Cambodia announces comprehensive data protection law
Draft legislation establishes data protection framework requiring two-year implementation period for Southeast Asian nation.

Cambodia unveiled its Draft Law on Personal Data Protection on July 23, 2025, marking a significant step toward establishing comprehensive privacy rights in Southeast Asia. The legislation, announced during a consultative workshop at Sokha Phnom Penh Hotel, will require a two-year implementation period following official promulgation.
According to the Ministry of Post and Telecommunications, the law establishes principles, rules and mechanisms for processing personal data with responsibility, transparency and adherence to ethical conduct. The framework aims to protect data subject rights while promoting the investment environment, competition and the development of national and international trade in the context of the digital economy.
GDPR-inspired framework with local adaptations
The proposed legislation adopts familiar European data protection principles while incorporating provisions specific to Cambodia's regulatory environment. Data processing must comply with lawfulness, fairness and transparency requirements, with personal data collected only for specific, explicit and legitimate purposes.
The law establishes six legal bases for data processing: consent of the data subject, necessity for contract performance, compliance with legal obligations, protection of vital interests, performance of public interest tasks, and legitimate interests pursued by controllers or third parties. Processing of sensitive personal data is prohibited except under specific additional conditions, including explicit consent or substantial public interest as determined by law.
Data controllers and processors located outside Cambodia but targeting Cambodian data subjects must appoint local representatives and provide contact information to the Ministry of Post and Telecommunications. Cross-border data transfers require ministry permission, appropriate safeguards, or specific circumstances including written consent, contract necessity, or protection of public interests.
Comprehensive individual rights framework
The legislation grants Cambodian residents extensive data subject rights comparable to European standards. Individuals can access copies of their personal data, rectify inaccurate information, object to processing based on particular situations, and request erasure under specific circumstances including withdrawn consent or unlawful processing.
Data subjects have portability rights allowing direct transmission of personal data between controllers in machine-readable formats when processing occurs through automated means based on consent or contracts. The law gives data controllers one month to respond to requests, extendable by two additional months for complex requests.
Automated decision-making provisions grant individuals rights to human involvement when automated decisions produce legal effects or similarly affect them. Controllers must implement appropriate measures protecting rights, freedoms and legitimate interests in such scenarios.
Enforcement and compliance structure
The Ministry of Post and Telecommunications receives comprehensive authority to manage personal data protection including regulation, audit and monitoring functions. The ministry can instruct controllers and processors to provide necessary data, access information required for performing duties, receive complaints and mediate disputes.
Data controllers must conduct personal data impact assessments when processing may pose high risks to individual rights and freedoms. Assessment reports submitted to the ministry must describe processing purposes and means, risk assessments affecting rights and freedoms, response measures, and security mechanisms ensuring data protection.
Personal data protection officers become mandatory for specified controller and processor categories, with appointment notifications required within 30 working days. Officers must possess adequate qualifications and personal data protection profession certificates as determined by ministerial decrees.
Technical and organizational requirements
Data protection by design and by default becomes mandatory: controllers must implement technical measures that integrate the necessary security safeguards for specific processing purposes. Controllers must also ensure that only the personal data necessary for a specific purpose is processed.
Security measures must prevent unauthorized access, collection, use, disclosure, copying, modification or destruction while ensuring confidentiality, integrity and availability of processing systems. Controllers must implement pseudonymization and encryption where necessary, ensure timely restoration following incidents, and regularly test effectiveness of technical and organizational measures.
Controllers must notify the ministry within 72 hours of becoming aware of a breach posing risks to data subjects. High-risk breaches require immediate data subject notification unless controllers implement appropriate technical measures like encryption or take subsequent measures ensuring risk mitigation.
Administrative and criminal penalties
Administrative fines reach maximum amounts of 60 million riels (approximately $14,500) for natural persons and 600 million riels (approximately $145,000) or 10% of annual turnover for legal entities. Fine determinations consider violation nature, gravity and duration, affected data types and characteristics, financial benefits gained, and timely mitigation measures implemented.
Criminal liability applies to repeat offenders with natural persons facing imprisonment from six days to two years plus fines up to 60 million riels. Legal entities face fines up to 100 million riels (approximately $24,200) plus additional penalties under criminal procedure codes.
The legislation establishes personal data inspection authority with appointed inspectors receiving judicial police status for offense oversight. Complaint mechanisms include ministry-supervised dispute resolution with 15-day resolution timeframes and binding conciliation reports.
Market implications for digital advertising
Cambodia's data protection framework introduces significant compliance requirements for digital marketing operations targeting the Southeast Asian market. Marketing technology platforms processing Cambodian user data must implement consent mechanisms, data minimization practices, and cross-border transfer safeguards.
The law's international scope affects foreign companies offering goods or services to Cambodian data subjects or monitoring activities related to residents. GDPR-style territorial provisions extend compliance obligations beyond companies with physical presence in Cambodia.
Programmatic advertising platforms face particular challenges implementing consent requirements and data localization measures. The legislation's emphasis on legitimate interest assessments may affect algorithmic targeting and behavioral advertising practices common in contemporary digital marketing.
Marketing automation and customer data platforms must prepare for enhanced transparency requirements about automated decision-making processes. The law grants individuals rights to human review of automated marketing decisions, potentially affecting customer scoring and recommendation systems.
Regional privacy landscape development
Cambodia's comprehensive data protection legislation reflects broader Southeast Asian trends toward stronger privacy regulations. The framework positions Cambodia alongside other regional jurisdictions implementing European-inspired data protection standards while addressing local regulatory priorities.
The two-year implementation period provides organizations time to establish compliance programs and adjust data processing practices. However, companies operating across multiple Southeast Asian markets should monitor implementation guidance and enforcement approaches as Cambodia's regulatory framework develops.
The ministry's role as primary supervisory authority mirrors approaches in other emerging privacy jurisdictions, though the extent of enforcement capabilities and international cooperation arrangements remains to be determined through subsequent regulatory guidance.
Timeline
July 23, 2025: Ministry of Post and Telecommunications announces Draft Law on Personal Data Protection during a consultative workshop at Sokha Phnom Penh Hotel featuring presentations and group discussions on processing requirements, security measures, cross-border transfers, data subject rights, and enforcement mechanisms
Key Terms Explained
Data Controller: Data controllers represent the central entities in Cambodia's privacy framework, defined as natural persons or legal entities determining purposes and means of personal data processing. Under the legislation, controllers bear primary responsibility for compliance including implementing technical safeguards, conducting impact assessments, and ensuring lawful processing bases. Foreign controllers targeting Cambodian data subjects must appoint local representatives and notify the Ministry of Post and Telecommunications within specified timeframes.
Personal Data Processing: Processing encompasses any operation performed on personal data whether through automated or non-automated means, including collection, recording, organization, storage, alteration, retrieval, use, disclosure, transmission, dissemination, erasure and destruction. The law establishes strict principles governing processing activities requiring lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation and security measures with controllers demonstrating compliance.
Cross-border Data Transfer: International data transfers require explicit permission from the Ministry of Post and Telecommunications, appropriate safeguards assessment by controllers, or specific circumstances including written consent, contract necessity, public interest protection, vital interest protection, legitimate interest protection, or legal claim establishment and defense. These restrictions mirror European GDPR provisions addressing adequacy decisions and standard contractual clauses for international data flows.
Data Subject Rights: Cambodian residents receive comprehensive rights including information access, rectification of inaccurate data, objection to processing, erasure under specific circumstances, restriction of processing, data portability between controllers, and human involvement in automated decision-making. Controllers must respond within one month, extendable by two additional months for complex requests, with specific procedures established for exercising these fundamental privacy protections.
Ministry of Post and Telecommunications: The ministry serves as Cambodia's primary data protection supervisory authority with comprehensive powers including regulation development, audit and monitoring functions, instruction authority over controllers and processors, complaint reception and dispute mediation, awareness promotion, international cooperation, evolution monitoring of data protection works, and cross-border transfer management through monitoring, restriction or permission mechanisms.
Consent Mechanisms: Valid consent requires explicit agreement from data subjects following clear notification about processing purposes, with specific requirements for easily understandable forms, prior notification before processing, specified and appropriate purpose information, withdrawal rights notification, and data protection officer contact information provision. Consent for data subjects under 16 years requires parental or guardian authorization with controller verification through available technology or feasible means.
Data Protection Impact Assessment: Controllers must conduct impact assessments when processing may pose high risks to data subject rights and freedoms, considering processing type, scope, context and purposes. Assessment reports submitted to the ministry must include processing purpose and means descriptions, risk assessments affecting rights and freedoms, response measures for identified risks, and security measures ensuring data protection with conditions, formalities and procedures determined through common guidelines.
Administrative Fines: Penalty structures establish maximum fines of 60 million riels for natural persons and 600 million riels or 10% annual turnover for legal entities violating processing requirements, controller obligations, data protection officer requirements, or data subject rights provisions. Fine determinations consider violation nature, gravity and duration, affected data characteristics, financial benefits gained, mitigation measures implemented, previous violations, compliance efforts, proportionality and effectiveness for enforcement, and operational impact assessments.
Security Measures: Technical and organizational security requirements mandate controllers and processors implement measures preventing unauthorized access, collection, use, disclosure, copying, modification or destruction while ensuring confidentiality, integrity and availability of processing systems. Required measures include pseudonymization and encryption where necessary, timely restoration capabilities following incidents, and regular testing and evaluation of security measure effectiveness with implementation considering current technology state and costs.
Data Protection Officer: Controllers and processors must appoint qualified data protection officers possessing adequate qualifications and professional certificates for practicing personal data protection. Officers monitor compliance with processing requirements established by the legislation, with appointment notifications required within 30 working days and changes notified within 15 working days. Specific criteria for determining controller and processor types requiring officers will be established through ministerial decrees with qualification and certification procedures detailed in subsequent regulations.
Summary
Who: Cambodia's Ministry of Post and Telecommunications announced comprehensive data protection legislation affecting companies processing personal data of Cambodian residents, with international scope extending to foreign entities targeting the market.
What: Draft Law on Personal Data Protection establishing GDPR-inspired framework including data subject rights, controller obligations, cross-border transfer restrictions, breach notification requirements, and administrative penalties up to 600 million riels for legal entities.
When: Announced July 23, 2025, during consultative workshop, with two-year implementation period following official promulgation requiring organizations to establish compliance programs and adjust data processing practices.
Where: Legislation applies within Cambodia and extends internationally to foreign companies offering goods or services to Cambodian data subjects or monitoring activities related to residents, similar to GDPR territorial scope.
Why: Framework aims to protect data subject rights while promoting investment environment, competition and national and international trade development in digital economy context, positioning Cambodia within regional privacy regulation trends.