# Amendment 13 to the Israeli Privacy Protection Law — Practical Guide 2026

> What Amendment 13 to the Israeli Privacy Protection Law is, who must appoint a DPO, what changed since 14-Aug-2025, sanctions and personal liability, PPA guidance (consent 2/2026, DPO appointment 7/2025), and what to do now. Comprehensive guide, updated for 2026.

**Last updated:** 2026-05-17  
**Canonical:** https://dpoisrael.com/en/learn/amendment-13/  
**Locale:** en-IL

---

**Amendment 13 to the Israeli Privacy Protection Law**, 1981, is the most comprehensive privacy reform in Israel since the original statute. It entered into force on **14 August 2025** and creates new duties for every organization that processes personal data in Israel — including the obligation to appoint a Data Protection Officer (DPO), administrative monetary penalties reaching millions of shekels, and personal criminal liability for decision-makers. This guide covers what changed, who must appoint a DPO, what the Israeli Privacy Protection Authority’s guidance says, and what to do now.

![Amendment 13 readiness workspace with incident timeline, documents and evidence tracking](/generated/amendment-13-readiness.png)

## Amendment 13 — key facts

- **Knesset approval:** 7 August 2024
- **Effective date:** 14 August 2025
- **DPO grace period ended:** 31 October 2025
- **Mandatory DPO categories:** 5 statutory categories
- **Base monetary penalty:** Hundreds of thousands of ILS
- **Aggravated penalty ceiling:** Millions of ILS
- **Informed-consent guidance (final):** 25 February 2026
- **DPO-appointment guidance (draft):** 23 July 2025
- **Personal liability:** Criminal — for decision-makers
- **Enforcement body:** Israeli Privacy Protection Authority (PPA)

Source: Israeli Privacy Protection Law, 1981 (Amendment 13); Israeli Privacy Protection Authority, gov.il/en/departments/the_privacy_protection_authority

## Table of contents

1.  [What is Amendment 13?](#what)
2.  [Who must appoint a DPO?](#who)
3.  [What changed?](#changes)
4.  [Penalties & risk](#penalties)
5.  [PPA guidance](#guidelines)
6.  [What to do now](#todo)
7.  [90-day checklist](#ninety)
8.  [Sector notes](#sectors)
9.  [Common mistakes](#mistakes)

## What is Amendment 13?

Amendment 13 is the largest reform of the Israeli Privacy Protection Law, 5741-1981, since the original statute. The Knesset approved it on 7 August 2024; commencement was deferred one year to 14 August 2025 to allow organizations to prepare.

The objective: modernize Israeli privacy law for the digital era, bring it closer to the principles of the GDPR, and give the Israeli Privacy Protection Authority real enforcement teeth.

## Who must appoint a Data Protection Officer (DPO)?

The obligation applies to five categories:

1.  **Public bodies** — government ministries, local authorities, regional and local councils, health funds (kupot cholim), public hospitals, and every body listed in the schedule to the law.
2.  **Holders of personal data on behalf of public bodies** — SaaS vendors serving authorities, outsourcing providers to ministries, software suppliers to health funds, external call centers for cities.
3.  **Data brokers** — entities whose principal occupation is the collection and sale of data, holding more than 10,000 records.
4.  **Bodies performing systematic large-scale monitoring** — behavioral tracking, location data, profiling in eCommerce.
5.  **Bodies processing sensitive personal data on a large scale** — banks, insurance companies, healthcare systems, and most large organizations processing medical, financial or minors’ data.

Full breakdown and calculator: [who must appoint a DPO](/en/learn/who-needs-dpo).

## What changed? Highlights of the reform

Eight key changes you must know:

-   **DPO obligation** — did not previously exist in Israeli law; it is now mandatory for the five statutory categories.
-   **Narrowed database registration** — only data brokers and public bodies must register. Others are exempt from registration but not from the substantive duties.
-   **Purpose binding** — data collected for one purpose may not be processed for another. A meaningful change for organizations that practiced "collect now, decide later".
-   **Informed consent** — consent must be informed, explicit, and revocable. The Authority’s 2026 guidance interpreted this strictly.
-   **Administrative monetary penalties** — the Authority can impose fines from hundreds of thousands to millions of shekels, without prior court proceedings.
-   **Personal criminal liability** — a new offences chapter with personal liability for decision-makers.
-   **Expanded enforcement powers** — inspections, document production, sanctions, public naming of infringers.
-   **Reporting obligations** — significant security incidents must be reported within a short window.

## Penalties & risk

This is the section that makes CEOs sweat. Amendment 13 introduces a broad administrative enforcement regime in Israel:

-   **Base administrative penalty** — tens to hundreds of thousands of shekels, scaled to severity.
-   **Aggravated penalty** — up to millions of shekels for large organizations and systemic violations.
-   **Personal criminal liability** — in serious cases, decision-makers (CEO, controllers) are personally exposed.
-   **Publication of infringers** — the Authority publishes a list of offenders, with reputational damage.
-   **Loss of customer trust** — a public data-breach event is a direct hit to customer lifetime value (LTV) and brand.

## PPA guidance — required reading

The Israeli Privacy Protection Authority has published (and continues to publish) "gilui daat" guidance documents that clarify how it interprets the law. They drive enforcement:

-   **Informed consent** — final version published 25 February 2026.
-   **DPO appointment** — draft published 23 July 2025; final version forthcoming.
-   Additional guidance on DPIA, employee monitoring and other topics — published incrementally.

Reading the guidance is essential — it is the authoritative source on how the law will be applied.

## What to do now — by organization size

For an organization that has not yet started — first steps:

1.  **Check the obligation** — must your organization appoint a DPO? [Use the calculator](/en/tool/quiz/needs-dpo) or [read the full categories](/en/learn/who-needs-dpo).
2.  **Database mapping** — what personal-data assets exist? Who holds them? Who is the controller?
3.  **Gap analysis** — where does the organization stand against Amendment 13?
4.  **Appoint a DPO (if required)** — internal or external. [If external fits, here is the service](/en/services/dpo).
5.  **Action plan** — a detailed plan to close gaps, with timelines and budget.

## 90-day Amendment 13 checklist

The common mistake is starting with a policy document. In practice, you start with ownership, databases and risk. A useful 90-day plan looks like this:

### First week

-   Assign internal ownership: CEO, legal counsel, operations lead or a compact steering group.
-   Check whether the DPO obligation applies under the five statutory categories, not by intuition.
-   Collect the current list of systems, vendors and databases: CRM, finance, HR, website, CCTV, customer systems.

### First month

-   Run initial data mapping: data categories, purposes, permissions, vendors, retention and deletion.
-   Identify high-risk processing: medical or financial data, minors, monitoring, profiling, AI or cross-border transfers.
-   Decide whether you need an [outsourced DPO](/en/services/dpo), an internal appointment or project-based support.

### First quarter

-   Close foundation gaps: appointment letters, privacy notices, incident procedure, access controls, DPAs and critical vendors.
-   Create management reporting: what closed, what was deferred, who owns it and what risk remains open.
-   Build the annual program: training, DPIAs for sensitive projects, vendor review and document refresh.

## Where Amendment 13 hits different sectors

Amendment 13 does not look the same in every organization. The same baseline duty translates into different operational risk by sector:

-   **Local authorities and municipal corporations** — almost always mandatory DPO, with resident, welfare, education, billing and tender data. See [DPO for local authorities](/en/sectors/local-authorities).
-   **Kibbutzim and cooperative societies** — members, welfare, clinic, education, expansion residents and subsidiaries inside a sensitive community structure. See [Amendment 13 for kibbutzim](/en/sectors/kibbutzim).
-   **Public-sector vendors** — a private company can still be a data holder for a public body and inherit a higher documentation burden. See [DPO for public-sector vendors](/en/sectors/public-vendors).
-   **SaaS and startups** — Amendment 13, GDPR, SOC 2 and enterprise questionnaires collide in the same sales cycle. See [DPO for SaaS and startups](/en/sectors/saas-startups).
-   **Nonprofits, healthcare and education** — limited budget does not cancel sensitive data: donors, patients, students, volunteers and employees.

## Common mistakes I keep seeing

-   **Paper appointment** — there is a DPO name, but no authority, time, deliverables or reporting path to management.
-   **Partial mapping** — only the “big” systems are mapped while Excel, WhatsApp, CCTV, forms and smaller SaaS vendors are ignored.
-   **Weak vendor contracts** — vendors process personal data without a DPA, role definition, incident SLA or audit right.
-   **No management ownership** — everyone assumes legal, IT or an external provider is handling it. In practice no one owns the plan.

## Frequently asked questions

### When did Amendment 13 take effect?

Amendment 13 entered into force on 14 August 2025, one year after Knesset approval. The non-enforcement window for DPO appointment ended on 31 October 2025.

### Does Amendment 13 abolish database registration?

It narrows the registration obligation significantly. Only two database types must register: data brokers and public bodies. The rest are exempt from registration but not from the substantive law.

### How is Amendment 13 different from the GDPR?

Amendment 13 is much closer to the GDPR than the previous regime — similar terminology (controller, processor, data subject), similar duties (DPO, DPIA, breach reporting) and similar penalty architecture. There are differences: no full right to be forgotten, "sensitive data" definitions diverge slightly, and the Israeli Privacy Protection Authority enforces under local regulations.

### What counts as "special-sensitive" data under Amendment 13?

Medical condition, mental health, genetics, religious belief, political opinion, sexual orientation, criminal record, unique biometrics, and financial data. Processing such data on a large scale triggers the DPO obligation.

### What is a DPIA and when is it required?

A DPIA (Data Protection Impact Assessment) is required when a processing activity poses a high risk to privacy: systematic large-scale processing, ongoing monitoring, AI for automated decision-making, or processing of sensitive data at scale.

## Understanding is not enough. Doing matters.

Let’s talk about where your organization stands.

[Book an intro call](/en/contact)
