
Report of the findings of the Privacy Protection Authority's broad review of the corporate personal information database storage and processing services sector

13.12.20 | 09:59  

Attached for your perusal is a memorandum on the subject of the "Report of the findings of the Privacy Protection Authority's broad review of the corporate personal information database storage and processing services sector" which we hope you will find to be of interest. You are welcome to contact our firm should you have any question or require any clarification regarding the contents of this circular.  

The Privacy Protection Authority today (2.11.2020) issued a report on the findings of a broad review conducted among entities and companies which provide personal database storage and processing services. The said report constitutes part of a series of reports examining how entities from various sectors are complying with the provisions of the Protection of Privacy Law and the Protection of Privacy (Data Security) Regulations relating to the protection and security of personal information.

The corporate information storage and processing services sector is regarded by the Authority as posing an elevated risk for infringement of privacy since the companies involved usually maintain numerous databases containing a great deal of information, including sensitive information about the public.

According to the Authority's position, the entities that provide information storage and processing services, including through the provision of servers, effectively act as "holders" of the information for "the database owners", even if the content of the information is encrypted and the key is not in the possession of the entities in question but in the possession of the database owner. Hence, the companies which operate in this sector and provide storage or backup services are bound by all the same obligations under the Law and Regulations as a database "holder". It should be emphasized that the Law contains special obligations which apply to companies of this type, including the obligation to appoint a data security officer, the obligation to submit an annual report to the Privacy Protection Authority on the databases in their possession, and the obligation to manage the authorizations for the databases in their possession.

The said broad review process included an examination of 36 companies that provide software or platform services (including infrastructure and information storage services) and develop applications and interfaces for database owners' personal information management, including website hosting. It addressed four main criteria in the area of privacy protection: organizational control and corporate governance, database management, data security, and the use of outsourcing services.

The main findings of the broad review process are as follows:

  • With regard to data security, most of the entities examined exhibited a high level of compliance with the provisions of the Protection of Privacy Law, but flaws were found in compliance with the provisions of the Protection of Privacy (Data Security) Regulations, some of which also amounted to significant irregularities. The prominent shortcomings found included flaws in conducting risk surveys and penetration tests among companies that have a high-security database, as well as deficiencies regarding the obligations applying to those companies which provide outsourcing services.
  • The primary shortcoming in this sector relates to the processing of personal information in outsourcing; the report shows that 71% of the entities failed to comply with some or all of the relevant provisions of the Law.
  • Most of the entities (69%) exhibited a high level of compliance with the provisions of the Law regarding organizational control and corporate governance.
  • Within the framework of the broad review process, owners of databases subject to the high security level were found who were required to perform data security audits or penetration tests but either did not perform them as required or did not perform them at all.
  • Entities were found which did not maintain documentation of refresher training for those who have access to the databases and/or their systems.

In light of the danger of leakage of sensitive information belonging to the organization that is held by companies which provide personal database storage and processing services, it is very important to address the issue appropriately within the framework of the contractual agreements with those service providers, in order to ensure that the service providers comply with the statutory obligations imposed on them as "holders" of the information for the database owner.

Our firm shall be happy to be at your disposal for the purpose of providing legal advice on this important subject.

Below is a link to the full text of the review process report:

The information contained in the above review is provided for informative purposes in an abridged format and under no circumstances does it constitute a substitute for legal advice.