Pillar Guide

Amendment 13 to the Israeli Privacy Protection Law — without the fog

Last updated: May 2026

Amendment 13 to the Israeli Privacy Protection Law, 1981, is the most comprehensive privacy reform in Israel since the original statute. It entered into force on 14 August 2025 and creates new duties for every organization that processes personal data in Israel — including the obligation to appoint a Data Protection Officer (DPO), administrative monetary penalties reaching millions of shekels, and personal criminal liability for decision-makers. This guide covers what changed, who must appoint a DPO, what the Israeli Privacy Protection Authority’s guidance says, and what to do now.

[Image: Amendment 13 readiness workspace with incident timeline, documents and evidence tracking]

What is Amendment 13?

Amendment 13 is the largest reform of the Israeli Privacy Protection Law, 5741-1981, since the original statute. The Knesset approved it on 7 August 2024; commencement was deferred one year to 14 August 2025 to allow organizations to prepare.

The objective: modernize Israeli privacy law for the digital era, bring it closer to the principles of the GDPR, and give the Israeli Privacy Protection Authority real enforcement teeth.

Who must appoint a Data Protection Officer (DPO)?

The obligation applies to five categories:

  1. Public bodies — government ministries, local authorities, regional and local councils, health funds (kupot cholim), public hospitals, and every body listed in the schedule to the law.
  2. Holders of personal data on behalf of public bodies — SaaS vendors serving authorities, outsourcing providers to ministries, software suppliers to health funds, external call centers for cities.
  3. Data brokers — entities whose principal occupation is the collection and sale of data, holding more than 10,000 records.
  4. Bodies performing systematic large-scale monitoring — behavioral tracking, location data, profiling in eCommerce.
  5. Bodies processing sensitive personal data on a large scale — banks, insurance companies, healthcare systems, and most large organizations processing medical, financial or minors’ data.

Full breakdown and calculator: who must appoint a DPO.

What changed? Highlights of the reform

Eight key changes you must know:

  • DPO obligation — did not exist in Israeli law. Now mandatory.
  • Narrowed database registration — only data brokers and public bodies must register. Others are exempt from registration but not from the substantive duties.
  • Purpose binding — data collected for one purpose may not be processed for another. A meaningful change for organizations that practiced "collect now, decide later".
  • Informed consent — consent must be informed, explicit, and revocable. The Authority’s 2026 guidance interpreted this strictly.
  • Administrative monetary penalties — the Authority can impose fines from hundreds of thousands to millions of shekels, without prior court proceedings.
  • Personal criminal liability — a new offences chapter with personal liability for decision-makers.
  • Expanded enforcement powers — inspections, document production, sanctions, public naming of infringers.
  • Reporting obligations — significant security incidents must be reported within a short window.

Penalties & risk

This is the section that makes CEOs sweat. Amendment 13 introduces a broad administrative enforcement regime in Israel:

  • Base administrative penalty — tens to hundreds of thousands of shekels, scaled to severity.
  • Aggravated penalty — up to millions of shekels for large organizations and systemic violations.
  • Personal criminal liability — in serious cases, decision-makers (CEO, controllers) are personally exposed.
  • Publication of infringers — the Authority publishes a list of offenders, with reputational damage.
  • Loss of customer trust — a public data-breach event is a direct hit to customer lifetime value (LTV) and brand.

PPA guidance — required reading

The Israeli Privacy Protection Authority has published (and continues to publish) "gilui daat" guidance documents (position papers) that clarify how it interprets the law. They drive enforcement:

  • Informed consent — final version published 25 February 2026.
  • DPO appointment — draft published 23 July 2025; final version forthcoming.
  • Additional guidance on DPIA, employee monitoring and more — incremental.

Reading the guidance is essential — it is the authoritative source on how the law will be applied.

What to do now — by organization size

For an organization that has not yet started — first steps:

  1. Check the obligation — must your organization appoint a DPO? Use the calculator or read the full categories.
  2. Database mapping — what personal-data assets exist? Who holds them? Who is the controller?
  3. Gap analysis — where does the organization stand against Amendment 13?
  4. Appoint a DPO (if required) — internal or external. If external fits, here is the service.
  5. Action plan — a detailed plan to close gaps, with timelines and budget.

90-day Amendment 13 checklist

The common mistake is starting with a policy document. In practice, you start with ownership, databases and risk. A useful 90-day plan looks like this:

First week

  • Assign internal ownership: CEO, legal counsel, operations lead or a compact steering group.
  • Check whether the DPO obligation applies under the five statutory categories, not by intuition.
  • Collect the current list of systems, vendors and databases: CRM, finance, HR, website, CCTV, customer systems.

First month

  • Run initial data mapping: data categories, purposes, permissions, vendors, retention and deletion.
  • Identify high-risk processing: medical or financial data, minors, monitoring, profiling, AI or cross-border transfers.
  • Decide whether you need an outsourced DPO, an internal appointment or project-based support.

First quarter

  • Close foundation gaps: appointment letters, privacy notices, incident procedure, access controls, DPAs and critical vendors.
  • Create management reporting: what closed, what was deferred, who owns it and what risk remains open.
  • Build the annual program: training, DPIAs for sensitive projects, vendor review and document refresh.

Where Amendment 13 hits different sectors

Amendment 13 does not look the same in every organization. The same baseline duty translates into different operational risk by sector:

  • Local authorities and municipal corporations — almost always mandatory DPO, with resident, welfare, education, billing and tender data. See DPO for local authorities.
  • Kibbutzim and cooperative societies — members, welfare, clinic, education, expansion residents and subsidiaries inside a sensitive community structure. See Amendment 13 for kibbutzim.
  • Public-sector vendors — a private company can still be a data holder for a public body and inherit a higher documentation burden. See DPO for public-sector vendors.
  • SaaS and startups — Amendment 13, GDPR, SOC 2 and enterprise questionnaires collide in the same sales cycle. See DPO for SaaS and startups.
  • Nonprofits, healthcare and education — limited budget does not cancel sensitive data: donors, patients, students, volunteers and employees.

Common mistakes I keep seeing

  • Paper appointment — there is a DPO name, but no authority, time, deliverables or reporting path to management.
  • Partial mapping — only the “big” systems are mapped while Excel, WhatsApp, CCTV, forms and smaller SaaS vendors are ignored.
  • Weak vendor contracts — vendors process personal data without a DPA, role definition, incident SLA or audit right.
  • No management ownership — everyone assumes legal, IT or an external provider is handling it. In practice no one owns the plan.

Frequently asked questions

When did Amendment 13 take effect?

Amendment 13 entered into force on 14 August 2025, one year after Knesset approval. The non-enforcement window for DPO appointment ended on 31 October 2025.

Does Amendment 13 abolish database registration?

It narrows the registration obligation significantly. Only two database types must register: data brokers and public bodies. The rest are exempt from registration but not from the substantive law.

How is Amendment 13 different from the GDPR?

Amendment 13 is much closer to the GDPR than the previous regime — similar terminology (controller, processor, data subject), similar duties (DPO, DPIA, breach reporting) and similar penalty architecture. There are differences: no full right to be forgotten, "sensitive data" definitions diverge slightly, and the Israeli Privacy Protection Authority enforces under local regulations.

What counts as "special-sensitive" data under Amendment 13?

Medical condition, mental health, genetics, religious belief, political opinion, sexual orientation, criminal record, unique biometrics, and financial data. Processing such data on a large scale triggers the DPO obligation.

What is a DPIA and when is it required?

A DPIA (Data Protection Impact Assessment) is required when a processing activity poses a high risk to privacy: systematic large-scale processing, ongoing monitoring, AI for automated decision-making, or processing of sensitive data at scale.

Understanding is not enough. Doing matters.

Let’s talk about where your organization stands.

Book an intro call