Key aspects of database management under the Protection of Privacy Law, 5741-1981, and privacy regulations include:
- Privacy notice: The person requesting personal data for the purpose of processing such personal data in a database shall accompany such a request with a privacy notice (See: “What Must a Privacy Notice Include?”).
- Registration: Databases of public bodies and data brokers are required to be formally registered in the database registry (See: “Are There Any Database Registration Requirements?”).
- Notification: Database controllers may be required to provide the Privacy Protection Authority (PPA) with a notification containing various details (see: “Are There Database Notification Requirements?”).
- Appointments: Database controllers need to appoint a privacy protection officer under certain conditions (see: “Do I Need to Appoint a Privacy Protection Officer?”), and an information security officer (see: “Do I Need to Appoint an Information Security Officer?”).
- Individuals’ rights: Individuals have various rights relating to personal data held in the database (See: “What Individuals’ Rights Are Protected Under Israeli Privacy Laws?”).
- Information security: Database controllers and holders have an obligation to secure personal data. The Protection of Privacy Regulations (Data Security) 5777-2017 include detailed data security requirements (see also: “Do you have to Manage Security Incidents and Report Data Breaches?”).
- Confidentiality: The Protection of Privacy Law, 5741-1981 establishes a confidentiality obligation regarding data held in the database.
- Transborder data flows: The Privacy Protection (Transfer of Data to Databases Abroad) Regulations, 5761-2001 set rules regarding the transfer of data outside of Israel.
- Vendor management: The Protection of Privacy Regulations (Data Security) 5777-2017 provide rules for a database controller entering into an agreement with an external service provider in order to receive a service that involves granting the external service provider access to the database.
The Protection of Privacy Law, 5741-1981 sets obligations on the person requesting personal data for the purpose of processing such personal data in a database. Such personal data requests shall be accompanied by a notice stating the following:
- Whether the person is subject to a legal obligation to provide the data, or whether the provision of the data depends on the person’s will and consent, and the consequence of not consenting;
- The purpose for which the data is requested;
- The name and contact details of the database controller;
- To whom the data will be delivered and the purposes of delivery;
- The existence of the right to review the personal data and the right to request correction of personal data, in accordance with the Protection of Privacy Law, 5741-1981 (See: “What Individuals’ Rights Are Protected Under Israeli Privacy Laws?”).
The Protection of Privacy Law, 5741-1981 sets a general obligation on the database controller and holder to secure the database. The Protection of Privacy Regulations (Data Security) 5777-2017 were enacted by virtue of the Protection of Privacy Law, 5741-1981, and add context to this general obligation by providing a set of security controls that must be implemented and reviewed by the database owner and holder.
The set of security controls includes provisions regarding the appointment of an information security officer (See: “Do You Need to Appoint an Information Security Officer?”), physical security, logical security, mobile devices, access control, required internal documents and procedures (See: “What is the Information Security Procedure?”), engagement with outsourcing service providers, the management of a security incident and data breach notification obligation (See: “Do you have to Manage Security Incidents and Report Data Breaches?”), and other information security controls.
This section also provides an obligation to appoint a privacy protection officer (See: “Do You Need to Appoint a Privacy Protection Officer?”).
Additional requirements in relation to personal data management and protection include the provision of a privacy notice (See: “What Must a Privacy Notice Include?”), exercising individuals’ rights (see “What Individuals’ Rights are Protected Under Israeli Privacy Laws?”), registering databases (See: “Are There Registration Requirements?”) and direct mailing management (see: “Are there Rules for Direct Marketing?”).