Data Advocacy for Israel

The laws that govern the right to privacy in Israel are the Basic Law: Human Dignity and Liberty, 5752 -1992; the Protection of Privacy Law, 5741-1981 and the regulations promulgated thereunder (the ‘PPL’) and the guidelines of the Israel Privacy Authority.

Subject to certain exceptions, database registration, is required to the extent one of the following conditions are met1:

the database contains information in respect of more than 10,000 data subjects;
the database contains sensitive information;
the database includes information on persons, and the information was not provided by them, on their behalf or with their consent;
the database belongs to a public entity; or
the database is used for direct marketing services.

Appointment of a Data Protection Officer is required by an entity meeting one of the following conditions:

a possessor of five databases that require registration;
a public body as defined in Section 23 to the PPL; or
a bank, an insurance company or a company engaging in rating or evaluating credit.

Failure to nominate a Data Protection Officer when required to do so may result in criminal sanctions, including administrative fines.  The PPL does not require that the Data Protection Officer should be an Israeli citizen or resident.

The collection, processing, or use of Personal Data is permitted subject to obtaining the informed consent of the data subjects. Such consent should adhere to purpose, proportionality, and transparency limitations. As such, consent should be obtained for specific purposes of use, the processing and use of Personal Data should be proportionate to those purposes, and data subjects should have the right to inspect and correct their personal information. The data subject’s consent must be reobtained for any change in the purpose of use.

Any request for consent from a data subject to have his or her Personal Data stored and used within a database must be accompanied by a notice indicating the following:

  • whether there is a legal requirement to provide the information;
  • the purpose for which the information is requested;
  • the recipients of the data; and
  • the purpose(s) of use of the data.

Personal Data, as defined under the PPL, means data regarding the personality, personal status, intimate affairs, state of health, economic position, vocational qualifications, opinions, and beliefs of a person.

Sensitive Data, as defined under the PPL, means data on the personality, intimate affairs, state of health, economic position, opinions, and beliefs of a person; and other information if designated as such by the Minister of Justice with the approval of the Constitution, Law and Justice Committee of the Knesset.  No such determination has been made to date.

The transfer of Personal Data abroad is subject to the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001 (“Transfer Regs”), pursuant to which Personal Data may be transferred abroad only to the extent that:

  • The laws of the country to which the data is transferred ensure a level of protection no lesser than the level of protection of data provided for by Israeli Law; or
  • One of the following conditions is met:
  • The data subject has consented to the transfer;
  • the consent of the data subject cannot be obtained, and the transfer is vital to the protection of his or her health or physical wellbeing;
  • the data is transferred to a corporation under the control of the owner of the database from which the data is transferred, provided that such corporation has guaranteed the protection of privacy after the transfer;
  • the data is transferred to an entity bound by an agreement with the database owner to comply with the conditions governing the use of the data as applicable under Israeli Laws, mutatis mutandis;
  • data was made available to the public or was opened for public inspection by legal authority;
  • transfer of data is vital to public safety or security;
  • the transfer of data is required by Israeli Law; or
  • data is transferred to a database in a country:
  • which is a party to the European Convention for the Protection of Individuals with Regard to Automatic Processing of Sensitive Data; or
  • which receives data from the Member States of the European Community under the same terms of acceptance1, or
  • In relation to which the Registrar of Databases announced, in an announcement published in the Official Gazette (Reshumot), that it has authority for the protection of privacy after reaching an arrangement for cooperation with that authority.
  • When transferring personal data abroad, the database owner is required to enter into a data transfer agreement with the data recipient, pursuant to which the recipient undertakes to apply adequate measures to ensure the privacy of the data subjects and guarantees that the data shall not be further transferred to any third party.

Additionally, the transfer of databases is subject to the IPA Draft Guidelines No. 3/2017, which under certain circumstances, such as the database recipient having a conflict of interest, might require opt-in consent of data subjects as a condition to transferring databases.

The PPL does not specifically address online privacy, cookies and/or location data, all of which are governed by the general restrictions detailed above, including the requirements imposed on processing databases and direct marketing and the consent, purpose and proportionality restrictions.

The PPL governs information “about a person”; as such, depending upon the circumstances at hand, any non-identifiable and anonymous information (which cannot be reidentified) may reasonably be interpreted as falling outside the confines of the PPL limitations.

The Israel Privacy Authority (“IPA”), was established in September 2006, as determined by Israel’s Government decision no. 4660, dated 19.01.2006.