DLA Piper Intelligence

Data Protection
Laws of the World

Law

Cambodia
Cambodia

Cambodia has not yet enacted any comprehensive data protection legislation.

The most recent update to the country's data protection landscape has come in the form of the E-Commerce Law, which contains provisions for the protection of consumer data that has been gathered over the course of electronic communications. The E-Commerce Law is thereby restricted in scope to virtual and/or digital data protection.

Other matters pertaining to data protection typically fall under the right to privacy, which is protected in broad terms under the Constitution of the Kingdom of Cambodia 2010, the Civil Code of Cambodia 2007, and the Criminal Code of the Kingdom of Cambodia 2009.

Last modified 1 Mar 2021
Law
Cambodia

Cambodia has not yet enacted any comprehensive data protection legislation.

The most recent update to the country's data protection landscape has come in the form of the E-Commerce Law, which contains provisions for the protection of consumer data that has been gathered over the course of electronic communications. The E-Commerce Law is thereby restricted in scope to virtual and/or digital data protection.

Other matters pertaining to data protection typically fall under the right to privacy, which is protected in broad terms under the Constitution of the Kingdom of Cambodia 2010, the Civil Code of Cambodia 2007, and the Criminal Code of the Kingdom of Cambodia 2009.

Last modified 1 Mar 2021
Definitions

Definition of Personal Data

Cambodian law does not specifically define the term “personal data,” or discuss what specific information constitutes personal data.

The E-commerce Law defines the term “data” as “a group of numbers, characters, symbols, messages, images, sounds, videos, information or electronic programs that are prepared in a form suitable for use in a database or an electronic system”.

Due to the absence of a definition of “personal data”, it remains plausible that any data of a data subject may be viewed by the regulatory and enforcement authorities as personal data of that data subject. Therefore, conventional data, such as full names, national identification numbers, passport numbers, photographs, video, images, phone numbers, personal email addresses, biometric data, IP addresses, and other network identifiers, etc., may arguably constitute personal data.

Definition of Sensitive Personal Data

There is no express definition of what constitutes sensitive personal data. That said, based on laws applicable to persons and entities in other sectors (such as doctors and banks), the types of data below are generally considered to be of a more sensitive nature, and thus should be handled with more stringent data protection mechanisms:

  • medical data
  • financial data
  • personal data of children, and
  • personal identifiers (e.g., national identification cards and passport details).

As there is no clear limit as to the scope of what may be considered sensitive data, any data of a data subject should be prudently treated as sensitive data to the greatest extent possible.

Last modified 1 Mar 2021
Authority

Since Cambodia does not have any dedicated laws on data protection, there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing or implementing personal data protection matters in Cambodia.

That said, the following governmental bodies may have substantial powers over data protection matters:

  • the Ministry of Commerce (“MOC”)
  • the Ministry of Post and Telecommunications (“MPTC”), and
  • the Ministry of Interior (“MOI”).
Last modified 1 Mar 2021
Registration

Since Cambodia does not have any dedicated laws on data protection, there are no specific registration requirements for data protection. However, “Electronic Commerce Service Providers” and “Intermediaries” (in an e-commerce context), who would likely store, process and transfer the data of the data subjects, must register with the MOC and MPTC.

Under the E-Commerce Law, “Electronic Commerce Service Providers” are defined as persons who use electronic means to supply goods and/or services, except insurance institutions, and an “Intermediary” is broadly defined as a person who provides services of sending, receiving, transmitting or storing, either on a temporary or permanent basis, electronic communications, or other services relating to electronic communications, including persons who represent the originators; persons providing means of seeking any data in an electronic system; persons providing online marketing and online commercial services; and other persons as specified under the E-Commerce Law.

Last modified 1 Mar 2021
Data Protection Officers

Since Cambodia does not have any dedicated laws on data protection, there are no specific requirements in Cambodia to appoint data protection officers who are specifically tasked with handling, overseeing or implementing data protection matters in Cambodia.

Last modified 1 Mar 2021
Collection & Processing

As Cambodia has not enacted any dedicated or comprehensive data protection laws, there are no laws or regulations in Cambodia that explicitly and specifically discuss the concept of collection and processing of data.

Based on Cambodia’s existing legal framework for data privacy, seven data protection obligations are either implied or explicitly imposed. Those obligations are discussed below.

  1. Consent Obligation: Obtain consent from the individual before collecting, using, or disclosing his/her personal data for a purpose. Organizations should allow an individual who previously gave consent to withdraw his/her consent.
  2. Purpose Limitation Obligation: Collect, use, or disclose personal data about an individual only for purposes that are reasonable and that have been disclosed/notified to the individual concerned.
  3. Disclosure/Notification Obligation: Disclose to or notify the individual of the purpose(s) for which the organization intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data. The purposes notified must be reasonable.
  4. Correction Obligation: Correct any incorrect or inaccurate personal data of a data subject that is in the possession or under the control of the organization upon request of the data subject.
  5. Access Obligation: Allow data subjects to access their personal data in the possession or under the control of an organization for correcting the information under the Correction Obligation.
  6. Protection Obligation: Protect personal data in its possession or under its control by taking necessary measures to prevent loss, unauthorized access, use, alteration, leak, disclosure, or otherwise.
  7. Retention Obligation: Retain all personal data that is in its system, and that may give rise to civil and criminal liability.
Last modified 1 Mar 2021
Transfer

While Cambodian law does not explicitly prohibit an organization from transferring data, it implies a disclosure/notification obligation under its existing legal framework for data protection. Personal data can only be collected, used, or disclosed for purposes that the individual understands and has given consent to at the time of giving initial consent or a new consent. Such purposes must be disclosed or notified to data subjects in a reasonable manner based on the circumstances.

Where the use and disclosure of the personal data is for a purpose different from that for which it was initially collected, it is necessary to notify the individual of the new purpose and obtain a new consent unless:

  • the new purpose is within the scope of the original consent, or
  • implied consent can be established.

Implied consent refers to any act that is generally recognized as consent under applicable trade practices. However, it is recommended that a new consent that is express and written be obtained once service providers use or disclose personal data for a purpose different from that for which it was collected.

When a service provider is seeking consent from the data subject, the service provider must disclose or notify the data subjects of the purpose(s) for which it intends to collect, use or disclose the data subjects’ personal data before such collection, use or disclosure of the personal data. Cambodia’s laws related to data protection do not prescribe how an organization should notify individuals. Organizations must determine what would be the most appropriate form of notification. The form of the disclosure/notification to obtain each data subject’s consent should be as close to a formal contract as possible. Moreover, requirements such as clicking on the consent button, typing a full legal name for the signature, and/or scrolling through all terms of the disclosure/notification should be implemented. Furthermore, disclosures/notifications to the individuals regarding the purpose of the collection, use, and disclosure of personal data must not be too vague or broad in scope; an appropriate level of specificity should be provided.

Therefore, where the organization will be disclosing or transferring personal data to third parties, the organization should notify the individuals of such disclosure or transfer. Any consent provided by the individual without first being disclosed or notified of the purposes would not be valid.

Last modified 1 Mar 2021
Security

Service providers that electronically store consumers’ private information must take all reasonable security measures to avoid loss, modification, leakage, and/or unauthorized disclosure of all consumer data. The E-Commerce Law notes, however, that disclosures are allowable with the consent of authorities, or with the consent of the individual whose data is being disclosed.

The E-Commerce Law also prohibits any encryption of data that may be used as evidence for any accusation or offence. This obligation potentially allows governmental authorities to order the decryption of data implicated in an investigation.

The E-Commerce Law also makes a blanket prohibition on certain forms of cybercrime, including interference with any electronic system for the purpose of accessing, downloading, copying, extracting, leaking, deleting, or otherwise modifying any stored data in bad faith or without authorized permission.

Last modified 1 Mar 2021
Breach Notification

There is no breach notification requirement under Cambodian law.

Last modified 1 Mar 2021
Enforcement

Since there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing or implementing personal data protection matters in Cambodia, the enforcement of the data protection would generally fall under the auspice of authorities across various sectors:

  • the Ministry of Commerce
  • the Ministry of Post and Telecommunications, and
  • the Ministry of Interior.
Last modified 1 Mar 2021
Electronic Marketing

Since Cambodia does not have any dedicated laws on data protection, there are no special requirements when obtaining consent for marketing purposes. The E-commerce Law suggests that it is not necessary to obtain consent from the individual to send marketing communications as long as each marketing communication has clear and straightforward opt-out instructions and the individual has not previously exercised his/her opt-out right .

Last modified 1 Mar 2021
Online Privacy

As mentioned under Transfer, personal data can only be collected, used, or disclosed for purposes that the individual understands and has given consent to at the time of giving initial consent or a new consent. Such purposes must be disclosed or notified to data subjects in a reasonable manner based on the circumstances. That said, any personal data, including location data, can only be collected and shared online through website cookies after the organization obtains consent from the data subject.

For obtaining consent from the data subject, please refer to the Transfer section.

Last modified 1 Mar 2021
Contacts
Jay Cohen
Jay Cohen
Partner and Director of Cambodian Office
Tilleke & Gibbins (Cambodia) Ltd
T (+855) 17 87 57 238
Sochanmalisphoung Vannavuth
Sochanmalisphoung Vannavuth
Advisor
Tilleke & Gibbins (Cambodia) Ltd
T (+855) 10 61 65 91
Last modified 1 Mar 2021