
Client Update – Appointment of a Data Protection Officer

4 November 2020

Dear Clients and Friends,

We would like to draw your attention to the fact that on October 29, 2020, the Israeli Privacy Protection Authority (the “PPA”) published a document calling on organizations to appoint a Database Protection Officer (“DPO”), who will be responsible for implementing the applicable laws for the protection of personal data within the organization.

The PPA states in the document (published for public comments) that while Israeli law, as a general rule, does not include an obligation to appoint an official who will be in charge of the protection of privacy in the organization (except in a few cases, such as the obligation to appoint a DPO under the Israeli Credit Data Law), the voluntary appointment of a DPO amounts to best practice for organizations that collect and process personal data. In the PPA’s view, the appointment of a DPO will improve the organization’s level of compliance with the data protection laws and regulations, which will constitute an indication of the existence of an action that reduces the risk to privacy and will even allow optimal cooperation with the PPA. In addition, the appointment of a DPO may in any case be required for Israeli organizations operating in foreign countries where there is a legal obligation to appoint a DPO (for example, an Israeli organization which is subject to the GDPR).

The PPA notes that the DPO can be appointed from within the organization, i.e. an employee of the company, or through an external appointment. In the case of an internal appointment, the organization must ensure that the DPO is not subject to a conflict of interest due to another role in the organization. Where a large organization is concerned, when the organization’s core business involves the processing of personal data, or where personal data is processed on a large scale, it is appropriate that a senior officer of the organization be appointed as the DPO. In the case of a medium or small organization whose core business does not involve the processing of personal data, an external DPO, who is not an employee of the organization, may be appointed. The PPA states that in order for the DPO to best fulfill his/her duties, it is recommended that the DPO be part of the senior management of the organization.

The PPA’s document outlines the roles of the DPO, which will be determined by the complexity of the data processing operations performed in the organization and its size. The PPA recommends a range of roles and authorities to be assigned to the DPO, including: designing data systems; conducting impact and risk surveys; preparing annual work plans; overseeing compliance with the provisions of the Israeli Privacy Protection Law; monitoring compliance with policies and procedures related to personal data in the organization; handling data subjects’ requests or complaints regarding the processing of personal data and the right to privacy; and acting as a center of knowledge and guidance regarding compliance with the provisions of the privacy legislation, etc.

The PPA emphasizes the importance of the authorities and independence granted to the DPO in order to perform his/her role in the best possible manner. Among other things, the organization must ensure that the DPO is involved in all matters related to the protection of personal data in the organization; that all the resources and authorities required in order to fulfill the role are granted; that the DPO’s institutional and professional independence is maintained; and that the DPO does not serve in another role in the organization if this creates a conflict of interest.

In addition, the PPA’s document defines the relevant knowledge and training required for an individual serving as a DPO. In the PPA’s view, the DPO’s training and areas of knowledge should include, inter alia, an appropriate academic background (for example, a law degree or data technology proficiency), in-depth knowledge of the Israeli data protection laws and regulations, familiarity with data protection laws in Europe and in the US, and familiarity with the business aspect of the organization’s management and professional ethics rules.

In addition, the PPA distinguishes between the role of the DPO and the role of the Data Security Appointee (“Security Appointee”) in the organization (a role defined in the Israeli Protection of Privacy Law, 1981). According to the PPA, while the Security Appointee is in charge of the organization’s compliance with the relevant standards and procedures for data security, and the implementation of all measures related to the prevention of data misuse, the role of the DPO is broader and relates to the design and formulation of work processes and procedures in the organization related to the management, processing and use of personal data (the aforementioned also includes professional guidance of the Security Appointee regarding the implementation of the security requirements).

We note that at this stage, the document published by the PPA is not binding and is currently in the status of a draft open for public comments, which can be submitted to the PPA until November 29, 2020.

To read the draft document in its full form (in Hebrew) >>  click here

Please do not hesitate to contact us if you have any questions or require any clarification regarding the above.

Sincerely,
Herzog Fox & Neeman

 

Nurit Dagan | Partner

The Commercial department

Dagan@herzoglaw.co.il

 

Ohad Elkeslassy | Partner

The Commercial department

Elkeslassyo@herzoglaw.co.il

 
