Privacy Law 8 min read By Adv. Or Elyashiv

Privacy Policy Drafting: Israeli Legal Requirements and Best Practices

A comprehensive guide for technology companies on crafting privacy policies that comply with updated Israeli law and international standards


Why Proper Privacy Policies Are Critical for Technology Companies

Last week, the legal manager at an Israeli fintech company received a demand from the Privacy Protection Authority for clarification regarding the company's handling of customer data. The problem was simple yet costly: the company's privacy policy didn't reflect the activities they actually perform with the data, leaving significant gaps in disclosure to users.

Privacy policies are no longer a technical checkbox that can be copied and pasted from another website. With the entry into force of Amendment 13 to the Privacy Protection Law, 5741-1981, transparency and disclosure requirements have been significantly strengthened, along with the sanctions for non-compliance.

Technology companies that process personal data of Israeli users must draft comprehensive and accurate privacy policies that reflect their actual operations. This is a document that not only legally protects the company, but also builds trust with customers and creates a foundation for responsible business operations.

In this article, we'll review the specific legal requirements under Israeli law, examine the changes introduced by the new amendment, and present best practices for drafting privacy policies that serve both legal obligations and the business needs of technology companies.


Israel's Privacy Protection Law establishes clear requirements for privacy policy content. At the core of these requirements stands the principle of transparency - data subjects are entitled to know what happens to their data at every stage of the process.

Database Controller Identification

The policy must clearly identify who is the database controller - typically the company operating the service. This should include the company's full name, corporate registration number, physical address in Israel, and contact details. If the company operates through subsidiaries or affiliated companies that also process data, this must be specified in detail.

Description of Data Types Collected

The law requires detailed description of the types of data the company collects. It's insufficient to write "personal information" - specifics are required: identification data (name, ID number, passport), contact details (address, phone, email), financial data (credit card details, bank account), service usage data, location data, and more.

Purposes of Data Use

This is one of the most critical sections. The policy must detail exactly why the company uses each type of data: service provision, billing and payment, customer service, product improvement, marketing and advertising, compliance with legal obligations, security protection. It's important that purposes be specific rather than overly general.

Legal Basis for Processing

Although Israeli law doesn't explicitly require stating the legal basis like GDPR does, it's recommended to include this information, especially for companies also operating with European customers. The basis can be consent, contract, legal obligation, or legitimate interest.


Disclosure of Data Sharing and Transfers to Third Parties

One of the most sensitive issues for users and regulators is data sharing with third parties. Israeli law requires full and detailed disclosure of any data transfer outside the company.

Categories of Recipients

The policy must detail the different categories of entities that may receive access to data: technology service providers (cloud storage, analytics, support), business partners, law enforcement and regulatory bodies, professional advisors (lawyers, accountants), companies within the corporate group.

It's important to note that data transfer is only permitted when necessary for the purposes detailed in the policy, and only to entities that commit to maintaining a similar level of protection to that provided by the company.

International Transfers

Transferring data outside Israel's borders requires special attention. If the company uses cloud services from foreign companies or transfers data to overseas subsidiaries, this must be explicitly disclosed. It's preferable to specify the particular countries or at least the geographical regions.

Regarding transfers to European Union countries - it should be clarified that Israel enjoys partial recognition as a country with an adequate level of protection, but this status is subject to periodic review.

Sale or Merger

Most technology companies need to prepare for the possibility of sale, merger, or acquisition. The policy must include a section explaining that in such cases the data may transfer to the acquiring company, naturally subject to confidentiality obligations and privacy protection.

Practical tip: Instead of writing "may transfer data to third parties," specify who these parties are and what the purpose of the transfer is. This increases credibility and reduces user concerns.

Data Subject Rights and Procedures for Their Implementation

The Privacy Protection Law grants data subjects extensive rights, and the policy must detail them clearly and explain how they can be exercised. This is not only a legal requirement, but also an opportunity to build trust with customers.

Right of Access

Every person is entitled to know what information the company maintains about them. Details should be provided on how to submit an access request, what identification details are required, and the timeframe for response (typically 30 days from submission of the complete request). It's advisable to establish a simple digital process for access requests.

Right to Rectification

If a data subject notices incorrect or outdated information, they are entitled to request correction. The company must correct inaccurate data or complete missing information within a reasonable time. It's important to note that correction is performed free of charge.

Right to Erasure

This right is more complex than it appears. A data subject can request data deletion, but the company isn't obligated to fulfill the request if it has a legal basis to retain the data (for example, for regulatory compliance or fraud prevention). Details should be provided on when the company will delete data and when it won't.

Objection to Processing

In some cases, data subjects can object to processing of their data, especially regarding direct marketing or profiling. An explanation should be provided on how to object and how the company will handle such objections.

The policy should describe each stage of handling a rights request:

  1. Submitting the request - in what manner and including which details
  2. Verifying the requester - which documents are required
  3. Review and approval - how long the review takes and response criteria
  4. Performing the action - how long for implementation and how reporting to the requester will be done
  5. Rejecting the request - in which cases rejection is possible and how the requester is notified

It's advisable to create an online form for data subject rights requests, including fields for request type, identification details, and preferred contact method for receiving the response.


Data Retention and Deletion Policy

One of the most critical issues technology companies struggle with is determining appropriate data retention periods. The policy must detail how long the company retains each type of data and when it's deleted.

Principles for Determining Retention Periods

The retention period must be justified according to the purpose for which the data was collected. If the purpose has been achieved or the data is no longer relevant, there's no justification for retaining it. However, companies may have legal obligations to retain data for certain periods.

Deletion Process

It's insufficient to set retention periods - they must also be implemented in practice. The company must create technological and operational processes that ensure data deletion at the end of the retention period. This includes deletion from production databases, backups, and any other location where the data is stored.

Exceptions to Deletion

There are cases where the company cannot or should not delete data even after the normal retention period expires:

Regulatory requirements - obligations to maintain financial records, communications with regulators
Legal proceedings - when there's pending litigation or investigation
Security and fraud prevention - retaining information about attack or fraud attempts for a limited time
Archival purposes - retaining statistical data anonymously for research and development

It's important to emphasize in the policy that even when data is retained for one of the above reasons, it's kept in a limited manner under enhanced security conditions.

As of the date of this article, it's recommended to verify retention periods with legal counsel, as they vary according to the type of activity and relevant regulation.
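To show how a retention schedule and its exceptions (legal hold, anonymised archiving) can be enforced mechanically rather than left on paper, here is an added example in Python; it is not part of the article, and the categories, day counts and record fields are constructed assumptions, not periods prescribed by Israeli law.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule in days per data category. The numbers are
# placeholders for illustration only; real periods come from legal counsel.
RETENTION_DAYS = {
    "service_usage": 365,
    "billing": 7 * 365,
    "marketing": 180,
    "security_log": 90,
}
# Categories that may be kept past their period only as anonymous statistics.
ARCHIVE_AS_ANONYMOUS = {"service_usage"}


@dataclass
class Record:
    record_id: str
    category: str
    collected_at: date
    legal_hold: bool = False   # pending litigation or investigation
    anonymised: bool = False   # already stripped of identifying fields


def decide(rec: Record, today: date) -> str:
    """Return the action the retention job should take for one record."""
    if rec.anonymised:
        return "keep"                # no longer personal data
    if rec.category not in RETENTION_DAYS:
        return "review"              # unmapped data: a gap in the policy itself
    expiry = rec.collected_at + timedelta(days=RETENTION_DAYS[rec.category])
    if today < expiry:
        return "keep"
    if rec.legal_hold:
        return "retain_legal_hold"   # keep, but under restricted access
    if rec.category in ARCHIVE_AS_ANONYMOUS:
        return "anonymise"           # archival exception: strip identifiers
    return "delete"


def run_retention(records, today):
    """Map each record id to its action. Covers the primary store only; backup
    rotation must enforce the same schedule separately."""
    return {r.record_id: decide(r, today) for r in records}
```
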


Security Measures and Data Protection

The policy must give users a clear picture of the measures the company takes to protect their data. This is not only a legal requirement, but also an opportunity to build trust and demonstrate professionalism.

Technical Protection Measures

The main technical measures should be detailed: encryption of data in transit and at rest, strong authentication systems, access controls based on permissions, backup and recovery methodologies, monitoring and periodic security testing.

There's no need to go into complex technical details that might expose vulnerabilities, but it's worth mentioning the use of accepted standards like TLS encryption for data transmission and AES encryption for storage.

Organizational Protection Measures

Security isn't just about technology. An explanation should be provided on how the company limits data access only to employees who need it to perform their job, how security training is conducted for employees, and what procedures exist for handling security incidents.

Service Providers and Contractors

Most companies use external service providers - cloud storage companies, CRM systems, analytics tools. An explanation should be provided on how the company selects providers (security criteria), how it supervises them, and what contractual commitments exist for maintaining security levels.

Response to Security Incidents

Amendment 13 to the Privacy Protection Law introduced reporting obligations for security breaches. The policy should explain that in case of a security incident that might affect personal data, the company will act in accordance with procedures established by law - including reporting to the Privacy Protection Authority and relevant data subjects, according to the severity of the incident.

It's important to note that the company cannot commit that "there will never be a breach" - this isn't realistic. Instead, it's worth committing to quick and transparent response in case something does happen.

Best Practices for Drafting Privacy Policies

Drafting an effective privacy policy requires a delicate balance between meeting legal requirements and creating a document that ordinary users can understand and use. Here are best practices that will help you create a quality policy.

Simple and Clear Language

Avoid complex legal language. Instead of "The company may process information for the purpose of realizing legitimate interests," write "We use information to improve the service and prevent fraud." The goal is for an ordinary user to understand their rights and obligations without consulting a legal dictionary.

Use short sentences, bullet points where appropriate, and clear subsection headings. Break complex information into small, easily digestible pieces.

Concrete Examples

Instead of explaining only in generalities, provide specific examples. For instance: "We collect information about your use of the product, such as which features you use most, which pages you visit, and how much time you spend in the application. This information helps us understand which parts of the product are most useful and where improvements are needed."

Regular Updates and Adaptation

A privacy policy is not a static document. It must be updated according to changes in law, technology, and company activities. Establish a periodic review process - at least once a year or with any significant change to the service.

  1. Mapping the company's current activities and data processing procedures
  2. Identifying gaps between actual activity and existing policy
  3. Checking relevant regulatory changes
  4. Updating the text according to findings
  5. Legal review of the updated text
  6. Publishing the new version and notifying users

Product Integration

The policy shouldn't be a disconnected document buried at the bottom of the website. Integrate it into the user interface: add links to the policy at relevant moments (for example, when requesting permission to access location), create short summaries of important sections, and offer easy ways for data subjects to exercise their rights.

Testing with Real Users

Before finalizing the text, test it with real users - employees who didn't work on the text, friends, or even a select group of customers. Check whether they understand their rights, how the data is used, and contact methods for questions.

Remember: A good privacy policy is one that legally protects the company, builds trust with users, and facilitates the routine work of support and legal teams. Investment in quality drafting will quickly pay for itself.


The information contained in this article is general in nature and does not constitute legal advice. For advice tailored to the specific circumstances of your company, we invite you to contact our firm.


Adv. Or Elyashiv

Founder of Or Elyashiv Law Firm, specializing in technology law, privacy protection, intellectual property, and commercial law. Advising tech companies, startups, and international investors.

