For businesses expanding into Israel or handling data about Israeli customers, the question "what is Israel's version of the GDPR?" comes up quickly. The answer is more nuanced than a simple comparison: Israel has its own data protection framework, built around the Privacy Protection Law 1981, supported by binding security regulations issued in 2017, and overseen by a dedicated regulatory authority. While the Israeli framework predates the GDPR by decades, it has been substantially updated and is taken seriously by enforcement authorities.
This guide covers the Israeli data protection law as it applies to businesses — whether you are a foreign company with Israeli customers, a startup incorporating in Israel, or a multinational transferring employee data to an Israeli subsidiary. Understanding the registration obligation, the security standards, and when cross-border transfers are lawful is essential before you process a single record.
1. Israel's Privacy Protection Framework
Israeli data protection law is built on three main pillars:
- Privacy Protection Law, 5741-1981 — the primary legislation, establishing the right to privacy, defining what constitutes a database of personal information, and setting out the conditions under which personal data may be collected, held, and used
- Privacy Protection Regulations (Data Security) 2017 — binding regulations that impose specific technical and organisational security obligations on database owners, tiered by the sensitivity of the data held
- Privacy Protection Authority (PPA) — the regulatory body responsible for supervision, registration of databases, enforcement, and guidance
Israel is also subject to ongoing legislative development. Proposed reforms to the Privacy Protection Law have been debated in the Knesset for several years, with draft legislation seeking to modernise the framework closer to GDPR principles — including enhanced consent requirements, data subject rights, and higher penalties. As of the time of writing, the 1981 Law as amended, together with the 2017 Regulations, remains the operative framework. Businesses should monitor developments, as amendments may increase compliance obligations.
The Privacy Protection Law is enforced both civilly (as a basis for tort claims) and criminally (violations can result in prosecution). This dual enforcement track means that a serious data breach or improper use of personal data can expose a business to both regulatory action and private lawsuits.
2. The Privacy Protection Law 1981: Core Requirements
The Privacy Protection Law defines personal information broadly as data about a person's personality, personal status, intimate affairs, health condition, financial situation, professional qualifications, or opinions — as well as any data that could identify the person. The law applies to anyone who holds a database — defined as a collection of personal data stored for retrieval by computer or another systematic means.
Key prohibitions under the Law:
- Collecting data on a person's beliefs, political affiliations, or intimate life without their consent
- Using personal information for a purpose other than the purpose for which it was collected (purpose limitation)
- Disclosing personal information to a third party without the data subject's consent or a lawful basis
- Providing inaccurate data from a database when the data subject has requested correction
- Transmitting personal data outside Israel to a country that does not provide an adequate level of protection (subject to exceptions)
Rights of data subjects:
- Right to inspect the data held about them in a registered database
- Right to demand correction of inaccurate data
- Right to object to the use of their data for direct marketing
- Right to be informed about the purpose of data collection when providing information
When collecting personal data directly from an individual, businesses must inform the person: (a) whether providing the information is obligatory or voluntary; (b) the purpose for which the data is collected; and (c) to whom the data may be transferred. This is effectively a notice requirement comparable to, though less detailed than, a GDPR privacy notice.
3. Database Registration with the Privacy Protection Authority
One of the most distinctive features of Israeli data protection law — and one that catches many foreign businesses off guard — is the obligation to register certain databases with the Privacy Protection Authority before using them.
When registration is required: A database must be registered if it meets any of the following conditions:
- It contains information about more than 10,000 people
- It contains sensitive information (health, financial, criminal history, or beliefs) about any number of people
- The database is used for direct mail or marketing services — i.e., the data is sold or provided to others for that purpose
- The database is held by a public body (government institution or publicly funded organisation)
What the registration requires: The database owner must file an application with the PPA, disclosing: the purpose of the database; the types of data held; who has access to it; whether data is transferred abroad; and the identity of the database owner and manager. Registration creates a public record — the PPA maintains a register of databases that can be searched.
Who bears the obligation: The obligation falls on the owner of the database, defined as the entity that determines the purpose and manner of data processing. A foreign company that owns or controls a database containing information about Israeli residents is subject to this obligation even if it has no physical presence in Israel — a point the PPA has confirmed in guidance. If the foreign company uses an Israeli data processor or cloud provider to store the data, the foreign company remains the database owner responsible for registration.
Operating a registrable database without registering it is a criminal offence under the Law. The PPA has shown increasing willingness to investigate and prosecute non-compliant entities, including foreign ones with Israeli market-facing operations.
4. Data Security Regulations: What Your Business Must Do
The Privacy Protection Regulations (Data Security) 2017 are the most practically demanding element of the Israeli data protection framework for businesses. They impose a tiered set of security obligations based on the level of security classification assigned to the database.
Three security levels:
- Basic level — applies to databases containing routine personal information (names, contact details, non-sensitive records)
- Medium level — applies to databases containing more sensitive data or databases held by entities providing services to a large number of people
- High level — applies to databases containing sensitive categories of information (health, financial, biometric, criminal) or those held by major financial institutions, healthcare providers, and similar entities
Obligations common to all levels include:
- Appointing a database security officer responsible for data security within the organisation
- Preparing and maintaining a data security procedure document covering how data is accessed, stored, backed up, and protected
- Implementing access controls so that only authorised personnel can access personal data
- Logging access to the database and retaining access logs
- Conducting periodic risk assessments and updating the security procedure accordingly
- Ensuring that third-party service providers who access the database are contractually bound to comply with the same security standards (equivalent to data processing agreements)
Additional obligations at medium and high levels include penetration testing, encryption of data in transit and at rest, restrictions on portable media, and enhanced access control measures. High-level databases face the most stringent requirements and must engage an external expert to audit compliance periodically.
A breach of the Data Security Regulations is not a criminal offence in itself, but it is treated by the PPA as evidence of negligent management of a database and will aggravate any enforcement action or civil claim arising from a data breach.
5. Cross-Border Data Transfers and EU Adequacy
The Privacy Protection Law prohibits transferring personal data outside Israel to a country that does not afford an adequate level of protection for personal information. This mirrors the structure of the EU GDPR's Chapter V restrictions on international transfers.
Israel's EU adequacy status: The European Commission has recognised Israel as providing adequate protection for personal data since 2011 — one of the first and still relatively few non-EEA countries to hold this status. In practice, this means:
- Personal data can flow from the EU (and EEA) to Israel without the need for additional safeguards such as standard contractual clauses or binding corporate rules
- Israeli companies receiving data from European entities can rely on the adequacy decision rather than having to negotiate separate data transfer mechanisms
- EU-based businesses with Israeli subsidiaries or service providers benefit from streamlined data transfers in both directions
Transferring data from Israel to other countries: When an Israeli database owner (or a foreign company subject to Israeli law) wants to transfer personal data to a country outside Israel, the recipient country must provide a comparable level of protection. Countries that have been officially recognised by the PPA as adequate, or that are subject to the GDPR, generally qualify. Transfers to the United States — depending on the receiving entity's certification status — may require additional contractual or technical safeguards.
Practical implications for foreign companies: A foreign company that collects data from Israeli residents and transfers it back to its home-country servers should assess whether the transfer is lawful under Israeli law. If the home country does not offer adequate protection (and the company cannot rely on an exception), a transfer prohibition may apply. The most common exceptions include the data subject's informed consent and transfers necessary for the performance of a contract with the data subject.
6. The Privacy Protection Authority: Powers and Enforcement
The Privacy Protection Authority (formerly known as the Registrar of Databases) operates under the Ministry of Justice. Its powers include:
- Maintaining the database register — receiving registration applications and maintaining the publicly searchable register of databases
- Issuing guidance — publishing opinions, guidelines, and frameworks on data protection compliance (the PPA publishes detailed guidance on topics ranging from employee monitoring to biometric data)
- Conducting investigations — investigating complaints from data subjects and initiating own-motion investigations into organisations suspected of violations
- Ordering corrective measures — directing organisations to take specific remedial steps, including deleting data, enhancing security, or amending internal procedures
- Referring criminal cases — referring serious violations to the State Attorney's Office for criminal prosecution
- Publishing enforcement actions — the PPA has increased transparency around its enforcement activity, publicising investigations and findings
The PPA has taken enforcement action against healthcare providers, financial institutions, and technology companies for failures including unregistered databases, inadequate data security leading to breaches, unlawful direct marketing, and improper use of biometric data. Foreign companies operating in Israel have also been subject to investigations.
A key recent development is the PPA's increased focus on data breach notification. While Israel does not yet have a statutory mandatory breach notification requirement equivalent to the GDPR's 72-hour rule, the PPA has issued guidance strongly encouraging organisations to notify both the PPA and affected individuals promptly following a significant data breach. Proposed legislation would make breach notification mandatory; businesses should treat timely notification as best practice regardless of the current legal position.
A Dutch e-commerce company serving Israeli customers discovered that its cloud vendor had misconfigured access controls, exposing a database of approximately 45,000 Israeli customer records — full names, email addresses, and purchase histories — for an estimated three weeks in late 2023. Under guidance from the Privacy Protection Authority (Reshut HaHagana Al HaPratiyut), the company voluntarily self-reported the breach within two weeks of discovery, submitted a detailed incident report in Hebrew prepared by local Israeli counsel, and notified approximately 45,000 affected Israeli individuals by email. The PPA opened a formal inquiry under the Privacy Protection Law 5741-1981 and the 2017 Data Security Regulations, but ultimately closed the case without a financial sanction, citing the company's proactive disclosure, cooperation, and immediate corrective measures — which included registering its Israeli-customer database that had previously been unregistered. The lesson: voluntary self-reporting paired with rapid remediation consistently results in significantly lighter PPA enforcement outcomes than breaches discovered through third-party complaints.
7. Practical Compliance Checklist for Foreign Companies
If your business collects, holds, or processes personal data about Israeli residents — whether as a foreign company with an Israeli operation, a SaaS provider serving Israeli customers, or an employer with Israeli staff — work through the following steps:
- Map your data. Identify every category of personal data you hold about Israeli residents and where it is stored. Determine whether any database meets the registration threshold (sensitive data of any size, or general data about more than 10,000 people).
- Register qualifying databases. File registration applications with the PPA for any database that requires registration. Registration must be in place before the database is used or expanded beyond the threshold. Applications are submitted through the PPA's online portal.
- Classify your databases by security level. Apply the 2017 Regulations' tiered framework to each database and implement the required technical and organisational measures for the applicable level.
- Appoint a database security officer. This is a formal role under the 2017 Regulations. The officer must have the relevant authority and knowledge to manage data security across the organisation's Israeli-facing operations.
- Draft data security procedures. Prepare the mandatory security procedure document covering access controls, logging, backup, incident response, and third-party processor obligations.
- Review your privacy notices. Ensure that when collecting data from Israeli residents, your notices disclose the purpose of collection, whether provision is voluntary, and the categories of recipients.
- Audit cross-border transfers. Map every data flow from Israel to other countries and confirm that each recipient jurisdiction provides adequate protection or that a recognised exception applies.
- Establish a data subject request process. Implement a procedure for handling inspection requests and correction requests from Israeli data subjects within the timeframes required by the Law.
- Monitor legislative developments. The Knesset has been debating a comprehensive update to the Privacy Protection Law. Assign responsibility for tracking developments and updating your compliance posture when new requirements come into force.
