Cambodia's Draft Law on Personal Data Protection
Key Takeaway: Cambodia's Draft Law on Personal Data Protection represents a landmark legislative development that positions the Kingdom as a progressive participant in the global data protection landscape, establishing comprehensive protections with significant penalties for non-compliance.
I. Introduction
Cambodia's Draft Law on Personal Data Protection represents a landmark legislative development that positions the Kingdom as a progressive participant in the global data protection landscape. This draft, finalized on 23rd June 2025, establishes foundational principles for personal data processing while creating robust mechanisms for data subject rights protection and institutional oversight. The draft demonstrates Cambodia's commitment to balancing digital innovation with personal data protection, establishing a legal foundation that supports both economic development and fundamental rights safeguarding.
The draft's broad scope encompasses both automated and non-automated personal data processing activities, extending jurisdiction beyond territorial boundaries to include foreign entities serving Cambodian data subjects, thereby creating a comprehensive protective umbrella for citizens' personal data rights.
II. Fundamental Definitions
The draft establishes critical definitional boundaries that shape its entire regulatory scope and application.
- Personal data refers to any information relating to a natural person who can be identified through various identifiers including names, identification numbers, location data, online identifiers such as IP addresses, email addresses, and account names, as well as physical, physiological, genetic, mental, economic, cultural, or social identity characteristics. This expansive definition ensures comprehensive coverage of modern digital identities while recognizing traditional identification methods and emerging technological capabilities.
- Processing refers to any operation performed on personal data through automated or non-automated means, including collection, recording, organization, storage, alteration, retrieval, use, disclosure through transmission, dissemination, erasure, and destruction. This comprehensive scope prevents regulatory circumvention through technical distinctions while ensuring all data handling activities receive appropriate oversight and protection mechanisms.
- Data subject refers to a natural person whose information undergoes processing under the law's provisions, establishing clear rights-holder identification for enforcement and remedy purposes.
- Data controller refers to a natural person or legal entity determining processing purposes and means, excluding public authorities acting within jurisdictional boundaries unless specifically designated through Royal Government decisions or alternative legal provisions.
- Data processor refers to a natural person or legal entity that processes personal data on the controller's behalf through contractual arrangements.
- Sensitive personal data refers to information revealing racial origin, political opinions, religious or philosophical beliefs, trade union membership, alongside biometric data, genetic data, health data, and information concerning sexual life or sexual orientation. This categorization reflects heightened privacy risks and social sensitivities while establishing enhanced protection requirements for particularly vulnerable information categories.
III. Regulatory Authority and Institutional Framework
The draft designates the Ministry of Post and Telecommunications (MPTC) as the primary regulatory authority, vesting it with comprehensive oversight powers that include regulation, auditing, monitoring, and enforcement capabilities. The choice of the MPTC reflects Cambodia's recognition of telecommunications infrastructure as central to data processing activities and digital transformation initiatives. The MPTC's extensive authorities encompass complaint resolution, international cooperation, cross-border data transfer oversight, and the potential establishment of a dedicated Personal Data Protection Unit when circumstances warrant specialized institutional support. This centralized approach ensures consistent regulatory interpretation while providing clear institutional accountability for data protection enforcement across various sectors and jurisdictions.
IV. Core Processing Principles
The draft establishes six fundamental processing principles that mirror international best practices while adapting to Cambodia's specific legal and cultural context. These principles mandate:
- Lawfulness, Fairness, and Transparency: processing must comply with legal standards, be fair, and clearly communicated to data subjects.
- Purpose Limitation: data must be collected for explicit and legitimate purposes only.
- Data Minimization: collection must be limited to what is strictly necessary.
- Accuracy: data must be kept accurate and up to date.
- Storage Limitation: retention is restricted unless for specified legal, research, or archival purposes.
- Security and Integrity: technical and organizational measures must protect against unauthorized access, alteration, or loss.
Additionally, organizations are responsible for, and must be able to demonstrate, compliance with all core processing principles.
V. Legal Bases for Processing
The draft establishes six distinct legal bases for personal data processing:
- Consent: explicit, informed and withdrawable; parental consent required for minors under 16.
- Contractual Necessity: for fulfilling or entering into contracts.
- Legal Obligation: to comply with statutory duties.
- Vital Interests: to protect life or health.
- Public Interest: to fulfil a duty in the national interest.
- Legitimate Interest: permitted where balanced against data subject rights and freedoms.
VI. Enhanced Protections for Sensitive Personal Data
The law implements a dual-layer protection system for sensitive personal data, initially prohibiting processing. However, the draft recognizes legitimate societal needs by establishing nine specific exceptions that allow processing under heightened safeguards. These exceptions include (1) explicit consent, (2) employment and social security necessities, (3) vital interest protections, (4) not-for-profit organization activities, (5) publicly disclosed information, (6) legal claim establishment or defense, (7) substantial public interest requirements, (8) preventive medicine and public health purposes, and (9) archival, scientific, or statistical research activities. Each exception requires proportional processing that respects fundamental rights while implementing appropriate safeguards that maintain data subject protections even during authorized sensitive data handling.
VII. Organizational Obligations and Compliance Architecture
Data controllers and processors face comprehensive obligations that extend beyond basic processing requirements to encompass:
- Personal Data Protection by Design and Default: integrating safeguards from the outset.
- Data Processor Contract: specifying purposes, duration, data categories, data breach notification, and the obligations of the parties.
- Record of processing: maintaining documentation that demonstrates accountability and compliance.
- Personal Data Impact Assessment (PDIA): high-risk processing requires a PDIA covering:
  - Processing purposes and methodology
  - Risks to the rights and freedoms of data subjects
  - Mitigation measures
  - Security measures
- Security measures: security measures must be proportionate to processing risk and may include:
  - Pseudonymization and encryption
  - Confidentiality, integrity and availability safeguards
  - Incident recovery plans
  - Regular effectiveness testing
- Data breach notification: notify the MPTC within 72 hours and affected data subjects without delay where there is a high risk.
VIII. Cross-Border Data Transfer
International data transfers require the MPTC's permission, adequate safeguard assessments, or specific circumstance justifications including written consent, contractual necessity, public interest protection, vital interest safeguarding, legitimate interest advancement, or legal claim establishment and defence. The draft balances Cambodia's participation in the global digital economy with sovereign data protection priorities, ensuring adequate protection levels accompany data transfers while supporting legitimate international business activities. Organizations must demonstrate compliance through comprehensive evidence submission, creating accountability mechanisms that survive transfer completion and support ongoing regulatory oversight of international data flows.
IX. Professional and Certification Requirements
Personal Data Protection Officers (PDPOs) receive comprehensive definitional treatment as natural persons assigned to assist processing compliance according to legal provisions, whether serving as an employee or under a representative mandate. Upon implementation of the law, PDPOs must possess personal data protection profession certificates demonstrating adequate qualifications for personal data protection program oversight and compliance monitoring responsibilities. This professionalization approach creates specialized career pathways while ensuring competent organizational personal data protection leadership through standardized qualification requirements.
X. Data Subject's Rights
The draft establishes comprehensive data subject rights over their personal data:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to object to automated decision-making
- Right to remedy
XI. Enforcement and Penalties
The draft provides a graduated enforcement regime, combining administrative and criminal measures to ensure deterrence and proportionality.
- Administrative: warnings, corrective orders, and fines of up to 60M Riels for a natural person and 600M Riels or 10% of annual turnover for a legal entity
- Criminal: imprisonment of up to 2 years for severe or persistent breaches
Penalty severity considers factors such as the nature and duration of the data breach, the types of data involved, mitigation efforts, cooperation with the competent authority and operational impact.
XII. Implementation Timeline and Strategic Implications
A two-year transition period from promulgation allows organisations to:
- Conduct gap analyses
- Upgrade systems and policies
- Train staff
- Establish monitoring and reporting processes
XIII. Recommended Organizational Response Strategy
Organizations should act now to prepare for proactive compliance with the upcoming law:
- Initiate a compliance assessment against the draft law
- Form a cross-functional data protection task force
- Update or create policies, procedures and contracts
- Implement technical and organisational measures
- Prepare documentation and evidence for regulatory review
- Monitor for further guidance from the MPTC
This regulatory update is provided for general information purposes only and should not be construed as legal or professional advice on any particular matter, nor create a Privacy Iuris-client relationship. Before you take any action that may have legal implications, please inquire with your contact at Privacy Iuris.