
Life Sciences Law Update
On July 23, 2025, Cambodia released a draft of its first ever comprehensive personal data protection law, the Law on Personal Data Protection (“LPDP”).
Once passed, Cambodia will join the ranks of seven other countries in the Association of Southeast Asian Nations (ASEAN) to have enacted a comprehensive data privacy law.
The LPDP is expected to come into effect after a two-year implementation period starting from its promulgation. It has been tentatively indicated that this promulgation will be sometime this or early next year.
The LPDP borrows much of its architecture from the European Union’s General Data Protection Regulation (“GDPR”), and aims to establish principles, rules and mechanisms of processing personal data transparently, responsibly, and ethically. It aims to achieve this by introducing rules, empowering guidelines and supporting various mechanisms for processing private information in Cambodia.
The LPDP targets both domestic and foreign entities involved in the processing of personal data. Specifically, it covers data controllers and data processors located within the Kingdom of Cambodia, as well as foreign entities based outside Cambodia if they offer goods or services to individuals residing in Cambodia.
The law also specifically exempts “natural persons” acting in a personal capacity, and “public authorities” performing functions within their jurisdiction.
The LPDP defines personal data as “information relating to a natural person who identifies or can be identified by that natural person”.
Within this broad umbrella, the LPDP also defines “sensitive personal data” to include biometric data, genetic data, health status, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning a person's sex life or sexual orientation.
Whilst similar definitions are also found in the GDPR, the LPDP is not as specific in its definitions. For instance, the definition of “genetic data” in the GDPR spells out specific ways in which the data can be obtained, and particularly relates to one’s health and physiology.1In contrast, the Cambodian LPDP covers all genetic data, so long as it relates to one’s identity or characteristics.
The LPDP establishes substantially the same rights for data subjects as the GDPR, including:
The LPDP closely mirrors the GDPR with regards to the distinction between and obligations imposed on data controllers and processors respectively.
These include requirements to:
However, the LPDP appears to adopt a more stringent stance compared to the GDPR, in mandating the appointment of a certified2 data protection officer for all controllers and processors, regardless of the scale of personal data processing or risk.3 Such data protection officer’s name and information must also be reported to the Ministry of Post and Telecommunications within thirty working days from his or her appointment. Where there is a change in such appointment the update must be notified to the Ministry within fifteen working days. This is unlike the GDPR, which only applies the requirements in certain specified high-risk contexts.4
Foreign entities that are data controllers or involved in data processing are also subject to Cambodia’s LPDP, if their activities are related to the offering of goods or services to individuals living in Cambodia, or monitor the behaviour of individuals within the country. These entities will then be required to appoint a representative and provide their details with the Cambodian authorities. The guidelines on the appointment of such a representative are currently to be determined.
Any non-compliance with the LPDP could trigger both administrative and criminal sanctions. Administrative fines can reach up to approximately 150,000 USD (600,000,000 Riels) and 10% of annual turnover for businesses and legal persons, and up to 15,000 USD (60,000,000 Riels) for each natural person involved. Criminal liabilities set forth by the LPDP (imprisonment and fines) also distinguishes it from the GDPR’s purely regulatory nature.
The draft LPDP represents a significant step in aligning Cambodia with international data privacy standards, and is another example of the “Brussels effect” insofar as its provisions are so closely aligned with that in the GDPR.
With that said, there are certain local nuances and requirements that entities operating in or targeting Cambodia should be aware of, particularly as this new law imposes criminal liabilities.
To this end, early compliance planning is recommended, and one should keep a keen eye out for any clarifications, guidelines and other refinements that may be in the pipeline.
Should you need support in coming into compliance with this new law, or to understand how it might impact your business, feel free to reach out to the authors or your usual Hogan Lovells contact.
Authored by Charmian Aw and Ciara O’Leary.
References