© All rights reserved to Barnea Jaffa Lande Law offices

A Practical Guide to Board Responsibility and DPO Appointment Under Amendment 13

Amendment 13 to the Israeli Privacy Protection Law is expected to come into effect in mid-August 2025. Among other things, the amendment introduces an obligation for organizations to appoint a data protection officer. The Privacy Protection Authority recently published a draft directive on implementing this obligation; the draft is not final and is open for public comments.

The Privacy Protection Authority’s directive serves to clarify Amendment 13 and states that, for companies in which processing personal information is essential to their activities or whose activities pose heightened risks of privacy violations, the board of directors must oversee the company’s compliance with the requirements of the Privacy Protection Law and accompanying regulations.

The purpose of this guide is to provide a practical understanding of the obligation to appoint a data protection officer pursuant to Amendment 13 and to clarify the responsibilities of the board of directors and the interfaces between the various functions in an organization in this regard.

  1. What is the scope of a data protection officer’s role?

A data protection officer (DPO) is the functionary responsible for ensuring that an organization safeguards personal information in conformity with the provisions of the Privacy Protection Law and accompanying regulations. Inter alia, the DPO must take action to improve data security, mitigate the risk of violations of data subjects’ privacy, ensure the implementation of control mechanisms commensurate with the privacy risks involved in the organization’s activities, and assess and monitor those activities. The appointment of a DPO is a demonstration of the principle of accountability, i.e., an organization’s responsibility to implement the statutory provisions governing the use of personal information and to present and prove compliance with these requirements.

  2. Which organizations must appoint a DPO?

The obligation to appoint a DPO applies to any organization that fulfills one of the following criteria in the Privacy Protection Law:

  • Public entities: government ministries, local authorities, HMOs, hospitals, labor organizations, and any entity that performs a public function by law or under the Privacy Protection Order.
  • Third-party information processors for public entities: companies that process information on behalf of public entities and are therefore considered “holders” of personal information.
  • Organizations engaged in information trading: controllers of databases containing information on more than 10,000 individuals whose main purpose is collecting personal information in order to transfer it to others as part of their business activities or for a fee, or that regularly provide such information to others as part of their business activities. (Companies that merely hold such a database do not need to appoint a DPO.)
  • Organizations that perform systematic monitoring: controllers or holders of databases whose principal business involves processing activities requiring ongoing, systematic, large-scale monitoring of individuals, including tracking users’ online behavior, collecting location data, profiling in the e-commerce and online advertising sectors, managing financial risks, collecting information from smart devices, and operating surveillance-camera databases or ISP databases.
  • Organizations that process a significant volume of sensitive information: controllers or holders of databases that also carry out extensive processing of “highly sensitive information” as defined in the law (inter alia, information on health status, political opinions, salary and financial activity, location and traffic data, etc.). The law explicitly names banks, insurance companies, hospitals, and HMOs as organizations that must appoint a DPO, but this is not a closed list.

The law does not define the term “significant volume” precisely. In its draft directive, the Privacy Protection Authority interprets the scope of the obligation to appoint a DPO broadly, stating that there is no single quantitative threshold and that the term, and with it the appointment obligation, must be examined according to the totality of the circumstances and considerations of each case on its own merits.

The main criteria relevant to this examination include the number of people whose information is being processed, the scope of the information, the types and sensitivity of the information, the duration and frequency of the processing operations, the duration of data retention, and the geographical scope of the processing operations. In other words, even if a particular company does not process information about a large number of people, or processes information that is not highly sensitive, it might still be obligated to appoint a DPO depending upon other circumstances.

  3. Should an organization appoint a DPO even if not obligated to do so by law?

The Privacy Protection Authority recommends that any organization that collects and processes personal information consider appointing a DPO, even if not obligated to do so by law, as a proper and recommended practice, on the premise that appointing a DPO improves compliance with privacy protection laws, strengthens trust among customers and business partners, and enhances the organization’s reputation. The law itself also encourages this: an organization that has a DPO is entitled to a 10% reduction in any financial sanction imposed on it for statutory violations.

  4. What are a DPO’s main spheres of responsibility?

The law defines several main spheres of responsibility:

  • Providing guidance and training: The DPO acts as a source of knowledge and professional authority for the organization’s management and employees (regarding both the binding provisions of privacy protection laws and principles for improving privacy protection throughout all stages of the information life cycle), raises awareness about privacy protection in the organization, designs training programs, and oversees their implementation.
  • Monitoring and control: The DPO is responsible for keeping abreast of legislative and regulatory amendments and ensuring that the organization’s policies and procedures are revised accordingly, preparing a statutory compliance monitoring program and ensuring its implementation, reporting findings to the organization’s management, and issuing recommendations for rectifying deficiencies.
  • Ensuring data subjects’ rights: The DPO serves as the organization’s contact person for data subjects and is responsible for ensuring that data subjects’ requests to exercise their rights (such as inspection, correction, deletion, and removal from a direct mailing list) are handled.
  • Acting as the organization’s liaison with the Privacy Protection Authority: The law designates the DPO as the organization’s official liaison with the Privacy Protection Authority. The DPO is responsible for receiving queries from the Authority, reporting data security incidents, and ensuring the organization’s compliance with the statutory requirements.

  5. What qualifications must a DPO possess?

The law and the Privacy Protection Authority’s draft directive prescribe that a DPO must be highly qualified.

The DPO must possess knowledge relevant to the role: A DPO must have in-depth knowledge and understanding of privacy protection laws, including horizontal and sector-specific regulation, as well as relevant case law. In addition, a DPO must be sufficiently knowledgeable in data security and information technology to analyze the ways in which the organization’s use of technology could lead to privacy violations. The Privacy Protection Authority emphasizes that the DPO must be able to present evidence of knowledge and understanding in the requisite topics.

The DPO must be highly familiar with the organization: The DPO must be familiar with the organization’s spheres of activity and the privacy risks inherent in them, the sectoral regulations applying to the organization, the organization’s corporate structure, its data processing processes, and the characteristics of its data subjects. The DPO must also be involved in the processes of examining privacy risks and adapting processes to the principles of “privacy by design.” Finally, the DPO must be capable of adapting the data processing policy to business needs while complying with the statutory provisions and safeguarding data subjects’ privacy.

The DPO must be independent and have standing in the organization: Organizations must allocate to the DPO the resources necessary for the performance of the role. The DPO must hold an independent position, either at a managerial echelon or reporting directly to senior management, and must be able to perform the role free of conflicts of interest.

  6. May organizations appoint an external consultant to the role of DPO?

Yes, the law allows organizations to appoint external service providers as DPOs. The advantage of an external appointment is that it reduces concerns of dependence and the risk of conflicts of interest. The disadvantage is that an external DPO is less familiar with the organization’s characteristics and the organs managing it. Whether the appointment is internal or external, organizations must ensure that they allocate to the DPO the time, resources, and independence needed to perform the role, and that they neither impose on the DPO an additional role nor subordinate the DPO to another officer in a way that could give rise to concerns of conflicts of interest.

  7. May organizations appoint CISOs as DPOs (dual roles)?

The Privacy Protection Authority’s position is that, in most instances, this is inappropriate and may create legal complexities and inherent conflicts of interest, even though it is not explicitly prohibited by law. This is particularly true where measures needed to improve data security (such as monitoring employees’ or customers’ activities) could run counter to the principles of privacy protection, or where overlapping spheres of responsibility make it difficult to strike a proper balance between the competing considerations.

In large organizations, or in organizations processing a significant volume of personal information, there is also a heightened risk that insufficient resources will be allocated when the same person performs both roles.

  8. What are boards of directors’ responsibilities for privacy protection and appointing a DPO?

The Privacy Protection Authority’s directive states that when processing personal information is a key component of a company’s operations, or when its operations pose significant risks of privacy violations, the board of directors must ensure that the company operates in compliance with the provisions of the Privacy Protection Law and its accompanying regulations.

The board of directors’ responsibilities include formulating, adopting, and implementing data protection policies; defining responsible officers; receiving current updates; and discussing material issues, such as database definition documents, data security procedures, the results of risk surveys, data security incidents, and periodic audits.

  9. Can boards of directors delegate privacy protection oversight and control authorities to another organ in the company?

Yes. Where the board of directors believes that another person in the company, such as a senior manager with relevant expertise, can perform the required tasks professionally and efficiently, it may delegate to that person the authority to carry out the oversight and control functions required under the Privacy Protection Law. Examples include companies in which spheres of responsibility are clearly divided between the board of directors and ad hoc committees, or companies with professionals possessing appropriate expertise and experience.

Nevertheless, the board of directors must continue to actively oversee the performance of these tasks and must document its resolution to delegate the authority, including the rationale for doing so, in order to ensure accountability and transparency.

  10. If organizations appoint a DPO, does the appointment affect the board of directors’ responsibilities?

The appointment of a DPO does not release the board of directors from its responsibility, where it applies, for ongoing supervision of compliance with the requirements of the law and regulations. The obligation to appoint a DPO applies to a broader set of organizations than the board of directors’ oversight responsibility does, but in organizations subject to both, the appointment of a DPO may help the board perform its duties and oversee their execution more efficiently.

  11. How should organizations prepare for the inception of Amendment 13 to the Privacy Protection Law and, in particular, how should they ensure that they fulfill the obligation to appoint a DPO and inform the board of directors?

We recommend the following measures:

Mapping and initial analysis

  • Ascertain whether the organization fulfills one of the criteria obligating the appointment of a DPO pursuant to the statutory provisions and the Privacy Protection Authority’s directive.
  • Ascertain whether the organization must inform the board of directors, and ensure the board of directors is aware of its responsibilities in this regard.

Formulate a work plan

If appointing a DPO is obligatory, perform a risk review and formulate a work plan that includes completing the database definition documents, defining spheres of responsibility, selecting a suitable candidate (internal or external), allocating resources, and arranging work and control processes.

Present findings and recommendations to management and the board of directors

Present the findings of the examination to management and the board of directors, including a recommendation about appointing a DPO, even if the organization is under no formal obligation to do so.

Revise policy and procedures

Revise the organization’s privacy protection policy and procedures according to the new requirements and ensure that the board of directors approves and oversees their implementation (where required).

Training and raising awareness

We recommend providing training to the relevant functionaries and raising awareness in the organization of the expected changes and the importance of privacy protection.

Documentation and control

Document all preparatory stages, including board resolutions, the appointment of the DPO, and the implementation of procedures, and regularly monitor compliance with the requirements.

These measures will help your organization fulfill the statutory requirements, mitigate risks, and ensure accountability and transparency vis-à-vis the board of directors and the Privacy Protection Authority.

  12. When is the deadline for compliance with Amendment 13?

The deadline for fulfilling all requirements of Amendment 13 to the Privacy Protection Law, including the appointment of a DPO, is August 14, 2025. Given the scope of the changes, the increased enforcement measures, and the sanctions introduced by the amendment, we recommend preparing for compliance as soon as possible.

***

Dr. Avishay Klein is a partner and heads our firm’s Privacy, Data Protection, Cyber and Artificial Intelligence Department.

Adv. Masha Yudashkin and Adv. Liav Shapira are associates in our firm’s Privacy, Data Protection, Cyber and Artificial Intelligence Department.

Barnea Jaffa Lande’s Privacy, Data Protection, Cyber and Artificial Intelligence Department is one of the most prominent and leading practices in Israel. It provides comprehensive, innovative legal advisory services to technology companies, institutional entities, and corporations from various sectors in Israel and abroad. The department’s support includes DPO services as required by law.
