigger the obligation.

“Large Volume” and “Core Activities” – Non-Cumulative Test: The Law does not set a fixed numerical threshold for “large volume.” Organizations must instead assess the question case-by-case, weighing factors such as the number and proportion of affected individuals, the scope and variety of data types, the frequency and duration of processing, retention periods, and the geographic reach of activities. The final guidance clarifies that these factors are non-cumulative: a sufficiently large number of affected individuals alone can trigger “large scale” processing, and, conversely, other factors may support a “large scale” finding even where the number of affected individuals is relatively small. Because the PPA declined to publish fixed thresholds, organizations should exercise prudent judgment and, where uncertainty exists, seek professional guidance.

Voluntary Appointment and Quasi-Public Bodies: Even organizations not strictly required to appoint a DPO are encouraged to do so, as voluntary appointment can enhance compliance and build trust. The PPA specifically encourages “quasi-public” bodies — entities subject to some public-law principles but not meeting the Law’s formal “public body” definition — to consider voluntary appointment as a means of satisfying administrative and constitutional law requirements relevant to privacy (e.g., reasonableness and proportionality in personal-data processing). While the final guidance emphasizes the 10% reduction in administrative fines available to organizations which appointed a DPO, we do note that the Law itself only offers such reduction to entities under a statutory obligation to appoint a DPO.

Required Qualifications: A qualifying DPO must possess in-depth practical knowledge of Israeli privacy law and relevant sector-specific regulations, demonstrated through meaningful legal or regulatory experience (prior DPO or in-house privacy counsel work). While a DPO/privacy certification course (recommended to be at least 40 hours) is advisable, certification alone is not sufficient, and familiarity with foreign privacy frameworks does not substitute for Israeli-law expertise — a point of particular importance for multinational groups seeking to designate a foreign DPO to cover an Israeli entity. The DPO must also have sufficient information-security awareness to understand the organization’s data flows and technology, strong business and regulatory insight, and effective communication and interpersonal skills. Hebrew fluency is not an explicit statutory requirement, but proficiency in the organization’s working language is practically essential. The PPA has stated that it intends to use its enforcement powers to verify that appointees genuinely hold the requisite legal/regulatory privacy expertise.

Independence, Reporting Structure and Combined Roles: The DPO must act independently, free from conflicts of interest, and cannot simultaneously hold roles that determine the purposes of processing or otherwise compromise objectivity — the guidance identifies Head of Marketing, Head of Customer Success, CFO, IT Manager (and personnel subordinate to that role) and CTO as incompatible positions. The DPO should report directly to the CEO or to another senior executive who reports to the CEO. Assessing whether an existing internal role can be combined with the DPO function is a sensitive exercise that carries real regulatory risk, and organizations should approach it with caution. On combined roles, the final guidance clarifies that pairing the DPO role with the CISO role is not prohibited per se but requires careful, documented, case-by-case analysis, noting that a CISO does not necessarily possess the in-depth legal privacy expertise required, may lack the bandwidth in larger organizations, and may not satisfy the CEO-reporting requirement. Combining the DPO role with an in-house or external legal counsel role is likewise permissible in principle, provided no conflict of interest arises; the PPA recommends organizational measures (e.g., titled correspondence or a dedicated DPO email address) to distinguish the two capacities, and references CNIL guidance holding that an external lawyer serving as DPO may not represent the organization in litigation involving personal data. Given these risks, many organizations may find it prudent to engage an external DPO rather than layer the role on top of an existing senior position within the company.

Employment Structure and Resourcing: A DPO may be an internal employee or an external service provider but must be a specifically named natural person (an external DPO may be engaged through a services company, provided the individual is designated). Regardless of structure, the organization must provide sufficient time, resources, and access to information to enable effective performance of the role. There is no citizenship or residency requirement, but the DPO must be physically available in Israel to the extent required — again, a significant point for organizations wishing to use foreign DPO services to cover Israeli activities.

Core Responsibilities: The DPO advises management and staff on privacy compliance; oversees privacy policies, procedures, and training; manages data subject requests (including inspection, correction, direct-marketing opt-out, deletion, and erasure requests under Israel’s 2023 EEA-data-transfer regulations); serves as the primary point of contact with the PPA; participates in privacy risk assessments and incident response (including active — though not personally liable — involvement in breach reporting); conducts ongoing monitoring and auditing; and confirms that the organization’s data-security procedure and Database Specifications document have been prepared and approved at the appropriate organizational level (with a more active drafting role where no separate CISO has been appointed).

Recommended Actions

  • Assess Applicability — Determine whether your organization falls within one of the four triggering categories; processors should specifically assess aggregate exposure to Data of Special Sensitivity across all clients.
  • Verify Qualifications — Confirm that the designated individual possesses in-depth practical knowledge of Israeli privacy law (not merely information-security expertise or certification), given the PPA’s stated intent to enforce this requirement.
  • Tailor the Role — Calibrate the DPO’s mandate to the organization’s size, the volume and sensitivity of the data processed, and the complexity of operations.
  • Safeguard Independence — Ensure the DPO does not hold conflicting positions; where the DPO also serves as CISO or as legal counsel, document the supporting analysis and implement organizational measures (titles, dedicated email addresses, etc.) to manage potential conflicts. Where combining roles introduces meaningful risk, consider engaging an external DPO.
  • Provide Resources and Support — Allocate sufficient time, budget, and access to information and personnel for the DPO to perform effectively; direct reporting to the CEO (or to a direct report of the CEO) should be formally established.
  • Address Reporting and Transparency Obligations — Notify the PPA of the DPO’s identity and contact information where required (e.g., when submitting a notification for a database containing Data of Special Sensitivity on more than 100,000 individuals) and publish the DPO’s contact details, for example on the organization’s website.

Arnon’s DPO Services. As many Israeli organizations move to appoint DPOs for the first time, the importance of engaging a qualified, independent DPO — with the requisite Israeli-law expertise, sufficient bandwidth, and freedom from conflicts of interest — is becoming increasingly clear. Arnon’s privacy team works closely with hi-tech, life-sciences and regulated-industry clients to implement privacy-by-design standards and is uniquely positioned to serve as external DPO for our clients, particularly multinational organizations that are required to align and balance global privacy frameworks with Israeli legal requirements. Please contact us for more information about our DPO services.


The above content is a summary provided for informational purposes only and does not constitute legal advice. It should not be relied upon without obtaining further professional legal counsel.

Want to know more?
Contact us

Shiri Menache

Head of Marketing and Business Development

Matan Bar-Nir

Press Officer, OH! PR