Israel: General Data Protection Regulation

Last Updated: 10 January 2019
Article by Simon Marks, Natalie Noy and Laura Jelinek

The clock is ticking. The European General Data Protection Regulation (short: "GDPR") will come into force in May 2018 and Israeli companies need to ensure that they comply with the new laws on data protection and privacy. This bulletin outlines the ten most critical steps that should be taken in preparation for the GDPR.

What is the GDPR?

ERM has summarised the changes that the GDPR will bring, and how they will apply to Israeli businesses, in two previous bulletins (January and August 2016). In a nutshell, though, the GDPR aims to strengthen the rights of data subjects residing in the European Union, and to harmonize the data protection laws of the EU member states.

"Personal Data" can be any information which relates to an identified or an identifiable natural person. It can be a person's name, photo, email address, bank details, medical information, or even IP addresses or device identifiers.

One way by which the GDPR intends to ensure strengthened privacy rights of data subjects is by introducing significant fines for non-compliance, which can amount to up to 4% of the global annual turnover, or € 20 million, whichever is greater.

10 Steps to Take Now

1. Check Applicability

Now is the time for an organisation to review its current practices and evaluate whether it is or may be subject to the GDPR. The GDPR will apply even to those data collectors and processors without any establishment in the EU, if they process data of EU residents in connection with offering goods or services. In addition, the GDPR will also apply to a data controller that monitors the behaviour of individuals within the EU. "Monitoring" may include, for example, profiling of EU data subjects to analyse or predict the data subject's personal preferences or behaviours.

2. Revise Structure and Responsibility in the Organisation

The heightened obligations under the GDPR, together with the significant fines for noncompliance, require that data protection not only becomes the management's responsibility, but is also brought to the attention of the entire organisation. Such general awareness can be created through data protection guidelines and a detailed regulation of internal responsibilities. Further, an entity with 250 or more employees, or whose core activities regarding data processing consist of a regular and systematic monitoring of EU data subjects, needs to appoint a data protection officer who has sufficient knowledge of data protection law and practices.

3. Keep an Overview of Processing Activities

Under the GDPR, organisations need to maintain detailed records of their data processing activities (also known as "data mapping"). Such data map should provide an overview of the data flow within an organisation and for example outline the various categories of data held and processed, as well as data transfers between different units and to third parties. An organisation should keep such records of processing activities and, in case of an audit by the supervisory authority, be able to present these records in order to demonstrate compliance with the standards for lawful processing.

4. Prepare for Data Breaches

Controllers must notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Data controllers should therefore establish internal processes that ensure that the organisation can, at first, identify and handle potential data breaches, which also includes ensuring that data breaches are communicated to the relevant management levels. Further, the organisation must implement the necessary processes for being able to submit a detailed notification of a data breach within 72 hours.

5. Implement Privacy by Design and by Default

These concepts are newly codified in the GDPR and require controllers to ensure that individuals' privacy is considered from the outset of each new processing, product, service or application, and that, by default, only minimum amounts of personal data as necessary for specific purposes are collected and processed. Data controllers should ensure implementation of certain measures, such as pseudonymisation or data minimisation that are designed to ensure data protection principles are applied from the outset of any project.

6. Review Agreements with Third Parties

Any agreements with data processors that are entered into from now on must include certain provisions regarding the implementation of security measures, an obligation to notify the data controller of breaches, maintenance of records of processing activities, etc. Such obligations cannot be avoided by a choice-of-law clause. In addition, agreements that are already in place need to be reviewed and, if necessary, amended. This is especially important in light of the fact that under the GDPR, supervisory authorities have the right to audit compliance with these obligations and may request organisations to provide such agreements for their review.

7. Ensure Transparency and Compliance with Information Duties

Affirmative Consent: An organisation that relies on a data subject's consent for the collection and processing of personal data needs to review the existing mechanism under which consent is obtained: The GDPR requires that consent is given expressly and in an informed manner, for example by ticking a box "I agree". Equally, it should be checked whether the data subjects can withdraw their consent as easily as they have given it.

Information of the Data Subject: A data collector has to provide certain information to data subjects, such as the purpose of the data processing, contact details of the data protection officer, or information on the transfer of data to other countries, if relevant. Organisations, therefore, should now review and adapt the texts that provide such information to ensure they are in line with the requirements of the GDPR.

8. Revise Profiling Activities

The GDPR restricts "profiling" activities, i.e. the automated processing of personal data in order to analyse or predict certain aspects concerning a natural person's economic situation, health, personal preferences, interests, behaviour, location or movement. Individuals have a right not to be subject to a decision based solely on automated processing, which means that the data controller must implement suitable measures to either obtain explicit consent from the data subject, or to include an option for the data subject to "opt out" of the automated processing. Only in certain cases may a controller rely on an authorisation by law, for example, for profiling in connection with monitoring of fraud and tax evasion.

9. Establish a Procedure to Respond to Requests to Data Access and to Data Portability

In addition to data subjects' rights that have been existing under the current legislation, the GDPR contains several new rights for the data subject, such as the right to access his or her personal data collected by an organisation, and receive information on the processing activities. Similarly, a data subject can request to receive his or her personal data in a commonly used format and have it transferred to another data controller. It is therefore important to establish internal procedures in order to satisfy such requests for data access or data portability by data subjects.

10. Prepare for Data Protection Impact Assessments

Under the GDPR, controllers will be required to undertake data protection impact assessments ("DPIAs") prior to data processing - in particular processing using new technologies - which is likely to result in a high risk to the rights and freedoms of individuals (for example: automated processing for purposes of profiling). A DPIA assesses the impact of envisaged data processing operations on the protection of personal data, and more specifically the likelihood and severity of risks for the rights and freedoms of individuals resulting from such processing. Such DPIAs will likely play an important role under the GDPR; and controllers should establish guidelines and processes for determining if a data protection impact assessment has to be conducted, and embed DPIAs within the internal operations.

Originally published on 14 November 2017

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Epstein Rosenblum Maoz
Epstein Rosenblum Maoz
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Practice Guides
by Mondaq Advice Centres
Relevancy Powered by MondaqAI
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Epstein Rosenblum Maoz
Epstein Rosenblum Maoz
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions