Cambodia Consults Stakeholders on Draft Personal Data Protection Law
MPTC held a broad consultative workshop on Cambodia's proposed personal-data-protection legislation, involving government, private-sector, academic, civil-society and development-partner representatives.
Development
The 2025 consultation on a stand-alone personal data protection law for Cambodia forms part of the wider effort to modernise the legal framework for the digital economy. Complementing the amendments to existing rules, the proposal for a dedicated law seeks to bring together data protection principles, rights of individuals, obligations of controllers and processors, and supervisory arrangements into a single, coherent instrument.
The consultation is relevant to organisations that process personal data of Cambodian individuals, whether located in Cambodia or abroad, and to the individuals whose data is processed. Given the breadth of the topic, the consultation attracted interest from telecommunications operators, financial institutions, digital service providers, healthcare providers, employers and public sector bodies.
Rationale for a stand-alone law
A stand-alone law can provide a clearer legal basis for data protection, can enable more consistent supervision and can facilitate international recognition of the Cambodian framework. It can also address in a more structured way the concepts that have become central to modern data protection, including data protection by design, data protection impact assessments, the role of data protection officers and cooperation with independent supervisory authorities.
The consultation acknowledges that sector-specific rules will continue to play a role but seeks to provide a general foundation on which sectoral requirements can build.
Core principles
The proposal is built on core principles that are widely recognised in comparable frameworks, including lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. Organisations are expected to translate these principles into policies, procedures and practical measures that shape day-to-day handling of personal data.
Accountability is a particularly important principle. Organisations are expected not only to comply with the rules but to be able to demonstrate that they comply, through documentation, audit trails and internal governance.
Rights of individuals
The proposal strengthens the rights of individuals in relation to their data, including access, correction, deletion in appropriate circumstances, restriction of processing, portability where technically feasible and objection to certain uses. Rules on automated decision-making that produce significant effects on individuals may include additional safeguards, such as the right to obtain human review of the decision.
Organisations should design their internal processes to receive, verify and respond to requests within defined timeframes. Where a request cannot be granted, the reason should be explained clearly, and the individual should be informed of the mechanisms available to challenge the decision.
Obligations of controllers and processors
Controllers, which determine the purposes and means of processing, and processors, which act on behalf of controllers, are subject to defined obligations. Controllers are expected to identify a lawful basis for each processing activity, to inform individuals appropriately, to conclude contracts with processors that reflect the obligations of both parties and to implement appropriate security measures. Processors are expected to act only on documented instructions and to support controllers in demonstrating compliance.
The proposal expands on these general obligations for higher-risk activities, including large-scale processing of sensitive data, systematic monitoring of individuals and processing that involves innovative technologies. In such cases, additional measures such as impact assessments and consultation with the authority may be required.
Cross-border transfers and international cooperation
The proposal addresses cross-border transfers in a structured way, distinguishing between transfers to jurisdictions with adequate protection and transfers that require additional safeguards. Organisations that operate internationally will need to map data flows carefully and to implement appropriate mechanisms for each category of transfer.
The proposal also anticipates cooperation with authorities in other jurisdictions, both to support cross-border investigations and to align approaches to global data protection issues. Constructive international engagement may support recognition of Cambodian standards and reduce friction for Cambodian organisations that operate abroad.
Supervision and enforcement
The proposal contemplates the establishment or reinforcement of a supervisory authority with defined powers, including the ability to receive complaints, to conduct investigations, to issue orders and to impose sanctions. Sanctions may include administrative fines, restrictions on processing and, in serious cases, further consequences.
Individuals may also have the ability to seek redress through the courts, either directly or with the support of the authority. Effective enforcement is expected to combine dissuasive action against significant breaches with support for organisations that engage constructively with the framework.
Implications for the telecommunications sector
Telecommunications operators are among the most significant processors of personal data in Cambodia. They handle subscriber identification data, communications metadata, location information and, in the context of value-added services, additional categories of information. The proposal is likely to raise expectations on the transparency of data handling, on the management of consent, on the security of stored data and on cooperation with individuals and authorities.
Operators should therefore integrate their responses to the consultation with their broader compliance planning, including sector-specific obligations under telecommunications law, SIM registration, cybersecurity and lawful cooperation.
Practical implications and next steps
For all organisations that process personal data of Cambodian individuals, the consultation is an opportunity to review current practice, to assess readiness for the proposed regime and to identify areas where remediation will be required. Data mapping, gap assessments, review of consent and information materials, updates to contracts with processors and re-examination of cross-border arrangements are all appropriate steps in the current period.
Organisations are also encouraged to participate in the consultation, either directly or through industry associations, to contribute to a law that is effective, proportionate and workable in the Cambodian context. Constructive engagement with the authorities during the legislative process is likely to produce a better outcome than reactive engagement after adoption.
Lex Civora advises telecommunications operators, digital service providers, financial institutions and other organisations on the interpretation of the current framework, on the implications of the proposed stand-alone law and on the design of compliance programmes appropriate to the Cambodian environment.
This article is provided for general information only and does not constitute legal advice. Regulatory positions may change; readers should verify obligations against the current official publication or seek professional advice before acting.
