Draft Position Paper by the Privacy Protection Authority Regarding the Appointment of DPO
24 July 2025
On July 23, 2025, the Privacy Protection Authority (the “PPA”) published a draft position paper for public consultation regarding the appointment of a Data Protection Officer (DPO) (the “Officer” and the “Draft,” respectively). This requirement was introduced as part of Amendment No. 13 to the Privacy Protection Law, 1981 (the “Law”), which is set to come into force on August 14, 2025.
The purpose of the Draft is to clarify the PPA’s position and interpretation concerning the scope of the appointment obligation, the types of entities required to appoint a DPO, as well as the role, qualifications, and organizational standing of the Officer. The interpretation presented in the Draft will guide the PPA in exercising its powers on the matter, subject to the fact that this is a draft document.
Below is a summary of the main points of the Draft:
A. Entities Required to Appoint a DPO
- Public Bodies: Any controller or holder of a database that qualifies as a public body (e.g., government ministries, authorities, health maintenance organizations, etc.) is required to appoint a DPO, even if the database is exempt from registration.
This obligation does not apply to security bodies as defined under the Law.
- Entities Engaged in Data Trading: A controller of a database whose primary purpose is the collection of personal information for the purpose of transferring it to others as a business practice or for consideration (i.e., data brokers in the broad sense), including providers of direct marketing services, and where the database contains personal data on more than 10,000 individuals, is required to appoint a DPO.
- Entities Conducting Ongoing and Systematic Monitoring of Individuals:
A controller or holder of a database whose principal business activities include or involve data processing operations that, by their nature, scope, or purpose, require the ongoing and systematic monitoring of individuals, including tracking or systematic observation of a person’s behavior, location, or actions on a significant scale (for example, mobile communication providers and online search engine operators), is subject to the obligation to appoint a DPO. The term “ongoing and systematic monitoring” is relevant to tracking user activity on applications and websites (such as frequency of use, types of actions performed, and timing thereof), and the processing of personal data for the purpose of creating profiles of an individual’s characteristics, behaviors, interests, or preferences, for purposes such as targeted advertising, content personalization, or risk management.
The term “significant scale”, which is also a condition in the next category, is assessed based on a range of circumstances and varying considerations. The Law specifies several criteria, including the number of data subjects, the volume of data, the duration and frequency of processing activities, and others. These criteria need not be met cumulatively, and their inclusion in the Law is intended to clarify the purpose of the term. Additional considerations beyond those listed may also be taken into account.
- Entities Processing Particularly Sensitive Data: A controller or holder of a database whose primary activity involves the significant scale processing of “particularly sensitive information” (e.g., medical or financial information) is subject to the obligation to appoint a DPO.
This refers to the processing of personal data that constitutes a core component in achieving the main business or organizational objectives of the controller or holder, or forms an inherent part of the organization’s core activities. According to the Law, this requirement applies to banks, insurance companies, hospitals, and health maintenance organizations.
- Cases of Uncertainty and Voluntary Appointment: The PPA recommends that even organizations not legally required to appoint a DPO, particularly quasi-public bodies (those subject to principles of public law despite not being classified as public entities), do so on a voluntary basis, in order to enhance compliance with privacy legislation, strengthen the organization’s accountability framework in personal data management, and foster trust among customers and data subjects.
B. Required Knowledge and Qualifications of the DPO
The Law provides, in general terms, that the DPO shall possess the knowledge and qualifications required to properly perform their duties, and that each organization must assess, based on the circumstances, the relevant areas of knowledge and qualifications necessary for the role.
It is appropriate that the DPO’s professional approach recognize the value of protecting the right to privacy, and that the DPO possess teamwork skills, persuasive abilities, and the capacity to lead processes involving senior management.
In addition, the DPO is expected to have the following:
- In-depth knowledge of privacy and data protection law, usually acquired through substantial practical experience. The DPO is expected to undergo a basic training program for DPOs prior to assuming the role, and their expertise should be demonstrable.
- Adequate understanding of technology and information security, to a level that enables the DPO to effectively fulfill their responsibilities within the organization. This includes understanding the security risks inherent in the organization’s activities, as well as the suitability of proposed solutions to mitigate those risks.
- Familiarity with the organization’s field of activity and its objectives. The DPO must understand the organization’s structure, the sector in which it operates, the entities it engages with, and the characteristics of its data subjects. This knowledge is essential in order to identify potential risks, tailor data processing policies to the organization’s specific needs, and implement applicable regulatory requirements into operational processes.
C. Purpose and Responsibilities of the DPO
The DPO is required to ensure compliance with the provisions of the Law within the organization, and to act to promote and improve privacy protection and information security, including beyond the minimum standards set by law. Accordingly, a central responsibility of the DPO is to embed a “culture of privacy” throughout all organizational processes involving personal data. The DPO shall serve as the coordinator of compliance efforts with both mandatory requirements and recommended best practices, without bearing personal liability.
The DPO’s responsibilities include, inter alia:
- Serving as a professional authority and advisor (the DPO’s opinion should be given serious consideration, and any decision to deviate from it should be well-reasoned, even though it is not binding).
- Training (preparing a training plan and supervising its implementation).
- Ongoing monitoring of compliance with the Law (including preparing a compliance plan, ensuring its execution, and reporting findings and recommended corrective actions to senior management).
- Ensuring the preparation of an Information Security Policy and a Database Specification Document (with active participation in drafting and updating these documents being recommended).
- Handling data subject inquiries and requests in accordance with the Law.
- Serving as the organization’s point of contact with the PPA (including involvement in reporting serious security incidents to the PPA and in managing the incident itself).
D. Status of the DPO, Employment Structure, and Scope of Position
It is recommended that the DPO be an employee of the organization, although the position may also be filled by an external service provider. The employment structure and scope of the position should be assessed based on the specific circumstances of each organization. Only an individual may be appointed as DPO, and while there is no explicit requirement for the DPO to be an Israeli citizen or resident, they must be accessible and available, including physically present at the organization as needed to properly fulfill their responsibilities.
The organization must provide the DPO with the conditions and resources necessary for the proper performance of their duties (including recruitment of professional staff and an appropriate operational budget). It is necessary to ensure that the DPO is involved in all matters relating to data protection law (including maintaining and updating professional knowledge, access to all information required for the performance of the role, and participation in relevant discussions), and to ensure that the DPO is not in a position that gives rise to a concern of a conflict of interest (in order to strengthen the independence of their professional judgment). Each organization may determine the DPO’s position within the organizational structure at its discretion and according to its needs; however, it must ensure that there is no concern of a conflict of interest, and that the DPO reports directly to the CEO or to a person reporting directly to the CEO.
E. Can the DPO Also Serve as the Information Security Officer or CISO of the Organization?
While the Law does not explicitly prohibit the same individual from holding both roles, the knowledge and qualification requirements prescribed by the Law for the DPO do not align with the typical qualifications associated with the role of an Information Security Officer. In practice, assigning both roles to the same individual may give rise to legal and operational complexities. The reasons for this include:
- The Information Security Officer may not necessarily possess in-depth knowledge of data protection law.
- The differences between the roles may lead to conflicts of interest, particularly if they cannot be properly balanced in practice.
- The Law requires that the DPO report directly to the CEO, or to an employee who reports directly to the CEO, whereas the Information Security Officer may not necessarily meet this seniority and reporting requirement.
The PPA emphasizes its intention to exercise its powers to ensure that the appointment of a DPO within organizations is carried out in accordance with the provisions of the Law, and that the appointed DPO possesses in-depth knowledge of the legal and regulatory aspects of data protection law.
Comments on the draft position paper may be submitted until September 23, 2025, at 12:00 PM.
Please do not hesitate to contact us with any questions or requests for clarification on this matter.
Sincerely,
Regulatory Team – Commercial Department
Herzog Fox & Neeman