How big are Amendment 13 sanctions, really? Worked examples from the Authority's guide.
The Privacy Protection Authority published its own worked examples of monetary sanctions under Amendment 13. The numbers are bigger than most companies expect. Here is how they are computed, with the formulas and the Authority's three worked scenarios.
Amendment 13 introduced a tiered monetary-sanction regime that the Privacy Protection Authority can impose directly, without going through a court. The headline figures (₪150,000 base; ₪320,000 for failure to notify a serious security event in a high-security database) are what people remember, but they are rarely the actual ceiling. The Law uses three mechanisms that move the number quickly: doubling for databases of 1,000,000+ individuals, per-person formulas for entire categories of violation, and an aggregate cap of 5% of annual turnover that bounds the total.
How the formulas actually work
There are three sanction "shapes" you need to understand:
- Fixed sanctions — e.g., ₪150,000 for failing to register a database that requires registration; ₪15,000 for refusing access requests. Doubled for 1M+ records.
- Per-person sanctions — e.g., ₪50/person (₪100 if special-sensitivity) for outreach without notice under Section 11. Floor: ₪30,000.
- Per-record-in-database sanctions — e.g., ₪2/person (₪4 if special-sensitivity) for failure to appoint a DPO under Section 17B1(a)(1)–(2). Floor: ₪20,000 (₪40,000 with sensitive data).
Three worked examples from the Authority
Example 1. A public body that did not appoint a DPO, holding personal data on 100,000 people including special-sensitivity information. Per-record formula: 100,000 × ₪4 = ₪400,000 sanction.
Example 2. Unauthorised processing in a database holding 200,000 records with special-sensitivity data. Per-record formula: 200,000 × ₪8 = ₪1.6 million sanction.
Example 3. An outreach to an unspecified group (e.g., a public website link) collecting personal data on 500,000 people without the notice required by Section 11, where the data is special-sensitivity. Per-person formula: 500,000 × ₪4 = ₪2 million sanction.
The 5% turnover cap
No aggregate sanction can exceed 5% of the violator's annual turnover. For a company with ₪40M annual turnover, that caps exposure at ₪2M per enforcement action, whichever violations triggered it. The cap is a ceiling, not a discount: the Authority's Example 3 (₪2M) lands exactly on it at ₪40M turnover, and a company at ₪100M turnover (cap ₪5M) would pay the full ₪2M.
Reductions that actually move the number
The Fifth Schedule lets the Authority reduce a sanction by up to 70% in aggregate. The largest individual reductions: 30% if you self-report and stop the violation, 20% for a clean compliance history over the preceding five years, 20% for remediation, and 10% for having appointed a DPO before the violation. The four together add up to 80%, so the 70% aggregate cap binds; even so, appointing a DPO is the cheapest insurance policy in the law.
What this means for you
Two practical takeaways. First: the "₪320K maximum" framing widely circulated online is misleading; the per-person and per-record formulas turn large databases into seven-figure sanctions, bounded only by the 5% turnover cap. Second: the two reduction levers you control before anything goes wrong are having a DPO already appointed (10%) and having a working incident response process that lets you self-report and stop the violation quickly (30%). Both are operational decisions, not legal ones, and both have to be in place before the violation, not after.