Tilleke & Gibbins
What law(s) specifically govern personal data / information?
Cambodia has not yet enacted any comprehensive data protection legislation, although several Press Releases suggested that the Ministry of Post and Telecommunication (“MPTC”) has already made draft versions of a new Personal Data Protection Law available to certain companies for comment and has held several consultation workshops, with the latest one being held in July 2025. However, as of September 2025, the law has not yet been enacted.
Under current practices, matters pertaining to data protection and privacy fall broadly under the right to privacy as addressed in Cambodia’s Constitution, and certain provisions under the Civil Code, the Criminal Code, and other specific laws such as the Law on E-Commerce (“E-Commerce Law”) and the Law on Banking and Financial Institutions (“Banking Law”). Those laws generally protect the right to privacy, which could possibly cover personal data.
What are the key data protection principles in this jurisdiction?:
There is no regulation that specifically outlines data protection principles in Cambodia.
What is the supervisory authority / regulator in charge of data protection?
There are no key authorities although the following authorities may have substantial powers over data protection matters in Cambodia since they are the authorities drafting the Personal Data Protection Law and Cybercrime Law or relate to the drafted laws to some extent:
- Ministry of Post and Telecommunication
- Ministry of Interior
- Ministry of Commerce.
Is there a requirement to register with a supervisory authority / regulator?
N/A
Is there a requirement to notify the supervisory authority / regulator?
This is generally not applicable. However, specialised guidelines exist for banking and financial institutions during the process of transferring data internationally. Under the Risk Management Guidelines, banking and financial Institutions must report to the regulator if outsourcing involves significant functions, extensive cross-border data sharing, or the storage/processing of Cambodian operational data abroad. This clause implies a restriction on the transfer of personal data across borders, requiring regulatory reporting and oversight when such data is stored or processed outside Cambodia.
Is it possible to register with / notify the supervisory authority / regulator online?
N/A
What are the key data subject rights under the data protection laws of this jurisdiction?
There is no regulation that specifically outlines data subject rights under data protection laws in Cambodia.
Is there a requirement to appoint a data protection officer (or equivalent)?
N/A
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
N/A
Does this jurisdiction have any specific data breach notification requirements?
N/A
What restrictions apply to the international transfer of personal data / information?
There are no regulations or provisions on restrictions on the international transfer of data, except for personal data to be processed by licensed banks and financial institutions that are required to follow Technology Risk Management Guidelines.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
As Cambodia has not enacted any dedicated or comprehensive data protection laws, there are no laws or regulations that specifically discuss the extra-territorial effect of data protection laws.
What rules specifically deal with marketing?
There are no specific laws specifically dealing with marketing in Cambodia, and the below (non-exhaustive) list of laws address marketing issues:
The Consumer Law prohibits "unfair practices" in relation to consumer transactions. Unfair practices include:
- unfair sales;
- bait advertising;
- unfair solicitation sales;
- demanding or accepting payments without intention to supply goods or services per the purchase order;
- making a false claim or representation of some business activity;
- coercion by force and mental threats;
- pyramid schemes;
- selling goods bearing a false trade description; and any other unfair practices.
The Trademark Law is relevant to comparative advertising. The following acts are considered acts of unfair competition:
- all acts that create confusion with the establishment, the goods, or the industrial, commercial or service activities of a competitor;
- false allegations in the course of trade of such a nature as to discredit the establishment, the goods, or the industrial, commercial or service activities of a competitor; and
- indications or allegations of the use of marks which, in the course of trade, misleads the public as to the nature, manufacturing process, characteristics, suitability for their purpose, or quantity of the goods.
The Telecom Law prohibits all activities against the principles of fair, free, equal, and effective competition. The Telecom Law authorises the Telecommunications Regulator of Cambodia (the “TRC”) to monitor, oversee and evaluate lawful and fair competition in the telecommunications market.
Prakas 170 is applicable to website publications and any kind of social media networks on the internet in Cambodia. Prakas 170 prohibits all publications or news content sharing or written messages, audio, photos, videos, and/or other means intended to create turmoil leading to undermine national defence, national security, relation with other countries, national economy, public order, discrimination and national culture and tradition.
Under Prakas 340, advertisements on mass media (radio, TV, cable TV, MMDS, newspaper, magazine, bulletin, poster, billboard, calendar, business sign posted in public place or on vehicle, broadcasting on mobile or fixed bullhorn) is allowed in Cambodia only when there is permission from the Ministry of Information.
Letter 276 requires all mobile service operators to obtain approval from the TRC prior to carrying out any mobile phone advertisements.
If an organisation wishes to send unsolicited marketing communications to an individual via any electronic media, intermediary or telecommunications service provider, the organisation is obligated under the E-Commerce Law to provide clear and straightforward opt-out instructions.
Do different rules apply to business-to-business and business-to-consumer marketing?
N/A
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Under the E-Commerce Law, all marketing communications must contain opt-out instructions.
What rules specifically deal with cookies?
N/A
What are the consequences of non compliance with data protections laws (including marketing laws)?
As provided, there are no data protection laws in Cambodia and there are no rules specifically deal with marketing..
However, failure to provide clear and straightforward opt-out instructions for unsolicited marketing communications as required under the E-Commerce Law will subject the organisation to:
(1) a written warning; (2) suspension or revocation of business licenses and permits, and/or(3) disabling the means of marketing and communication to individuals.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
Currently, there are no regulations that explicitly address consent requirements for processing and transferring of personal data. In practice, we observe that most multinational organisations already need to be compliant with the GDPR when processing personal data and we opine that if the process is GDPR compliant, it would also satisfy any Cambodian data privacy standards (to the extent that they exist in laws of general application that broadly protect the right to privacy, which could possibly cover personal data).
What upcoming data protection developments should multinational organisations be aware of?
The Cambodian government has been preparing a draft personal data protection law, and anti-cyber crime law, . If these laws are enacted, they would implicate data privacy and data protection issues.