2. Analysis of the Privacy Law
Although the Registrar did not publish an official communication on this case, he is quoted as follows: “Use of an illegal database, even if ‘leaked’ and posted online, is a violation of the Privacy Law.  The imposition of economic penalties on a party which makes an illegal use of information, especially for commercial gain, is an efficient way to protect privacy.”
Based on that quote--the only statement in this matter--this IT Update attempts to analyze the violation of the Privacy Law, and what actions users of data and databases in Israel should take to avoid ending up with a same fate as Marketing Point.
It appears, based on the Registrar’s brief comments on the case, that Marketing Point violated two provisions of the Privacy Law:

2.1. Purpose restrictions on database use: The Privacy Law provides that data may only be used for the purpose which it was given. This is embodied in the general principle in Section 2(9) of the Privacy Law that "using, or passing onto another, information on a person's private affairs, otherwise than for the purpose for which it was given" is an infringement of privacy.
This is reinforced with respect to databases containing personal data. These databases must under certain circumstances be registered, and it is a violation of Section 8(b) of the Privacy Law if a person uses information in a database required to be registered "except for the purposes for which the database was established". 
Marketing Point used information from a database to solicit individuals for offers, which was a purpose clearly different from the original purpose of the Population Registry.

2.2. Possession restrictions on unregistered databases: The Privacy Law prohibits possessing or managing a database which is required to be registered, and has not been registered (and for which an application for registration hasn’t been filed.) If the personal information in this database was obtained for a different purpose, then the Database Registrar may refuse to register it.  In such a case, Marketing Point is possessing and using an impermissible database, which is apparently the situation here.

3. Summary and Recommendations
In light of this enforcement action and the stiff fine imposed by the Database Registrar, we remind clients of some of their obligations under the Privacy Law:

3.1. Companies owning, possessing or managing a database must register the database in certain specified situations, such as if the database includes sensitive information, or information about more than 10,000 people.

3.2. If personal information is provided by an individual for a particular purpose, companies may not use or transfer that information for a different purpose without such individual’s consent.

3.3. Companies may not operate, hold or use a database for direct mail purposes, unless it is registered. The company should indicate that “direct mail approaches and services” are two of the specified purposes for which the database is being registered.

3.4. When making direct mail approach, the approach needs to clearly include:

• a statement that it is a direct mail approach and the registration number of the database used;
• notice that the recipient has the right to be deleted from the database and whom to address for that purpose; and
• the identity and address of the data base and its sources.

If you have any questions, feel free to contact us.