Data holders = DPO required

DPO for Public-Sector Vendors.

SaaS, IT, outsourcing and service center companies supplying HMOs, municipalities, government ministries, universities and municipal corporations — you are "data holders" under Amendment 13. The obligation is yours, even if the organization is private. Outsourced DPO as a Service tailored to public procurement requirements, privacy survey response, DPA signing, and audit response.

Examples

Eight vendor types needing DPO

SaaS vendor to a municipality

Resident management system, billing system, planning system. Access to tables with hundreds of thousands of residents — clear holder.

IT outsourcing to a ministry

Server operations, access management, monitoring. Even without seeing content directly — still considered a holder under Amendment 13.

External service center for a municipality

Resident inquiry handling, property tax charges, welfare inquiries. Hearing calls, viewing databases — holder.

Software vendor to HMOs

Medical records system, lab systems, billing systems. Special-sensitive data = high security level.

Tax advisors working with public bodies

Tax consulting for academic institutions, large NGOs receiving government funding, municipal corporations.

Accessibility solution vendors

Software/hardware vendors integrating into public systems, especially with data on people with disabilities.

Survey and research companies

Companies running surveys for ministries, State Comptroller, or councils. Respondent databases = holders.

Healthcare logistics vendors

Companies transporting medications, medical equipment, or samples. See patient data on shipping documents.

Requirements

8 public body compliance requirements

01. Formal DPO appointment

Direct Amendment 13 requirement. Many vendors have missed that they count as holders, and this is exactly what public procurement reviews check today.

02. Data Processing Agreement (DPA)

Public procurement requires vendors to sign DPA before engagement. We write DPAs meeting public requirements without choking the business.

03. Documented security agreements

Vendor information security specification, protection level, certifications, control overview.

04. Conflict-of-interest declaration

Declaration that no conflict exists between vendor and public body or its employees.

05. Professional liability + cyber insurance

Public body tenders usually require 1-5 million ILS policies. We also help with policy selection.

06. Incident notification

Vendor notification duty to the public body for every incident — sometimes within 24 hours, faster than standard requirements.

07. Inactive user cleanup

Specific requirement seen in several tenders: cleanup of inactive users every 4 months, documented.

08. Data return / deletion at termination

Structured process for data return / deletion at end of engagement. Deletion documentation.

Documents

7 documents every vendor must hold

Document | Detail
Data Processing Agreement (DPA) | Master contract addendum, Hebrew or Hebrew-English
Database definition document | Documentation of every public-body database we hold
Security specification | Description of technical and organizational controls
Conflict-of-interest declaration | Signed by vendor owner and relevant managers
Insurance certificate | Valid, with appropriate coverage amounts
Security incident procedure | Documented public-body notification process
Termination procedure | Data deletion / return, and execution documentation

Frequent questions from public-sector vendors

When is a vendor considered a "holder" under Amendment 13?

When processing personal data on behalf of the data controller (in this case, the public body). Includes scenarios where the vendor doesn’t see content (e.g., DBA on encrypted system) — if technical access exists, the vendor is a holder.

We are infrastructure only — we don’t touch data

Even then — if data could be accessible to you, you are a holder. Required protection level depends on holder type, but base DPO obligation remains.

Isn’t having a CISO and an in-house lawyer enough?

No. Amendment 13 requires a separate DPO role with independence, authority, and specific privacy knowledge. Even with excellent CISO and outstanding lawyer — neither fulfills the DPO duty.

How do public procurement teams check us?

In every tender and contract renewal: privacy questionnaire (30-100 questions), eligibility document requests, DPA review, and in large tenders — interviews with your DPO. We help meet every stage.

What if our existing contract has no DPA?

We recommend approaching the public body and signing a retroactive DPA addendum. Many contracts we’ve seen had no DPA, and this doesn’t necessarily mean contract termination — but it is a legal risk to close.

We work with many public bodies — DPA per each?

Two approaches: (a) your standard DPA you require every body to sign; (b) tailored DPA per body. First is more efficient but less flexible. Typically we recommend standard DPA + body-specific addendum.

Do you have sector experience?

Yes. We work with SaaS, IT, and outsourcing companies serving authorities, HMOs, and ministries. Both public tender support and vendor privacy are relevant to your situation.

How much does it cost?

Small vendor (1-5 public clients) — 5,500-9,500 ILS/month. Mid vendor (5-20 public clients) — 10,000-16,000 ILS/month. Large vendor — GRC package instead of standard DPO.

Vendors of authorities / HMOs / government — let's close the gap.

30-minute call, status check, adaptation plan for existing contracts.
