Israel's privacy authority publishes data protection officer guidance draft

The Privacy Protection Authority published comprehensive guidelines for DPO appointments, anticipating Amendment 13 implementation on August 14, 2025.

Israeli Privacy Protection Authority logo announcing new DPO guidance for Amendment 13 compliance requirements.

The Israeli Privacy Protection Authority released draft guidance on July 23, 2025, concerning Data Protection Officer (DPO) appointments across organizations required to comply with Amendment 13 to the Israeli Privacy Protection Law. The guidance enters public consultation until September 23, 2025, addressing implementation requirements that take effect August 14, 2025.

According to the authority, the obligation extends beyond the organizations initially anticipated. Any entity that processes personal data as a core business activity, or that uses derivative data products such as tracking, profiling, and risk scoring, may need to appoint a DPO, even where the initial reading of the law seemed unclear on the point.

The guidance establishes five essential requirements for organizational compliance. First, the applicability scope encompasses public entities and data brokers, and a single criterion may be enough to meet the significant-privacy-impact threshold. Second, DPOs must demonstrate qualifications, independence, and empowerment rather than mere nomination status.

Legal expertise in Israeli privacy law becomes mandatory, including familiarity with organizational industry patterns, data usage contexts, and regulatory landscapes. The authority promotes its model courses while strengthening requirements for understanding organizational data governance, risk assessments, and internal privacy processes.

Third, the role shapes privacy culture through compliance coordination and privacy-oriented awareness promotion. DPOs embed privacy by design principles into decision-making processes while leading training initiatives, risk assessments, and ongoing compliance activities. The position demands proactive and strategic approaches rather than reactive responses.

Fourth, positioning emphasizes independence and influence within organizational structures. The authority prefers internal employees over external service providers, because an internal DPO has better organizational familiarity and direct access to colleagues and resources. Flexibility allows appropriate departmental placement while emphasizing independence from conflicts of interest. Ideally, DPOs report directly to CEOs or senior executives with adequate staff support, budget allocation, and information access.

Fifth, Chief Information Security Officers cannot simultaneously serve as DPOs due to fundamental role differences. DPOs establish legal, ethical, and governance aspects of data protection including data subject rights, privacy risk evaluation, organizational policy development, and regulatory compliance. CISOs focus on technical controls and cyber risks including firewalls, intrusion detection, and encryption implementation.

The authority clarifies mandatory appointment categories under the law. Public entities including government ministries, state authorities, local governments, and other public function bodies face DPO requirements. Additionally, entities trading personal data where primary purposes involve collecting information for third-party distribution, whether commercially or freely, require appointments when databases exceed 10,000 individuals.

Organizations conducting systematic monitoring of individuals fall under obligations when core activities involve processing operations requiring systematic tracking due to nature, scope, or purposes. Examples include telecommunications providers and online search services engaged in location tracking, behavior analysis, or comprehensive profiling activities.

Entities processing special category personal data in significant volumes must appoint officers when core activities involve substantial sensitive information handling. The law explicitly mentions banks, insurance companies, hospitals, and health funds among required organizations, providing illustrative examples without limiting broader applicability.

Substantial volume processing requires case-by-case evaluation without fixed numerical thresholds. Assessment criteria include the number of individuals whose data is processed, the proportion of the population affected, data scope and quantity, diversity of processing types, operation duration and frequency, retention periods, and the geographic scope of processing.

The guidance details specific knowledge and skills requirements. DPOs need comprehensive Israeli privacy law understanding, including legislation, case law, regulations, and authority interpretations. Technical understanding of information security, organizational familiarity, and proper language proficiency support effective role execution.

Organizations must provide adequate resources and ensure DPO involvement in privacy-related decisions. Positioning requirements include senior executive reporting structures while avoiding conflict-creating additional responsibilities or inappropriate supervisory relationships.

Implementation responsibilities encompass professional expertise provision, compliance coordination, training development, oversight activities, individual request handling, and authority liaison functions. The role requires balancing organizational interests with privacy protection obligations through strategic compliance approaches.

The consultation period allows stakeholder feedback on proposed requirements before final implementation. Organizations anticipating obligations should begin preparation processes including candidate identification, resource allocation, and governance framework development.

This development reflects broader privacy accountability trends requiring organizational privacy leadership beyond minimum legal compliance. The guidance aims to establish consistent DPO standards while providing implementation flexibility for diverse organizational contexts and processing activities.

For the marketing community, these requirements significantly impact data-driven advertising operations. PPC Land previously reported on privacy challenges in modern marketing technology, emphasizing the critical need for robust data protection frameworks as artificial intelligence integration accelerates across advertising platforms.

The DPO guidance addresses growing regulatory scrutiny of marketing data practices. Recent European enforcement actions demonstrate authorities' increasing focus on comprehensive data access rights and processing transparency, trends now extending to Israeli privacy regulation.

Marketing organizations utilizing systematic monitoring, profiling, or large-scale personal data processing likely face DPO appointment requirements. This includes companies operating programmatic advertising platforms, customer data platforms, marketing automation systems, and comprehensive analytics solutions tracking user behavior across digital touchpoints.

The guidance's emphasis on technical understanding proves particularly relevant for marketing technology environments. DPOs must comprehend data lifecycle management, algorithmic decision-making processes, and cross-border transfer mechanisms that form modern advertising infrastructure foundations.

Organizations should evaluate current data processing activities against the guidance criteria. Companies engaged in behavioral targeting, lookalike audience development, attribution modeling, or personalization engines may trigger systematic monitoring requirements regardless of primary business purposes.

Privacy by design principles mandated for DPOs align with emerging marketing technology trends. Recent coverage of European blockchain guidance demonstrates authorities' expectations for technical privacy measures integrated from system design phases rather than compliance retrofitting.

The guidance's consultation period provides opportunity for marketing industry input on practical implementation challenges. Organizations should assess resource requirements, governance structure modifications, and potential operational impacts before August implementation.

Timeline

  • July 23, 2025: Israeli Privacy Protection Authority publishes draft DPO guidance for public consultation
  • August 14, 2025: Amendment 13 to Israeli Privacy Protection Law takes effect, mandating DPO appointments
  • September 23, 2025: Public consultation period closes for DPO guidance feedback
  • Previous coverage: European Data Protection Board privacy enforcement reaches €4.2 billion in fines across 6,680 actions
  • Recent developments: German courts award compensation for data protection violations, establishing precedent for individual damages

Key Terms Explained

Data Protection Officer (DPO): A designated privacy professional responsible for ensuring organizational compliance with data protection laws and serving as the primary point of contact with supervisory authorities. According to the Israeli guidance, DPOs must possess comprehensive legal expertise in privacy law, technical understanding of data processing systems, and organizational knowledge to effectively coordinate compliance activities. The role requires independence from conflicting responsibilities and direct reporting to senior executive levels to maintain strategic influence over privacy decisions.

Amendment 13: The comprehensive update to Israel's Privacy Protection Law that introduces mandatory DPO appointments and modernizes data protection requirements. This legislative change represents the most significant privacy law revision since the original 1981 enactment, bringing Israeli standards closer to international frameworks like GDPR while addressing contemporary data processing challenges in digital business environments.

Systematic monitoring: Continuous and methodical tracking of individual behavior, location, or activities that requires specialized privacy protections due to its invasive nature. The guidance defines this as processing operations that, by their nature, scope, or purposes, necessitate regular observation of data subjects, including examples like telecommunications tracking, search engine profiling, and behavioral advertising systems that create comprehensive user profiles.

Privacy Protection Authority: Israel's independent regulatory body responsible for enforcing data protection laws and providing guidance on compliance requirements. The authority develops policy interpretations, investigates violations, and issues penalties while serving as the primary interface between organizations and privacy regulation enforcement, similar to European data protection authorities in their supervisory functions.

Personal data processing: Any operation performed on information relating to identified or identifiable individuals, encompassing collection, storage, analysis, sharing, or deletion activities. Under the Israeli framework, processing includes automated decision-making, profiling, and algorithmic analysis that affects individual rights, requiring careful legal basis establishment and proportionality assessments throughout the data lifecycle.

Legal basis: The lawful foundation required for processing personal data under privacy regulations, determining whether organizations can legitimately collect and use individual information. Israeli law, like GDPR, requires explicit legal justification for data processing activities, with different bases applying to various processing purposes including consent, legitimate interests, legal obligations, or public tasks.

Special category data: Sensitive personal information requiring enhanced protection measures due to potential discrimination or harm risks, including health records, biometric identifiers, political opinions, religious beliefs, and financial information. Organizations processing substantial volumes of special category data face mandatory DPO appointment requirements under the Israeli guidance, reflecting the heightened privacy risks associated with sensitive information handling.

Organizational compliance: The systematic implementation of policies, procedures, and technical measures ensuring adherence to applicable data protection laws and regulations. Effective compliance requires ongoing risk assessment, staff training, documentation maintenance, and regular auditing to demonstrate accountability while adapting to evolving legal requirements and business circumstances.

Privacy by design: A proactive approach requiring data protection measures to be integrated into system development from initial conception rather than added retroactively. The principle mandates considering privacy implications during technology design phases, implementing technical and organizational safeguards, and ensuring default privacy-protective settings that minimize data processing to necessary purposes and legitimate interests.

Cross-border transfers: The movement of personal data between different countries or jurisdictions, requiring specific safeguards to ensure continued protection when data leaves the original regulatory framework. Israeli organizations transferring data internationally must implement appropriate measures such as adequacy decisions, standard contractual clauses, or binding corporate rules to maintain privacy protection standards equivalent to domestic requirements.

Summary

Who: The Israeli Privacy Protection Authority published guidance affecting public entities, data brokers, systematic monitoring organizations, and special category data processors required to appoint Data Protection Officers.

What: Comprehensive draft guidance establishing DPO appointment criteria, qualifications, responsibilities, and organizational positioning requirements under Amendment 13 to the Israeli Privacy Protection Law.

When: Published July 23, 2025, for consultation until September 23, 2025, with Amendment 13 taking effect August 14, 2025.

Where: Israel, affecting organizations processing personal data under Israeli jurisdiction with broader implications for multinational companies operating in Israeli markets.

Why: Amendment 13 introduces DPO requirements as accountability measures ensuring organizational privacy compliance, reflecting international privacy law trends toward proactive data protection management rather than reactive compliance approaches.