What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is the person in charge of verifying that personal data processing complies with the applicable law. The DPO communicates information about the processing of personal data, such as its purposes, interconnections, the types of data, the categories of data subjects, retention periods, and the department(s) in charge of carrying out the processing. Appointing a DPO may be required by law or merely recommended. Under Israel’s Protection of Privacy Law (PPL), 1981 (Sec. 17B), the following entities are required to appoint a DPO:
- entities holding five or more databases requiring registration under the PPL;
- public bodies;
- banks, insurance companies and companies engaging in ranking or evaluating credit ratings.
Employers who are required to register their databases should note that details of the DPO must be supplied as part of the registration process. DPOs are responsible for:
- database security (PPL, Sec. 17B);
- preparing a database security procedure and submitting it to the database owner for approval (DSR, Sec. 3(2)); and
- preparing a plan for ongoing auditing of compliance with the Protection of Privacy Regulations (Data Security), 2017 (DSR), performing the audit, and notifying the database owner and database manager of its results (DSR, Sec. 3(2)-(3)).
The DSR further requires that (a) the DPO be directly subordinate to the database manager or to the manager of the entity that holds or owns the database; (b) the DPO not be in a conflict of interest; and (c) the DPO be provided with the resources necessary to fulfill the role.
The Israeli Protection of Privacy Authority’s guidelines include a recommendation to appoint a DPO when engaging outsourcing services that involve the processing of personal data (depending on the sensitivity of that data). It is also recommended that the outsourcer appoint a DPO.