Written by: Haim Ravia, Dotan Hammer
Israel’s Privacy Protection Authority (PPA) has published draft guidelines providing Data Protection Officers (DPOs) with a detailed framework for managing personal information throughout its entire lifecycle within organizations.
The guidance document outlines obligations and best practices across five key stages of data management: pre-planning, collection, storage, processing, and end-of-life disposal.
The Authority emphasizes that DPOs must be meaningfully involved from the earliest planning stages of any new technology implementation or process involving personal data, as required under Amendment 13 to Israel’s Privacy Protection Law.
Pre-planning phase. Organizations are strongly encouraged to conduct Privacy Impact Assessments (PIAs) to identify and mitigate risks before deploying new systems. The guide recommends considering privacy-enhancing technologies such as data obfuscation and minimization techniques.
Data collection processes. Organizations must ensure they have a lawful basis, either statutory authority or valid consent, and must comply with notification requirements under Section 11 of the Privacy Protection Law. The Authority warns that providing false information to obtain personal data carries a penalty of up to three years’ imprisonment.
Storage and processing obligations. Organizations must register databases with the Authority when required, implement security measures per the 2017 Data Security Regulations, and immediately report serious security incidents. Annual reviews for excess data retention are mandatory.
The guide stresses that personal data may only be processed for its originally stated purpose. Unauthorized processing, disclosure of confidential information, and data transfers to third parties without consent carry criminal penalties.
Data disposal. When personal data reaches end-of-life, whether because collection purposes are fulfilled, retention periods expire, or deletion requests are received, organizations must properly delete or anonymize the information, including from backup systems and decommissioned equipment.
The document includes practical examples, such as implementing biometric attendance systems, managing fitness app data collection, and properly disposing of medical imaging equipment containing patient records.
Click here to read the Israeli Privacy Protection Authority’s Draft Guidelines for DPOs.