The Knesset’s Constitution, Law and Justice Committee is currently in the final stages of discussions on the proposed Privacy Protection Law (Amendment No. 14), 2023 (the “Amendment”). The Amendment introduces a significant update to existing data protection law in Israel, including a new requirement to appoint a Data Protection Officer (DPO).
This proposal follows the Privacy Protection Authority’s (“PPA”) previous recommendation, which suggested that the voluntary appointment of a DPO is a best practice for organizations handling personal data. The Amendment aims to formalize this recommendation into law, reflecting the increasing importance of data privacy. Additionally, appointing a DPO aligns with international standards, such as the GDPR and such appointment can therefore streamline global operations and ensure adherence to the privacy laws of various jurisdictions.
Key aspects of the Amendment in connection with the appointment of a DPO include:
1. Expanded Scope of Organizations: The requirement to appoint a DPO will apply to organizations that are primarily engaged in the processing of sensitive information on a significant scale (such as banks, insurance companies, credit institutions, medical institutions, etc.). This requirement may also apply to organizations whose primary activities involve the systematic and regular monitoring of individuals, their behavior, location, etc. (e.g., cellular providers), as well as to owners and holders of databases intended for transfer to third parties as a business practice or for consideration (i.e., data brokers).
2. Responsibilities of the DPO: The proposed duties of the DPO include, inter alia, serving as a professional authority and knowledge center on privacy matters, advising the organization’s management and staff on privacy issues, developing and overseeing the implementation of a privacy training program, establishing and maintaining a continuous compliance monitoring program, handling data subject inquiries, and acting as a point-of-contact to the PPA. These roles and responsibilities are similar to those defined by the European Union’s General Data Protection Regulation (GDPR). This alignment highlights the global movement towards rigorous data protection standards.
3. Qualifications of the DPO: The DPO must possess the necessary knowledge and skills to perform its duties effectively, including an understanding of privacy protection laws and the organization’s activities and objectives. The DPO shall report directly to the CEO or another senior executive, and may be an external appointee.
Beyond the anticipated legal requirement, appointing a DPO is crucial for embedding privacy principles into organizational processes, ensuring compliance with privacy laws, and mitigating risks associated with personal data management. Moreover, the appointment of a DPO can enhance customers’ trust in connection with the organization’s privacy practices. The PPA emphasizes that such appointment demonstrates the organization’s proactivity in reducing the risk to personal data , and in facilitating optimal cooperation with regulatory authorities.
Our firm offers comprehensive DPO services to help businesses navigate the complexities of data protection requirements and enhance their data protection strategies. Our services include, inter alia, advising and training companies on their obligations under Israeli privacy law and the GDPR, drafting and updating data processing agreements, periodically reviewing and updating internal documents related to personal data processing (such as security procedures), updating the company’s privacy policy and notices, and providing guidance to Marketing, HR and R&D teams on privacy aspects of products, services, and HR management.
For more information about our DPO services, please contact us.
This update is intended to provide general and concise information only. It does not constitute a full or complete analysis of the issues discussed, and does not constitute a legal opinion or advice and therefore, should not be relied upon.
