Media Centre

Transfer of Data to Israel from the European Economic Area

10 May 2023

Dear clients and colleagues,

Further to our previous clients update on December 7, 2022, we wish to update you that on May 7, 2023, the Protection of Privacy Regulations (Instructions Regarding Data Transferred to Israel from the European Economic Area), 2023 (the “Regulations“), were officially published.

The background for the Regulations is the review process the European Commission currently conducts with respect to Israel in order to renew the adequacy status accorded to Israel by the EU in 2011. The adequacy status is granted to countries that offer a level of data protection equivalent to that of the European Economic Area (the “EEA“), and it currently permits organizations in the EEA to transfer personal data to organizations in Israel without the need for additional regulatory obligations by either the transferring party or the receiving party, which is of significant economic importance for the Israeli economy.

The Regulations impose four requirements on database controllers in Israel regarding (a) personal data transferred from the EEA to Israel, excluding data transferred directly by the data subject; and (b) any additional personal data stored in an Israeli database that contains data received from the EEA as stated in paragraph (a) above (i.e. including personal data of Israeli data subjects in the same database that receives personal data from the EEA):

• Data Deletion – Deletion of data shall be carried out upon receipt of a written request submitted by the data subject, if it was created, received, accumulated, or gathered contrary to the provisions of the law; if continuing the usage of such data violates any law; or if the data is no longer needed for its original purposes, subject to certain exceptions provided under the Regulations.

• Limitation on Retention of Unnecessary Data – Implementation of organizational, technological or another mechanism in order to ensure that the database will not include data which is no longer required for the primary purpose for which it was collected or maintained or for another purpose that legally permits its retention, and if such data was found in the database – it is required to delete it as soon as possible given the circumstances (such requirement would not apply if the data has undergone an anonymization procedure, or if the use of the data is required for specific purposes stipulated in the Regulations).

• Data Accuracy – Implementation of organizational, technological or another mechanism in order to ensure that the data in the database is correct, complete, clear and up-to-date, and if this condition is not met – the controller must implement reasonable measures given the circumstances to rectify or delete the data.

• Data Subjects Notification – The controller will be required to inform the data subject regarding the controller’s and the database’s manager identity, contact information, purposes for which the data was transferred, the type of data transferred, and the data subject’s rights of deletion under the Regulations, access (under section 13 to the protection of privacy law), and correction rights (under section 14 to the protection of privacy law). The Regulations impose similar notification requirements on controllers when they transfer data to third parties, including informing the data subject regarding the third party’s identity or the types of the third parties involved. However, the Regulations provide certain exceptions to the notification requirement (e.g., when there is a reasonable basis to assume that the data subject is already aware of the information, when it would be unreasonably difficult for the controller to disclose the information to the data subject, etc.).

The Regulations will be implemented in three phases, depending on the type of data:
• Three months after the publication of the Regulations, i.e. on August 8, 2023 (“The Effective Date“) – with respect to data received from the EEA in an Israeli database on or after the Effective Date (“new data”).
• A year after the publication of the Regulations, i.e. on May 7, 2024 – with respect to data received from the EEA in an Israeli database before the Effective Date (“old data”).
• January 1, 2025 – with respect to any additional data stored in an Israeli database that contains data received from the EEA on or after The Effective Date (“Israeli data”).

The enactment of the Regulations is an excellent opportunity for database controllers to review their organization’s privacy and database policies in general and more specifically – to prepare for the implementation of the Regulations.

To read the full Regulations (HE)>> click here 
We will be happy to be at your service for any questions or required clarifications.

Herzog, Fox & Neeman

Nurit Dagan | Partner
Tel: 03-6922817
Ohad Elkeslassy |Partner
Tel: 03-6922817
Search by +