Israeli Database Law and AI — Who Must Register, When, and Under What Framework

When an AI System 'Touches' a Database — Three Practical Examples

Example 1 — Customer service chatbot

An insurance company deploys a GPT-based chatbot that answers customer queries by reading from the CRM system. The chatbot is granted read access to the customer database. Under the law:

• The existing registered database remains registered — its classification does not change.
• OpenAI is added as a 'holder' — a written DPA is required, and the registration may need to be updated to reflect this new processing arrangement.
• Data subjects must be notified that AI is being used to handle their inquiries.
• Access logging is mandatory — which inquiries were routed to the chatbot, and which data was retrieved from the database. See Regulation 13.

Example 2 — Internal model trained on customer data

A fintech company trains a credit-risk model on its customer transaction history. Under the law:

• The training dataset may itself constitute a separate database if identifiable personal information can be extracted from it.
• If the source database is classified as high-security, all processing operations — including model training — are subject to the Information Security Regulations.
• Data subject correction rights extend further: if a customer corrects their information, the organization must assess the impact on the trained model.

Example 3 — Microsoft Copilot in Microsoft 365

An organization purchases Copilot licenses. Employees begin using it across email, Word, Excel, and summarization tools. Under the law:

• Microsoft is a 'holder' in relation to some of the organization's databases.
• An existing Enterprise Agreement typically provides a contractual basis, but organizations should verify that it covers the Copilot-specific terms and data processing activities.
• Data transfers to Azure in the US or Europe are generally permissible under the EU-US Data Privacy Framework.

The Notice Obligation — What to Include in a Privacy Policy When Using AI

Section 11 of the Privacy Protection Law requires the database manager to notify data subjects at the point of collection. The Privacy Protection Authority updated its guidance in 2025 to require additional disclosures in the AI context:

1. A clear statement that AI is used in processing the information
2. The identity of external vendors, at minimum by category — for example, 'a US-based AI services provider'
3. The purpose of the AI use — personalization, analytics, or automated decision-making
4. Whether the information is used to train models (especially where it is)
5. The right to contest an automated decision — how to raise an objection and what the process entails

Cross-Border Data Transfers — Common Scenarios

Scenario: Using the OpenAI API from Israel

OpenAI retains usage logs in the United States by default for 30 days. If a prompt contains personal information, a transfer to OpenAI's US infrastructure takes place. The available legal bases are:

• Contractual safeguards via OpenAI's standard Enterprise DPA
• If the organization has enabled the 'No data retention' option, risk is reduced because logs are not stored
• The transfer must be documented in the organization's internal data processing records

Scenario: An Israeli SaaS vendor that uses a US-based LLM

An Israeli organization uses an Israeli SaaS product. Behind the scenes, that SaaS vendor calls Anthropic's API in the United States. This creates two layers: the organization and the Israeli SaaS vendor (primary holder), and the Israeli SaaS vendor and Anthropic (sub-processor). The organization's obligation: obtain a list of sub-processors from the vendor and approve them in writing.

The Alice GRC portal identifies every AI system processing personal information within the organization, flags vendors requiring legal review, and generates an action list for updating database documentation. Rather than working through 60 pages of legislation and regulations, the questionnaire performs the translation automatically.