Employee Monitoring in Israel After Amendment 13: What Employers Must Know in 2025-2026

What Did Amendment 13 Change for Israeli Workplace Monitoring?

Amendment 13 introduced four structural changes to Israel's privacy law that directly affect employers using monitoring software. Each change creates new obligations with specific deadlines, procedural requirements, and penalties for non-compliance. Israeli employers who treated the 1981 law as a light-touch regime before August 2025 now operate under materially stricter rules.

1. Mandatory Data Protection Officers for Systematic Monitoring

Amendment 13 requires organizations whose core activities involve systematic processing of personal data at scale to appoint a Data Protection Officer. The PPA's October 2025 guidance confirms that continuous employee monitoring software qualifies as systematic processing at scale for most employers who deploy it organization-wide. The DPO must have sufficient expertise in data protection law and practice, access to the organization's processing activities, independence from operational decision-making, and a direct reporting line to senior management.

The DPO obligation under Amendment 13 is functionally equivalent to the GDPR Article 37 requirement, with one practical difference: Israel does not yet require registration of the DPO's contact details with the PPA in the same formal manner that GDPR requires registration with national supervisory authorities. However, PPA guidance from 2025 strongly recommends publicizing the DPO's contact information internally and making it available to employees who wish to exercise data subject rights. Employers who have already appointed a GDPR DPO covering EU operations should assess whether that individual's mandate extends to Israeli processing activities.

2. GDPR-Aligned Data Subject Rights for Employees

Amendment 13 expanded the data subject rights framework to include rights that previously existed only partially or not at all under the 1981 law. Israeli employees now have the right to access personal data collected about them through monitoring tools, request correction of inaccurate data, request deletion of data that is no longer necessary, and object to processing in certain circumstances. These rights align substantially with GDPR Articles 15 through 21, though the procedural timelines under Israeli law are set by PPA regulation rather than codified in the statute.

For employers, the practical implication is the need to build a data subject request handling process. When an employee requests access to their monitoring data, the employer must identify all data points collected about that employee, compile them in an accessible format, and respond within the timeframe specified by the PPA. Employers who lack a documented inventory of what monitoring data they collect, where it is stored, and for how long it is retained will find it nearly impossible to respond to these requests accurately.

3. 72-Hour Data Breach Notification Requirement

One of the most operationally demanding changes in Amendment 13 is the 72-hour breach notification window. When a personal data breach occurs that involves employee monitoring data, the employer must notify the Privacy Protection Authority within 72 hours of becoming aware of the breach. If notification is impossible within 72 hours, the employer must provide an explanation for the delay alongside the late notification. This window mirrors GDPR Article 33 precisely.

A data breach in the monitoring context includes unauthorized access to employee activity logs, screenshots, or productivity records; accidental exposure of monitoring data to unauthorized personnel; deletion or corruption of monitoring records in a way that deprives employees of their data subject access rights; and exfiltration of monitoring data by a malicious actor. Employers must have an incident response process that can triage a potential breach and make a notification decision within 72 hours. This is not achievable without a pre-existing incident classification framework and a designated point of contact at the PPA.

4. Maximum Fines of NIS 640,000 per Violation

Amendment 13 raised the ceiling on administrative fines to NIS 640,000 per violation, equivalent to approximately $175,000 USD at 2025 exchange rates. Before the amendment, maximum fines under the Privacy Protection Law were substantially lower, providing limited deterrent effect for larger organizations. The new fine level is calculated per violation, not as a single aggregate maximum, meaning an employer that monitors employees without proper notice, fails to appoint a DPO, and ignores a data subject access request could face three separate fines totaling NIS 1.92 million.

The PPA can also refer cases involving willful or systematic non-compliance to the Attorney General's office for criminal prosecution. Under the amended law, individuals responsible for compliance failures, including company officers and HR directors, can face personal criminal liability in addition to organizational fines. This personal liability dimension is a meaningful departure from the pre-amendment enforcement model and mirrors the GDPR exposure faced by data protection officers and controllers in EU jurisdictions.

What Employee Monitoring Practices Are Legal in Israel in 2025-2026?

Israeli employers can conduct a range of monitoring activities lawfully, but each category of monitoring carries specific notice, proportionality, and retention requirements. The distinction between what is clearly permitted, what requires careful handling, and what is effectively prohibited is determined by the combination of the Privacy Protection Law, Amendment 13, PPA guidance, and Supreme Court case law.

Clearly Permitted with Notice

Time tracking is the most clearly permitted form of employee monitoring in Israel. Recording when employees clock in, clock out, and take breaks is expressly contemplated by the Hours of Work and Rest Law (1951), which requires employers to maintain accurate work hour records. Automated time tracking systems that record attendance and work duration without capturing application-level data or content are the least legally complex form of monitoring. Employers should document the time tracking purpose (payroll calculation, overtime compliance) in writing and include it in employment contracts or a standalone monitoring notice.

Application usage monitoring is permitted when employees receive advance written notice that the software tracks which applications and websites are used during work hours. The monitoring must be limited to work devices and work hours. Capturing application categories (productive versus non-productive classification) is less invasive than logging specific URLs, and PPA guidance generally supports category-level monitoring more readily than granular browsing histories. Employers who can achieve their productivity management objective with category-level data should prefer it over URL-level logging from a proportionality perspective.

Email monitoring on company-owned accounts is permitted when the employer's acceptable use policy clearly states that work email accounts may be monitored. The policy must be provided to employees before they begin using the account. Monitoring scope is most defensible when limited to metadata (sender, recipient, timestamp, subject line) rather than message content. Content-level email monitoring requires a stronger documented justification, such as a specific compliance obligation or an active security investigation.

Permitted with Careful Handling

Screenshot monitoring is legally permissible in Israel, but its proportionality is evaluated based on frequency and scope. Capturing screenshots every 5 to 10 minutes during work hours with prior employee notice is generally defensible for roles where visual proof of work serves a documented business purpose, such as remote client services or regulated financial roles. Continuous or near-continuous screenshot capture is harder to justify and requires a more specific business rationale. Screenshot blurring to exclude personal content visible on screen strengthens the proportionality argument and reduces the risk of inadvertently capturing sensitive personal information.

Keystroke intensity monitoring, which measures the volume and rhythm of keyboard and mouse activity without capturing content, is permitted with advance notice. Israeli law does not specifically prohibit this form of monitoring. Content-level keystroke logging, which records the actual characters typed, is substantially more sensitive because it can capture personal communications, passwords, and confidential content. Deploying content-level keyloggers on employee devices requires a documented, compelling business justification and creates meaningful legal exposure if used broadly rather than in specific, targeted investigations.

Remote home office monitoring carries a heightened privacy analysis under Israeli law because the Israeli Supreme Court has recognized that employees retain stronger privacy expectations in their home environments even during work hours. Monitoring scope should be narrower for remote workers than for in-office workers: app usage and time tracking are more defensible than webcam monitoring or environmental audio capture. The PPA's 2025 guidance specifically notes that employers should apply additional data minimization measures for any monitoring that occurs within an employee's private residence.

Video Surveillance: Specific Regulatory Requirements

Video surveillance in Israeli workplaces is subject to specific requirements under the Protection of Privacy Law and PPA regulations on video monitoring published in 2017. Employers must post visible notices informing employees and visitors that video surveillance is in operation. The surveillance must be limited to areas where a business justification exists (reception areas, server rooms, production floors) and must not cover areas where employees have reasonable privacy expectations, including restrooms, changing rooms, and private offices without consent. Video footage retention must be defined in advance and typically should not exceed 30 days for routine security monitoring.

How Does the 72-Hour Breach Notification Rule Work for Monitoring Data?

Amendment 13's breach notification requirement applies to any personal data breach involving monitoring records, whether the breach results from a cyberattack, an internal access control failure, accidental data loss, or unauthorized disclosure. Employers must notify the Privacy Protection Authority within 72 hours of becoming aware of the breach. The 72-hour clock starts when the employer first discovers that a breach may have occurred, not when the investigation concludes.

This timing is operationally demanding. A 72-hour window includes weekends and holidays. Employers need a documented incident response procedure that assigns clear roles for breach identification, initial severity assessment, and notification drafting. Without this infrastructure, a breach detected on a Friday afternoon may result in a missed notification deadline by Monday morning.

What the Notification Must Include

A notification to the PPA under Amendment 13 must contain the nature of the breach (what happened), the categories of personal data involved (what types of monitoring records were affected), the approximate number of individuals affected (how many employees' data was exposed), the likely consequences of the breach (what harm may result), and the measures taken or proposed to address the breach and prevent recurrence. If the employer cannot provide all information within 72 hours, a preliminary notification with available information is acceptable, followed by a supplementary report as the investigation progresses.

Employers must also assess whether to notify affected employees directly. The PPA guidance states that employee notification is required when the breach is likely to result in high risk to the rights of the affected individuals, such as when monitoring records containing sensitive behavioral patterns or communications metadata have been accessed by unauthorized parties. The threshold for direct employee notification is higher than the threshold for PPA notification: not every reportable breach requires employee notification, but high-risk breaches require both.

Building a Breach-Ready Monitoring Program

Monitoring software selection and configuration directly affect breach risk and breach notification feasibility. Employers should ensure their monitoring platform stores data with encryption at rest, restricts access through role-based controls, maintains audit logs of who accessed monitoring data and when, and supports data export in a structured format for incident response purposes. eMonitor stores all monitoring data with encrypted, secure storage and includes role-based access control that limits data visibility to authorized managers. These features reduce both the likelihood of a reportable breach and the time required to assess scope when a potential incident occurs.

Practical Compliance Checklist for Israeli Employers Using Monitoring Software in 2025-2026

This checklist consolidates the requirements from the Privacy Protection Law, Amendment 13, PPA guidance notes through 2025, and Israeli Supreme Court proportionality doctrine. Work through each item before deploying monitoring software and revisit it annually or when your monitoring scope changes materially. For broader context on regulatory direction, see 2026 monitoring law changes worldwide.

Before Deploying Monitoring Software

• Document the monitoring purpose: Write a specific statement of why monitoring is necessary, what data will be collected, and how it will be used. Vague purposes do not satisfy Israeli law.
• Conduct a proportionality review: Assess whether less intrusive alternatives (self-reported time, manager check-ins, output-based metrics) could achieve the same purpose. Document why they are insufficient.
• Prepare a written employee notice: The notice must identify the data categories collected, the purpose, the retention period, who has access, and how employees can exercise their data subject rights under Amendment 13.
• Deliver notice before monitoring begins: PPA guidance requires that employees receive the monitoring notice in writing before the monitoring system activates. Delivery through email with read confirmation provides a clear record.
• Assess the DPO obligation: Determine whether the planned monitoring constitutes systematic processing at scale under Amendment 13. If yes, appoint a DPO and document the appointment.
• Define data retention periods: Specify how long each category of monitoring data will be retained and configure automatic deletion or document a manual deletion schedule.
• Configure role-based access controls: Ensure monitoring data is accessible only to personnel with a documented business need.

During Active Monitoring Operations

• Enforce work-hours-only tracking: Monitoring must not capture data outside scheduled work hours, particularly for remote employees.
• Honor data subject access requests: When employees request access to their monitoring data, respond within the PPA-specified timeframe with complete and accurate information.
• Process deletion and correction requests: Employees have the right to request correction of inaccurate data and deletion of data that is no longer necessary. Both requests must be handled promptly.
• Maintain breach detection capability: Configure your monitoring software's access logs and security alerts to flag potential unauthorized access incidents. Time-to-detection directly determines whether the 72-hour notification window is achievable.
• Log access to monitoring data: Maintain a record of who accessed monitoring records and when. This log is a core piece of evidence in any PPA investigation.
• Apply screenshot blurring where appropriate: Enable blurring for roles where personal content frequently appears on screen.

Ongoing Review and Governance

• Audit data retention compliance quarterly: Verify that automatic deletion is functioning and that data categories are not being retained beyond their documented retention period.
• Update the employee notice when monitoring scope changes: Adding a new data category (such as introducing screenshot monitoring where only time tracking existed before) requires updated notice to employees before the new feature activates.
• Review the DPO mandate annually: Assess whether changes in monitoring scope or workforce size affect the DPO obligation or the DPO's ability to perform their role independently.
• Train managers on lawful use of monitoring data: Managers who use monitoring data to make employment decisions must understand the equal opportunities considerations and the prohibition on using monitoring data for purposes not disclosed in the employee notice.
• Document any employee objections: If an employee objects to monitoring, document the objection, the employer's assessment of whether compelling grounds exist to continue processing, and the outcome.

Frequently Asked Questions About Employee Monitoring Laws in Israel