Major Amendment To Privacy Law In Israel

In Israel, it has long been established that employees have a legitimate expectation of privacy in the workplace. Effective as of 14 August 2025, a new amendment (‘Amendment 13') to the Protection of Privacy Law introduces a significant shift in the legal landscape, particularly for employers and other organisations that process personal data.

This reform brings Israel's privacy framework closer to global standards such as the EU GDPR. For employers, this means heightened responsibility in their role as data controllers, with clear obligations to ensure the lawful, transparent, and secure handling of employee personal data.

Expanded transparency obligations

In addition to existing requirements regarding the legal basis, purposes of use, and third-party disclosures, employers must now also provide enhanced privacy notices to employees and candidates. The enhanced notices must include the following elements:

• The identity and contact details of the data controller.

• Where processing is based on consent (as is common in Israel), a clear explanation of the consequences of refusing to provide consent.

• A summary of employee rights under the law regarding their personal data.

It is therefore advisable for employers to review and update employment agreements, privacy notices and other documents, including those provided to job applicants, to meet these new transparency standards.

Database registration is no longer the default

The requirement to register databases with the Privacy Protection Authority (PPA) has been significantly narrowed. Registration is now required only in specific cases (typically not applicable to standard employment databases), reducing administrative burdens and aligning with international best practices. However, pursuant to a new obligation, organisations must notify the PPA if they process highly sensitive personal data on a significant scale, though this is unlikely to affect typical employment databases.

Data Protection Officer (DPO) requirements

Organisations whose core activity involves large-scale data processing or systematic monitoring must appoint a DPO. This role is responsible for (among other things):

• Ensuring compliance with privacy laws.

• Promoting internal privacy awareness.

• Overseeing risk assessments and audits.

• Acting as the contact person with the PPA.

According to the PPA's current position, most routine HR activities, such as handling employee personal data, do not require a DPO. However, there may be a statutory obligation to appoint one in your organisation – it is crucial to seek local advice here.

Expanded enforcement

The PPA has been granted expanded enforcement powers, including:

• Significant administrative fines - the exact amount depends on the nature, scope, and scale of the infringement.

• Statutory damages - Employers may face statutory damages of up to NIS 10,000 for certain violations of the PPL (e.g. failing to notify individuals regarding data practices or not correcting personal data).

• The ability to petition courts for an order to cease unlawful data processing.

Takeaway for employers

While Israel's legal privacy framework now more closely resembles European standards, the statutory provisions are specific to Israel. Given the significance of these changes and the strong enforcement environment, we strongly recommend consulting with local counsel specialising in labour and privacy law to assess exposure and implement appropriate safeguards.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.