
Amendment 13: What Every Business Must Do — and the Fines If You Don't

Israel's new privacy law is already in force, the Authority is already enforcing it, and this is no longer just an enterprise concern. If your business collects customer details, job applicants, or supplier data — the new obligations apply to you right now.

Amendment 13 is the most significant update to Israel's Privacy Protection Law since it was first enacted in 1981. It took effect on August 14, 2025, and in the words of the head of the Privacy Protection Authority, it "re-priced the right to privacy." A violation that used to cost a business tens of thousands of shekels at worst can now draw administrative fines on the order of millions. Here's what you need to know — without the panic and without the jargon.

What Changed, and Why It Concerns You Too

In business terms, the change isn't only about the size of the fine. Until now the Authority mostly issued guidance and corrections. Amendment 13 turned it into a regulator with teeth — the power to investigate, demand documents, order processing to stop, and impose fines directly. For a business owner that means one thing: privacy protection moved from "nice to have" to a genuine risk-management item — like workplace safety or fire-code compliance.

And an important point: there's no general grace period. The substantive obligations — notifying customers, securing data, managing databases — apply from day one. The only deferral granted concerned the appointment of a privacy protection officer, and it ended on October 31, 2025.

One more clarification that saves a lot of confusion: the law makes no distinction between "storing" data and "processing" it. The text defines "processing" as any action performed on personal data — including the very act of storing it, viewing it, or granting access. In other words, even if you only keep Form 101s and payslips in a cabinet or a network folder and "do nothing with them" — under the law that is already processing, and the obligations apply.

The Fines — The Real Numbers

This is the part CEOs ask about first, so let's talk money:

  • 5% — Cap on the administrative fine, as a percentage of annual turnover. In severe cases it reaches millions of shekels.
  • ₪10,000 — Compensation a customer can claim without proving damages — accumulating per affected person.
  • 3 years — Imprisonment in the case of a criminal offense. The law doesn't distinguish between a company and an individual who processes data.

Now the part that turns all of this from words on paper into reality: the Authority is already enforcing. In 2024 only three violations were recorded, with no fines. In 2025, 33 enforcement actions were already taken — fines were imposed in about half of them, ranging from ₪5,000 to ₪75,000. Most violations related specifically to data security and to failures of the notification duty. In December 2025 the Authority announced it had launched proactive sector-wide audits — local authorities, online commerce companies, popular apps and more — and entities not included in the first wave are expected to be swept up later.

To grasp how much has changed, it's worth looking back. In late 2022 the Authority fined a data-broker company that trafficked in the data of millions of Israelis — and the total fine came to just ₪320,000, because the cap then was ₪25,000 per violation. That is exactly the limit Amendment 13 came to break: today the same case could end in a fine many times larger. The Authority's hands are no longer tied.

First Step: Which "Security Tier" Is Your Business In?

Before rushing to fix things, you need to know what even applies to you. The data-security regulations classify every database into one of four tiers — by who manages it, how many people access it, how sensitive it is, and what its purpose is. The tier determines which documents and controls you're required to hold.

The following table answers one question: which documents and security controls the law requires of you at each tier.

Individually managed
  • Who falls into the category: A database run by a single person (or a sole-owner company), with access limited to the owner and at most two additional authorized users. Suits a very small business that holds no sensitive data.
  • What it means in practice: The lightest obligations (basic protection and common sense). No complex documentation requirements.

Basic
  • Who falls into the category: The default for most businesses, i.e. any database not individually managed, not containing sensitive data, and not falling into the higher tiers.
  • What it means in practice: A database-definitions document, a written data-security procedure, access-permission management, user identification, and security-incident logging.

Medium
  • Who falls into the category: A database with more than 10 authorized users, or whose purpose is passing data to others (direct mail), or belonging to a public body, or any database containing sensitive data — medical (including sick notes), salary and financial data, biometric, genetic or criminal. Most HR files land here.
  • What it means in practice: Everything in Basic, plus an annual review of security incidents, log retention for 24 months, and immediate reporting to the Authority of a serious incident.

High
  • Who falls into the category: Large or highly sensitive databases at significant scale.
  • What it means in practice: Everything in Medium, plus a risk survey and penetration tests every 18 months, a quarterly review, and physical access control.

A common misconception online holds that "10,000 customers" pushes you into the Medium tier. That's inaccurate — the 10,000-data-subjects threshold is relevant mainly as an exception that removes a database from the "individually managed" category. The practical trigger for the Medium tier is usually the number of authorized users (more than 10) or the mere presence of sensitive data — not the number of customers as such.

Who's in the Sensitive Segment — and Manufacturers Too

Clinics, financial advisers and recruitment firms hold sensitive data as their core business, so they jump automatically to the Medium tier. But an "ordinary" manufacturing plant gets there without noticing — the moment it manages employee files with sick notes, payslips and bank details. The good news: this doesn't turn you into a cyber company. Most of the work is organizational order — a procedure, permissions, notification — not expensive infrastructure.

The First Three Practical Steps

Beyond classifying the tier, there are three things almost every business needs to put in order:

1. The Mandatory Documents

Every "database controller" — any company that collects and manages personal data for its own needs — must hold three documents: a database-definitions document, a data-security procedure, and a systems-mapping document. These aren't empty formalities; they're the map that shows you (and the Authority) what data you have and how it's protected.

2. Transparency Toward the Customer

At every point where you collect data — a form on your site, a sign-up form, a sales call — you must tell the customer who is collecting the data, for what purpose, and what their rights are (to review and to correct their data). Lack of proper notification is one of the common violations the Authority is already fining.

3. Your Suppliers Are Your Exposure

If you pass personal data to an external party — a CRM system, a SaaS service, a call center, a mailing company — you're also responsible for what happens on their end. The law requires a contractual arrangement (a Data Processing Agreement) with each such supplier. This is a point many businesses miss, because it's easy to forget that the data "left the building."

And What About Appointing a Privacy Protection Officer?

Here it's important not to get confused: the duty to appoint a privacy protection officer is not determined by the table above, but by the type of body and the nature of the processing. It applies mainly to public bodies, to those whose business is trading in data, to those who carry out systematic monitoring at significant scale, and to those who process sensitive data at significant scale. Most small businesses processing basic data are not required to appoint one — but if you're in the sensitive segment, it's a question worth examining closely rather than assuming. The temporary non-enforcement period on this clause has already ended.

Where to Start

The first step is always knowing where you stand: which databases you have, what tier they're classified at, and where the gaps are. This isn't a massive project — it's an organized review that gives you peace of mind and a clear picture.

Want to check where your business stands on Amendment 13? Book an intro call (30 min, free, no commitment).

Sources

Information is current as of the publication date. Interpretation of the law and the Authority's guidance are updated from time to time, and actual fine amounts are determined by the circumstances of each case — verify against the latest publications and consult a qualified professional.

This content is general information and does not constitute legal advice. To assess your specific obligations under Amendment 13, it is advisable to consult a qualified professional.

Frequently Asked Questions

What exactly is "specially sensitive information"?

It's a category the law defines explicitly, and it's broader than most assume. It includes information on health condition, medical or psychological data, genetic data, biometric data, ethnic origin, criminal record, political opinions or religious beliefs, location data — and Amendment 13 added salary and financial activity and professional personality assessments (e.g. placement tests). If your database holds one of these, it's considered sensitive — and that's usually what bumps it up to the Medium security tier.

I collect employees' sick notes in HR — is that a sensitive database?

Yes. A sick note is medical information, which falls under "specially sensitive information." Your employee-files database — which holds sick notes, and usually salary and bank details too — counts as a sensitive database, and therefore generally falls into the Medium security tier. This doesn't mean you should panic; it means you need a written security procedure, clear permission management for who accesses the files, and employee notification. Most manufacturers already hold this data — the work is regulating how it's stored and who accesses it.

I store salary transfer details (amount, bank account) — is that sensitive?

Yes. Amendment 13 explicitly added salary and financial activity to the list of sensitive information. Storing payslips, bank-account details and transfer amounts is holding sensitive data — exactly like sick notes. In practice this means your HR and payroll database sits in the Medium security tier, with documentation and permission requirements to match.

But I only store the data administratively — I don't process it for business. Is there a difference?

This is one of the most common misconceptions, so let's be precise: the law makes no distinction between "storing" and "processing." The text defines "processing" as any action performed on personal data — including storing, copying, viewing and accessing it. That means the very act of keeping a Form 101 or bank-account details is already "processing" under the law, even if you do nothing "active" with the data for business purposes. The administrative-versus-business distinction doesn't reduce the obligations.

I'm a manufacturer — do I have to become a tech company and buy expensive infrastructure?

No. This is exactly the point to understand. Complying with Amendment 13 is mostly organizational order, not a technology budget: a written security procedure, an organized permissions list (who accesses the HR files), employee notification, and an agreement with the payroll provider. These are things you set up once and maintain. And the fact that you hold sensitive data (salary, sick notes) does not make you someone required to appoint a privacy protection officer — the officer duty applies to those whose core business is processing sensitive data (banks, hospitals), not a plant that manages employee files incidentally. You don't need to be a cyber company; you need to be organized.

What's the definition of an "authorized user"?

An authorized user is anyone who has access to the database under your permission as the database owner — in practice, any employee of yours who logs into the system where the data is stored. Note: an external supplier that processes data on your behalf (e.g. external payroll software) is not counted as your "authorized user" for the threshold — it's a separate "holder," with whom you need a Data Processing Agreement. This count matters because more than 10 authorized users is one of the triggers for the Medium security tier.

Who absorbs the fine — the company or an individual?

As a rule, responsibility rests with the "database controller" — the one who determines the purposes of processing, which is usually the company itself (the legal entity), not an individual and not "the registrar." Amendment 13 abolished the "database manager" role and transferred all obligations to the controller. That said — for criminal offenses under the law there is also personal exposure for officeholders, so it's not a responsibility you can fully "hide" behind the company.

Does Amendment 13 apply to a small business too?

Yes. The effective date applies to all businesses and organizations, without exception. The difference is in the level of requirements — a small business with non-sensitive data will fall into the Basic tier with relatively light obligations, but it too must hold baseline documents and notify customers.

Do I have to appoint a privacy protection officer?

Not necessarily. The duty depends on the type of body and the nature of data processing — not on size alone. Public bodies, data brokers, and those whose core business is processing sensitive data at significant scale are required to. A business that processes basic data, or holds sensitive data only incidentally to managing employees, is usually exempt. If you're not sure which side you fall on — that's exactly a question worth clarifying in advance.

What's the maximum fine I'm exposed to?

The administrative fine is capped at 5% of annual turnover, and in severe cases reaches millions of shekels. Separately, a customer can claim up to ₪10,000 without proving damages — and that sum accumulates by the number of affected people.
