Transfer of Data to Israel from the European Economic Area
10 May 2023
Further to our previous client update of December 7, 2022, we wish to update you that on May 7, 2023, the Protection of Privacy Regulations (Instructions Regarding Data Transferred to Israel from the European Economic Area), 2023 (the “Regulations”), were officially published.
The background for the Regulations is the review process that the European Commission is currently conducting with respect to Israel in order to renew the adequacy status accorded to Israel by the EU in 2011. Adequacy status is granted to countries that offer a level of data protection equivalent to that of the European Economic Area (the “EEA”). It currently permits organizations in the EEA to transfer personal data to organizations in Israel without additional regulatory obligations on either the transferring party or the receiving party, which is of significant importance for the Israeli economy.
The Regulations impose four requirements on database controllers in Israel regarding (a) personal data transferred from the EEA to Israel, excluding data transferred directly by the data subject; and (b) any additional personal data stored in an Israeli database that contains data received from the EEA as stated in paragraph (a) above (i.e. including personal data of Israeli data subjects in the same database that receives personal data from the EEA):
• Limitation on Retention of Unnecessary Data – Implementation of an organizational, technological or other mechanism to ensure that the database does not include data which is no longer required for the primary purpose for which it was collected or maintained, or for another purpose that legally permits its retention. If such data is found in the database, it must be deleted as soon as possible given the circumstances (this requirement does not apply if the data has undergone an anonymization procedure, or if the use of the data is required for specific purposes stipulated in the Regulations).
• Data Accuracy – Implementation of an organizational, technological or other mechanism to ensure that the data in the database is correct, complete, clear and up-to-date. If this condition is not met, the controller must implement reasonable measures given the circumstances to rectify or delete the data.
• Data Subjects Notification – The controller will be required to inform the data subject of the identity and contact information of the controller and of the database manager, the purposes for which the data was transferred, the type of data transferred, and the data subject’s right of deletion under the Regulations, right of access (under section 13 of the Protection of Privacy Law), and right of correction (under section 14 of the Protection of Privacy Law). The Regulations impose similar notification requirements on controllers when they transfer data to third parties, including informing the data subject of the third party’s identity or the types of third parties involved. However, the Regulations provide certain exceptions to the notification requirement (e.g., when there is a reasonable basis to assume that the data subject is already aware of the information, or when it would be unreasonably difficult for the controller to disclose the information to the data subject).
The enactment of the Regulations is an excellent opportunity for database controllers to review their organization’s privacy and database policies in general and more specifically – to prepare for the implementation of the Regulations.
Herzog, Fox & Neeman