How-To
DPO Appointment Letter
The DPO appointment letter is the document that formally declares a Data Protection Officer's appointment under Amendment 13. It is essential for every subsequent action: reporting to the Authority, audit documentation, Enterprise questionnaire response, and public tender response. This guide: the 8 required fields, who signs, how to publish internally, and when to notify the Authority.
Required fields
8 essential fields
Each field needs to be present, accurate, and signed. The Authority will compare your letter against the database definition document and your professional liability policy.
| Field | Detail |
|---|---|
| Organization name and legal ID | Official name, business / company / NGO registration number, legal entity type |
| DPO name and professional ID | Full name, ID number, relevant certifications (Authority-approved DPO course, attorney, etc.) |
| Appointment start date | Formal start date. Retroactive appointment is not recommended |
| Scope of authority | Explicit declaration of DPO authority under Amendment 13 — database access, management meetings, Authority representation |
| Professional independence | Statement that the DPO will not receive instructions about the content of their work, and will not be professionally harmed for opinions given |
| Direct management reporting | Explicit statement that the DPO reports directly to management — not via a middle manager |
| Official contact details | Email, phone. These are the details sent to the Authority and published internally |
| Database owner signature | Signature of CEO / chair / secretary — a senior figure in the organization |
Distribution and publication
Who is notified, how, and when
| Who | How |
|---|---|
| All organization employees | Internal email + posting on intranet/notice board. Send documentation kept. |
| Israeli Privacy Authority | DPO details transferred to the Authority as part of database registration or future filings, if required |
| Website privacy policy | Add DPO contact details to the public privacy policy |
| Data subjects (customers / members) | The right to contact the DPO must be available in the privacy policy |
| Vendors with DPA | Update DPA addenda with new DPO contact as the point of contact |
Conflict of interest
5 required declarations in the addendum
Conflict-of-interest declaration appended to the appointment letter. Recurs explicitly in public tenders and Authority requirements.
| Declaration | Detail |
|---|---|
| Other role in the organization | The DPO does not make processing decisions they are meant to oversee (CEO, CIO, GC are disqualified) |
| Family/personal ties to officers | Declaration that no family / personal relationship creates a conflict of interest |
| Roles outside the organization | Other DPO appointments — if any, whether they create a conflict with work at this client |
| Financial interests | No holdings in competitor / organization-vendor companies that could create a conflict |
| Update commitment | Commitment to update the organization immediately if conflict-of-interest status changes |
Frequent questions about the DPO appointment letter
Is a written appointment letter mandatory?
Yes. Amendment 13 requires an orderly appointment. An oral declaration will not satisfy the Authority during an audit, and will not satisfy anyone requesting DPO documentation. Recommendation — written document + signature + distribution documentation.
Who signs?
The database owner (typically CEO) or committee chair / kibbutz secretary in a municipality / kibbutz. The DPO also signs acceptance of the appointment + a separate conflict-of-interest declaration.
When do you notify the Authority?
Amendment 13 does not require automatic notice of every appointment. But on database registration with the Authority, during an audit, or during a security incident — DPO details are transferred. A 2025 Authority opinion suggested a direction of independent reporting in the future.
What if the DPO is replaced?
New appointment + new internal publication + privacy policy update + vendor update. Document the end date of the previous DPO.
Do you have a template?
Yes. We have a bilingual (Hebrew/English) appointment letter template meeting Amendment 13 + 2017 Regulations requirements. As part of DPO as a Service, the appointment letter is included in the standard cost.
Difference between an appointment letter and a "database definition document"?
Appointment letter = personal document about a person (the DPO). Database definition document = document about a specific database. Both are required, but they are different things.
Need a professional appointment letter template?
As part of DPO as a Service — the appointment letter and all related documents are included.
Service details