Expansion of Privacy Protection Regulations regarding data from the EEA
As of January 1, 2025, the Israeli Privacy Protection Regulations (Instructions for data being transferred to Israel from the European Economic Area) will also apply to data being stored or processed in Israel or in other countries, such as the US and the UK, if these databases also contain data transferred from Europe. In other words, as soon as a database in Israel or another country also contains personal information transferred from Europe, all data in the database must comply with the regulations’ requirements – not just the data that came from Europe, but also the local data or data that came from other countries.
These regulations, which were enacted about a year and a half ago, came into effect in August 2023 in the wake of the European Union Commission’s process of renewing the adequacy status that the EU granted to Israel in 2011. When the regulations came into effect, specific obligations were imposed on owners of databases in Israel receiving personal data from the European Economic Area (EU member countries, as well as Iceland, Norway and Liechtenstein). Essentially, the regulations adopted elements of the European General Data Protection Regulation (GDPR) and applied them specifically to data originating in Europe.
However, up until January 2025, the regulations have differentiated between European citizens’ data transferred to Israel or stored in Israeli databases, which were protected by the regulations, and data about Israelis or citizens of other countries, which were not subject to the regulations. As of January 2025, the level of protection that up until now was reserved only for data coming from the EEA will also apply to non-European data as long as they are being processed in an integrated database containing European data, regardless of its source. This innovation eliminates the differentiation that had been in effect up until now and obligates database controllers to implement measures ensuring that all data in the database comply with the same stringent standards.
Exclusions from the regulations
These regulations will not apply in particular circumstances, for example if the data in the database came directly from a data subject in the EEA (and not from a third party) or if the data transfer is required for law enforcement purposes.
Furthermore, the regulations impose obligations only on database owners (and on database controllers pursuant to Amendment 13 to the Privacy Protection Law) and not on database holders; i.e., the regulations will not apply to an Israeli company that acts merely as a database holder for a company in an EEA country.
The expanded obligations
The regulations impose various obligations adopted from the GDPR with respect to data being processed in databases in Israel:
- Obligation to delete data: if a data subject so requests, database controllers are obligated to delete data unlawfully obtained or no longer necessary for the purposes for which they were collected, apart from particular exceptions that allow the database controller to continue retaining the data.
- Obligations pertaining to the duration of data retention and deletions of unnecessary data: database controllers are obligated to implement mechanisms to ensure that the database does not retain data that are no longer necessary for the purposes for which they were collected and to delete such data as soon as possible.
- Obligations pertaining to data accuracy: database controllers are obligated to ensure that data in the database are correct, complete and up-to-date, and must take action to correct or delete data not complying with these requirements.
- Obligation to inform data subjects: database controllers are obligated to inform data subjects, through the transferor of the data, about the identity and contact details of the database controller; the purposes of the data transfer and use; the type of data being transferred; and data subjects’ right to demand the correction or deletion of their data.
The regulations impose more comprehensive obligations than those prescribed in section 11 of the Privacy Protection Law, since they essentially adopt the GDPR standard and expand the scope of information included in the obligation to inform data subjects, the data provision framework and the requirements when transferring data to third parties, including with regard to the type of data and the reason for their transfer. The regulations thus impose higher levels of transparency and disclosure on database controllers in Israel – which means that Israeli companies may need to update their privacy policies and internal procedures.
Recommendations for Israeli companies with international operations
We recommend that Israeli companies processing personal data originating in EEA countries implement the following measures:
- map all data in the database and their sources, in order to ascertain the company’s status in relation to the data (controller or only holder), and then perform a legal examination in order to ascertain whether the regulations apply to all or a portion of the company’s databases in Israel;
- perform a risk survey in order to ascertain the obligations applying to the company in relation to the relevant databases;
- if the regulations apply to all or a portion of the company’s databases:
  - revise the company’s privacy policy and internal procedures to ensure compliance with the regulations’ requirements, including procedures regarding data subjects’ rights;
  - revise contracts with external service-providers that have access to the protected data;
  - implement control mechanisms to ensure compliance with the regulations’ requirements.
Israeli companies managing databases that contain data originating in EEA countries should implement the necessary measures above as soon as possible, and should revise their organizational and technological processes in order to facilitate compliance with the regulations’ requirements.
Our Privacy, Data Protection, Cyber and AI Department is at your service to answer any questions and help you make the necessary adjustments.
***
Dr. Avishay Klein is a partner at Barnea Jaffa Lande and heads the firm’s Privacy and Data Protection, Cyber and Artificial Intelligence Department.
Adv. Liav Shapira is an associate in the department.