📢 Regulatory Update: Points on Appointing a Data Protection Officer (DPO)

📢 Just weeks before Amendment 13 to the Protection of Privacy Law takes effect (August 14, 2025), the Privacy Protection Authority (PPA) has published a detailed draft opinion on the duty to appoint a Data Protection Officer (DPO).

Some key elements from the opinion, with our practical insights:

🔹 Mandatory DPO Appointment NOT just for High-Risk Entities
➡️ The law applies the appointment duty to public bodies, data brokers, organizations conducting systematic monitoring, and those processing sensitive data at scale. However, as we expected, the PPA broadens the duty to any online profiling activities, CCTV, IoT, and other digital services.
💬 In practice, arguably, the mandatory DPO appointment applies to just about any digital service. Organizations must urgently assess their data practices to determine whether they need to appoint a DPO.

🔹 DPO Must Have Deep Legal Expertise
➡️ The required knowledge specifically includes deep knowledge of Israeli privacy law, case law, sectoral regulations, and constitutional principles. The PPA-sponsored DPO course constitutes basic training, but does not replace the requirement for deep knowledge of the law.
💬 This is a legal compliance role—not just a technical one. Practitioners without proper legal background would find it very hard to meet this requirement.

🔹 Technological Literacy Is Essential
➡️ DPOs must understand data flows, system architecture, and privacy-enhancing technologies.
💬 DPOs should know how to prepare information security policies. For attorneys who wish to be DPOs, self-directed or formal cyber and IT training is a must.

🔹 The DPO role does not carry personal liability for non-compliance with the DPO’s instructions.
➡️ The DPO’s main role is advice, training, supervision, and control.
💬 DPOs should be subject to the corporation’s Directors and Officers insurance and indemnity arrangements.

🔹 The DPO Must Be Independent and Resourced
➡️ The law mandates direct reporting to the CEO and prohibits conflicts of interest.
💬 This ensures the DPO can operate with authority and autonomy.

🔹 The CISO cannot be the DPO as well
➡️ The roles are distinct and may conflict if combined.
💬 Organizations must carefully evaluate role separation to avoid undermining either function.

🔹 DPO Duties Are Extensive
➡️ Includes advising management, training staff, monitoring compliance, handling data subject requests, and liaising with the Authority.
💬 This requires a proactive, cross-functional leader—not a symbolic appointment.

📌 Bottom Line:
Amendment 13 is a game-changer. Organizations must act now to identify qualified candidates, define the DPO’s scope, and ensure the role is properly embedded in governance structures.

👉 Feel free to reach out to ClearPath.Global and Or-Hof Law for further guidance and to discuss how we can support your organization in aligning with the new legal landscape.
