Draft Opinion by the Privacy Protection Authority: Appointment of a Data Protection Officer (DPO)

August 2025


On 23 July 2025, the Israeli Privacy Protection Authority published a significant draft opinion regarding the duty, under Amendment 13 to the Privacy Protection Law, to appoint a Data Protection Officer (DPO) in organizations, a duty which came into force on August 14, 2025.

The draft is open for public comments until September 23, 2025, but it already carries clear and practical regulatory implications, as the Authority stated that the interpretation set forth therein will guide it in exercising its statutory powers.

Considering that Amendment 13 introduces, for the first time, the duty to appoint a DPO, there is a significant need for guidance and interpretation by the Authority regarding the new statutory provisions. The draft reflects the Authority’s consideration of the relevant issues. Although it does not always provide full certainty or practical interpretation on every subject, the draft addresses the criteria for when the duty to appoint a DPO arises, the qualifications required of the DPO, the role and responsibilities of the DPO, as well as their organizational positioning and potential conflicts of interest.

The key points of the draft opinion are as follows:

  1. Who is under a duty to appoint a DPO?

Under Sections 17B1(a)(1) – (4) of the Law, the duty to appoint a DPO applies to:

  • Public bodies (as defined by the Law), as well as any Processor for a public body.

In this context, the Authority clarifies that a Processor for a public body includes any external entity that stores or accesses personal data of a public body and is therefore required to appoint a DPO. In practice, this may extend the duty to IT companies and back-office service providers that provide services to government ministries, authorities, or government companies – even where such activity is merely supportive. It is therefore recommended to review service agreements with public sector clients to assess the need to appoint a DPO.

  • Entities engaged in trading of personal data (data brokers)

These are entities that collect personal data for the purpose of transferring it to others as part of their business or for consideration, including direct marketing services, and only if the database contains personal data of more than 10,000 individuals. The Authority further clarifies that “as part of a business” and “for consideration” are interpreted as alternative conditions. Thus, the duty arises if the purpose of the database is to transfer data to third parties as part of the entity’s ordinary course of business, even if the transfer is for no consideration, or alternatively, if data is transferred to third parties for consideration, even if not in the ordinary course of business. Moreover, the Authority interprets the term “trade in personal data” broadly, referring to the position of the U.K. Information Commissioner’s Office (ICO), which includes credit rating agencies within this category of organizations engaged in trading information, thereby subjecting them to the duty to appoint a DPO.


  • Entities whose core activity involves processing personal data with regular and systematic monitoring

This is the ‘soft’ or ‘catch-all’ duty, similar to its GDPR counterpart, requiring the appointment of a DPO where three qualitative criteria are met: (a) the organization’s primary activity includes the processing of personal data, or inherently involves such processing; (b) the nature, scope, or purpose of the processing necessitates regular and systematic monitoring of individuals, including tracking their behavior, location, or activities; and (c) the processing is on a significant scale. The Law explicitly stipulates examples (which are not necessarily helpful), providing that the provision also applies to cellular communications providers and suppliers of online search services. Given that these are broad legal terms, the Authority addresses each of them in greater detail:

The Authority clarifies that a “primary activity” exists when processing personal data constitutes a central component in achieving the business or organizational objectives of the database Controller or Processor, or is an inherent part of the organization’s core activities (even if not essential for achieving them).

The Authority states that the test of “regular and systematic monitoring” is an objective test examining whether the entity’s central activities in fact involve such monitoring, regardless of whether this was the database’s stated purpose.

Representative examples provided by the Authority include:

– Tracking user activity in applications and websites, e.g., frequency of use, actions performed and timing.

– Processing whose purpose is profiling individuals to create behavioral, interest- or preference-based profiles for a host of purposes, such as targeted advertising, personalization of content and services, and risk management (credit scoring, insurance underwriting, fraud detection and more).

– Providing location-based services collecting data via mobile applications.

– Services involving the use of health-monitoring apps and wearable computing devices.

– Operating connected devices (IoT), e.g., smart vehicles and home appliances.

– Use of CCTV footage databases.

– Internet service providers.

In addition, the Authority clarifies that this is a non-exhaustive list and that organizations uncertain about whether the duty applies to them may reach out to consult with the Authority.

In our view, the Authority’s examples significantly broaden the scope of the duty, thereby requiring many organizations to appoint a DPO.

As for the term “significant scale” – there is no absolute quantitative threshold, and the assessment must consider all relevant circumstances in each instance on its merits, including the scope and quantity of the data; the range and diversity of the types of data processed; the duration and frequency of processing activities; data retention periods; and the geographic scope of the processing activities. It is emphasized that these factors are not necessarily cumulative. It is surprising to see the Authority’s statement that, to the extent other considerations are in play, the balance will tilt towards finding a ‘significant scale’ even when the number of data subjects is not high.

  • Entities whose activity involves large-scale processing of sensitive data

These are organizations whose primary activity involves processing particularly sensitive personal data (as defined in Amendment 13) on a significant scale, such as banks, insurance companies, hospitals, and HMOs.

The Authority clarifies that this refers to organizations whose primary activity involves such processing, and not to processing that is merely incidental despite being on a significant scale, e.g., employee data processed for HR purposes, which is not directly tied to the organization’s core objectives.

The draft opinion, in its current form, still leaves considerable uncertainty regarding the precise conditions requiring organizations to appoint a DPO. Accordingly, to mitigate regulatory exposure, it is recommended that organizations document their decision-making process regarding the appointment or non-appointment of a DPO and consider recording formal reasoning in board or management minutes.

  2. What are the threshold qualification requirements for a DPO?

The Authority requires that the DPO possess the knowledge and skills necessary to fulfil his/her role, namely being acquainted with the value of privacy protection, having teamwork capabilities, being persuasive and having the ability to lead processes, and it proceeds to address the criteria stipulated in the Law:

  • Comprehensive knowledge of Israeli privacy laws – having full and comprehensive command of privacy protection laws in Israel, including court and labor tribunal decisions on matters related to the right to privacy. While the Law does not stipulate the need for formal certification, the Authority highlights the expectation for having undergone at least 40 hours of dedicated training, preferably supplemented by prior experience or formal certification.
  • Technological competence – having sufficient understanding of technology and information security to implement “privacy by design” principles in the planning of organizational systems and in the use of privacy enhancing technologies (PETs), and being actively involved in analyzing the implications of new technologies and in assessing the privacy risks arising from them.
  • Familiarity with the organization’s activities and objectives – having a deep understanding of the organization’s objectives, sector, environment, and data processing practices, in order to identify potential risks, tailor information processing policies to the organization’s unique needs, and effectively implement the Law in work processes.

  3. What are the DPO’s responsibilities?

According to the Authority’s position, the DPO is a key position-holder in organizational data governance, and his/her role can be described as that of a compliance coordinator who must also promote the protection of privacy and information security beyond the legal minimum, while instilling an organizational “privacy culture” that considers privacy in all work processes involving personal data.

The Authority addresses each of the DPO’s functions in detail:

  • Professional authority and advisory – the DPO must be proactive and guide all departments across the organization that process personal data, from management decisions on policy to system design, third-party data transfers and destruction of data. The Authority highlights that while the Law does not mandate adherence to the DPO’s opinion, it must be given serious consideration and treated as the opinion of a function that must be consulted, and any deviation from the DPO’s opinion must be reasoned.
  • Training – the DPO must prepare a training program and oversee its execution. The Authority recommends that the DPO conduct the training personally, subject to the organization’s size.
  • Ongoing monitoring – the DPO must prepare an annual compliance audit plan and ensure its execution, and it is recommended that the DPO be involved in its actual execution. The DPO must report his/her audit findings to the organization’s management and recommend remediation actions to close any compliance gaps found during the audit. The Authority further clarified that monitoring compliance with data security regulations remains the responsibility of the Chief Information Security Officer (CISO), not the DPO.
  • Data security procedures and database definitions – the DPO must, at the very least, ensure the existence of management-approved and board-recognized data security policies. The Authority recommends that the DPO actively participate in preparing and updating the document defining the database.
  • Handling requests and inquiries by data subjects – the DPO must, at the very least, ensure the proper and professional handling of data subject inquiries and requests pertaining to the exercise of their right to privacy.
  • Point of contact with the Authority – the DPO will be the Authority’s point of contact for obtaining the DPO’s position or professional opinion prior to the Authority making decisions or handing down preliminary rulings relating to the organization for which he/she serves as DPO.

  4. The DPO’s organizational status

The Authority clarifies that the DPO may be engaged as an external service provider; however, it recommends an internal appointment within the organization to ensure the DPO’s in-depth familiarity with the organization, including its organizational structure and fields of activity, and to facilitate his/her availability and accessibility as necessary.

The Authority proceeds to clarify that only a natural person may serve as a DPO, although the contractual engagement may be through a company employing such natural person.

The Authority states that each organization may determine the DPO’s place in the organizational hierarchy, provided the legal requirements are met: direct reporting to the CEO or to a function directly subordinate to the CEO, allocation of adequate resources and conditions to the DPO, and the absence of conflicts of interest on the DPO’s part.

While there is no duty to proactively report to the Authority, the Authority may reach out to the DPO directly and require him/her to report opinions provided in the scope of his/her role. This presents a sensitive issue, since in general the DPO’s work is not privileged in the same way as legal opinions, and this should be taken into consideration.

  5. When does a concern for a conflict of interest arise?

In the context of a potential conflict of interest, the Authority adopts the approach of the French privacy authority, CNIL, according to which “the DPO cannot hold functions (or report to position holders) with decision-making authority or responsibility over formulating policies on processing personal data in the organization, including the adoption of processing purposes and significant decisions on methods and measures of processing data”.

More concretely, the Authority addresses the following positions in the organization:

  • General Counsel – the Authority does not prohibit placing the DPO within the organization’s legal department; however, it stresses the difference between the function of the general counsel (solely ensuring legal compliance) and the function of the DPO (entrusted with promoting the protection of privacy beyond the legal minimum).
  • Senior executives – generally, anyone with the authority or responsibility for formulating and determining the organization’s data processing policies, and specifically its purposes and means, cannot serve as DPO. As a rule of thumb, it is stated that the DPO should not be the organization’s marketing director, clients’/customers’ manager, CFO, CISO or CTO.
  • Chief Information Security Officer (CISO) – although not expressly prohibited, the Authority highlights the legal and practical complexity of combining the role of DPO with that of CISO, given the substantial difference between the two roles: the distinct know-how and skills required for each, the potential conflict of interest between them (e.g., heightened security measures that significantly impact privacy), and the differing reporting lines within the organization, since the CISO, unlike the DPO, is not required to be directly subordinate to a specific office holder. Furthermore, in large organizations, the heavy responsibilities of the CISO may prevent him/her from properly performing as DPO.

How can we be of assistance?

Our firm’s Privacy, Cyber & IT Department is at your disposal and available to assist in assessing the applicability of the requirement to the organization, identifying suitable candidates, supporting appointment processes, devising work plans and audits, and establishing monitoring and training mechanisms.

Nothing in the above constitutes legal advice and is provided for general informative purposes only.
