Processing Health Data in Cambodia: Navigating Sensitive Data Protections Under the Upcoming Personal Data Protection Law

Cambodia's upcoming Personal Data Protection Law (PDPL) will introduce comprehensive obligations for processing health data. Healthcare providers, pharmaceutical companies, medical technology firms, and health insurers must navigate stringent requirements for handling what the PDPL classifies as "Sensitive Personal Data". The PDPL aligns substantially with the European Union's General Data Protection Regulation (GDPR) while establishing Cambodia-specific compliance pathways, creating both opportunities for standardization and challenges for organizations processing health data.

I. Classification of Health Data as Sensitive Personal Data

The PDPL defines health data as "information related to the physical or mental health of an individual, including health status information from which an individual can be identified". This classification extends beyond traditional medical records to encompass wellness app data, fitness tracking information, genetic data, and biometric health indicators. Article 14 of the PDPL establishes a prohibition on processing sensitive personal data as the default position, requiring organizations to demonstrate compliance with both a standard legal basis under Article 7 and at least one additional condition specified for sensitive data processing.

The glossary distinguishes health data from genetic data and biometric data, though all three categories receive equivalent protection as sensitive personal data. Healthcare organizations must recognize that the definition captures not only clinical information generated during treatment but also health-related personal data collected through digital health platforms, telemedicine services, and health insurance administration.

II. Legal Bases for Processing Health Data

Organizations processing health data must establish dual compliance: satisfying one of the six legal bases enumerated in Article 7 of the PDPL (consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interests) and meeting at least one additional condition under Article 14 of the PDPL. The most commonly applicable conditions in healthcare contexts include:

  • Explicit consent of the data subject: This represents a heightened standard beyond the informed consent required for non-sensitive data under Article 8. Data controllers must demonstrate that consent is freely given, specific, informed, and unambiguous, with clear documentation of the consent mechanism.
  • Vital interests protection: Processing becomes permissible when necessary to protect the vital interests of the data subject or another natural person, particularly where the data subject is physically or legally incapable of providing consent. This ground accommodates emergency medical situations.
  • Preventive or occupational medicine and public health: The PDPL authorizes processing for preventive medicine, occupational health assessments, and public health purposes as determined by law, subject to suitable safeguards for fundamental rights and freedoms.
  • Scientific and historical research: Research institutions may process health data for archiving purposes in the public interest, scientific or historical research, or statistical purposes, provided processing is proportionate, respects data subject rights, and implements appropriate safeguards.

Healthcare providers must carefully assess which legal bases apply to their specific processing activities, documenting the rationale and ensuring processing remains limited to what is necessary for the stated purpose.

III. Regulatory Requirements and Compliance Obligations

The PDPL imposes several heightened obligations specifically affecting health data controllers, including but not limited to:

  • Records of Processing Activities: Healthcare organizations must prepare and maintain comprehensive records of all personal data processing activities under their responsibility or control. These records serve as evidence of compliance and facilitate regulatory oversight.
  • Personal Data Impact Assessments: Where processing health data poses high risk to data subject rights and freedoms, data controllers must conduct comprehensive impact assessments addressing the purposes and means of processing, risk assessment, responsive measures, and security mechanisms. The Ministry of Post and Telecommunications (MPTC) will receive submission of these assessment reports.
  • Personal Data Protection Officers (PDPO): Healthcare organizations meeting criteria established by ministerial prakas must appoint a qualified PDPO holding a personal data protection professional certificate. These officers monitor compliance with PDPL requirements and serve as contact points for data subjects and regulators.
  • Breach Notification: Healthcare organizations must notify the Ministry of Post and Telecommunications within 72 hours of becoming aware of data breaches. Where breaches pose high risk to data subject rights and freedoms, direct notification to affected individuals is mandatory unless the controller implemented encryption or other protective measures rendering the data unintelligible.
  • Cross-Border Transfer Restrictions: Transferring health data outside Cambodia requires either MPTC permission, adequate safeguards assessment, or reliance on specific circumstances including written consent, contractual necessity, or protection of vital interests. Healthcare organizations participating in international research collaborations or utilizing overseas data processors must establish compliant transfer mechanisms.

IV. Intersection with Health Sector Regulations

Cambodia's health regulatory framework, including the Law on Management of Private Medical, Paramedical and Medical Aid Profession (2000) and the Sub-Decree on Physician's Code of Ethics (2003), establishes professional confidentiality obligations complementing PDPL requirements. Article 43 of the Code of Ethics mandates physicians maintain medical records as confidential documents, creating parallel legal duties enforceable through both professional discipline and data protection sanctions.

Healthcare organizations must integrate PDPL compliance into existing quality management systems, professional standards, and ethical frameworks. The Ministry of Health and MPTC may develop Supplementary Guidelines for Sectoral Personal Data Protection under Article 38, potentially establishing enhanced standards for health data beyond the Common Guidelines' minimum requirements.

Conclusion

The upcoming PDPL will establish a comprehensive framework for health data protection requiring healthcare organizations to implement enhanced safeguards, document legal bases rigorously, and prepare for regulatory oversight by the MPTC. Organizations should begin compliance preparations immediately, leveraging the two-year implementation period to develop robust data protection programs. As Cambodia's digital health ecosystem expands, the intersection of medical confidentiality principles with modern data protection standards positions compliant organizations to build patient trust while participating in regional health information exchange initiatives.


Disclaimer: This legal insight is provided for general information purposes only and should not be construed as legal or professional advice on any particular matter, nor create a Privacy Iuris-client relationship. Before you take any action that may have legal implications, please inquire with your contact at Privacy Iuris.

Contact Us: info@privacyiuris.com