# DPO for Public-Sector Vendors Israel | SaaS, IT & Outsourcing for Authorities

> DPO services for vendors of public bodies in Israel: SaaS, IT, outsourcing, and service centers serving HMOs, municipalities, government ministries, universities and other public bodies. You are a "data holder" under Amendment 13 — and must have a DPO even if privately owned. Help meeting public procurement requirements.

**Canonical:** https://dpoisrael.com/en/sectors/public-vendors/  
**Locale:** en-IL

---
Data holders = DPO required

# DPO for Public-Sector Vendors

**SaaS, IT, outsourcing** and service center companies supplying HMOs, municipalities, government ministries, universities and municipal corporations — you are **"data holders"** under **Amendment 13**. The obligation is yours, even if the organization is private. Outsourced DPO as a Service tailored to public procurement requirements, privacy survey response, DPA signing, and audit response.

## Public Vendor — what to know

- **Status:** Data holder — DPO required under Amendment 13
- **Procurement requirements:** DPA, security spec, insurance, declarations
- **Incident notification:** Sometimes within 24 hours to public body
- **Typical insurance:** 1-5 million ILS professional + cyber
- **User cleanup:** Every 4 months in some tenders
- **Typical retainer:** 5,500-16,000 ILS/month by size
- **GRC option:** Large vendors move to combined package
- **Status validity:** Valid as long as active public client exists

## Eight vendor types needing DPO

### SaaS vendor to a municipality

Resident management system, billing system, planning system. Access to tables with hundreds of thousands of residents — clear holder.

### IT outsourcing to a ministry

Server operations, access management, monitoring. Even without seeing content directly — still considered a holder under Amendment 13.

### External service center for a municipality

Resident inquiry handling, property tax charges, welfare inquiries. Hearing calls, viewing databases — holder.

### Software vendor to HMOs

Medical records system, lab systems, billing systems. Special-sensitive data = high security level.

### Tax advisors working with public bodies

Tax consulting for academic institutions, large NGOs receiving government funding, municipal corporations.

### Accessibility solution vendors

Software/hardware vendors integrating into public systems, especially with data on people with disabilities.

### Survey and research companies

Companies running surveys for ministries, State Comptroller, or councils. Respondent databases = holders.

### Healthcare logistics vendors

Companies transporting medications, medical equipment, or samples. They see patient data on shipping documents.

## 8 public body compliance requirements

### 01. Formal DPO appointment

Direct Amendment 13 requirement. Many vendors have missed that they count as holders, and this is exactly what public procurement teams review today.

### 02. Data Processing Agreement (DPA)

Public procurement requires vendors to sign a DPA before engagement. We write DPAs that meet public requirements without choking the business.

### 03. Documented security agreements

Vendor information security specification, protection level, certifications, control overview.

### 04. Conflict-of-interest declaration

Declaration that no conflict exists between vendor and public body or its employees.

### 05. Professional liability + cyber insurance

Public body tenders usually require 1-5 million ILS policies. We also help with policy selection.

### 06. Incident notification

Vendor notification duty to the public body for every incident — sometimes within 24 hours, faster than standard requirements.

### 07. Inactive user cleanup

Specific requirement seen in several tenders: cleanup of inactive users every 4 months, documented.

### 08. Data return / deletion at termination

Structured process for data return / deletion at end of engagement. Deletion documentation.

## 7 documents every vendor must hold

| Document | Detail |
| --- | --- |
| Data Processing Agreement (DPA) | Master contract addendum, Hebrew or Hebrew-English |
| Database definition document | Documentation of every public-body database we hold |
| Security specification | Description of technical and organizational controls |
| Conflict-of-interest declaration | Signed by vendor owner and relevant managers |
| Insurance certificate | Valid, with appropriate coverage amounts |
| Security incident procedure | Documented public-body notification process |
| Termination procedure | Data deletion / return, and execution documentation |

## Frequent questions from public-sector vendors

### When is a vendor considered a "holder" under Amendment 13?

When processing personal data **on behalf of** the data controller (in this case, the public body). Includes scenarios where the vendor doesn’t see content (e.g., DBA on encrypted system) — if technical access exists, the vendor is a holder.

### We are infrastructure only — we don’t touch data

Even then, if data **could** be accessible to you, you are a holder. The required protection level depends on holder type, but the base DPO obligation remains.

### Isn’t having a CISO and an in-house lawyer enough?

No. Amendment 13 requires a **separate DPO role** with independence, authority, and specific privacy knowledge. Even with an excellent CISO and an outstanding lawyer, neither fulfills the DPO duty.

### How do public procurement teams check us?

In every tender and contract renewal: a privacy questionnaire (30-100 questions), eligibility document requests, DPA review, and, in large tenders, interviews with your DPO. We help you meet every stage.

### What if our existing contract has no DPA?

We recommend that you **approach the public body** and sign a retroactive DPA addendum. Many contracts we’ve seen had no DPA. This does not necessarily mean contract termination, but it is a legal risk to close.

### We work with many public bodies. Do we need a DPA for each?

Two approaches: (a) your own standard DPA, which you require every body to sign; (b) a tailored DPA per body. The first is more efficient but less flexible. Typically we recommend a standard DPA plus a body-specific addendum.

### Do you have sector experience?

Yes. We work with SaaS, IT, and outsourcing companies serving authorities, HMOs, and ministries. Both [public tender support](/en/services/public-tenders) and [vendor privacy](/en/services/vendor-privacy) are relevant to your situation.

### How much does it cost?

Small vendor (1-5 public clients) — 5,500-9,500 ILS/month. Mid vendor (5-20 public clients) — 10,000-16,000 ILS/month. Large vendor — GRC package instead of standard DPO.

## Vendors of authorities / HMOs / government — let's close the gap.

30-minute call, status check, adaptation plan for existing contracts.

[Book a call](/en/contact)
