Mandatory Categories

Who must appoint a Data Protection Officer (DPO)?

Last updated: May 2026

Under Amendment 13 to the Israeli Privacy Protection Law, the obligation to appoint a Data Protection Officer (DPO) applies to five categories of organizations. If your organization falls into one of them, appointing a DPO is required. If it does not, appointing one is recommended. Here is the full breakdown.

01

Public bodies

Examples
Government ministries
Local authorities
Regional and local councils
Municipal corporations
Health funds (kupot cholim)
Public hospitals
Tax Authority
National Insurance Institute

Note: The full list is in the schedule to the law. A public body must appoint a DPO regardless of size.

02

Holders of personal data on behalf of public bodies

Examples
SaaS vendors serving municipalities
Outsourcing providers to ministries
Software suppliers to health funds
External call centers for cities
Tax advisors processing data for public bodies

Note: Even if the company is privately owned — the moment it processes data on behalf of a public body, it is in scope.

03

Data brokers

Examples
Data brokerage companies
Direct-mail systems that sell lists
Marketing data aggregators selling to commercial clients
Data-driven advertising platforms

Note: Two conditions: principal occupation is data brokerage, and more than 10,000 records held.

04

Systematic large-scale monitoring

Examples
Profiling and advertising platforms
Transport and location apps
Smart-IoT companies
Large-scale employee monitoring
City-scale CCTV systems
AI for automated decisions about people

Note: Test: systematic + large scale. Spot-monitoring does not qualify.

05

Large-scale processing of sensitive personal data

Examples
Banks and credit companies
Insurance companies
Large private healthcare systems (clinic chains, labs)
Large educational institutions
HR systems at large organizations
Fintech platforms

Note: "Special-sensitive data": health, mental, genetics, biometrics, religion, sexual orientation, criminal record, salary. "Large scale" — typically hundreds of thousands of records and up, but judgment applies.

Not sure? Use the calculator.

5 questions, under 3 minutes, and you’ll know whether you need a DPO. No email required.


Frequently asked questions

If my organization is not in any category — do we still have to do anything?

Yes. Every organization processing personal data must comply with the core principles of the law (purpose binding, minimization, information security, data-subject rights). Exemption from the DPO obligation is not exemption from the law. Many organizations choose to appoint a DPO voluntarily as part of the accountability principle.

How do you measure "large scale"?

The Authority considers: number of data subjects, data volume, type and sensitivity, retention duration, geographic scope, and processing frequency. There is no magic number — judgment applies.

Can a lawyer be the DPO?

Yes, with appropriate training and no conflict of interest with other duties. The Authority is clear: a lawyer who advised the organization on a specific action cannot also be the DPO overseeing that action.

Can the CISO also be the DPO?

Usually no. The CISO makes technical decisions that the DPO is supposed to oversee — a structural conflict. The Authority has taken a clear stance against combining the roles in any mid-sized or larger organization.

Can we replace a DPO mid-year?

Yes. There is no minimum term. Replacement is fine — just update internal records and notify the Authority where required.