Protection of Privacy Law (PPL) 5741-1981 Israel
Overview
Israel's Protection of Privacy Law (PPL) 5741-1981, as amended by several regulations, is one of Israel's foundational data protection laws and governs the protection of personal data. It establishes data privacy requirements and responsibilities for managing and processing personal information, mandates data security, and defines obligations for data controllers and processors. The law aims to balance privacy protection with the needs of public and private entities to use personal data. It has undergone multiple amendments, such as Amendment 13 in 2024, which introduced new requirements for data controllers, added statutory damages, and clarified direct marketing regulations to address evolving digital and data security concerns.
Regulation Summary
Timeline
- Enacted: May 1981
- Protection of Privacy Regulations (Data Security) 5777-2017: Enacted May 8, 2017; effective July 1, 2017
- Amendment 13: Published and effective immediately on August 14, 2024
What Businesses Are Affected
- Organizations and individuals in Israel that collect, store, or process personal data.
- Public bodies such as government departments and institutions.
- Private entities managing databases exceeding specific thresholds or handling sensitive data.
- Entities transferring data internationally.
Exemptions
- Data processing for personal or household use.
- Activities related to national security, defense, or public safety.
Responsibilities for Businesses
- Database Registration: Register databases containing personal information of over 10,000 individuals or sensitive data with the Registrar of Databases.
- Informed Consent: Obtain explicit consent from individuals before collecting or using their data.
- Data Security: Appoint a security supervisor for significant databases and implement measures to protect data integrity and confidentiality.
- Appoint a Data Protection Officer (DPO): Required for registration receivables (e.g., data brokers and public bodies), databases engaged in monitoring (e.g., telecoms), and databases primarily processing highly sensitive data (e.g., health organizations).
- Data Sharing Restrictions: Limit data sharing to purposes explicitly permitted under the law.
- Respond to Data Subject Requests: Comply with requests for access, correction, or deletion of personal data within 30 days. Extensions may apply for complex cases.
Specific Responsibilities for Website Owners
- Provide clear and accessible notices about data collection practices.
- Inform users of their rights and how to exercise them.
- Ensure compliance with cookie and tracking regulations.
- Facilitate user requests for access, correction, or deletion of personal data.
Additional Requirements
- Data Transfers: Ensure equivalent protection standards for data transferred abroad.
- Sensitive Data: Apply heightened safeguards for sensitive personal data, including health and biometric information.
- Public Body Obligations: Record and notify the Registrar of any regular information-sharing activities.
Data Subject Rights
Individuals have the right to:
- Access their personal data held by an organization.
- Request correction or deletion of inaccurate or outdated data.
- Object to data processing in specific circumstances.
- Be informed about how their data is processed and shared.
Enforcement
- Supervisory Authority: The Registrar of Databases, under the Ministry of Justice, oversees compliance.
- Penalties: Violations can lead to fines of up to ₪50,000 (~USD 14,500), imprisonment of up to five years, or statutory damages for breaches.
- Civil Actions: Data subjects can file lawsuits for privacy violations.