Amendment 13, which significantly updates privacy laws in Israel, has come into effect! If you still don’t know what to do to comply with the requirements, we’ve prepared a guide to help you address the main issues (not all of them) right now!
In our guide, you’ll find simple tips you can implement in your organization. Taking these steps will help you significantly improve your compliance with Israeli privacy law requirements.
Database Definition Documents
The foundation of the Privacy Protection Law is the database definition documents, which require organizations to examine and map the data processing activities they perform and that are under their control, to document them, and to conduct an annual review of this documentation.
Database definition documents have been required since the enactment of the Data Security Regulations in 2017, but their importance now increases significantly, together with the enhanced sanctions for violators. This is primarily because the amendment reduces the obligation to register databases for most organizations (except public bodies and databases used for data trading), shifts the emphasis to internal regulatory processes, increases the accountability of database controllers (formerly database owners), and is expected to bring increased enforcement by the regulator in the field, the Privacy Protection Authority (PPA).
Therefore, organizations are expected to independently manage documentation that includes a series of data relating to the data processing activities for each database.
We estimate these documents will become one of the central enforcement focuses of the Privacy Protection Authority.
How to start?
- Identify the types of data processing activities for which the company is the data controller, and include these in the database definition documents. Do you already have a mapping of data processing activities you prepared to comply with other regulations (such as the GDPR)? Excellent! This is a solid starting point for characterizing the types of data in the database, noting the processing purposes, and identifying suppliers involved in these activities.
- Decide on the division into separate databases. Most organizations have databases for employees and candidates, customers/users and prospective customers, suppliers, cameras (if any), and more, depending on the nature of each organization’s activities and the personal data it manages.
- For each database, document the following details: type of data collected, their sources, purposes of collection and storage, entities participating in data processing (usually suppliers), if all such entities have signed confidentiality and information security agreements, data storage location and country where the data is processed (in SaaS activities, this will usually be on the company’s or supplier’s cloud servers), data deletion periods and policies, data security risks, and the measures taken to secure the data.
- Check whether the company already has registered databases and examine whether these databases still require registration after the amendment. Where registration is no longer required, you can request that it be deleted. You must also ensure you are not obligated to proactively notify the PPA about the database. If the database contains a large volume of sensitive personal data, you will need to submit your definition document to the PPA with the notification.
This might sound complicated, but after the initial mapping, it will become a routine process in your organization! Completing such documentation enhances privacy protection and awareness in your organization and improves compliance with privacy requirements in Israel and globally! The process of mapping data processing activities is also required under European legislation and is necessary to implement data security and protection processes.
Disclosure and Transparency Obligations When Collecting Personal Data
Amendment 13 expands the disclosure and transparency obligations for those collecting personal data, requiring them to detail the following to data subjects (the individuals about whom the personal data is collected):
- Is the data subject required by law to provide the personal data, or is providing it voluntary, with consent required in order to receive the service?
- What is the purpose for requesting the personal data? It’s important to detail all purposes for the personal data’s use, so the individuals providing the personal data know what to expect.
- Who controls the personal data? Usually, this refers to your company name as the controller of the database in which the personal data is collected, as well as the contact details for reaching you. If someone else (such as a supplier) collects the personal data for you, they should include your details.
- Where does the personal data go? Here you need to detail the entities that may receive the personal data and the reasons for this transfer. This usually includes key suppliers providing the service for you or with you, advertising services, business partners, and more.
- What rights are available to the data subject? Israeli law requires allowing every data subject to exercise their right to access their personal data and to correct it if it is incorrect or inaccurate. You must inform the data subject about these rights when collecting the personal data.
When should all this information be provided? Immediately upon the request for personal data. This means you cannot wait until after the personal data is already in your possession and then update retrospectively (or not at all). Moreover, you must ensure that whoever provides you with personal data has access to this information. Disclosure should be made in any type of personal data collection – agreements, websites, applications, mailing list registration, etc.
Privacy Policy – Where? For Whom?
A privacy policy is one of the ways to fulfill notice and disclosure obligations when collecting personal data, and it’s not limited just to websites!
You should present a detailed yet clear and easy-to-understand privacy policy (not just for lawyers), which also includes all the details included in the disclosure obligation. This means you need to prepare a privacy policy addressed to employees, job candidates, and, where relevant, customers and suppliers, detailing the types of personal data collected, the purposes of use, to whom the data will be transferred, and more. This of course also includes services and tools embedded in your website or application for characterization, maintenance, customization, marketing, analysis, and more (including cookies).
Already have a privacy policy?
As mentioned, Amendment 13 expands the disclosure obligations, so it’s important to review existing documents and ensure they are suitable.
Where to display the policy?
The policy should be visibly accessible in a document, agreement, website, or page where the personal data is collected, in a way that allows those providing the personal data to review it prior to submission.
What does this mean in practice?
In an agreement or any physical document, you can detail the personal data collection terms and privacy policy in the same document. On websites, the common option is to make the policy accessible at the bottom of the website page via a “cookie banner,” so users can easily access the policy and obtain the legally required information.
When collecting personal data through an online form, it’s important to ensure the privacy policy is accessible via a link near the data submission button.
Rights and Their Implementation
The Israeli Privacy Protection Law grants data subjects two main rights – the right to access personal data about them and the right to correct the personal data if found to be incorrect. Amendment 13 increases the fines that can be imposed for non-implementation of these rights. It also allows individuals to file a personal lawsuit (including class actions in certain cases) without proof of damage for compensation of up to NIS 10,000 per violation or partial implementation of their rights.
Therefore, it is important that the company’s data processing activities allow for the exercise of data subjects’ rights, both in terms of communication with applicants and serious consideration of their requests, and in terms of the ability to locate and retrieve personal data and correct it when necessary.
We recommend ensuring you are prepared to meet these requirements, as the risk due to their violation has significantly increased with Amendment 13. Specifically, we recommend:
- Allocating a dedicated channel for such requests, so that anyone who approaches the company regarding these issues will not “fall between the cracks” and can receive the required response from you, within the legal time frame.
- Formulating an internal policy on how to handle such requests, including assigning a responsible stakeholder, detailing a process to verify applicants’ identity, locating the personal data, and formulating the response to the request.
- Ensuring your information systems are built to allow you to locate the relevant personal data of a specific individual relatively easily and within a reasonable time, to enable you to respond to such requests.
Implementing these processes will significantly reduce a company’s risk and ensure data subjects can exercise their legal rights.
Where to Start?
Set an orderly work plan that addresses the main issues and appoint a responsible stakeholder to implement the plan, thus ensuring optimal readiness for compliance with the law.
We suggest focusing your efforts on human resource procedures and establishing a privacy policy for employees, identifying key suppliers you rely on in your activities, creating a policy on the placement and use of CCTV, managing marketing mailing lists, and more.
We also recommend engaging representatives from all relevant departments to ensure the best fit for the organization’s needs.
The topics addressed here do not cover all the obligations under the Privacy Protection Law and the amendment. (For more information about the amendment’s provisions, see our update.) There are additional processes that should be completed to ensure full compliance with the law. However, these specific steps are central to significantly improving the company’s compliance with the legal provisions.
Additional steps to consider include appointing a data privacy protection officer (DPO), assessing the need for board of director oversight – in those organizations required by law and based on the nature of their databases (including through the preparation of database definition documents) – and conducting a gap analysis for data security as required by the Data Security Regulations, among others.
Amendment 13 fundamentally changes privacy laws in Israel and increases enforcement possibilities. We recommend that organizations that have not yet prepared for the new requirements conduct a quick and focused process to ensure compliance with at least the core provisions of the law.