Global Data Privacy Guide
Cambodia (Asia Pacific)
Firm: Bun & Associates
Contributors: Youdy Bun, Boranin Rath, Lay Boseihak
Updated 01 Sept 2025

1. What is the key legislation?

To date, Cambodia does not have a specific law or regulation on "data privacy". However, this matter can be broadly governed by the Constitution of the Kingdom of Cambodia (“Constitution”), the Civil Code of Cambodia (“Civil Code”), and through the fragmented collection of sector-specific regulations in the fields of banking and finance, e-commerce, health, and telecommunications.

Relatedly, the concept of “privacy” was generally understood to be a subset of “personal information”, which is one of the general principles under the Constitution and of “personal rights” under the Civil Code. The Civil Code does not provide a straightforward definition of “personal information” but explains the concept of “personal rights”. Based on Article 10 of the Civil Code, “personal rights” include the rights to life, personal safety, health, freedom, identity, dignity, privacy and other personal benefits or interests. In this respect, it is understood that “personal information” includes aspects of the dignity and privacy of a person. Additionally, the Constitution guarantees the right to privacy for persons who are residents of Cambodia and the confidentiality of correspondence by mail, telegram, fax, telex and telephone.

Besides the general principles stipulated in both the Constitution and the Civil Code, the modern iteration of “privacy” is also reflected in certain sector-specific regulations and is applicable to certain types of business activities as follows:

- The Law on Banking and Financial Institutions, effective on 18 November 1999 (“Banking Law”), provides for the obligation of professional secrecy of a person participating in any capacity in the administration, direction, management, internal control, or external audit of a banking or financial institution.
- The Law on Telecommunications, effective on 17 December 2015 (“Telecommunications Law”), outlines the rights of telecommunications and ICT service users to enjoy privacy, security, and safety while using those services.
- The Law on Electronic Commerce, effective on 02 May 2020 (“E-Commerce Law”), introduces the “protection obligation” and “reporting obligation” in relation to electronically stored data.
- The Law on Civil Status, Civil Status Statistic, and Identification, effective on 01 July 2024 (“Law on Civil Status”), and Sub-Decree No. 252 on the Management, Use, and Security of Personally Identifiable Data, effective on 22 December 2021 (“Sub-Decree No. 252”), provide a definition of “personally identifiable data”, but it is strictly applicable in the context of the management of the population registry.
- The Law on the Management of Health Professionals, effective on 19 November 2016 (“Law on the Management of Health Professionals”), and Sub-Decree (Government Directive) No. 61 on Physician’s Code of Ethics, effective on 28 August 2003 (“Sub-Decree No. 61”), require all health professionals to practice a relevant health profession and to comply with the code of ethics and professional standard – to keep confidentiality of medical records and information of the patient under his or her medical care or treatment, regardless of either the content or benefits of those documents.

2. What are the key decisions applying that legislation?

The applicability of the legislation described in Question 1 above is determined by the nature of the business activities conducted by the respective entities.

- General Principles under the Constitution and Civil Law: All entities are bound by the provisions under these two instruments as stipulated in the earlier question.
- Sector-Specific Regulations:
  - Banking Law: All banks and financial institutions licensed and operating in Cambodia shall abide by the obligation of professional secrecy.
  - Telecommunications Law: applicable to all operators in telecommunications and ICT services in Cambodia, which are obligated to ensure that their services uphold the principles of privacy, security, and user safety throughout the use of their services.
  - E-Commerce Law: applicable to both offshore and onshore intermediaries of electronic commerce, as well as service providers on electronic commerce platforms, which are required to comply with security obligations when offering services within Cambodia.
  - The Law on Civil Status and Sub-Decree No. 252: applicable to government-held data on the management, use, and protection of personal identification data held by the Ministry of Interior; it does not extend protections to personal data managed by private entities.
  - The Law on the Management of Health Professionals and Sub-Decree No. 61: applicable to all health professionals, including, among others, physicians, dentists, midwives, nurses, pharmacists, laboratory specialists, physical therapists, dental specialists, radiologists and other health professionals, who are required to hold a license to practice a relevant health profession.

1. How are “personal data” and “sensitive data” defined?

The existing legal framework does not clearly define what constitutes personal data, nor does it provide a specific definition or classification for “sensitive data”.

However, in the context of the population registry (under the Law on Civil Status and Sub-Decree No. 252), the term “personally identifiable data” is defined as any data capable of identifying an individual. Such data encompasses information relating to the name, sex, date of birth, place of birth, place of residence, nationality, ethnicity, as well as biometric data (fingerprints, iris scans, digital images), or other information relating to the identity of an individual. Note that the Law on Civil Status and Sub-Decree No. 252 are limited in scope as elaborated in the above question.

2. How is the defined data protected?

In light of the above responses, Cambodia’s data protection regime is shaped by general principles and sectoral laws with limited scope. The data are protected under the general principles that are broadly prescribed under the Constitution and the Civil Code – the guarantees of the right to privacy for persons who are residents of Cambodia and of the confidentiality of correspondence by mail, telegram, fax, telex, and telephone. Under Articles 11, 12, and 13 of the Civil Code, these personal rights are protected against any actual or imminent violation, which can be interpreted to include any unauthorized collection, use, processing, or transfer of personal data. Besides the above main principles under the Constitution and the Civil Code, the sector-specific framework applicable to the specific type of data will apply. For instance, consumer data that is obtained through electronic means by an intermediary must be reasonably safeguarded under the E-Commerce Law.

3. Who is subject to privacy obligations?

In the absence of a comprehensive data protection and privacy law in Cambodia, the terms ‘data controller’ and ‘data processor’ are not legally defined. Under the current regime, both natural and legal persons are subject to the broad application of the general law principles under the Constitution and the Civil Code.

As for the sector-specific regulations:

- The Banking Law applies to both the licensed banks and financial institutions, and a person participating in any capacity in the administration, direction, management, internal control, or external audit of a banking or financial institution.
- The Law on the Management of Health Professionals applies to both the legal entities and relevant health professionals.
- The Telecommunications Law applies to telecommunications and ICT service providers that have obtained relevant approvals from the Ministry of Post and Telecommunications (“MPTC”).
- The E-Commerce Law applies to licensed legal entities that engage in electronic transactions or handle consumer data, including entities located offshore.

4. How is “data processing” defined?

The current Cambodian legal framework does not contain a specific provision defining the term ‘data processing’.

5. What are the principles applicable to personal data processing?

The current Cambodian legal framework does not contain a specific provision on the processing of personal data. However, some implied principles can be derived from both general law principles and sector-specific regulations:

- Consent: Personal data should be collected with the data subject’s consent.
- Security and Confidentiality: Legal entities shall take reasonable steps to protect collected personal data from unauthorized access or misuse.
- Retention: The data must not be retained longer than necessary.

6. How is the processing of personal data regulated?

In light of these provisions of the Constitution and the Civil Code relating to personal rights, it is generally understood that any operation related to personal data, including collection, use and processing of personal data, is subject to having obtained “prior consent” from the data subject. Without such consent, any collection, use and/or disclosure inside Cambodia and/or transfer of the personal data to other jurisdictions will be deemed a violation of the personal rights. However, the current data privacy regime does not explicitly specify the requirements under which consent is to be obtained in order for it to be valid. It is mainly a privately-driven sector and ultimately depends on accepted industry standards/practices. Nonetheless, it is generally recommended and prudent for the consent to be explicit (i.e., in writing), as opposed to implied consent.

7. How are storage, security and retention of personal data regulated?

The current Cambodian legal framework does not contain a specific provision on data storage, data security, and retention of personal data. However, entities are expected to store personal data securely and responsibly, especially in electronic transactions. In terms of data security, the E-Commerce Law emphasizes that any person who stores private information in an electronic manner shall use all means to ensure that the information is safely protected in all reasonable circumstances in order to avoid any loss, access, use, modification, leakage, or disclosure of the information, unless otherwise authorized by the information owners or other lawfully authorized parties. Furthermore, the entities must retain personal data only as long as necessary for the purpose for which it was collected.

8. What are the data subjects' rights under the data legislation?

The current Cambodian legal framework does not contain a specific provision on the data subjects’ rights. However, they can be deduced as follows:

- General Principles under the Constitution and Civil Law: Pursuant to Articles 11, 12, and 13 of the Civil Code, these personal rights are protected against any actual or imminent violation, which may include unauthorized collection, use, processing, or transfer of data. In case of any infringement on personal rights, the affected right holder has the right to demand an injunction to stop the violating act and to eliminate the effects of the violating act. The holder is also entitled to damages for any harm or prejudice caused by the violation of his/her personal rights.
- Sector-Specific Regulations: In the absence of explicit provisions, the rights of the data subject can be implied to include the following:
  - Right to Data Security: derived from obligations placed upon legal entities to implement safeguards to protect personal data from unauthorized access or breaches.
  - Right to Confidentiality of Information: derived from obligations placed upon legal professionals in maintaining the level of due care in processing the collected personal information.

9. What are the consent requirements for data subjects?

The current data privacy regime only broadly requires that consent be obtained from the data subject prior to the collection, use, and disclosure of personal data for specific purpose(s) – and makes no explicit requirements as to formalities that must be followed when the consent is to be obtained. It is mainly a privately-driven sector and ultimately depends on accepted industry standards/practices. Nonetheless, it is generally recommended and prudent for the consent to be explicit (i.e., in writing), as opposed to implied consent. Alternatively, it is generally sufficient for there to be a general notice for the data subjects prior to the collection of their personal data for specific purposes. Consent is deemed to be validly given once the data subject accepts the terms of the general notice and continues to use the services of the data controllers.

10. How is authorization for use of data handled?

Similar to the response to the earlier question, as there are no explicit requirements as to formalities that must be followed when the consent is to be obtained, it is mainly a privately-driven sector and ultimately depends on accepted industry standards/practices.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Under the existing laws and regulations, there are no express restrictions on cross-border data transfer, provided that prior consent of the data subject is obtained, except for certain banks under the Banking Law. Subsidiaries of the banks and branches of foreign banks operating in Cambodia shall request approval from the National Bank of Cambodia (“NBC”) prior to the transfer of collected information of the customers to their parent companies abroad.

12. How are data "incidents" and "breaches" defined?

The current Cambodian legal framework does not provide for any definition of “incidents” or “breaches”.

13. Are there any notification requirements for incidents and/or data breaches?

Cambodia does not currently have mandatory data breach notification requirements under its existing laws, as there is no centralized data protection authority to receive breach reports, and there is no statutory obligation to notify affected individuals or regulators in the event of a breach. However, banking and financial institutions may be subject to internal reporting and disclosure obligations under the regulatory oversight of NBC. Legal entities operating under the E-Commerce and Telecommunications Laws are subject to notification requirements to MPTC and other relevant competent authorities on the factual background of the incidents and the identity of the suspects. The relevant competent authorities refer to the Ministry of Commerce (“MOC”), the Ministry of Interior (“MOI”), and other authorities specific to the sectors in which the legal entities operate.

14. Who is/are the privacy regulator(s)?

Cambodia currently does not have a centralized privacy regulator under its existing legal framework. However, under the current practice, enforcement is typically carried out by the following authorities:

- Ministry of Commerce: for e-commerce-related matters;
- National Bank of Cambodia: for banking and financial institutions related matters;
- Ministry of Posts and Telecommunications: for telecommunications and ICT-related matters; and
- Ministry of Interior: for all types of cybercrime-related matters.

15. What are the consequences of a data breach?

The consequences vary depending on the severity of the breach and the applicable law, and include administrative actions, civil charges, and criminal charges, including fines and imprisonment.

16. How is electronic marketing regulated?

Commercial advertising in Cambodia is heavily regulated and is subject to a separate legal regime. Sub-Decree 232 on the Management of Commercial Advertisements of Goods and Services (“Sub-Decree 232”) was enacted on 04 November 2022. This applies to all forms and channels of commercial advertising for goods and services, including but not limited to audio-visual media, electronic platforms, public LED displays, printed materials, product packaging, and other public venues. Prior to advertising any commercial goods and/or services in Cambodia, an applicant must apply for an applicable advertising license/permit issued by the competent authority. For instance, in the telecommunication sector, all advertisements by telecom operators (i.e., mobile network operators, internet service providers) are subject to prior approval of the Telecommunication Regulator of Cambodia of MPTC.

17. Are there sector-specific or industry-specific privacy requirements?

Yes, Cambodia has sector-specific and industry-specific privacy requirements, even though a comprehensive data protection law is still pending. These requirements are embedded in various existing laws and regulations that apply to specific industries, including but not limited to:

- The Banking Law provides for the obligation of professional secrecy of a person participating in any capacity in the administration, direction, management, internal control, or external audit of a banking or financial institution.
- The Telecommunications Law outlines the rights of telecommunications and ICT service users to enjoy privacy, security, and safety while using those services.
- The E-Commerce Law introduces the “protection obligation” and “reporting obligation” in relation to electronically stored data.
- The Law on Civil Status and Sub-Decree No. 252 provide for the definition of “personally identifiable data,” but it is strictly applicable in the context of the management of the population registry.
- The Law on the Management of Health Professionals and Sub-Decree (Government Directive) No. 61 require all health professionals to practice a relevant health profession and to comply with the code of ethics and professional standard – to keep confidentiality of medical records and information of the patient under his or her medical care or treatment, regardless of either the content or benefits of those documents.

18. What are the requirements for appointing Data Protection Officers or similar roles?

Cambodia does not currently mandate the appointment of Data Protection Officers (DPOs) under its existing laws and regulations.

19. What are the record-keeping and documentation obligations?

There are no explicit provisions or requirements under the current legal framework regarding the obligation to maintain records or documentation of customers’ personal data. However, all legal entities operating in Cambodia shall adhere to general corporate and tax retention requirements. Tax-registered entities are required to retain accounting records, tax invoices, and records of import and export for at least ten (10) years.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

Cambodia does not currently mandate any Data Protection Impact Assessments ("DPIAs") under its existing laws and regulations.

21. What are the requirements for third-party vendor management and data sharing?

To date, there are no specific requirements for third-party vendor management and data sharing.

22. What are the penalties and enforcement mechanisms for non-compliance?

Under Cambodia’s existing data privacy laws, which are currently governed by a combination of general principle provisions and sector-specific regulations, the penalties and enforcement mechanisms for non-compliance range from (i) a written warning, (ii) suspension or revocation of business licenses and permits, (iii) monetary fine, and (iv) imprisonment, to (v) judicial injunction and/or damage payments.

23. What are the ongoing compliance and audit requirements?

To date, there are no specific requirements in this aspect. Entities are expected to follow best practices or accepted industry standards in data handling, including transparency, security, lawful processing, and internal audits.

24. Are there any recent developments or expected reforms?

Yes, on 23 July 2025, the MPTC, entrusted by the Royal Government of Cambodia, released the tentative final version of the Draft Law on Personal Data Protection (“Draft Law”), which represents the country’s first comprehensive legislation dedicated to personal data protection.

It can be deduced that the Draft Law is modeled on and reflects international best standards and practices, including the European Union’s General Data Protection Regulation (“GDPR”), by introducing key principles and mechanisms for the responsible, transparent, and ethical processing of personal data. It intends to apply to both domestic and foreign entities that process personal data of individuals residing in Cambodia and includes main provisions on legal bases of processing of personal data, data subjects’ rights, data breach notification, cross-border transfer, obligations of data controllers and processors, regulator’s roles and duties, and penalties for non-compliance.

It is worth noting further that once the Draft Law is finalized by the responsible ministry (MPTC), undergoes the next step of the law-making process, and is ultimately promulgated by the King of Cambodia, it would serve as an umbrella framework for personal data protection in Cambodia. It will require subsequent regulations to be adopted to fully implement the rights and obligations of such law. The Draft Law is expected to be promulgated later this year or early next year, followed by a two-year grace period. Until then, Cambodia’s data protection landscape remains governed by existing sectoral laws and general privacy provisions under the Constitution, Civil Code, Criminal Code, and other relevant regulations.

Given this evolving legal environment, please note that our above responses are based on the current regulatory framework. This is subject to change once the Draft Law is officially enacted. We will continue to monitor developments and provide updates as necessary.