Data ProtectionOctober 2025Public consultation

Consultation on Draft Amendments to the Personal Data Protection Framework

A consultation examined draft amendments to the personal data protection framework, addressing definitions, controller and processor duties, sensitive data categories and enforcement.

Development

In 2025 the Cambodian authorities opened a consultation on proposed amendments to the framework for personal data protection. The consultation follows continued development of the data economy in Cambodia, the increasing volume of personal data collected by telecommunications operators, financial institutions, digital platforms and public bodies, and the growing expectations of international counterparts that meaningful data protection rules apply to data originating from or transferred through Cambodia.

The consultation is relevant to a wide range of organisations, including telecommunications operators that hold subscriber data, digital service providers, financial institutions, employers, healthcare providers and public sector bodies. It is also relevant to individuals whose data is processed by these organisations and to advisers who support them.

Objectives of the amendments

The proposed amendments aim to strengthen the legal basis for data protection in Cambodia, to clarify the obligations of organisations that process personal data, to improve the rights of individuals in relation to their data and to establish arrangements for supervision and enforcement. They also seek to address specific matters that have become more prominent since the original framework was adopted, including cross-border transfers, the use of artificial intelligence and the treatment of sensitive categories of data.

The amendments are intended to build on existing rules and practice rather than to replace them wholesale. Organisations that already comply with reasonable international standards are unlikely to face fundamentally new expectations, but they should expect that the framework will become more precise and more clearly enforceable.

Key concepts and definitions

The consultation addresses definitions that are central to any modern data protection regime, including personal data, sensitive data, processing, controller, processor and consent. Clarification of these concepts helps organisations understand their obligations and helps individuals understand the rights available to them.

The amendments may also address concepts specific to particular technologies or business models, including automated decision-making, profiling and the use of biometric data. Organisations should review the definitions carefully to understand which of their activities are affected and how the obligations apply.

Rights of individuals

The amendments strengthen the rights of individuals in relation to their data, including rights of access, correction, deletion where appropriate and objection to certain uses. Organisations are expected to provide clear information about these rights, to respond to requests within defined timeframes and to keep records demonstrating that requests have been handled appropriately.

Consent, where required, is expected to be informed, specific and freely given. Reliance on generic terms of service to authorise a wide range of uses is likely to be treated as insufficient, particularly for sensitive processing or uses that go beyond the individual's reasonable expectations.

Obligations on organisations

Organisations are expected to identify a lawful basis for each processing activity, to limit the collection and use of data to what is necessary for the identified purpose, to keep data accurate and up to date, to retain data only for as long as necessary and to implement appropriate security measures. Documentation of processing activities and of decisions about lawful basis, purpose and retention is important both for internal governance and for demonstrating compliance to the authority.

Where personal data is shared with processors, contracts should reflect the obligations imposed on both parties. Where processing involves higher-risk activities, additional measures such as impact assessments, consultation with the authority and enhanced safeguards may be required.

Cross-border transfers

The amendments address cross-border transfers of personal data more explicitly than earlier rules. Transfers to countries with adequate data protection may be treated more permissively, while transfers to other destinations may require additional safeguards, including contractual protections, technical measures and, in some cases, explicit consent from the individuals concerned.

Organisations that operate across borders should map the flows of personal data associated with their Cambodian operations, identify the destinations of those flows and assess the safeguards that apply. Where existing arrangements do not meet the expectations of the amendments, remediation should be planned and prioritised.

Supervision, enforcement and remedies

The amendments strengthen the arrangements for supervision and enforcement. The competent authority is expected to have powers to receive complaints, to conduct investigations, to issue orders and to impose sanctions in cases of non-compliance. Sanctions may include administrative fines, restrictions on processing and, in serious cases, further consequences.

Individuals may also have the ability to seek redress through the courts, either directly or with the support of the authority. Class-action or collective mechanisms may develop over time as case law and practice mature.

Interaction with sector-specific rules

Data protection interacts with a range of sector-specific rules, including telecommunications, financial services, health and public administration. The amendments recognise that sectoral rules may provide additional or more specific requirements and are not typically intended to override such rules. Organisations subject to multiple regimes should map the interaction carefully and align their compliance programmes accordingly.

For telecommunications operators, this means that data protection obligations sit alongside obligations relating to SIM registration, lawful cooperation, cybersecurity and consumer protection. A coordinated approach is more effective than treating each obligation in isolation.

Practical implications and next steps

For all organisations that process personal data of Cambodian individuals, the consultation is an opportunity to review current practice and to prepare for the strengthened framework. Data mapping exercises, review of consent and information notices, updates to contracts with processors and re-examination of cross-border arrangements are all appropriate steps in the current period.

Organisations are also encouraged to participate in the consultation, either directly or through industry associations, to help shape amendments that are effective, proportionate and workable. Constructive engagement with the authority contributes to a framework that supports both individual rights and the responsible development of the data economy in Cambodia.

Lex Civora advises telecommunications operators, digital service providers and other organisations on the interpretation of the current framework, on the preparation for the proposed amendments and on engagement with the consultation process and with the authority.

Last verified: 14 July 2026

This article is provided for general information only and does not constitute legal advice. Regulatory positions may change; readers should verify obligations against the current official publication or seek professional advice before acting.

Related insights