Cambodia unveiled its comprehensive Draft Law on Personal Data Protection on July 23, 2025, marking a significant step toward establishing comprehensive privacy rights in Southeast Asia. The legislation, presented during a consultative workshop at Sokha Phnom Penh Resort, would require a two-year implementation period following official promulgation.

According to the Ministry of Post and Telecommunications, the law establishes principles, rules and mechanisms for processing personal data with accountability, transparency and adherence to ethical conduct. The framework aims to protect data subject rights while promoting the investment environment, competition and the development of national and international trade in the context of the digital economy.

GDPR-inspired framework with local adaptations

The proposed legislation adopts familiar European data protection principles while incorporating provisions specific to Cambodia’s regulatory environment. Data processing must comply with lawfulness, fairness and transparency requirements, with personal data collected only for specific, explicit and legitimate purposes.

The law establishes six legal bases for data processing: consent of the data subject, necessity for contract performance, compliance with legal obligations, protection of vital interests, performance of public interest tasks, and legitimate interests pursued by controllers or third parties. Processing of sensitive personal data is prohibited except under specific additional conditions, including explicit consent or substantial public interest as determined by law.

Data controllers and processors located outside Cambodia but targeting Cambodian data subjects must appoint local representatives and provide contact information to the Ministry of Post and Telecommunications. Cross-border data transfers require ministry permission, appropriate safeguards, or specific conditions including written consent, contract necessity, or protection of public interests.

Comprehensive individual rights framework

The legislation grants Cambodian residents extensive data subject rights comparable to European standards. Individuals can access copies of their personal data, rectify inaccurate information, object to processing based on particular situations, and request erasure under specific conditions including withdrawn consent or unlawful processing.

Data subjects have portability rights allowing direct transmission of personal data between controllers in machine-readable formats when processing occurs by automated means based on consent or contracts. The law sets a one-month period for data controller responses, extendable by two additional months for complex requests.

Automated decision-making provisions grant individuals the right to human involvement when automated decisions produce legal effects or similarly affect them. Controllers must implement appropriate measures protecting rights, freedoms and legitimate interests in such scenarios.

Enforcement and compliance structure

The Ministry of Post and Telecommunications receives comprehensive authority to manage personal data protection, including regulation, audit and monitoring functions. The ministry can instruct controllers and processors to provide necessary information, access data required for performing its duties, receive complaints and mediate disputes.

Data controllers must conduct personal data impact assessments when processing may pose high risks to individual rights and freedoms. Assessment reports submitted to the ministry must describe processing purposes and means, risk assessments affecting rights and freedoms, response measures, and security mechanisms ensuring data protection.

Personal data protection officers become mandatory for specified controller and processor categories, with appointment notifications required within 30 working days. Officers must possess adequate qualifications and personal data protection professional certificates as determined by ministerial decrees.

Technical and organizational requirements

Data protection by design and by default becomes mandatory for controllers, who must implement technical measures that integrate the necessary protection safeguards for specific processing purposes. Controllers must ensure that only the personal data necessary for specific purposes is processed.

Security measures must prevent unauthorized access, collection, use, disclosure, copying, modification or destruction while ensuring the confidentiality, integrity and availability of processing systems. Controllers must implement pseudonymization and encryption where necessary, ensure timely recovery following incidents, and regularly test the effectiveness of technical and organizational measures.

Data breach notification requirements mandate that controllers notify the ministry within 72 hours of becoming aware of breaches posing risks to data subjects. High-risk breaches require immediate data subject notification unless controllers implement appropriate technical measures such as encryption or take subsequent measures ensuring risk mitigation.

Administrative and criminal penalties

Administrative fines reach maximum amounts of 60 million riels (approximately $14,500) for natural persons and 600 million riels (approximately $145,000) or 10% of annual turnover for legal entities. Fine determinations consider the nature, gravity and duration of the violation, the types and characteristics of affected data, financial benefits gained, and timely mitigation measures implemented.

Criminal liability applies to repeat offenders, with natural persons facing imprisonment from six days to two years plus fines of up to 60 million riels. Legal entities face fines of up to 100 million riels (approximately $24,200) plus additional penalties under criminal procedure codes.

The legislation establishes a personal data inspection authority, with appointed inspectors receiving judicial police status for offense oversight. Complaint mechanisms include ministry-supervised dispute resolution with 15-day resolution timeframes and binding conciliation reports.

Market implications for digital advertising

Cambodia’s data protection framework introduces significant compliance requirements for digital marketing operations targeting the Southeast Asian market. Marketing technology platforms processing Cambodian user data must implement consent mechanisms, data minimization practices, and cross-border transfer safeguards.

The law’s international scope affects foreign companies offering goods or services to Cambodian data subjects or monitoring activities related to residents. GDPR-style territorial provisions extend compliance obligations beyond companies with a physical presence in Cambodia.

Programmatic advertising platforms face particular challenges implementing consent requirements and data localization measures. The legislation’s emphasis on legitimate interest assessments may affect algorithmic targeting and behavioral advertising practices common in contemporary digital marketing.

Marketing automation and customer data platforms must prepare for enhanced transparency requirements about automated decision-making processes. The law grants individuals rights to human review of automated marketing decisions, potentially affecting customer scoring and recommendation systems.

Regional privacy landscape development

Cambodia’s comprehensive data protection legislation reflects broader Southeast Asian trends toward stronger privacy regulations. The framework positions Cambodia alongside other regional jurisdictions implementing European-inspired data protection standards while addressing local regulatory priorities.

The two-year implementation period gives organizations time to establish compliance programs and adjust data processing practices. However, companies operating across multiple Southeast Asian markets should monitor implementation guidance and enforcement approaches as Cambodia’s regulatory framework develops.

The ministry’s role as primary supervisory authority mirrors approaches in other emerging privacy jurisdictions, though the extent of enforcement capabilities and international cooperation arrangements remains to be determined by subsequent regulatory guidance.

Timeline

July 23, 2025: Ministry of Post and Telecommunications announces Draft Law on Personal Data Protection during a consultative workshop at Sokha Phnom Penh Resort featuring presentations and group discussions on processing requirements, security measures, cross-border transfers, data subject rights, and enforcement mechanisms

Key Terms Explained

Data Controller: Data controllers are the central entities in Cambodia’s privacy framework, defined as natural persons or legal entities that determine the purposes and means of personal data processing. Under the legislation, controllers bear primary responsibility for compliance, including implementing technical safeguards, conducting impact assessments, and ensuring lawful processing bases. Foreign controllers targeting Cambodian data subjects must appoint local representatives and notify the Ministry of Post and Telecommunications within specified timeframes.

Personal Data Processing: Processing encompasses any operation performed on personal data, whether by automated or non-automated means, including collection, recording, organization, storage, alteration, retrieval, use, disclosure, transmission, dissemination, erasure and destruction. The law establishes strict principles governing processing activities, requiring lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation and security measures, with controllers demonstrating compliance.

Cross-border Data Transfer: International data transfers require explicit permission from the Ministry of Post and Telecommunications, an appropriate safeguards assessment by controllers, or specific conditions including written consent, contract necessity, public interest protection, vital interest protection, legitimate interest protection, or the establishment and defense of legal claims. These restrictions mirror European GDPR provisions addressing adequacy decisions and standard contractual clauses for international data flows.

Data Subject Rights: Cambodian residents receive comprehensive rights including information access, rectification of inaccurate data, objection to processing, erasure under specific conditions, restriction of processing, data portability between controllers, and human involvement in automated decision-making. Controllers must respond within one month, extendable by two additional months for complex requests, with specific procedures established for exercising these fundamental privacy protections.

Ministry of Post and Telecommunications: The ministry serves as Cambodia’s primary data protection supervisory authority with comprehensive powers including regulation development, audit and monitoring functions, instruction authority over controllers and processors, complaint reception and dispute mediation, awareness promotion, international cooperation, monitoring the evolution of data protection work, and cross-border transfer management through monitoring, restriction or permission mechanisms.

Consent Mechanisms: Valid consent requires explicit agreement from data subjects following clear notification about processing purposes, with specific requirements for easily understandable forms, notification prior to processing, specified and appropriate purpose information, notification of withdrawal rights, and provision of data protection officer contact information. Consent for data subjects under 16 years requires parental or guardian authorization, with controller verification through available technology or feasible means.

Data Protection Impact Assessment: Controllers must conduct impact assessments when processing may pose high risks to data subject rights and freedoms, considering processing type, scope, context and purposes. Assessment reports submitted to the ministry must include descriptions of processing purpose and means, risk assessments affecting rights and freedoms, response measures for identified risks, and security measures ensuring data protection, with conditions, formalities and procedures determined by common guidelines.

Administrative Fines: Penalty structures establish maximum fines of 60 million riels for natural persons and 600 million riels or 10% of annual turnover for legal entities violating processing requirements, controller obligations, data protection officer requirements, or data subject rights provisions. Fine determinations consider violation nature, gravity and duration, affected data characteristics, financial benefits gained, mitigation measures implemented, previous violations, compliance efforts, proportionality and effectiveness for enforcement, and operational impact assessments.

Security Measures: Technical and organizational security requirements mandate that controllers and processors implement measures preventing unauthorized access, collection, use, disclosure, copying, modification or destruction while ensuring the confidentiality, integrity and availability of processing systems. Required measures include pseudonymization and encryption where necessary, timely recovery capabilities following incidents, and regular testing and evaluation of security measure effectiveness, with implementation taking into account the current state of technology and costs.

Data Protection Officer: Controllers and processors must appoint qualified data protection officers possessing adequate qualifications and professional certificates for practicing personal data protection. Officers monitor compliance with processing requirements established by the legislation, with appointment notifications required within 30 working days and changes notified within 15 working days. Specific criteria for determining controller and processor types requiring officers will be established by ministerial decrees, with qualification and certification procedures detailed in subsequent regulations.

Summary

Who: Cambodia’s Ministry of Post and Telecommunications announced comprehensive data protection legislation affecting companies processing personal data of Cambodian residents, with international scope extending to foreign entities targeting the market.

What: Draft Law on Personal Data Protection establishing a GDPR-inspired framework including data subject rights, controller obligations, cross-border transfer restrictions, breach notification requirements, and administrative penalties of up to 600 million riels for legal entities.

When: Announced July 23, 2025, during a consultative workshop, with a two-year implementation period following official promulgation requiring organizations to establish compliance programs and adjust data processing practices.

Where: The legislation applies within Cambodia and extends internationally to foreign companies offering goods or services to Cambodian data subjects or monitoring activities related to residents, similar to GDPR territorial scope.

Why: The framework aims to protect data subject rights while promoting the investment environment, competition and the development of national and international trade in the context of the digital economy, positioning Cambodia within regional privacy regulation trends.

