
Transferring personal data out of Israel: what the PPA just clarified about Regulation 2(4).

Israel's Privacy Protection Authority has clarified what "mutatis mutandis" means under Regulation 2(4). Here is exactly what your cross-border data transfer contract must include.

The short version

On 13 April 2026, Israel's Privacy Protection Authority (PPA) published a new position paper on Regulation 2(4) of the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 2001, the rule most Israeli organizations rely on to lawfully send personal data overseas.

The headline: the phrase "mutatis mutandis" ("בשינויים המחויבים", "with the necessary changes") is not a loophole. If you transfer data abroad under Regulation 2(4), your contract with the foreign recipient must impose specific, substantive obligations on that recipient, and the PPA has now spelled out which ones.

Why this matters

Regulation 2(4) is the most common legal basis Israeli companies use to move personal data to SaaS vendors, cloud providers, group companies and processors outside Israel. Until now, "mutatis mutandis" was ambiguous: some organizations read it as permission to water down the Israeli-law obligations when drafting the recipient's contract. The PPA has closed that door.

What your cross-border data transfer agreement must include

According to the new guidance, an Israeli database owner transferring data abroad under Regulation 2(4) must sign a contract with the foreign recipient under which the recipient commits to obligations identical to, or substantively equivalent to, the following obligations under Israeli law:

  • Purpose limitation — the data may not be used for any purpose other than the one for which it was transferred (Sections 2(9) and 8(b) of the Privacy Protection Law).
  • Right of access — data subjects may review the data held about them (Section 13).
  • Right to correction or deletion — data subjects may request that their data be amended or erased (Section 14).
  • Confidentiality — the recipient must keep the personal data confidential (Section 16).
  • Information security — the recipient must either meet the substantive obligations of Israel's Protection of Privacy (Data Security) Regulations, 2017, or hold a valid ISO/IEC 27001 certification (including the Annex A controls) and, in addition, comply with the specific regulations listed in PPA Directive 3/2018. Certification on its own does not satisfy this item.

What is a legitimate "mutatis mutandis" adjustment?

Very little. The PPA was explicit:

  • A recipient's organizational or personal circumstances (its size, resources or local practice) do not justify skipping obligations. The test is objective, not subjective.
  • Database registration or notification obligations (Sections 8A(a) and 8A(b)) may be omitted from the contract under 2(4) if the destination country has no equivalent requirement for that type of database. This is the kind of adjustment "mutatis mutandis" was meant to cover: a formal step that has no counterpart abroad, not a substantive protection.

EEA data: extra obligations apply

If the Israeli database holds data originally received from the European Economic Area, the foreign recipient must also commit to the substantive obligations in Regulations 3–7 of the Privacy Protection Regulations (Provisions Regarding Data Transferred from the EEA), 2023. Since 1 January 2025, these regulations apply even when EEA-origin data is mixed with Israeli data in the same database, so the extra obligations cannot be avoided by pointing to the database as a whole being "Israeli".

What this means for Israeli controllers

If you rely on Regulation 2(4), and most organizations do, now is the time to:

  1. Audit your existing Data Transfer Agreements (DTAs) with vendors outside Israel. Do they cover all four substantive obligations (purpose limitation, access, correction or deletion, confidentiality) plus information security?
  2. Update templates so every new vendor contract, MSA or DPA maps cleanly onto the PPA's checklist, rather than relying on a generic GDPR-style clause set.
  3. Re-check ISO/IEC 27001 reliance: certification alone is not enough. The specific Israeli regulations listed in Directive 3/2018 still apply and must be contractually covered.
  4. Map EEA-origin data flows and confirm the extra 2023 obligations (Regulations 3–7) are contractually covered for every recipient that may receive such data.
  5. Remember Regulation 3: onward transfers by the recipient to a third country are a separate legal step and need their own basis and contractual controls.

Failure to meet these requirements means the transfer is no longer lawful under Regulation 2(4), exposing the Israeli database owner to enforcement action, even if the foreign recipient is otherwise reputable and even if the data is in practice well protected.

How DPOas can help

At DPOas we help Israeli organizations review, redraft and operationalize their cross-border data transfer framework, from vendor DTAs and ISO 27001 reliance letters to full Article 28 / Regulation 2(4) gap analyses. If your data is moving abroad, your contracts need to move with this guidance.