Data Protected - Israel

Contributed by Meitar

Last updated February 2024

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The right to privacy is a constitutional right under Article 7 of Basic Law: Human Dignity and Liberty.

In addition, there is specific legislation in Israel through the Privacy Protection Law (“PPL”).

Entry into force

The PPL was enacted in 1981.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The Privacy Protection Authority (“PPA”)
125 Begin Road
P.O. Box 7360
Tel Aviv 61072

www.gov.il/he/Departments/the_privacy_protection_authority

Notification or registration scheme and timing

A database that includes personal data must be registered if one of the following conditions is met: (i) the database contains personal data on more than 10,000 individuals; (ii) the database contains sensitive personal data; (iii) the database includes personal data on individuals, and this data was not collected from individuals, on their behalf or with their consent; (iv) the database belongs to a public body (as defined in the PPL); or (v) the database is used for direct-mailing services.

While there is no specific timeline for registering such a database, under the PPL it is forbidden to manage or possess a database that is subject to the registration obligation without registering it or submitting such a request.

Exemptions to notification

A database is exempt from registration when the database only includes personal data that was made publicly available pursuant to lawful authority or was made available for public inspection pursuant to lawful authority.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The PPL does not explicitly address its territorial scope.

The PPA's unofficial approach, influenced by GDPR concepts, is that Israeli data subjects deserve to be protected by the PPL when international companies collect extensive personal data on them or target them. Therefore, and in accordance with general principles regarding the choice of law, the PPL is likely to apply to: (i) entities established or located in Israel; (ii) processing activity targeted to Israeli data subjects; or (iii) data processing operations in Israel.

In order to maintain Israel's adequacy decision, the Minister of Justice enacted the Privacy Protection Regulations (instructions regarding information transferred to Israel from the European Economic Area), 2023 ("EEA Transfer Regulations"). According to the EEA Transfer Regulations, in certain cases, a database that includes personal data received from the EEA will entitle the data subjects included in such database (including data subjects that are not located in the EEA) to enhanced rights.

Is there a concept of a controller and a processor?

The PPL does not define the terms "controller" and "processor", but rather uses the terms "database owner" and "database holder".

While the phrase "database owner" is not defined in the PPA, it is considered to be the equivalent of a "controller".

A "holder" is defined in the PPL as someone who "permanently has a database in its possession and is permitted to use it." It is considered to be the equivalent of a "processor".

Are both manual and electronic records subject to data protection legislation?

Chapter B of the PPL, which relates to the protection of privacy in databases, applies only to electronic records.

Chapter A of the PPL, which applies to the protection of privacy in general, applies to both manual and electronic records.

Are there any national derogations?

The PPL includes exemptions from liability when an individual is empowered to perform a specific act by law, and processing by national security authorities (as detailed in the PPL) when performing an act that is reasonable and required for the purpose of fulfilling their duties.

In addition, the PPL includes specific cases that can serve as the basis for a defence against criminal or civil claims. Such cases include cases where the infringer committed the infringement in good faith and (i) did not know and need not have known that an infringement of privacy might occur; (ii) the infringement was committed in circumstances in which the infringer was under a legal, moral, social or professional obligation to commit it; (iii) the infringement was committed in defence of a legitimate personal interest of the infringer; (iv) the infringement was committed in the infringer's ordinary course of business, provided that it was not committed by way of publication; (v) the infringement was committed by way of taking a photograph, or of publishing a photograph taken, in the public domain, and the injured party appears in it incidentally; (vi) the infringement was committed by way of a publication protected under the Defamation (Prohibition) Law, 5725 - 1965; or (vii) the infringement involved a public interest justifying it in the circumstances of the case, provided that, if the infringement was committed by way of publication, the publication was not untruthful.

_____________________________________________________________________

Personal Data

What is personal data?

Personal data is defined in the PPL as: "data on the personality, personal status, intimate affairs, state of health, economic position, vocational, qualifications, opinions and beliefs of a person".

Over the years, the Israeli Supreme Court, as well as the PPA, have interpreted the term "personal data" broadly, to include any data that relates to identified or identifiable individuals. Such interpretation was also adopted by the PPA, which stated in an official opinion from December 2022, that personal data means "data on the personality, personal status, intimate affairs, state of health, economic position, vocational, qualifications, opinions and beliefs of a person, regarding an identified or identifiable person by reasonable means, as well as information from which someone can conclude such data".

Is information about legal entities personal data?

No, the PPL only applies to natural individuals.

What are the rules for processing personal data?

In order to collect and process personal data, the database owner must obtain consent from the individual. While the consent must be informed, it can be either explicit or implied. To get informed consent upon collection of personal data, a privacy notice must be displayed to the data subject (see below under Privacy Notices).

Alternatively, the database owner may process personal data if that processing is obligatory by law.

Are there any formalities to obtain consent to process personal data?

No. The consent must be informed, although it may be explicit or implied.

Are there any special rules when processing personal data about children?

Although various bills addressing this issue have been considered over the past few years, none of them have matured to a formal amendment of the PPL. Therefore, there is currently no special rule regarding processing personal data about children.

However, the Legal Capacity and Guardianship Law, 5722-1962, provides that any legal act of a minor (under 18) is subject to obtaining the consent of the minor's legal guardian (except for legal actions that minors at the same age routinely engage in). Therefore there may be cases where the consent of the legal guardian is required in order to process the personal data of minors.

Are there any special rules when processing personal data about employees?

Israeli courts have ruled that, due to the power gap between employees and employers, it is difficult to determine if an employee's consent was given with his or her "free will". As a result, collecting such personal data should be done only if the employer has a legitimate interest in processing the personal data, while using appropriate measures to ensure a minimal and proportional injury to the employees' right to privacy.

The PPA has issued several documents regarding the processing of employees' personal data, including: (i) guidelines issued in 2017 on the use of CCTV in the workplace; (ii) guidelines on employee screening and recruitment agency activity, which also set out the rights of candidates with respect to the data collected during the recruitment process; and (iii) a statement published in July 2023 setting out the PPA's position on an employer's tracking and monitoring of its employees' location data through applications and vehicle tracking systems.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data is defined very broadly to include: "Data on the personality, intimate affairs, state of health, economic position, opinions, and beliefs of a person".

In addition, the First Schedule to the Security Regulations states that the following categories of data will be subject to the medium or high level tiers of security: data about an individual's intimate affairs; medical data or data regarding the individual's mental condition; genetic data; data about an individual's political opinions or religious beliefs; data about an individual's criminal records; location and communication data; biometric data; data about an individual's assets and financial situation; and data relating to consumption habits that may reveal any of the categories specified above.

Are there additional rules for processing sensitive personal data?

As mentioned above, a database that contains any of the special categories of data pursuant to the Security Regulations may be subject to a medium or high level security classification. The Security Regulations require additional measures to be implemented with respect to such databases, such as conducting penetration testing, risk assessments, and implementing physical means to allow access to the database. In addition, in the event of a severe security incident (i.e., a data breach) in a medium/high level security database, such breach would need to be reported to the PPA.

Databases that contain any of the sensitive data must also be registered (see above).

Are there additional rules for processing information about criminal offences?

Personal data about criminal offences mentioned in the Security Regulations is considered sensitive, as described above.

Under the Criminal Records and Rehabilitation Act, 2019, it is prohibited (except for specific and limited exceptions) to ask an individual about his or her criminal record or to request such a document.

Are there any formalities to obtain consent to process sensitive personal data?

No.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

The relevant positions under the PPL are "database manager" and "chief information security officer" (“CISO”), which is subordinate to the database manager. While a database manager must be appointed for each database, a CISO must only be appointed when the database owner is one of the following: (i) an owner of five or more databases that require registration; (ii) a public body; or (iii) a bank, an insurance company, or a company involved in rating or evaluating credit.

Accordingly, the PPL does not include an obligation to appoint a data protection officer ("DPO") as such. However, the PPA issued a position paper in January 2022 recommending the appointment of a DPO in data-driven organisations or in organisations whose activity is likely to impose a higher risk to privacy (for example, databases that are classified as medium or high level security databases). In addition, the PPA recommends appointing a DPO if appointment was required under the GDPR. While the DPO could be an internal or external appointment, in a large organisation the PPA recommends that it be a senior employee.

What are the duties of a data protection officer?

The database manager is primarily responsible (together with the database owner and holder) for the security of the database (as further regulated under the Security Regulations).

The CISO is responsible for preparing a data security procedure and a plan to monitor compliance with the Security Regulations, implementing such a plan, and notifying the database owner and the database manager of any findings.

The PPA position paper recommends the DPO should have the following responsibilities: (i) organising the data management in the organisation; (ii) supervising and examining the privacy practices in the organisation; and (iii) providing privacy-related guidance and instructions within the organisation.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

Under the Security Regulations, database owners must take measures such as dataflow mapping, risk analyses, audits and employee training.

In addition, according to the Security Regulations, the database owner should conduct an annual assessment of whether the data maintained in the database exceeds the data required to accomplish the purposes of the database.

Are privacy impact assessments mandatory?

There is no mandatory obligation to perform privacy impact assessments.

However, in August 2021, the PPA published a manual (based on the UK Information Commissioner’s guidance) for organisations that have decided to perform such assessments. In the manual, the PPA recommends evaluating any personal data usage that can impose a risk to the data subject's privacy or a change in their rights, especially when implementing new technology or a large-scale data processing process. In November 2022 an updated version of the manual was published.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

The PPL requires that upon collection of personal data a notice shall be provided to the individual including: (i) whether the individual is under a legal duty to deliver that data or whether its delivery depends on his/her free will and consent; (ii) the purpose for which the data is requested; and (iii) to whom the data is to be provided and for what purposes.

The EEA Transfer Regulations require that, no later than a month from the receipt of personal data, a database owner notify the data subject of: (i) the identity of the database owner and the database manager, their addresses and contact information; (ii) the purpose of the transfer of the data; (iii) the type of the data that was transferred; and (iv) the rights of the data subject. The EEA Transfer Regulations provide certain exemptions from such notification obligations.

Rights to access information

Under the PPL, individuals have the right to request access to the personal data maintained about them in the database.

Rights to data portability

Israeli law does not include a right to data portability.

Right to be forgotten

Israeli law does not include the right to be forgotten. However, the EEA Transfer Regulations give a data subject the right to request deletion of his/her personal data when: (i) the data was created, obtained, accrued or collected in contravention of the provisions of any law, or that the further use of the data is in violation of the law; or (ii) the data is no longer necessary for the purposes for which it was created, obtained, accrued or collected. The EEA Transfer Regulations provide certain exemptions from such deletion obligation.

Objection to direct marketing and profiling

Israeli law does not include the right to object to profiling.

As to direct marketing, a data subject has the right to request to be deleted from a database used for direct mailing. It should be noted though that not every communication with a data subject would be considered to be "direct mailing" but rather only a communication that is made based on the profiling of such data subject.

In addition, the "Spam Law" contains unsubscribe obligations (described in further detail below).

Other rights

Pursuant to the PPA, if, following access and review of the data, the data subject finds his/her personal data to be inaccurate, incomplete, or out of date, the data subject has the right to request the amendment or deletion of such data.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The Privacy Protection Regulations (Data Security) 2017 ("Security Regulations") set forth specific security-related requirements that will apply to the processing of personal data. Such requirements vary, based on the security level classification of such a database.

In this respect, there are four possible classifications: (i) a database owned by an individual; (ii) basic security level database; (iii) medium security level database; and (iv) high-level security database. The classification derives from the type of personal data processed, the number of data subjects, the number of authorised users of the database, and the processing purposes.

In general, the obligations in the Security Regulations refer to the following elements: (a) documentation requirements: preparing certain required documents such as a "database definition document", a security procedure, and a data breach policy; (b) security technical requirements such as including appropriate security measures (physical, logs, environmental), management of access rights and means of documentation and authentication, recovery and backups; and (c) additional requirements such as periodic audits and updates, as well as ensuring proper contractual obligations are included in the agreements with sub-processors.

Specific rules governing processing by third party agents (processors)

The Security Regulations (and the Guidelines issued by the PPA regarding Outsourcing Services ("Outsourcing Guidelines")) govern processing by third-party agents (processors).

The Outsourcing Guidelines require the database owner, before engaging with a service provider, to perform a preliminary review of the service provider. This review must examine the data security risks associated with such engagement while taking into account the sensitivity of the data, the reputation of the service provider (in connection with privacy aspects), and the risk of potential misuse of the data by the service provider.

Additionally, the Security Regulations state that the agreement with the service provider must include specific mandatory clauses such as: (i) the type of data provided to the service provider, the permitted processing activity by the service provider, and the systems which the service provider may access; (ii) the manner in which the service provider implements the applicable security obligations; (iii) specific confidentiality obligations by the service provider and its personnel; (iv) periodic reporting obligations; (v) obligations relating to appointing of a sub-processor; and (vi) an obligation to return/delete the data upon termination of the agreement.

Notice of breach laws

In case of a "severe security incident", the Security Regulations require immediate notification to the PPA. The responsibility to report applies both to the manager and the holder of the database. However, once a report is made, by either of the parties, the obligation is satisfied.

A "severe security incident" is defined as either of the following: (i) in a database subject to a high security level - an incident involving the use of data from the database without authorisation or in excess of any authorisation, or that results in damage to its data integrity; or (ii) in a database subject to a medium security level - an incident involving the use of a substantial part of the database without authorisation or in excess of any authorisation, or that results in damage to its data integrity concerning a substantial part of the database.

In addition, the Security Regulations authorise the PPA to request, after consulting with the Head of the Israel National Cyber Defence Authority, that notification be made to the data subjects that have been affected by the incident.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

Personal data transfers to third countries must comply with the conditions and requirements outlined in the Protection of Privacy Regulations (Transfer of Data to Databases outside the State's Borders), 5761-2001 ("Transfer Regulations").

Under the Transfer Regulations, a database owner should first establish that one of the conditions provided in the Transfer Regulations to allow the cross-border transfer is satisfied, such as: (i) obtaining the data subjects' consent; (ii) the transfer being to the EU/EEA/UK or any country that has been declared "adequate"; or (iii) transferring to a party that agrees to comply with the conditions for the ownership and use of the data applying to a database in Israel.

In addition to meeting one of the conditions described above, the recipient of the data is also required to undertake in writing to take adequate measures to ensure the continued protection of the privacy of the data subjects and to guarantee that the data shall not be transferred by it to any other individual or entity. This prohibition creates significant practical difficulties if the recipient uses subcontractors and outsourcers. In January 2022, the PPA issued a draft statement stating that the prohibition on onward transfer would not apply if the data subjects were made aware that the data would be transferred to other parties. It should be noted that this is a draft statement that has not been given official status.

Notification and approval of national regulator (including notice of use of Model Contracts)

There is no notification and approval obligation. However, as part of a database registration process, the registration form includes a section relating to transfers to third countries.

Use of binding corporate rules

There is no specific regulation indicating the possibility of using binding corporate rules. Nonetheless, if such rules ensure compliance with the Transfer Regulations (e.g., indicate adequate measures to ensure the privacy of the data subjects), they may be used.

_____________________________________________________________________

Enforcement

Fines

The PPA is authorised to impose administrative fines in case of specific infringements under the PPL. The penalties per violation are equivalent to approximately US$ 2,800 – US$ 8,500.

It is important to note that the Israeli Parliament (the Knesset) is in the process of amending the PPL (Amendment number 14, 2022). Such amendment, if and when finalized, will result, inter alia, in setting gradual administrative fines.

Imprisonment

Violations regarding the registration and management of a database constitute a strict liability criminal offence, and are subject to imprisonment of one year.

In addition, a wilful infringement of individual privacy (e.g., publishing an intimate photo of an individual without his/her approval) could lead to imprisonment of up to five years.

Compensation

An Infringement of Privacy is considered a civil tort.

An individual whose privacy rights are infringed may be entitled to statutory damages in an amount up to 50,000 NIS (approximately US$16,500).

In addition, individuals may initiate class actions based on privacy and data protection infringement in case the causes of action arise in the context of consumer or employment relations.

Other powers

The PPA may cancel a registration of a database and/or decline a registration application if it serves, or is liable to perform, illegal activities or if the personal data included within it is collected in violation of the PPL.

In addition, the PPA publishes different enforcement actions it performs against infringing companies on its website, which, as a practical matter, may lead to potential damage to the company's reputation.

Practice

Sectoral Audits:

The PPA publishes sectoral supervision audits performed in different sectors or industries to verify compliance and raise awareness of the importance of privacy protection. As part of such audits, companies and organisations are required to answer questionnaires and provide various data in order to confirm their compliance with the PPL. For example, the PPL has checked methods of obtaining individuals' consent and the methods of collecting, processing, and securing the personal data the companies obtain.

In April 2021, the PPA published findings from an audit of medical rights assistance companies (companies that assist their customers in contacting and filing medical claims with the Social Security Insurance Authority). The companies obtain sensitive medical personal data of thousands of clients, who are also required to consent to broad usage of their personal data. The PPA found that the industry is characterised by large power gaps between the companies and their clients as well as knowledge gaps regarding how and why the client's personal data is being used. The PPA sent questionnaires to several companies and found various gaps regarding compliance with the Security Regulations and the management of their databases. In addition, the PPA found that some companies do not comply with the PPL's requirements regarding obtaining consent and privacy notices.

In January 2020, the PPA published findings from an audit on educational websites and applications designed for minors. The companies collected various types of personal data regarding minors from elementary school to high school, including sensitive personal data. The PPA sent questionnaires regarding outsourcing services, database management, data security, and internal supervision. The audit findings indicated defects in 23 of the 24 supervised entities.

Fines

On 21 January 2021, the PPA fined a software company that operated applications for political parties. A severe security incident in the company's systems led to a data breach of the voters' database, which included the personal data of more than 6 million Israeli citizens. The PPA also found that the company and the parties violated the Security Regulations. As part of the investigation, the PPA also found that the company violated the PPL by holding unnecessary databases and imposed a fine of 25,000 NIS.

On 3 May 2021, the PPA published a decision to fine a municipality. The PPA concluded a data breach occurred due to malware installed in the municipality's computer systems which included the personal data of the residents, employees, etc. The PPA found the municipality breached the PPL as it did not register the database and had not implemented data security measures. The PPA imposed a fine of 10,000 NIS and instructed the municipality as to how to comply with the PPL.

On 5 August 2021, the PPA published its conclusions from an administrative supervision procedure to examine the circumstances of an information security incident in a large health services provider. As part of the breach, the customers of the provider received messages containing a reference to a questionnaire on health issues. The messages were sent to the wrong recipients due to errors in processing the personal data and included the full name and sensitive medical personal data of other individuals. It was found that the provider breached the PPL and the regulations and was instructed as to how to comply with the PPL.

In November 2021, the PPA fined LolaTech Ltd 25,000 NIS for failing to report that it serves as a holder of 60 sensitive databases.

In November 2022, the PPA determined that Data Online (registered as BMC Lean Group Ltd.) had committed a series of serious violations of the PPL and its regulations, and imposed a fine of 320,000 NIS. The company, which provided information related services to dozens of different companies and entities in the private and public sectors, including health insurance funds, falsely presented itself as having a legal database registered under the PPL and provided its customers with data which it maintained in breach of the PPL and with no lawful basis.

In December 2022, the PPA determined that an employee of the Tax Authority had misused his access permission to personal data. The PPA found that the employee had used the access granted to him as an employee of the Tax Authority to share personal data to a Facebook group used to locate relatives. This use was not in line with his duties as an employee or the purposes of the database. For these violations, the PPA imposed a fine of 95,000 NIS on the employee.

In April 2023, following an administrative inspection procedure performed by the PPA with respect to the City Council of Yeruham, it was determined that the City Council did not fulfil its data security obligations and did not register its database as required under the PPL. Therefore, the PPA imposed a fine of 10,000 NIS and instructed the City Council to comply with the requirements of the PPL.

Civil enforcement

In recent years, several motions to approve class actions were filed with Israeli courts against large companies in various fields claiming infringement of privacy of the companies' clients.

For example, on 5 March 2020, the District Court approved a settlement agreement in a class action between the plaintiff and one of the largest communication companies in Israel. The plaintiff claimed that the company infringed the privacy of the company's customers when selling and transferring the customer's location data to a third party. The plaintiff claimed that the third party profiled the customers and sold the personal data to third parties. The company denied the claims and claimed that only anonymised personal data was transferred to third parties and no infringement had occurred. After a lengthy court process, including a submission from the Attorney General and an expert report on a suggested settlement, the court approved compensation of approximately 22 million NIS and a commitment to comply with the PPL in future activity.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

The PPL regulates direct marketing activities.

In addition, Section 30A of the Communications Law (Telecommunications and Broadcasting) 5742-1982 also includes a section known as the "Spam Law".

_____________________________________________________________________

Cookies

Conditions for use of cookies

There are no specific conditions for the use of cookies.

Regulatory guidance on the use of cookies

There is no specific regulatory guidance on the use of cookies. However, in a position paper published by the PPA in April 2021 concerning privacy in payments apps, the authority recommends an opt-in model for obtaining consent for non-essential cookies.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

The Spam Law mandates an opt-in mechanism when sending advertisements via email.

The Spam Law defines an "Advertisement" as: "a message distributed in a commercial manner that aims to encourage the purchase of a product or service or to encourage spending of money in another way."  

It should be noted that the term "Advertisement" has been interpreted by Israeli courts quite broadly, so in practice, a message that is not purely service-related is likely to be deemed to be an advertisement. For example, an Israeli court has ruled that indirect statements that may praise the advertiser's brand are considered to be advertisements under the Spam Law.

Conditions for direct marketing by e-mail to corporate subscribers

The Spam Law does not in general distinguish between corporate and individual recipients, except that a one-time message to a recipient which is a business requesting consent to deliver advertisements is not a violation of the law.

Exemptions and other issues

The Spam Law provides an "opt-out" mechanism which would allow sending Advertisements to a recipient who did not give their consent, provided that all of the following terms are met: (i) the recipient has given their details to the advertiser during the purchase of a product or service or the duration of negotiations for such purchase, and the advertiser notified the recipient that such information would be used for sending advertisements via the specific communication means set forth above; (ii) the advertiser has allowed the recipient to refuse to receive said advertisement (in general or to a specific type), and the recipient did not do so; and (iii) the advertisement refers to a product or service similar to the product or service mentioned in point (i) above.

The Spam Law exempts one-time messages to a recipient requesting a donation or for political propaganda purposes which includes asking for consent to deliver advertisements. As long as the recipient does not opt out of such messages, it is not considered to be spam.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

The Spam Law does not apply to direct marketing calls. Rather, the PPL's direct marketing section applies, meaning that the individual is allowed to opt out of direct marketing via telephone.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

Direct marketing issues are regulated under the PPL, which only applies to individuals.

Exemptions and other issues

On 24 November 2020, an amendment to the Consumer Protection Law 1981 was published, to establish a “Do Not Call Me” database (the “Amendment”) that aims to restrict dealers from making telephone marketing calls to consumers who have registered on the “Do Not Call Me” database.

The Amendment stipulates a few exceptions where a dealer shall be allowed to call a consumer who has registered on the database, including: (i) where a consumer asks a dealer to call them back; (ii) where the dealer and the consumer have entered into an on-going transaction and the telephone marketing call relates to the transaction, except for the extension of the on-going transaction (unless the consumer has asked the dealer to extend the transaction’s period); (iii) where the consumer has given the dealer an explicit and separate prior written consent to contact them through a telephone marketing call, including by electronic means, provided that: (a) such consent has not been obtained by way of a telephone call with the consumer, (b) it was clarified that nothing in the consent indicates a consent to the execution of any transaction between the consumer and the dealer, and (c) the consent shall be valid for a maximum period of one year (with a possible one-year extension), and may be withdrawn earlier by the consumer; and (iv) where the consumer approached the dealer and gave explicit consent to receive telephone marketing calls from the dealer – such consent will be valid for one year only and may be withdrawn earlier by the consumer.

_____________________________________________________________________