Are there Rules for Direct Marketing?

The Protection of Privacy Law, 5741-1981 uses the term ‘Direct Mailing’, which is defined as contacting by way of writing, printed matter, telephone, facsimile, in a computerized way or by other means, a person personally, based on the person’s belonging to a population group which is determined by one or more characteristics of persons whose […]

Do you have to Manage Security Incidents and Report Data Breaches?

Under the Protection of Privacy Regulations (Data Security) 5777-2017, a Security Incident is defined as an event that raises concern about a breach of the data integrity, an unauthorized use thereof, or use that exceeds authorization. Database owners have four obligations concerning Security Incidents: They must document Security Incidents, based as much as possible on […]

Is Data Minimization a Mandatory Requirement?

Under the Protection of Privacy Regulations (Data Security) 5777-2017, database owners and holders are required to ensure that the information retained within the database does not exceed that which is required for the initial purpose of collection. The regulations establish a requirement on database owners and holders to perform an annual review and assess whether […]

Do You Need to Appoint an Information Security Officer?

The Protection of Privacy Law, 5741-1981 states that under certain circumstances, database owners or holders should appoint a person with the appropriate qualifications to be in charge of the information security of such a database. These circumstances include, for example, an entity that owns or holds more than five databases. The information security officer’s roles […]

What Are the Roles of the Database Manager?

The Protection of Privacy Law, 5741-1981 requires that each database be managed by a database manager. The database manager should be a natural person who is a senior employee of the owner or holder of the database and has the ability to operate independently. In addition, the database manager should be subject to a […]

Are there Registration Requirements?

Under the provisions of the Protection of Privacy Law, 5741-1981, most databases are required to be formally registered in the database registry. Among these are databases that meet one of the following conditions: The database contains data relating to more than 10,000 individuals. The database contains sensitive data (see: “What are the Definitions for Personal […]

Are There Rules Related to CCTV?

Images and footage captured by CCTV are regarded as “Data”, as defined in the Protection of Privacy Law, 5741-1981, pursuant to Guidelines No. 4/2012 of the Privacy Protection Authority, on the Use of Security and Surveillance Cameras and Databases of Recorded Images. Accordingly, databases with camera footage are subject to the database registration statutory obligation […]

Are there Rules for Owning, Holding or Managing a Database?

Section 17 of the Protection of Privacy Law, 5741-1981 (the “Protection of Privacy Law”) sets a general obligation on the database owner, holder, and manager to secure the database. The Protection of Privacy Regulations (Data Security) 5777-2017 were enacted by virtue of the Protection of Privacy Law, adding context to this general obligation under […]

Do Israeli Privacy Laws Apply to Foreign Entities?

The Protection of Privacy Law, 5741-1981 does not include any explicit territorial applicability provisions. Israeli courts may apply Israeli laws if the affinity to Israel is sufficient. For example, in class actions filed in Israel against Booking.com, PayPal and Facebook, the Israeli court asserted jurisdiction over the claims despite foreign jurisdiction clauses in these companies’ […]

Are there Defenses Against Claims for Privacy Violation?

Chapter 3 of the Protection of Privacy Law, 5741-1981 lists eight defenses for a claim of a privacy violation in a civil or a criminal proceeding (See: “What Constitutes a Privacy Violation?”). The defenses include, for example, circumstances in which the defendant did not know and did not have to know, in good faith, that […]