Draft Guideline regarding the Role of the Board of Directors in Fulfilling the Corporation’s Obligations According to the Protection of Privacy Regulations (Data Security), 2017
12 September 2023
We would like to draw your attention to the fact that on September 10, 2023, the Protection of Privacy Authority (the "PPA") published, for public comment, a draft guideline regarding the role of the board of directors in fulfilling the corporation's obligations according to the Protection of Privacy Regulations (Data Security), 2017 (the "Regulations").
The fundamental position of the PPA, according to the draft guideline, is that the board of directors is the appropriate and effective organ to decide who in the company is responsible for carrying out the requirements set out in the Regulations when personal information is processed as part of the core of the company's activity, or when there is a likelihood that its activity will create an increased risk to privacy. Examples given include companies engaged in information trade; companies that process sensitive information (information regarding the modesty of a person's personal life, medical information, genetic information, biometric information, information about special populations, etc.); and companies whose volume of information, or number of persons authorized to access the information in their possession, corresponds to the thresholds that establish a high level of security under the Regulations.
In this respect, the board of directors' roles include implementing supervision, control, compliance and reporting procedures with respect to the execution of the Regulations' obligations by the nominated organ, and making policy decisions regarding the use of personal information in the company and its management in material aspects.
According to the draft guideline, the board of directors itself has supervisory obligations under the Regulations:
- Approval of the database definition document.
- Approval of the main principles in the organizational information security procedure.
- Holding a discussion on the results of risk surveys and penetration tests, and approving the actions required to correct the discovered vulnerabilities.
- Holding a discussion of the information security incidents that occurred in the company, quarterly or annually depending on the database's level of security under the Regulations.
- Holding a discussion on the results of the periodic audit regarding compliance with the Regulations, which must be held once every two years.
The PPA emphasizes that the board of directors may, in appropriate cases and in accordance with the degree of privacy risk involved in the company's activities, and subject to reasonable documentation of the reasons for the decision, delegate its powers and determine that another organ in the company will be responsible for the performance of these duties, while supervising their execution in practice.
Comments on the draft guideline can be submitted until October 22, 2023.
The full text of the draft guideline is available in Hebrew.
We are happy to address any questions or clarifications you may have on the topic.