Introduction to Data Subject Rights in the New Era
A customer service manager at an Israeli SaaS company received a request this week from a client asking to "receive a copy of all the information you have about me, delete my account, and transfer my data to another company." Until a year ago, this would have been an unusual request. Today, following the implementation of Amendment 13, this represents a full legal right that companies must honor.
Amendment 13 to the Privacy Protection Law, 5741-1981, which came into effect in May 2025, brought a real revolution to data subject rights in Israel. For the first time in Israeli legislation, detailed and structured rights similar to those existing in the European GDPR were established, including expanded access rights, the right to erasure, and data portability rights.
The change is not merely technical - it reflects a significant paradigm shift in the approach to personal information ownership. Instead of the traditional approach whereby the company "holds" the collected information, the new regime recognizes that the information "belongs" to the data subject, and the company holds it only for specific purposes and under defined conditions.
For Israeli technology companies, the practical implications are clear: systems developed in the past must be adapted to support the new rights, new procedures must be written, and support teams require training on the legal requirements. Companies that have already implemented GDPR adaptations have an advantage, but they too need to adjust their procedures to the specific requirements of Israeli law.
Right of Access: What Companies Must Disclose and Within What Timeframe
The right of access, as defined in Amendment 13, is much more than the previous right to receive a copy of personal information. The data subject is entitled to receive not only the data itself, but also detailed information about how the company uses their information.
The company must provide the data subject with the following information:
- All personal information being processed - including data collected directly from the customer and data derived or completed by the company
- Source of the information - whether the data was collected directly from the data subject or from a third party, and in the latter case - who that third party is
- Processing purposes - what the company uses the information for, including marketing, analysis, or service improvement purposes
- Categories of recipients - with whom the company shares the information (service providers, business partners, authorities)
- Retention period - how long the company intends to keep the information
- Existence of automated processing - whether processing based on algorithms or artificial intelligence takes place, and what the implications are
The company must respond to an access request within 30 days of receiving the request. In particularly complex cases, the period may be extended by an additional 60 days, but the data subject must be notified of the extension within the first 30 days.
From a technical perspective, the information must be presented in an accessible and understandable format. There is no obligation to provide the information in machine-readable format as part of the access right, but it is advisable to do so to save costs in implementing data portability rights that may follow.
Practical Challenges in the Right of Access
One of the major challenges in the right of access is balancing the obligation to disclose information against protecting others' information. For example, if a customer requests to see information about them from a recorded service call in which a company representative also participated, a response must be provided that protects the employee's privacy while respecting the customer's right.
Another challenge is information created by the company based on customer data. Credit opinions, customer scoring, or personalized recommendations - all are considered personal information that must be disclosed, even if their disclosure might reveal the company's proprietary algorithms.
Right to Erasure: When Deletion is Mandatory and When it Can Be Refused
The right to erasure, also known as the "right to be forgotten," allows a data subject to demand that the data controller delete their personal information. Contrary to common perception, this is not an absolute right - it is subject to defined conditions and exceptions in the law.
The data subject may demand erasure in the following cases:
- The information is no longer necessary - the purpose for which the information was collected has been fulfilled or expired
- Withdrawal of consent - when processing is based on consent and the data subject withdraws it
- Unlawful processing - the information is being processed contrary to the law's provisions
- Legal obligation to delete - there is another legal requirement to delete the information
- Information collected from a minor - who was not legally capable of giving consent
However, the company may refuse erasure in certain cases:
- Protection of freedom of expression and information - especially in journalistic or academic contexts
- Compliance with legal obligation - when the law requires keeping the information (such as tax authority or banking supervision requirements)
- Public interest - for public health, scientific research, or historical archive purposes
- Protection of legal rights - when the information is necessary to protect the company's or others' rights
Technical Deletion vs. Logical Deletion
The most important practical question in the right to erasure is: what constitutes "deletion" under the law? The law does not require immediate physical deletion from all backup and archive systems, but it does require that the information not be accessible for routine processing.
In practice, the company can implement "logical deletion" - mark the information as deleted and stop its routine processing, while maintaining it in backups for a reasonable period required by technical or legal needs. However, deleted information may not be used for decision-making or further processing.
Many companies develop a "data oxidation" system - a process where old data gradually becomes less accessible and is eventually completely deleted. This approach allows compliance with the right to erasure while maintaining technological system stability.
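The logical-then-physical deletion flow described above can be sketched as follows. This is an added example, not code from the article: the `customers` table, the `active_customers` view and the 90-day purge window are assumptions chosen for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: the article only says "a reasonable period"; 90 days is a
# placeholder to be replaced by the retention period the company adopts.
PURGE_AFTER = timedelta(days=90)

SCHEMA = """
CREATE TABLE customers (
    subject_id TEXT PRIMARY KEY,
    email      TEXT,
    erased_at  INTEGER          -- epoch seconds; NULL while the record is live
);
-- Routine processing (reports, marketing, scoring) reads only this view.
CREATE VIEW active_customers AS
    SELECT subject_id, email FROM customers WHERE erased_at IS NULL;
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def erase_subject(db, subject_id, now):
    """Logical deletion: tombstone the row so it leaves routine processing."""
    cur = db.execute(
        "UPDATE customers SET erased_at = ? "
        "WHERE subject_id = ? AND erased_at IS NULL",
        (int(now.timestamp()), subject_id))
    db.commit()
    return cur.rowcount == 1

def purge_expired(db, now):
    """Physical deletion of rows tombstoned at least PURGE_AFTER ago."""
    cutoff = int((now - PURGE_AFTER).timestamp())
    cur = db.execute(
        "DELETE FROM customers WHERE erased_at IS NOT NULL AND erased_at <= ?",
        (cutoff,))
    db.commit()
    return cur.rowcount

def demo():
    db = open_store()
    db.executemany("INSERT INTO customers VALUES (?, ?, NULL)",  # constructed rows
                   [("s-1", "a@example.test"), ("s-2", "b@example.test")])
    t0 = datetime(2025, 6, 1, tzinfo=timezone.utc)
    erase_subject(db, "s-1", t0)
    active = [r[0] for r in db.execute("SELECT subject_id FROM active_customers")]
    early = purge_expired(db, t0 + timedelta(days=30))   # inside the window
    late = purge_expired(db, t0 + timedelta(days=91))    # window has passed
    left = db.execute("SELECT COUNT(*) FROM customers").fetchone()[0]
    return active, early, late, left
```

The design only holds if every routine consumer queries the view rather than the base table, which is worth enforcing with database permissions.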
Data Portability Rights: What is the Obligation and How to Implement it Correctly
Data portability rights are perhaps the most revolutionary innovation in Amendment 13. They grant the data subject the right to receive their personal information "in a structured, commonly used and machine-readable format," and to transfer it to another data controller without hindrance.
The right applies to information collected with consent or in the context of contract performance, and includes two components:
- Receiving the information - the company must provide the data subject with all their personal information in a technical format that enables transfer
- Direct transfer - in cases where technically feasible, the company should enable direct transfer of information to another company
Technical requirements for data portability include:
- Structured format - JSON, XML, CSV or similar formats that enable automated processing
- Accessibility - the format must be "commonly used" and not proprietary to the transferring company
- Completeness - all relevant information must be included, including important metadata
- Security - information transfer must be conducted securely
Boundaries of Portability Rights
It's important to understand that portability rights do not apply to all information in the system. They are limited to information that the data subject "provided" to the company, either directly or indirectly through service use. Information created by the company without being based on the data subject's activity - such as internal assessments or analyses - is not necessarily subject to portability rights.
Practical example: A fitness app customer is entitled to receive all data they entered (height, weight, goals), data the app collected (step count, heart rate), and recorded workout history. However, the app's proprietary algorithm for calculating personalized workout plans need not be included.
In practice, most companies choose to implement portability rights through a dedicated API or user interface that enables data export. Large companies have developed automated tools that allow customers to download their data with a few clicks, while smaller companies may handle requests manually.
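The fitness app example above, written as an export routine that keeps the portability boundary explicit. This is an added example, not code from the article: the field names, the provenance labels ("provided", "observed", "derived") and the schema identifier are assumptions made for illustration.

```python
import json

# Assumed provenance labels (not terms from the law):
# "provided" = entered by the user, "observed" = collected through service use,
# "derived"  = produced by the company's own models.
FIELD_PROVENANCE = {
    "height_cm": "provided",
    "weight_kg": "provided",
    "goals": "provided",
    "daily_steps": "observed",
    "heart_rate": "observed",
    "workouts": "observed",
    "plan_score": "derived",
    "recommended_plan": "derived",
}
PORTABLE = {"provided", "observed"}

def build_export(subject_id, record, exported_at):
    """Return (json_text, withheld_field_names) for one subject's record.

    A field with no provenance entry is withheld and reported, so a newly
    added column cannot reach an export before someone has classified it.
    """
    data, withheld = {}, []
    for name, value in sorted(record.items()):
        provenance = FIELD_PROVENANCE.get(name)
        if provenance in PORTABLE:
            data[name] = {"value": value, "provenance": provenance}
        else:
            withheld.append(name)
    doc = {
        "schema": "example-portability-export/1",  # hypothetical schema id
        "subject_id": subject_id,
        "exported_at": exported_at,
        "data": data,
    }
    return json.dumps(doc, indent=2, sort_keys=True), withheld

# Constructed sample record; "ab_bucket" is deliberately unclassified.
SAMPLE = {
    "height_cm": 178, "weight_kg": 74.5, "goals": ["10k run"],
    "daily_steps": [{"date": "2025-06-01", "count": 8421}],
    "heart_rate": [{"ts": "2025-06-01T07:00:00Z", "bpm": 62}],
    "workouts": [{"date": "2025-06-01", "type": "run", "minutes": 35}],
    "plan_score": 0.82, "recommended_plan": "tempo-3x",
    "ab_bucket": "B",
}
```

Fields withheld from the portability export are not thereby exempt from the right of access, which the article says also covers information the company derives from customer data.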
How to Handle Data Subject Requests: Procedures, Deadlines and Identification Requirements
Handling data subject requests requires establishing clear procedures that balance the data subject's legal right against the need to protect information from unauthorized access. The law sets a rigid timeframe, but allows flexibility in identification and authentication requirements.
The legal deadlines for handling requests are:
- 30 days - the basic deadline for all data subject requests
- 60-day extension - in complex cases, provided the data subject received advance notice
- Additional time for identity verification - in cases where there is doubt about the requester's identity
The handling process should include the following stages:
- Receiving and documenting the request - document the request and send acknowledgment of receipt
- Identity verification - ensure the requester is indeed the data subject or their authorized representative
- Clarifying the request scope - clarify what information is requested and in what format
- Checking exceptions - verify whether legal exceptions exist that prevent providing the response
- Information gathering - collect relevant information from all company systems
- Preparing the response - organize the information in the appropriate format
- Sending the response - send the information securely and document the transmission
Identification and Authentication Requirements
One of the central challenges in handling data subject requests is ensuring the requester is indeed entitled to receive the information. Overly strict identification requirements could make exercising the right impractical, but overly lenient requirements could lead to unauthorized information disclosure.
Principles companies should adopt:
- Proportional identification - identification requirements must match the information sensitivity and risks
- Using existing tools - authentication methods already used by the company can be employed (system login, two-factor authentication)
- Process documentation - document the authentication process in case of appeal or inquiry
In cases where the data subject acts through a representative (attorney, family member, or service company), clear authorization must be required and the identity of both parties verified - both the grantor and recipient of the power of attorney.
When Data Subjects May Be Charged Fees and in What Amounts
The basic principle in Amendment 13 is that companies may not charge data subjects for exercising their rights. However, the law allows charging in certain circumstances, subject to strict conditions and amount limitations.
The company may charge a fee only in the following cases:
- Repeated and unnecessary requests - when the same person submits identical requests at unreasonable frequency
- Excessive requests - requests requiring disproportionate effort from the company
- Additional copies - beyond the first copy of the information
Fee amounts are limited to actual costs incurred by the company in handling the request. The company must justify the fee amount and provide a cost breakdown. As of the date of this article, the Privacy Protection Authority has not published specific guidelines regarding permitted fee amounts, but it is recommended to base charges on actual costs only - labor, technical costs, and shipping.
Examples of Permitted and Prohibited Charging
Permitted charging:
- Customer requests the same information for the third time within two months without change in circumstances
- Request for 10-year history from database requiring offline archive recovery
- Request for registered mail delivery instead of email
Prohibited charging:
- Charging for first access request, even if involving large amounts of data
- Fixed "handling fee" not based on actual costs
- Charging for salaried employee work time (which is not an additional cost to the company)
Practical recommendation: Technology companies should invest in developing automated tools for implementing data subject rights. One-time investment in developing APIs or user interfaces for data export will save significant operational costs in the long term and reduce the need to charge customers fees.
Practical Implementation: Systems, Processes and Preparing for the Near Future
The transition from the old privacy protection regime to the new one requires not only legal adaptation from technology companies but also significant technological and procedural upgrades. Successful companies are those that view data subject rights as an opportunity to improve customer relations, not just an additional cost.
Initial practical steps include:
- Mapping data repositories - identify all locations where the company holds personal information (databases, backups, logs, CRM systems)
- Developing data interfaces - create APIs or internal tools enabling search, export and deletion of information by data subject
- Establishing work processes - write clear procedures for handling each type of request and train relevant teams
- Building a tracking system - implement a system that tracks the status of each request and ensures deadline compliance
From an architectural perspective, consider:
- "Privacy by Design" - incorporating privacy considerations at the design stage of new products
- Unified identifiers - using a single identifier for data subjects across all company systems
- Data versioning - maintaining change tracking to be able to provide accurate history
- Hierarchical deletion - a system enabling gradual deletion by data type and sensitivity
Preparing for Privacy Protection Authority Audits
The Privacy Protection Authority received new and significant powers in Amendment 13, including the ability to impose administrative fines of millions of shekels. Smart companies are already preparing for future audits.
Preparation should include:
- Detailed documentation - document all procedures, decisions and actions in privacy protection
- Performance metrics - track response times, deadline compliance rates, and complaint numbers
- Employee training - ensure anyone handling personal information knows the new rights and implementation methods
- Internal audits - conduct simulations of data subject requests to identify process issues
Finally, it's important to remember that implementing data subject rights is not only a legal obligation but also a business opportunity. Customers who feel they have control over their information tend to be more loyal and share additional information. Companies that build a reputation for respectful and efficient handling of data subject requests can turn legal obligation into competitive advantage.
The information contained in this article is general in nature and does not constitute legal advice. For advice tailored to the specific circumstances of your company, we invite you to contact our firm.