/91/

purposes for which the database was created as reflected in the Database Registry. This

“purpose limitation” is the core principle of Israeli data protection law. By implication,

use of data beyond the permitted purpose requires legal justification or the consent of

the data subject (the individual to whom particular personal data relates). The Privacy

Law defines “consent” as informed consent, whether express or implied.

Other key principles of applicable Israeli law include the following:

Notice Obligation:

Solicitations of personal data that will be included in a databasemust

be accompanied by a notice to the data subject which indicates (i) whether the data

subject is legally obligated to provide the information or whether delivery is voluntary;

(ii) the purpose for which the datawill be used; and (iii) towhomthe datawill be delivered

and for what purpose.

Database Registration:

A database owner is required to register a database with the

Registrar of Databases, ("Registrar") if the database:

• contains data about more than 10,000 people;

• contains sensitive data (currently defined as details regarding a person’s personality,

private affairs, state of health, economic situation, opinions and faith);

• contains data about natural persons not provided by them, on their behalf or with

their consent;

• belongs to a public body; or

• is used for direct mail services.

Database registration entails filing an application containing information regarding the

database and payment of an application fee and annual fees. A proposed law currently

pending before the Israeli parliament (Knesset) would eradicate database registration

requirements for most databases, and substitute accountability, internal documentation

and notification requirements.

DataSecurity:

Owners,holders andmanagers of databases are each responsible for data

security. In addition, in certain cases a competent Security Officer must be appointed.

International Data Transfers

With respect of outbound data transfers from Israel, database information may only

be transferred outside the State of Israel if the following two requirements are met:

(1) there is legal basis supporting the transfers and (2) the database owner attains

a written undertaking from the data recipient that such recipient will take sufficient

precautions to protect the privacy of the data subjects and will not transfer the data

any further. In accordance with the Privacy Law's regulations, there is a closed list of

legal bases which may support such data exports. The most common legal bases used

to support data exports are: (i) the transfer to a recipient within the European Union; or

(ii) the data subject consents to the transfer; or (iii) a recipient's undertaking to toward

the owner of the Israeli-based database to uphold the laws regarding data storage and

use applicable to Israeli databases. The recently-introduced Privacy Shield framework

provides a legal means for transferring data from the European Union to the United

States. It is anticipated that transferring the data to a Privacy Shield certified entity

in the U.S. will be sufficient to establish legal basis for purposes of data exports from

Israel as well. However, as of the date of writing, ILITA has not yet issued an opinion on

the matter.

With respect to inbound transfers to Israel, since 2011 Israel has been recognized by

the European Commission as guaranteeing an adequate level of protection for personal