# DPO for Local Authorities Israel | Cities, Regional Councils & Municipal Corporations

> Data Protection Officer services for Israeli local authorities: cities, regional councils, local councils, local committees, municipal corporations. Public body = automatic DPO obligation. Amendment 13 compliance, public DPO/CISO tender support, SaaS vendor management, and city CCTV oversight.

**Canonical:** https://dpoisrael.com/en/sectors/local-authorities/  
**Locale:** en-IL

---
Statutory — public body = automatic DPO

# DPO for Local Authorities  
and municipal corporations.

**Local authorities**, regional councils, local councils, local committees and municipal corporations are **public bodies** under Amendment 13 — DPO obligation applies automatically, regardless of size. Outsourced **DPO for local authority**, State Comptroller compliance, SaaS vendor management, and city CCTV oversight.

## DPO for Authority — quick facts

- **Status:** Public body — automatic DPO obligation
- **Vendor selection:** Public tender (Mandatory Tenders Law)
- **Typical retainer:** 4,000-14,000 ILS/month by size
- **Tender duration:** 36-60 months in framework tenders
- **Typical databases:** 10-30 (residents, welfare, education, health, CCTV)
- **Security level:** High (2017 Regulations)
- **Cluster option:** Available for smaller councils
- **Eligibility:** DPO course + 12-month public-sector experience

## 10 typical municipal databases

| Database | Sensitivity | Note |
| --- | --- | --- |
| Residents & voters | Basic-Medium | Name, ID, address, marital status, children, resident status |
| Property tax & collection | Medium | Properties, charges, payment plans, arrears |
| Welfare & social services | Special-sensitive | Family file, personal aid, domestic violence, children at risk |
| Municipal education | High | Schools, kindergartens, boarding schools. Data on minors, parents, assessments |
| Public health | Special-sensitive | Mother-and-child clinic, pregnancy counseling, public health monitoring |
| Planning & construction | Medium | Permits, objections, personal documents |
| City CCTV | Medium-High | Public-space cameras, license plate recognition, facial recognition |
| Municipal corporations | Varies | Water, sewage, housing — each separate database with separate DPO |
| Vendors and subcontractors | Medium | Contracts, vendor databases, procurement management |
| Municipal employees & elected officials | Medium | Employee files, salaries, pensioners, elected officials |

## Authority regulatory framework

### Amendment 13 — public body

Local authorities, regional councils, and local councils are **public bodies**. Automatic DPO obligation, regardless of size.

### 2017 Security Regulations

Authority with 100,000+ resident records = high security level. Municipalities with welfare/health databases = high security level even in small cities.

### Freedom of Information Law

Parallel regulation that integrates with privacy. DPO sometimes partners on disclosure/non-disclosure decisions regarding residents.

### Spam law and Communications Law

Resident mailing, SMS messages, WhatsApp groups — fall under dedicated communications laws.

### State Comptroller requirements

State Comptroller has audited municipalities on privacy for years. Reports specifically reference DPO obligation and information security framework.

### Public DPO tenders

Authority must select DPO via public tender (per the Mandatory Tenders Law). Not a "friend call" — a tender with eligibility criteria.

## Municipal DPO tenders — recent examples

| Tender | Date | Type | Note |
| --- | --- | --- | --- |
| Ramat Gan Municipality 21/2026 | Deadline 20.05.2026 | Pure DPO | Public tender for Data Protection Officer services |
| Ganei Tikva Municipality 2/2026 | Closed 30.04.2026 | Combined CISO+DPO | Required dedicated professional staff + collaboration |
| Arraba Municipality 32/2025 | Closed 25.12.2025 | Pure DPO | Dedicated outsourced service |
| Sharon/Negev Clusters 6/25 | Extended to 23-24.06.2025 | Cluster framework | 36 months, up to 5 winners, 4% management fee |

## Frequent questions about DPO for local authorities

### Is a small municipality required to have a DPO?

Yes. Amendment 13 does not differentiate big from small. **Every public body** must appoint a DPO. One relief: a small regional council can appoint a shared DPO with another council, or participate in a cluster framework. "Doing nothing" is not an option.

### We have a CIO / internal auditor / general counsel — can we pile the role on them?

No, due to structural conflict of interest. The Authority’s 2025 guidance explicitly disallowed such combinations in authorities. CIO makes operational decisions DPO is supposed to oversee. Internal auditor has a different role. GC handles the entire organization and cannot provide independent privacy opinion.

### How do you choose a DPO for a local authority?

Via public tender, per Mandatory Tenders Law. Typical eligibility: 12-60 months privacy consulting experience, relevant education (law / IT / accounting), an Authority-approved DPO course, public sector experience, and professional liability insurance. [See tender response support](/en/services/public-tenders).

### How much does a DPO cost for a local authority?

In tenders we see — retainer ranges 4,000-14,000 ILS + VAT per month, depending on authority size, number of municipal corporations, and scope. Students Union tender set a cap of 5,000 ILS + VAT. Afula procurement saw bids in the 1,000-7,000 ILS range.

### What about municipal corporations (water, sewage, housing)?

Each municipal corporation is a separate legal entity, usually a public body in its own right. **Requires separate DPO**, or shared DPO with the authority covered by internal agreement. Most municipal corporations we see have missed this obligation.

### What about city CCTV / license plate recognition?

Public-space CCTV is processing at scale, and recognition systems (faces / plates) are **automated decisions**. Required: [DPIA](/en/services/dpia), public signage, defined and proportionate purpose, defined retention, security controls.

### Are there special requirements for an Authority DPO?

Yes. Per Authority guidance, an Authority DPO needs: (1) Approved DPO course; (2) 12+ months privacy experience in a public body; (3) Education in law / accounting / technology; (4) Conflict-of-interest declaration; (5) Professional liability insurance.

## Mayor, CIO, Treasurer — let's talk.

30-minute call. I'll explain where the authority stands vs. Amendment 13 and first steps.

[Book a call for your authority](/en/contact)