Amendment 13: Israel’s updated Privacy Protection Law and what businesses must do now

Introduction

Amendment 13 to Israel’s Privacy Protection Law (effective August 14, 2025) introduces stricter definitions, mandatory roles like DPOs, new registration thresholds, and broader enforcement powers for the Privacy Protection Authority (PPA).

For covered businesses, this isn’t just another regulatory update; it’s a set of immediate operational requirements. Whether you operate in Israel or process data from Israeli residents, you now face tighter thresholds, clearer role definitions, and higher financial exposure.

Why Amendment 13 matters for businesses

Amendment 13 introduces obligations that affect how you collect, store, and process personal data. The Privacy Protection Authority (PPA) now has broader investigative authority and can impose penalties reaching up to 5% of annual turnover.

Key business pain points include:

  • Lower registration thresholds as more businesses now qualify for database oversight.
  • Mandatory Data Protection Officer (DPO) appointments for certain operations.
  • Higher scrutiny for “highly sensitive information” such as biometric, genetic, and precise location data.
  • Increased litigation risk with civil remedies available without proof of harm.

Failing to respond quickly can lead to enforcement action, reputational damage, and significant legal costs.

Key changes introduced under Amendment 13

1. Expanded definitions

  • “Personal information” now includes digital identifiers
  • Introduction of “highly sensitive information” (e.g., genetic, biometric, or geolocation data)
  • “Controller” and “Processor” now officially replace outdated terms like “database holder”

2. Lowered registration thresholds

  • Registration is required only if processing data of more than 10,000 individuals or if managed by a public body.
  • Controllers processing highly sensitive data for over 100,000 individuals must notify the PPA and provide key details such as identity and DPO contact.

3. Mandatory DPO appointment

Organizations must appoint a qualified Data Protection Officer if they:

  • Are a public body
  • Process highly sensitive data at scale
  • Conduct ongoing or systematic monitoring of individuals

4. Enhanced transparency

Privacy notices must now:

  • State whether providing data is optional or mandatory
  • Explain the purpose of collection
  • List the consequences of refusal
  • Clarify data subject rights

5. Civil remedies without proof of harm

  • Courts can grant damages without requiring evidence of harm.
  • The statute of limitations is extended from 2 to 7 years.

6. Stronger enforcement tools

  • Fines of up to 5% of turnover
  • Mandatory audits
  • Corrective actions for non-compliance
  • Data erasure mandates in serious cases

7. Compliance flexibility

  • Businesses can request preliminary opinions from the PPA.
  • Reduced administrative burden by removing certain annual reporting requirements.

7 actions businesses must take now

To align with Amendment 13, businesses should:

  1. Review your data thresholds
    Confirm whether your organization crosses the new 10,000 or 100,000 individual thresholds.

  2. Appoint a DPO if needed
    Ensure they are trained and available to interface with the PPA.

  3. Update privacy policies and internal records
    Use the expanded definitions and clarify user rights, purposes, and legal basis.

  4. Audit your processing of highly sensitive data
    Especially if you collect geolocation, biometric, or genetic identifiers.

  5. Train teams on new obligations
    This includes legal, tech, marketing, and HR—especially for rapid PPA response.

  6. Document your compliance steps
    Keep evidence of policies, notices, thresholds, DPO appointments, and requests.

  7. Use PPA guidance where clarity is needed
    Preliminary opinions can help reduce ambiguity, though they aren’t binding.

How Clym helps businesses

Clym’s compliance solution has been updated to incorporate the requirements introduced by Amendment 13, helping businesses address these new obligations with less manual effort.

Clym provides tools to:

  • Track evolving laws, including Amendment 13, and adapt privacy settings accordingly.
  • Manage consent in line with Israeli requirements, with jurisdiction-specific mechanisms and secure audit trails.
  • Automate Data Subject Requests (access, correction, deletion) with timestamped workflows.
  • Maintain version-controlled policies that reflect updated notice requirements.

Instead of using separate tools for consent, privacy notices, and data requests, Clym brings them all together. Discover more about Clym’s All-in-One compliance widget.

Conclusion

Amendment 13 signals a new phase of regulatory enforcement in Israel, one where clarity and readiness are critical. Businesses now face tighter operational requirements, expanded data rights, and greater penalties for non-compliance.

While the law increases complexity, it also offers an opportunity to streamline governance. By using platforms like Clym, businesses can reduce administrative strain, keep policies aligned, and maintain visibility across their operations without having to manually track every change.

FAQs

Yes. If you process personal data of Israeli residents, you are subject to the law, regardless of your business location.

No. Only certain entities, such as public bodies or those engaging in large-scale processing of sensitive data, must appoint a DPO.

The amendment is already in effect and obligations apply immediately.

Examples include biometric, genetic, precise location data, and other categories specified by the law.

Yes. Lack of awareness is not a defense under the Privacy Protection Law.

Clym’s compliance solution keeps track of legal changes and facilitates consent management, automated requests, policy updates, and centralized disclosures, all designed to facilitate compliance with Israel’s Amendment 13 to the Privacy Protection Law (PPL).

Alex Margau

Content Manager

Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.
