If your business stores the information of customers, employees or users in any way, even generic and fairly simple information such as a list of emails or users on the site, then as of August, 2025, Amendment 13 to the Israeli Privacy Protection Law does reduce the requirement to register a database, but it also requires compliance with rules that tighten the requirements regarding data protection and privacy protection, requires the appointment of a proper privacy protection officer and imposes fines in case of violations.
The amendment emphasizes, first and foremost, the need to maintain two fundamental principles: adherence to purpose limitation and an increased duty of disclosure. The holder of private information is required to inform the data owner and obtain their informed consent to the collection and use of the information, while disclosing the purpose for which the information was collected and the uses made of it. In addition, the principle of purpose limitation requires that, once the data owners have consented to the collection, the information will not be used other than for the purpose for which it was collected in the first place, except with the explicit permission of the data owner.
The amendment also significantly expands the powers of the Israel Privacy Protection Authority, such as the authority to conduct investigations and administrative proceedings and to conduct proactive audits. It grants the Court the authority to impose fines (which do not require actual damage) on violators in the amount of up to ILS 10,000, for example, in cases where the principle of purpose limitation has been violated, the right to review information has not been exercised, or information has not been deleted following a person's request. In addition, the amendment includes a long list of fines for various violations, ranging from ILS 15,000 for violating a material right of a data subject (for example, an organization that refused to allow the data owner to review information about them) to ILS 320,000 for information security violations in a database that is required to meet a high level of information security. Personal fines have also been added and may be imposed on office holders in amounts of up to ILS 150,000, as the case may be.
The amendment abolished the overbroad requirement to register a database and established new rules. Thus, for example, public entities or entities with a database of more than 10,000 people whose main purpose is to collect personal information for the purpose of transferring it to a third party as a way of doing business or in exchange for consideration are still required to register the database, while others are only required to notify the Privacy Authority of the existence of the database and provide the contact details of the organization's Privacy Protection Officer.
Alongside the easing of the requirements for registering the database, a requirement was added, similar to European legislation, to appoint a privacy protection officer in organizations. This requirement was significantly expanded and applies to any organization that processes private information to a significant extent. There are also requirements regarding the identity of the officer, who is required to have in-depth knowledge of privacy protection laws, familiarity with the organization's activities and an understanding of the required information security technologies, and to have no conflict of interest with any other position in the organization.
In light of the above, it is vital to be accompanied by a law firm with technological, corporate and commercial knowledge, and familiarity with privacy protection laws. Such a firm, like Afik & Co., may also be able to provide the services of an external privacy protection officer, helping to avoid fines and unnecessary administrative procedures, as well as personal liability of managers and officers.