# Who Must Appoint a Data Protection Officer (DPO) under Amendment 13?

> Five categories required to appoint a DPO under Amendment 13 to the Israeli Privacy Protection Law: public bodies, holders of data on behalf of public bodies, data brokers, systematic large-scale monitoring, and large-scale processing of sensitive data. Examples, exceptions and a free calculator.

**Last updated:** 2026-05-14  
**Canonical:** https://dpoisrael.com/en/learn/who-needs-dpo/  
**Locale:** en-IL

---

Under **Amendment 13 to the Israeli Privacy Protection Law**, the obligation to appoint a **Data Protection Officer (DPO)** applies to five categories of organizations. If your organization falls into one of them, appointing a DPO is required; if not, it is recommended. Here is the full breakdown.

## Five mandatory DPO categories — quick answer

- **1. Public bodies:** Ministries, municipalities, regional councils, health funds, public hospitals
- **2. Holders:** Anyone processing data on behalf of a public body (SaaS, outsourcing)
- **3. Data brokers:** Principal occupation = data trading + over 10,000 records
- **4. Systematic monitoring:** At large scale — profiling, location tracking, AI decisioning
- **5. Large-scale sensitive data:** Medical, financial, minors, biometric, genetic, beliefs

Source: Israeli Privacy Protection Authority guidance on DPO appointment, July 2025

## Public bodies

- Government ministries
- Local authorities
- Regional and local councils
- Municipal corporations
- Health funds (kupot cholim)
- Public hospitals
- Tax Authority
- National Insurance Institute

**Note:** The full list is in the schedule to the law. A public body must appoint a DPO regardless of size.

## Holders of personal data on behalf of public bodies

- SaaS vendors serving municipalities
- Outsourcing providers to ministries
- Software suppliers to health funds
- External call centers for cities
- Tax advisors processing data for public bodies

**Note:** Even if the company is privately owned — the moment it processes data on behalf of a public body, it is in scope.

## Data brokers

- Data brokerage companies
- Direct-mail systems that sell lists
- Marketing data aggregators selling to commercial clients
- Data-driven advertising platforms

**Note:** Two conditions: principal occupation is data brokerage, and more than 10,000 records held.

## Systematic large-scale monitoring

- Profiling and advertising platforms
- Transport and location apps
- Smart-IoT companies
- Large-scale employee monitoring
- City-scale CCTV systems
- AI for automated decisions about people

**Note:** The test has two parts: the monitoring must be both systematic and large-scale. Spot-monitoring does not qualify.

## Large-scale processing of sensitive personal data

- Banks and credit companies
- Insurance companies
- Large private healthcare systems (clinic chains, labs)
- Large educational institutions
- HR systems at large organizations
- Fintech platforms

**Note:** "Special-sensitive data": health, mental, genetics, biometrics, religion, sexual orientation, criminal record, salary. "Large scale" — typically hundreds of thousands of records and up, but judgment applies.

## Not sure? Use the calculator.

5 questions, under 3 minutes, and you’ll know whether you need a DPO. No email required.

[Run the calculator](/en/tool/quiz/needs-dpo)

## Frequently asked questions

### If my organization is not in any category — do we still have to do anything?

Yes. Every organization processing personal data must comply with the core principles of the law (purpose binding, minimization, information security, data-subject rights). Exemption from the DPO obligation is not exemption from the law. Many organizations choose to appoint a DPO voluntarily as part of the accountability principle.

### How do you measure "large scale"?

The Authority considers: number of data subjects, data volume, type and sensitivity, retention duration, geographic scope, and processing frequency. There is no magic number — judgment applies.

### Can a lawyer be the DPO?

Yes, with appropriate training and no conflict of interest with other duties. The Authority is clear: a lawyer who advised the organization on a specific action cannot also be the DPO overseeing that action.

### Can the CISO also be the DPO?

Usually no. The CISO makes technical decisions that the DPO is supposed to oversee — a structural conflict. The Authority has taken a clear stance against combining the roles in any mid-sized or larger organization.

### Can we replace a DPO mid-year?

Yes. There is no minimum term. Replacement is fine — just update internal records and notify the Authority where required.
