🇮🇱 Israel
Information
Extracts :
Extract :
“The data subject” - the person on which the database contains
information;
Reference :
Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023
Israel Official text of 2023 Amendment
Extracts :
Extract :
The notification obligation is also not novel in Israeli data protection law. The novelty is that the notification obligation under Section 11 of the PPL applies only to the entity collecting the personal information prior to, or at the time of, collection and does not apply to a processor receiving personal information from a controller. Equally, the level of transparency in the Regulations is broader than under Section 11 of the PPL (for further information, see also: Israel: PPA's new opinion regarding disclosures and transparency). This addition will most probably be implemented primarily through imposing these requirements on the EEA transferor of the personal data, by incorporating them in its privacy notice, which in any event needs to list the third-party recipients of the data and cross-border transfer aspects. Otherwise, it is doubtful how an Israeli controller, who is not collecting the personal information directly from EEA data subjects, will be able to notify each individual EEA data subject about the processing, whereby the implementation costs may well increase the cost of service.
In addition, the Regulations add to the legal definition of 'sensitive information' under Section 7 of the PPL (which is the Israeli equivalent of the GDPR's 'special categories of data'), only for data subjects whose personal information is transferred from the EEA, information about a person's origin, and information about trade union membership.
Irrespective of the Regulations, in relation to trade union membership, there is a difference between the Israeli and the EU legal systems: in Israel, trade union membership would not be deemed as sensitive personal information unless such membership reveals opinions or beliefs of the data subject. Nevertheless, a person's origin should indeed be regarded as sensitive personal information, also for an Israeli data subject (and such proposal is included in the Protection of Privacy Bill (Amendment No. 14), 2022 (Bill No. 14) (Amendment 14) that was introduced in the former Parliament, passed initial reading, and will be heard in continuity in the current Parliament).
To put things in perspective, it should be noted that the amended definition is relevant mostly to determine if the entity collecting such types of personal information is required under the PPL to register a database (Section 8(c)(2) of the PPL).
Databases with EEA and non-EEA personal information
In compliance with the purpose of their adoption, the Regulations apply to personal information transferred to Israel from the EEA.
Nevertheless, in the hearing held on April 23, 2023, on the approval of the Regulations by the Constitution, Law and Justice Committee of the Parliament, the chairman of the committee proposed to award the same rights to Israeli personal information if such personal information is maintained in the same database as personal information originating from the EEA. This proposal was a partial attempt to overcome the numerous objections raised against the draft Regulations, claiming that they create a different regime for Israeli data subjects who will not enjoy these additional rights and therefore rendering Israeli data subjects inferior. Therefore, the final text of the Regulations was amended to apply to any kind of personal information included in a database in Israel, which covers personal information transferred from the EEA, meaning also personal information originating in Israel. Personal information of Israeli data subjects not included in a database, together with personal information originating from the EEA, will not be subject to the rights under the Regulations (although some rights can be applied through the existing purpose limitation principle and the obligation to delete excess data).
Reference :
Israel Data protection overview | DataGuidance
Information on Israel data protection
Extracts :
Extract :
1. Databases subject to medium level of security -
(1) A database whose main purpose is collecting data in order to
transfer it to a third party as part of regular professional activity,
including direct mailing services;
(2) A database whose controller is a public body as defined in Section
23 of the Law, even if the provisions of Paragraph (1) or (3) are
not complied with;
(3) A database which contains data which is one of the following:
(a) Information about a person’s intimate life, including his
conduct in the private domain;
(b) Medical information or information regarding the person’s
mental condition;
(c) Genetic information as defined in the Genetic Information
Law 5761-2000;
(d) Information about a person’s political opinions or religious
beliefs;
(e) Information about a person’s criminal records;
(f) Telecommunication data as defined in the Criminal Procedure
Law (Enforcement Powers - Telecommunication Data) 5768-2007;
(g) Biometric information;
(h) Information about a person’s assets, financial debts and
liabilities, financial situation or a change thereof, his ability to
meet financial undertakings and the extent these are met by
this person;
(i) A person’s consumption habits that may denote information
as in Items (a) to (g) or regarding a person’s personality,
beliefs or opinions.
Reference :
Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023
Israel Official text of 2023 Amendment
Extracts :
Extract :
Notification obligation
A controller is required to inform data subjects whose personal information is transferred from the EEA, as soon as possible after receiving the personal information and no later than one month thereafter, that it is processing such data subject's personal data, including all of the following:
• the controller's and the database's manager identity, addresses, and contact information;
• purposes for which the personal information was transferred;
• the type of personal information transferred; and
• the data subject's rights of deletion under the Regulations, as well as access and correction rights under Sections 13 and 14 of the PPL.
The controller must also notify such data subject, as soon as possible and no later than upon transfer of the personal information, when the latter is transferred to a third party, including the identity and contact information of the third party or the types of third parties, purposes of the transfer, types of personal information transferred, and data subject rights. The notification may be satisfied through the entity exporting the personal information from the EEA.
A controller is exempt from the notification obligation if one of the exceptions listed in the Regulations apply (as required, and in a proportionate manner under the circumstances), which include that:
• the controller has a reasonable ground to assume that the data subject is aware of the details regarding the transfer of personal information;
• the controller does not know the data subject's contact details;
• implementing the notification obligation involves an unreasonable burden on the controller;
• there is a statutory confidentiality obligation or a legal prohibition on disclosing the details under the Regulations;
• there is a statutory provision already governing disclosure of such details;
• the implementation of the notification obligation may harm the life or well-being of an individual; and
• the implementation of the notification obligation is more harmful to the rights of an individual than non-disclosure of the details under the Regulations.
Reference :
Israel Data protection overview | DataGuidance
Information on Israel data protection
Extracts :
Extract :
Obligation to delete information upon request (right to be forgotten)
The Privacy Protection Law 5741-1981 (PPL) does not award a right to be forgotten, but rather a limited right to amend or delete personal information if it is incorrect, incomplete, unclear, or outdated (Section 14(a) of the PPL). According to the Regulations, a controller will be obligated to delete or anonymize (so that the data subject could not be identified with reasonable means) personal information upon the request of a data subject whose personal information is transferred from the EEA if:
• the personal information was created, received, accumulated, or collected contrary to the provisions of any applicable law;
• the continued use of such personal information violates any applicable law; or
• the personal information is no longer needed for the original purposes.
A controller may refuse the deletion request if the personal information is used for one of the purposes listed in the Regulations (as required, and in a proportionate manner for such purpose), which include exercising freedom of speech or the public right to be informed, fulfilling a legal duty, performance of a legally authorized act, protecting a public interest including archive, scientific, or statistical research, managing a legal process or debt collection, fraud and theft prevention, prevention of other actions that may affect the accuracy or reliability of the personal information, and exercising obligations under an international agreement to which the Israeli Government is party.
Although the PPL does not include a right to be forgotten as such, the purpose limitation principle is part of the PPL (Sections 2(9) and 8(b) of the PPL). To that effect, its practical enforcement would be the deletion of personal information which is no longer needed for the original purposes. In addition, there are specific laws mandating the deletion of specific information in certain circumstances or after a certain time period (only available in Hebrew here).
Deletion of excess personal information
The controller is required to implement an organizational, technological, or another mechanism to ensure that it does not process personal information which is no longer required for the original purpose or for another legally permitted purpose, and to delete such excess information at the earliest time possible under the circumstances. The obligation does not apply if the personal information has been anonymized (so that the data subject cannot be identified with reasonable means) or if the personal information is used for one of the purposes listed above as exceptions to the right to be forgotten, excluding the case of fulfilling a legal duty or performance of a legally authorized act which does not apply here.
Reference :
Israel Data protection overview | DataGuidance
Information on Israel data protection
Extracts :
Extract :
12. A database controller will restrict or deny the option to connect
portable devices to the database systems in a manner which is compatible
with the information security level applicable to the database, the data
sensitivity, the special risks to the database systems or to the data,
stemming from connecting portable devices and with the existence of
appropriate safeguards against such risks; a database controller who enables
using data from the database on a portable device or copying the data to a
portable device will take protection measures according to the special risks
related to the use of a portable device in that database; in this regard,
employing commonly used encryption methods will be deemed taking
reasonable measures to protect the data copied to a portable device.
Reference :
Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023
Israel Official text of 2023 Amendment
Extracts :
Extract :
13. (a) A database controller will ensure that the database systems are
managed and operated properly, as commonly acceptable in the operation
of such systems.
Reference :
Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023
Israel Official text of 2023 Amendment
Extracts :
Extract :
(d) In case of a severe security incident -
(1) The database controller will immediately notify the Registrar
and report to the Registrar on the measures he took following the incident;
(2) The Registrar may order a database controller, except a
controller of the databases listed in Section 13(e) of the Law, and
after consulting with the head of the National Cyber Defense
Authority, to give a notice of the security incident to a data
subject who may suffer damage as a result of the incident.
Reference :
Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023
Israel Official text of 2023 Amendment
Extracts :
Extract :
(a) A database controller will prescribe a written data security
procedure (“the Procedure”) according to the database definitions document
and these Regulations. The Procedure will be binding upon each one of the
authorized users depending on the parts of the Procedure that are disclosed
to him in accordance with Sub-Regulation (b).
(b) A database controller will retain the Procedure in such a manner
that details from the Procedure will be disclosed to authorized users only to
the extent required for performing their role.
(c) The Procedure will include, inter alia, the following:
(1) Instructions concerning physical protection of the database
sites and their surroundings as per Regulation 6;
(2) Access authorizations to the database as well as to database
systems pursuant to Regulation 8;
(3) Description of the means intended to protect the database
systems and the manner of their operation for this purpose;
(4) Instructions to authorized users of the database and database
systems regarding the protection of data stored in the database;
(5) The risks to which the data in the database is exposed in the
course of the database controller's ongoing activities, including
those originating from the database systems structure as detailed
in Regulation 5(a), the manner in which these risks are identified
and dealt with, including by commonly used encryption
mechanisms to protect the data stored in the database or in the
database systems;
Reference :
Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023
Israel Official text of 2023 Amendment
Extracts :
Extract :
A controller is required to inform data subjects whose personal information is transferred from the EEA, as soon as possible after receiving the personal information and no later than one month thereafter, that it is processing such data subject's personal data, including all of the following:
⢠the controller's and the database's manager identity, addresses, and contact information;
⢠purposes for which the personal information was transferred;
⢠the type of personal information transferred; and
⢠the data subject's rights of deletion under the Regulations, as well as access and correction rights under Sections 13 and 14 of the PPL.
The controller must also notify such data subject, as soon as possible and no later than upon transfer of the personal information, when the latter is transferred to a third party, including the identity and contact information of the third party or the types of third parties, purposes of the transfer, types of personal information transferred, and data subject rights. The notification may be satisfied through the entity exporting the personal information from the EEA.
A controller is exempt from the notification obligation if one of the exceptions listed in the Regulations apply (as required, and in a proportionate manner under the circumstances), which include that:
⢠the controller has a reasonable ground to assume that the data subject is aware of the details regarding the transfer of personal information; ⢠the controller does not know the data subject's contact details;
⢠implementing the notification obligation involves an unreasonable burden on the controller;
⢠there is a statutory confidentiality obligation or a legal prohibition on disclosing the details under the Regulations;
⢠there is a statutory provision already governing disclosure of such details;
⢠the implementation of the notification obligation may harm the life or well-being of an individual; and
⢠the implementation of the notification obligation is more harmful to the rights of an individual than non-disclosure of the details under the Regulations.
Reference :
Israel Data protection overview | DataGuidance
Information on Israel data protection
Extracts :
Extract :
A controller is required to inform data subjects whose personal information is transferred from the EEA, as soon as possible after receiving the personal information and no later than one month thereafter, that it is processing such data subject's personal data, including all of the following:
⢠the controller's and the database's manager identity, addresses, and contact information;
⢠purposes for which the personal information was transferred;
⢠the type of personal information transferred; and
⢠the data subject's rights of deletion under the Regulations, as well as access and correction rights under Sections 13 and 14 of the PPL.
The controller must also notify such data subject, as soon as possible and no later than upon transfer of the personal information, when the latter is transferred to a third party, including the identity and contact information of the third party or the types of third parties, purposes of the transfer, types of personal information transferred, and data subject rights. The notification may be satisfied through the entity exporting the personal information from the EEA.
A controller is exempt from the notification obligation if one of the exceptions listed in the Regulations apply (as required, and in a proportionate manner under the circumstances), which include that:
⢠the controller has a reasonable ground to assume that the data subject is aware of the details regarding the transfer of personal information; ⢠the controller does not know the data subject's contact details;
⢠implementing the notification obligation involves an unreasonable burden on the controller;
⢠there is a statutory confidentiality obligation or a legal prohibition on disclosing the details under the Regulations;
⢠there is a statutory provision already governing disclosure of such details;
⢠the implementation of the notification obligation may harm the life or well-being of an individual; and
⢠the implementation of the notification obligation is more harmful to the rights of an individual than non-disclosure of the details under the Regulations.
Reference :
Israel Data protection overview | DataGuidance
Information on Israel data protection
Extracts :
Extract :
Obligation to delete information upon request (right to be forgotten)
The Privacy Protection Law 5741-1981 (PPL) does not award a right to be forgotten, but rather a limited right to amend or delete personal information if it is incorrect, incomplete, unclear, or outdated (Section 14(a) of the PPL). According to the Regulations, a controller will be obligated to delete or anonymize (so that the data subject could not be identified with reasonable means) personal information upon the request of a data subject whose personal information is transferred from the EEA if:
• the personal information was created, received, accumulated, or collected contrary to the provisions of any applicable law;
• the continued use of such personal information violates any applicable law; or
• the personal information is no longer needed for the original purposes.
A controller may refuse the deletion request if the personal information is used for one of the purposes listed in the Regulations (as required, and in a proportionate manner for such purpose), which include exercising freedom of speech or the public right to be informed, fulfilling a legal duty, performance of a legally authorized act, protecting a public interest including archive, scientific, or statistical research, managing a legal process or debt collection, fraud and theft prevention, prevention of other actions that may affect the accuracy or reliability of the personal information, and exercising obligations under an international agreement to which the Israeli Government is party.
Although the PPL does not include a right to be forgotten as such, the purpose limitation principle is part of the PPL (Sections 2(9) and 8(b) of the PPL). To that effect, its practical enforcement would be the deletion of personal information which is no longer needed for the original purposes. In addition, there are specific laws mandating the deletion of specific information in certain circumstances or after a certain time period (only available in Hebrew here).
Reference :
Israel Data protection overview | DataGuidance
Information on Israel data protection
Extracts :
Extract :
3. Where there is a duty to appoint a data security officer, or where a
data security officer of the database has been appointed, the following
provisions shall apply:
(1) A data security officer will directly report to the database manager
or to an active manager of the database's controller or processor, as
appropriate, or to another senior official who directly reports to the
database manager;
(2) The data security officer will prepare a data security procedure
and have it approved by the database controller;
(3) The data security officer will prepare a plan for regular
monitoring in regard to compliance with these Regulations,
implement this plan and notify the database controller and the
database manager of his findings;
(4) The data security officer will not perform an additional role which
may put him at risk of conflict of interest while performing his role
according to these Regulations;
(5) Where a database controller assigns the data security officer tasks
that are additional to the duties listed in Paragraphs (2) and (3) for the
purpose of implementing these Regulations, they will be clearly
defined;
Reference :
Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023
Israel Official text of 2023 Amendment
Extracts :
Extract :
3. Where there is a duty to appoint a data security officer, or where a
data security officer of the database has been appointed, the following
provisions shall apply:
(1) A data security officer will directly report to the database manager
or to an active manager of the database's controller or processor, as
appropriate, or to another senior official who directly reports to the
database manager;
(2) The data security officer will prepare a data security procedure
and have it approved by the database controller;
(3) The data security officer will prepare a plan for regular
monitoring in regard to compliance with these Regulations,
implement this plan and notify the database controller and the
database manager of his findings;
(4) The data security officer will not perform an additional role which
may put him at risk of conflict of interest while performing his role
according to these Regulations;
(5) Where a database controller assigns the data security officer tasks
that are additional to the duties listed in Paragraphs (2) and (3) for the
purpose of implementing these Regulations, they will be clearly
defined;
(6) A database controller will allocate to the data security officer the
necessary resources for carrying out his role.
4. (a) A database controller will prescribe a written data security
procedure (“the Procedure”) according to the database definitions document
and these Regulations. The Procedure will be binding upon each one of the
authorized users depending on the parts of the Procedure that are disclosed
to him in accordance with Sub-Regulation (b).
Reference :
Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023
Israel Official text of 2023 Amendment
Extracts :
Extract :
2. (a) A database controller will specify in the database definitions
document (the “database definitions document”) at least the following
matters:
(1) A general description of the data collection and usage
activities;
(2) A description of the purposes for which the data is used;
(3) The types of data contained in the database, in accordance
with the list of data types in Item 1(3) of the First Schedule;
(4) Details regarding the transfer of the database or substantial
parts thereof outside the State borders or the use of the data
outside the State borders, the purpose of transfer, country of
destination, manner of transfer and the identity of the transferee;
(5) Data processing activities by a processor;
(6) The main risks concerning a breach of information security
and the manner in which they are dealt with;
(7) The name of the database manager, the database processor and
the data security officer, if appointed.
(b) The database controller will update the database definitions
document whenever a significant change has been made to the matters
detailed in Sub-Regulation (a) and will annually assess, by 31 December of
each year, the need for such an update due to technological changes within
the organization or security incidents as per Regulation 11.
(c) The database controller will review annually whether the data
stored in the database exceeds what is required for the database purposes.
Reference :
Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023
Israel Official text of 2023 Amendment
Extracts :
Extract :
17. (a) A database controller will retain the data collected when
implementing the provisions of Regulation 6(b), 8 to 11, 14, 15(a)(4) and
16, to the extent these Regulations apply to him, in a secure manner for 24
months.
Reference :
Privacy Protection Regulations (Instructions for Data that was Transferred to Israel from the European Economic Area), 5783-2023
Israel Official text of 2023 Amendment