
What the Authority's DPO Disclosure Opinion actually says.

Alongside Amendment 13, the Privacy Protection Authority published a dedicated Disclosure Opinion on appointing a DPO. It answers questions the law itself leaves open — including the CISO question, outsourcing, and conflicts of interest.

Tags: DPO, Authority Guidance

Amendment 13 introduced the DPO appointment requirement as a statutory obligation, but the law itself sets out only the framework — who must appoint a DPO, the duties, and the qualifications. The Privacy Protection Authority filled in the practical detail in a dedicated Disclosure Opinion (גילוי דעת) published alongside the Amendment. If you are scoping a DPO appointment, this is the document that tells you how the regulator will actually evaluate your choice.

External vs. internal — what the Authority prefers

Section 17B3(b) explicitly permits an external DPO. The Disclosure Opinion confirms this — but adds that an internal employee is preferable where feasible, particularly for organisations with intensive ongoing processing. The test is whether the appointment model lets the DPO be "properly involved in all matters relating to data protection law." For most Seed–Series B companies, an embedded fractional DPO meets this test more reliably than a junior internal hire.

The CISO question: can the same person do both?

The Authority's answer is essentially: legally permitted, practically discouraged, and structurally problematic in larger organisations. The two roles call for different knowledge — the DPO needs deep legal grounding in privacy law, while the CISO needs technical depth in security controls. The Authority also flags that conflict-of-interest situations arise: under the Information Security Regulations, the CISO carries personal liability for the organisation's security posture, which can pull against the DPO's duty to objectively assess that posture. In organisations required to appoint both roles under Section 17B(a) (5+ databases, banks, insurers, public bodies, etc.), the Authority strongly suggests they be separate people.

Roles that are explicit conflicts of interest

The Authority lists specific senior roles that cannot be combined with the DPO appointment because the conflict is structural, not contextual:

  • Marketing manager
  • Customer manager / Head of Customer Success
  • CFO
  • CIO
  • CTO

The common thread: each of these roles has a stake in maximising the use of personal data for commercial outcomes, which directly conflicts with the DPO's duty to constrain that use to what is lawful and necessary.

Direct CEO reporting line

Section 17B2(c) requires the DPO to report directly to the CEO, or to a person who reports directly to the CEO. The Disclosure Opinion makes clear this is not a formality — it is part of the substantive independence requirement. A DPO buried under the CFO or General Counsel will not satisfy the Authority on inspection.

Resources the organisation must provide

The controller must provide the DPO with the conditions and resources needed to do the job properly. The Disclosure Opinion is explicit that this includes meaningful budget, access to technical systems, and standing invitations to product, security, and legal forums. A DPO without access to the product roadmap is, in the Authority's view, not actually a DPO.

How DPOas approaches this

Our service is built around the Disclosure Opinion's requirements: a licensed Israeli commercial attorney with formal DPO certification (the legal-knowledge requirement), embedded in your Slack and product reviews (the involvement requirement), and reporting on a structured cadence to your CEO (the reporting-line requirement). We work alongside your CISO, not as your CISO. If you want help scoping the appointment, the conflicts assessment, or the appointment letter — that is what the free consultation is for.