Data protection & privacy laws in Cambodia (2026)

Cambodia's Ministry of Post and Telecommunications published a final English-language draft of the Law on Personal Data Protection on 23 June/July 2025. The draft adopts GDPR-style principles — lawful basis, data-subject rights, data-breach notification, and cross-border transfer controls — but had not been promulgated into law as of May 2026.

Sub-Decree No. 252 of 22 December 2021 on the Management, Use, and Security Protection of Personal Identification Data applies only to personal identification data held by the Ministry of Interior (national ID system); it does not extend to private-sector data processing.

Outside Sub-Decree 252, privacy is protected in broad terms under the Constitution, Civil Code (2007), Criminal Code (2009), and specific sectoral laws such as the E-Commerce Law (limited to virtual/digital consumer-data contexts) and the Banking Law. No single comprehensive statute governs private-sector data controllers.

The draft LPDP designates the Ministry of Post and Telecommunications (MPTC) as the primary data-protection supervisory authority, with powers to issue regulations (Prakas), conduct audits, receive complaints, mediate disputes, and manage cross-border transfer approvals. Critics note the draft delegates substantial rule-making to ministerial Prakas, limiting legal certainty.

The LPDP draft targets both Cambodian-based and foreign entities that offer goods or services to individuals residing in Cambodia, mirroring GDPR's territorial reach. Sensitive categories (biometrics, health, race/ethnicity, political opinion, religion, sexual orientation) attract heightened protection.

Once promulgated, the LPDP is expected to enter force after a two-year transitional/implementation period, giving organisations time to comply. As of May 2026 the law had not yet been signed or tabled before the National Assembly, and no official promulgation date had been announced.