/92/

data, and thus Israel has appeared on the European Union “white list” for data exports

originating in Europe. This places Israel within a selective number of jurisdictions

recognized as such and permits data transfers from European Union countries to Israel

on the same terms as intra-EU transfers, without the need for additional data transfer

agreements or other procedural requirements.

Data Subject Rights:

Data subjects have the right to inspect and correct their personal

information maintained in databases, subject to certain exceptions.

Employee Data:

Employees' personal data is subject to a heightened standard of

protection under Israeli law and may be used only for essential interests or a legitimate

purpose. Collection and use of employees' personal data must meet the proportionality

test. Courts closely scrutinize consent given by employees in the context of their

employment, so if an employer suggests that detrimental changes to an employee’s

conditions of employment will occur if consent is withheld, or the employee subjectively

believes such detrimental changes may occur, an Israeli court may find that the consent

was not freely given and is therefore invalid.

The monitoring of employees’ email or their other use of technology is possible only

under limited circumstances. A precedential decision by Israel's highest labor court in

2011 established the following stringent requirements for monitoring employees’ use

of computers, email, mobile devices and other workplace technologies. These include

legitimate business purpose and proportionality requirements, extensive employee

disclosure requirements, express employee consent, and an absolute ban on accessing

personal emails without employee consent (on a case by case basis) or court order.

While statutory penalties for violations are lower than those under the EuropeanGeneral

Data Protection Regulation, a draft law currently pending before the Knesset would

grant the Registrar additional investigatory, supervisory and enforcement powers,

including the power to impose fines that are substantially higher than those currently

authorized under the Privacy Law.

Historically, ILITA has focused its enforcement activities on illegal data use, data security

breaches or the use of data in a manner not consistent with the purpose limitation.

While most Israeli commercial entities were relatively uninformed regarding local privacy

and data protection requirements during the earlier years of the Privacy Law, there

is currently a substantially higher level of awareness of privacy and data protection

obligations and most sophisticated companies are making greater efforts to comply.

It is anticipated that transferring the data to a Privacy Shield certified entity in

the U.S. will be sufficient to establish legal basis for purposes of data exports

from Israel as well.