Do you still need to register your database? What Amendment 13 really changed
For 40 years, almost every Israeli company that held a customer list was supposed to register it with the government. On 14 August 2025, that quietly ended for most businesses — and a lot of startups are now getting the new rules exactly backwards.
If your reaction to Amendment 13 was "great, one less form to file" — you're half right. The old, sweeping database-registration regime is gone. But it didn't disappear into thin air: it was replaced by a narrower registration duty plus a brand-new notification obligation, and the paperwork most companies still keep behind the scenes hasn't gone anywhere.
The old rule: register almost everything
Under the pre-Amendment 13 Privacy Protection Law, the duty to register a database with the Database Registrar was broad. A database could be caught simply because it held information on a few thousand people, contained "sensitive information", held data not collected directly from the individuals, or was used for direct-mail services. In practice that swept in a huge share of ordinary businesses — SaaS companies, online stores, clinics, HR departments — and produced a mountain of filings that protected almost no one.
What changed on 14 August 2025
Amendment 13 — enacted on 5 August 2024 and in force since 14 August 2025 — rebuilt registration around risk instead of volume. As the Privacy Protection Authority puts it, the registration duty on the private sector was "almost entirely abolished" (PPA professional guide; IAPP). Registration is now mandatory, under section 8(a) of the Law, only if your database meets one of these conditions:
- You are effectively a data broker — the database's main purpose is collecting personal data to deliver it to someone else, as an occupation or for consideration (including direct-mail services), and it holds data on more than 10,000 people; or
- You are a public body (other than a database holding data on that body's own employees only).
The takeaway for most startups and SMBs: if you collect customer or user data to run your own product or service — not to sell, broker, or mail it onward — you almost certainly no longer need to register your database. One caveat: a database that is already on the register stays listed until you actively ask the Authority to remove it.
The new trap: the notification duty
This is the part companies miss. Amendment 13 didn't just shrink registration — it added a separate notification obligation that has nothing to do with being a data broker. If you control a database that is not required to register, but it contains especially sensitive data on more than 100,000 people, you must notify the Privacy Protection Authority within 30 days of meeting those conditions (section 8A(b)) (PPA — notification obligation). The notification must include:
- the identity of the controller and how to contact them;
- the identity of the Data Protection Officer (where the controller is required to appoint one); and
- a copy of the database definitions document (Regulation 2 of the Data Security Regulations, 2017).
"Especially sensitive data" is now a broad statutory category — it covers health and mental-health data, genetic and biometric data, a person's intimate life, criminal record, ethnic origin, political opinions and religious beliefs, and financial data, among others. If you run health-tech, fintech, insurance, or a large consumer platform, this 30-day clock can start without you noticing.
"Deregistered" does not mean "off the hook"
The biggest misconception we hear: "We don't have to register anymore, so we're done with privacy." Not close. Removing registration changes a filing — not your underlying duties. Even with no registration and no notification required, you still must:
- process lawfully and transparently, with a proper legal basis and clear notice;
- honour data-subject rights — access, correction, and the rights Amendment 13 strengthens;
- meet the Data Security Regulations, 2017;
- maintain a database definitions document — the very document you'd hand over in a notification or inspection;
- appoint a DPO where required, and handle breach response and reporting.
And the stakes are higher than before: Amendment 13 gave the Authority sharper enforcement powers and significant administrative fines — so a quiet documentation gap is no longer a quiet problem. See our breakdown of how big Amendment 13 sanctions really are.
A 5-minute self-check
- Data broker with 10,000+ people on file? → you must register.
- Public body? → you must register.
- Especially sensitive data on 100,000+ people? → notify within 30 days, with your database definitions document and DPO details.
- None of the above? → no registration or notification — but confirm your definitions document, security measures, and data-subject processes are current.
- Unsure about your DPO obligation? → see external DPO vs. full-time hire and what the Authority's DPO Disclosure Opinion actually says.
The bottom line
Amendment 13 didn't make privacy compliance smaller — it made it smarter. Fewer companies register, the notification clock catches fast-growing data-heavy businesses, and the obligations underneath registration are now backed by real fines. The form you no longer file was never the point; the governance behind it always was.
This article is general information, not legal advice. For advice on your specific database, talk to a qualified privacy professional.
Sources
- Protection of Privacy Law (Amendment No. 13), 5784–2024 — official text in the Book of Laws
- Privacy Protection Authority — Amendment 13 professional guide (May 2025)
- Privacy Protection Authority — notification obligation
- IAPP — Israel marks a new era in privacy law