Israeli DPO · as a Service

Your appointed DPO in Israel.Already here.

Amendment 13 to Israel's Privacy Protection Law has been in force since 14 August 2025. DPOas serves as your officially appointed Data Protection Officer under Israeli law — and extends the same coverage to GDPR for European customers and users where you need it.

See our services
Compliant & operational under
Amendment 13Privacy Protection Law, 5741-1981Privacy Protection AuthorityIsraeli regulatorGDPR (extended coverage)Israel-EU Adequacy (Jan 2024)BilingualHebrew · English
The challenge

Israeli law now mandates a DPO. A full-time hire is rarely the answer.

Amendment 13 — Israel's biggest privacy overhaul in 40 years — has been in force since 14 August 2025. Section 17B1 mandates a Data Protection Officer for public bodies, data brokers (>10,000 individuals), entities engaged in systematic monitoring at scale, and any organisation processing high-sensitivity data at scale (banks, insurers, hospitals, health funds). Authority sanctions reach millions of NIS per violation, capped at 5% of annual turnover.

For Israeli companies serving European customers, GDPR adds a parallel layer — with its own Article 37 DPO requirement and exposure of up to €20M or 4% of global turnover. Israel's EU Adequacy status was reaffirmed January 2024, so data flows freely between the two regions — provided you meet both regimes in practice. A full-time DPO is expensive, slow to hire, and structurally unnecessary for most companies. There is a better way.

Evidence ledger
01
§17B1
DPO appointment mandatory — in force since Aug 2025
Privacy Protection Law (Amendment No. 13)
02
₪2M
Sanction in a single Authority worked example
PPA Amendment 13 Guide
03
₪10K
Statutory damages per claimant — no proof of harm
Privacy Protection Law, Section 29A
04
€20M
GDPR exposure where you also serve EU customers
GDPR Art. 83(5)
The solution

DPOas: your Data Protection Officer — embedded, not external.

We serve as your officially appointed Data Protection Officer under Section 17B1 of Israel's Privacy Protection Law (as amended) — reporting directly to your CEO as the law requires, and working alongside (not replacing) your CISO. We join your Slack, attend your meetings, maintain your Records of Processing Activities, handle data subject access and correction requests, and act as your liaison to the Privacy Protection Authority. Where you also serve European customers or users, the same appointment extends to GDPR Article 37 — one DPO, both regimes, no seams.

Legal expertise. Regulatory fluency. Always on.
Week 1

We assess

A 1-week review of your current compliance posture, data flows, and gaps — mapped against Amendment 13 and GDPR.

Deliverables
  • Posture report
  • Data-flow map
  • Risk register
Weeks 2–4

We build

We create your compliance framework — policies, RoPA, procedures, and DPAs — tailored to how your business actually operates.

Deliverables
  • Policy stack
  • RoPA
  • DPA templates
Ongoing

We operate

We serve as your appointed DPO on a continuing basis — embedded in your team, on call for the regulator, ready for the next audit.

Deliverables
  • Monthly review
  • Authority liaison
  • DSAR handling
Services

What we do

Why us

Why Israeli companies choose DPOas

01 / 04

Built for Israeli law, fluent in GDPR

Amendment 13 is the legal regime your business actually answers to — and we know it section by section. Israel's Adequacy status with the EU was reaffirmed in January 2024, so when you also serve European customers we extend the same depth into GDPR — including the points where the two regimes diverge that most advisors miss.

02 / 04

A lawyer, not just a consultant

Our DPO is a licensed Israeli commercial attorney with formal DPO certification. Every Data Processing Agreement, privacy policy, and regulatory response is built on solid legal foundations — not just compliance checklists.

03 / 04

Inside your team, not billing by the hour

We work as part of your organisation — attending your meetings, joining your Slack, reviewing your product roadmap. Not as occasional consultants who appear only when something goes wrong.

04 / 04

Built for technology companies

We understand SaaS architecture, cloud data flows, and the compliance triggers that come with growth — Section 17B1 obligations as you scale, Enterprise customers demanding DPAs, VC due diligence, EU market entry. We've seen them all.

FAQ

Frequently asked questions

Who must appoint a Data Protection Officer (DPO) under Amendment 13?

Section 17B1 of Israel's Privacy Protection Law (as amended) requires a DPO for: public bodies; direct-marketing brokers holding personal data on more than 10,000 individuals; entities engaged in systematic and ongoing monitoring of individuals at substantial scale (e.g., mobile telecoms, online search providers); and entities whose primary occupation involves processing high-sensitivity data at substantial scale, including banks, insurers, hospitals, and health funds.

When did Amendment 13 to the Israeli Privacy Protection Law enter into force?

Amendment 13 was published in Sefer HaChukim (Code of Laws) issue 3287 on 14 August 2024 and entered into force exactly one year later, on 14 August 2025, per Section 74(a).

Can the same person be both the DPO and the CISO?

The Privacy Protection Authority's Disclosure Opinion treats this as legally permitted but practically discouraged, and structurally problematic in larger organisations. The CISO carries personal liability for the security posture under the Information Security Regulations, which can pull against the DPO's duty to assess that posture objectively. In organisations required to appoint both roles under Section 17B(a), the Authority strongly suggests they be separate people.

What's the maximum monetary sanction under Amendment 13?

Sanctions reach the millions of NIS per violation. The headline ₪150,000 base (doubled for 1M+ databases) is rarely the actual ceiling — per-record formulas (₪2–8 per individual) drive the figure higher in published Authority worked examples (e.g., ₪400K for a public body without a DPO holding 100K sensitive records; ₪2M for outreach to 500K individuals without notice). The aggregate cap is 5% of annual turnover.

How does Amendment 13 differ from GDPR?

Amendment 13 is the Israeli regime your business directly answers to and applies to processing of personal data by Israeli organisations. GDPR applies to processing of EU/EEA personal data and to organisations targeting customers or users in the EU. The two regimes overlap heavily (consent, transparency, data subject rights) but diverge on specific obligations — for example, breach notification: Israeli law requires immediate notification of a serious security event to the Authority, while GDPR Article 33 requires notification within 72 hours. Israel's EU Adequacy status was reaffirmed in January 2024, simplifying data flows between the two regions.

Can the DPO be an external service provider rather than an employee?

Yes. Section 17B3(b) explicitly permits an external DPO. The Authority's Disclosure Opinion notes that an internal employee is preferable where feasible, but the test is whether the DPO is "properly involved in all matters relating to data protection law." For most companies, an embedded fractional DPO meets that test more reliably than a junior internal hire.
Amendment 13 is already in force

Amendment 13 is in force. Is your DPO?

Most companies discover their compliance gaps when a regulator comes knocking — or when an Enterprise customer demands a Data Processing Agreement they can't produce. Let's map where you stand before either happens.

Or email us directly