© All rights reserved to Barnea Jaffa Lande Law offices

Amendment 13 to the Israeli Privacy Protection Law: Guidance for Insurance Agents and Agencies

Summary

  • 2022 PPA supervisory report: The Privacy Protection Authority found significant failures in insurance agencies’ compliance with Israeli privacy laws, including deficient data security, a lack of binding procedures, and a failure to provide proper client notices and marketing communications.

  • Amendment 13 updates: The Israeli Privacy Protection Law was amended to grant the PPA broad enforcement powers, impose administrative fines, and strengthen data subjects’ rights, including the right to compensation without proof of damage.

  • Insurance agencies’ obligations: Agencies must manage personal and sensitive data responsibly, including creating database definition documents, implementing data security measures, ensuring vendor compliance, providing clear notices to clients regarding data collection and use, and allowing data access and correction.

  • Non-compliance and best practices: Violations may lead to substantial fines (e.g., ILS 50–320K depending on type of breach), and the PPA will maintain close scrutiny. Agencies should assess the need to appoint a data protection officer (DPO) or chief information security officer (CISO) and adopt proactive compliance measures.

The Israeli Privacy Protection Law was recently amended, and, like all organizations, insurance agencies must comply with its provisions.

A supervisory report conducted by the Privacy Protection Authority (PPA) in the insurance sector in 2022 found significant failures in compliance with Israeli privacy laws. The findings indicated deficient data security practices, a lack of binding procedures and organizational controls, and a failure to meet notice requirements to clients and in marketing communications.

This guide aims to help insurance agents and agencies, who handle personal and sensitive data in a highly regulated environment, understand the steps they should now take.

What is Amendment 13, and why is it relevant to insurance agents?

Amendment 13 significantly updated the Israeli Privacy Protection Law, granting the PPA broad enforcement powers, including administrative fines and financial sanctions.

The amendment also updated the obligations of data controllers toward data subjects (individuals whose data is collected) and granted data subjects a personal right of action, alongside compensation without proof of damage for violations of privacy rights.

What personal data do insurance agents hold?

Insurance agencies, as part of their routine operations, collect and manage vast amounts of personal and sensitive data about their clients. Such data primarily consists of personal identifying details, such as full name, ID number (and sometimes a photocopy thereof), residential address, and more. Particularly sensitive data may also be collected, including medical and mental health information, financial details (including income and assets), and information on marital status and sometimes even sexual orientation.

What sanctions apply if we fail to meet the amendment’s requirements?

Given previous enforcement actions, we expect insurance agencies to remain under the PPA’s scrutiny. Non-compliance with the amended law may result in substantial fines and financial sanctions. For example, refusing to allow individuals to view or correct their data may result in a monetary sanction of ILS 150,000, while violating notice requirements when collecting data may result in monetary sanctions of ILS 50–100 per data subject. Additionally, non-compliance with data security regulations may result in fines of up to ILS 320,000.

How can we ensure compliance with the law’s main requirements?

To ensure compliance with the key provisions of the Privacy Protection Law, we recommend these five simple steps:

  1. Examine data collection processes and create database definition documents by mapping and categorizing the data you collect and specifying the types of collected data, the purposes of collection, the relevant service providers, and the security risks.
  2. Review all forms and tools used for data collection to ensure they comply with the law’s notification and transparency requirements. This includes verifying that every method of data collection (website, forms used for collection, agreements) displays a clear and accessible privacy policy, detailing the purposes of use, the entities to whom the data will be transferred, and the client’s rights (access and correction).
  3. Implement data security measures, including establishing security procedures consistent with your database definition documents, managing access permissions, applying appropriate technological and organizational safeguards, and ensuring the data’s physical and environmental protection.
  4. Ensure that all vendors involved in processing data on your behalf have signed confidentiality and data security agreements. These agreements must include provisions limiting vendors’ processing and access to the data, thereby ensuring the confidentiality and security of the data in your possession.
  5. Conduct a data security gap analysis for your databases, as required by data security regulations, to identify potential risks in the company’s operations.

What are database definition documents?

Database definition documents provide a detailed mapping of the types of data contained in each database, the purposes of its collection and use, the relevant security risks, and the individuals or entities responsible for its management. Preparing these documents requires organizations to examine, map, and document the data processing activities they perform or control. This process also enables a comprehensive review of the organization’s compliance with the requirements of the Privacy Protection Law.

Although database definition documents are internal, the obligation to prepare them applies to anyone who processes personal data as a data controller. The PPA may request these documents as part of enforcement actions, data breach investigations, or other regulatory proceedings.

We anticipate the management and maintenance of these documents will become one of the PPA’s primary enforcement focuses.

What information must we provide to clients and insured individuals regarding the collection of their data, and when must we present it to them?

The duty of disclosure and transparency stipulated in the law requires the entity collecting personal data to detail the following information to data subjects:

  • Is providing the data mandatory? Clarify if the data subject must provide the data (for example, due to a legal obligation) or if providing the data is voluntary and only necessary to receive the requested service.
  • Purposes of data collection and use: Clearly specify all purposes for collecting and using the data. It is important to include every intended purpose so that the individuals providing the data know what to expect.
  • Identity of the data controller: Specify who controls the data, i.e., the name of your company or organization as the database controller. The notice must also include contact details through which clients can reach you.
  • Data recipients (third parties): Identify the entities that may receive the data and explain the reasons for such transfer. This typically includes key vendors providing services on your behalf or in partnership with you, advertising services, business partners, and more.
  • Data subjects’ rights: Inform data subjects of their right to access personal data held about them and to request correction if the data is inaccurate or incomplete.

This information must be presented at or near the time the data is collected, enabling the data subject to review the details before providing consent.

In addition, in accordance with the right of access established by law, you must allow clients and insured individuals to access the personal data you have collected about them, if they submit a request to do so. However, the law provides an exception for medical or mental health information. You may withhold this information if it could harm the individual’s health or endanger their life.

Is an agency considered a data controller when handling an employee’s insurance policy?

If the agency receives the data after the employee has provided consent and directly signed an agreement with it, the agency will likely be considered the data controller.

A data controller is the entity that determines the purposes and means of using the data and is legally responsible for its handling. Therefore, if the receipt of data from an employer is part of managing the insured’s affairs and follows an agreement between the agency and the insured, the agency will likely be considered the data controller.

However, if the data is received as part of a service provided to the employer, the agency’s status under the Privacy Protection Law must be examined in relation to the employer.

As a rule, when you perform substantive actions involving the data or exercise discretion regarding the purposes and means of its use, classification as merely a data processor is not appropriate.

Conversely, if the agency receives from an employer a list of employee names solely for the limited purpose of contacting them to offer services, the agency may be considered only a data processor.

Must we appoint a data protection officer (DPO)?

Amendment 13 to the Privacy Protection Law requires organizations to assess their obligation to appoint a data protection officer (DPO), based on the law’s requirements and the characteristics of their databases. This assessment is conducted, among other things, through the preparation of database definition documents and the performance of a data security gap analysis.

The DPO serves as the point person within the organization for ensuring compliance with the Privacy Protection Law and its accompanying regulations. Among other duties, the DPO must work to promote and strengthen data security, reduce privacy risks, ensure proper control mechanisms are in place according to the organization’s risk profile, and conduct ongoing monitoring and assessments. The requirement to appoint a DPO under the Privacy Protection Law applies to organizations that meet certain criteria, for example, those that process data on behalf of a public body or that process a large volume of particularly sensitive data.

Given the highly sensitive nature of the personal data handled by insurance agents, you should carefully examine if your activities necessitate the appointment of a DPO.

The PPA recommends that any organization collecting and processing personal data consider appointing a DPO as a matter of best practice, even when not legally required to do so. Such an appointment strengthens compliance with privacy regulations, builds trust among clients and business partners, and enhances the organization’s professional reputation.

In addition, organizations that appoint a DPO may be eligible for a 10% reduction in a financial sanction imposed under the law.

Must an agency appoint a chief information security officer (CISO)?

Amendment 13 establishes clear criteria requiring the appointment of a CISO. These apply to a data controller or processor of at least five databases that require registration, public bodies, and large financial institutions. The CISO is responsible for managing the organization’s data security and cybersecurity and must act to promote and improve data security while reducing risks of potential harm to data subjects’ privacy. A CISO must act according to the role’s definition as set out in the regulations. The law permits employing the CISO as an external service provider as well.

We are a small family business. Are we entitled to any exemptions?

The obligations included in the Privacy Protection Law apply to all organizations, according to the type of data processed. However, the law allows for a reduction in financial sanctions for micro and small businesses (turnover of up to ILS 10 million).

We use third-party data security services. What steps should we take now to protect the data transferred to third-party vendors?

As the data controller, the agency is responsible for the actions of the data processor. The obligations that apply to the agency derive from the level of security applicable to it pursuant to the Privacy Protection (Data Security) Regulations, 2017. You must ensure that the data security service provider meets the legal requirements, that your contract with them explicitly sets out their obligations and incorporates the data security policy by which the agency operates, that technical controls are carried out regularly to protect the data, and that the contract defines the provider’s duty to report data breach incidents.

Amendment 13 to the Privacy Protection Law has fundamentally transformed Israel’s privacy framework and significantly expanded the enforcement powers of the PPA. These changes expose insurance agencies to real regulatory sanctions, and the financial risk of non-compliance is greater than ever. 

Given the sensitive nature of the data they manage, insurance agencies will likely remain one of the key sectors under the PPA’s regulatory scrutiny. 

Our team would be happy to help you prepare and avoid penalties by implementing the new legal obligations and ensuring adherence to the mandatory procedures.

***

Dr. Avishay Klein is a partner and head of the Privacy, Cyber & AI Department.

Adv. Masha Yudashkin is an associate in the Privacy, Cyber & AI Department.

Our firm’s Privacy, Cyber & AI Department is one of the leading and most prominent practices in Israel. We provide comprehensive and innovative legal counsel to technology companies, institutional bodies, and corporations from diverse sectors in Israel and abroad.

The department specializes in the practical implementation of privacy and data protection laws, with a focus on business objectives, reducing legal risk, and designing privacy programs tailored to clients’ specific needs.