You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

October 31, 2025

Thailand Advances Binding Corporate Rules Certification Framework

Subscribe to Updates

On September 29, 2025, Thailand’s Office of the Personal Data Protection Committee (PDPC Office) published its Regulations on the Review and Certification of Binding Corporate Rules B.E. 2568 (2025) (the Regulations). The Regulations provide clarity on the PDPC Office’s approach to reviewing and certifying binding corporate rules (BCRs) under Section 29 of the Personal Data Protection Act B.E. 2562 (2019) (PDPA), and aim to facilitate international data transfers within a group of undertakings or enterprises (a “corporate group”).

In conjunction with this development, the PDPC Office also approved BCRs for two companies operating in Thailand on September 30, 2025. This milestone represents the first concrete progress since the PDPC’s Notification on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country pursuant to Section 29 of the PDPA B.E. 2566 (2023) came into effect in March 2024.

Some key features of the Regulations are set out below.

Categorization of BCRs

BCRs are classified into two types: (1) BCRs for Controllers (BCR-C) and (2) BCRs for Processors (BCR-P). The category must be clearly specified when submitting the BCRs to the PDPC Office.

Documentation Requirement

The applicant must prepare and submit the application (a standard template may be provided by the PDPC Office in the future) along with supporting documents for review and certification in the Thai language. If the supporting documents are in a foreign language, a certified Thai translation should be provided. The translation must be notarized by a notary public or qualified person. Supporting documents may include, among others, a binding instrument such as an intra-group agreement, or a list of entities subject to the BCRs.

Expedited Process Requirement

Organizations with existing BCR approvals under the EU or UK GDPR, or from countries announced by the PDPC under Section 28, may apply through an expedited process, provided they submit required documents, including the proof of approval of the BCRs by the relevant supervisory authority and a Thai BCRs addendum, which must include at least the following information:

  • A list of Liable BCR Members—designated Thai entities within the corporate group expressly designated in the BCRs to be liable and responsible for providing remedies for any damages arising from violations of the BCRs by other members outside of Thailand.
  • Confirmation that the BCRs grant data subjects in Thailand the third-party beneficiary rights to file complaints and seek enforcement of the BCRs.
  • Acceptance of the supervisory authority of the PDPC Office and jurisdiction of the courts of Thailand.
  • Clarification or inclusion of any additional provision required to comply with the PDPA and related regulations.

Key criteria coverage

For the certification of the BCRs, the PDPC Office will consider the following key matters:

  • Legal binding: The BCRs must demonstrate an appropriate mechanism that establishes legal enforceability both within and outside the corporate group.
  • Enforceability: The BCRs must demonstrate an appropriate and verifiable mechanism to ensure that they are actually implemented and complied with.
  • Cooperation: Members must cooperate with the PDPC Office and comply with legal requirements. For BCR-P, an additional provision on the data processor’s obligation to cooperate with and assist the data controller in complying with applicable laws should be included.
  • Data subject rights: The BCRs must ensure data subjects can exercise their rights and lodge complaints.
  • Personal data protection measures: The BCRs must appropriately demonstrate the personal data protection principles under the applicable law which must at least consist of the fundamental principles of personal data protection and appropriate security measures.
  • Accountability: The BCRs must demonstrate accountability mechanisms (e.g., record of processing activities, risk assessment guidelines, etc.)

Timeframe and Government Fee

The timeframe for application consideration is up to 180 days from the date of receiving correct and complete documents, though this may vary depending on the complexity of the organizational structure, the nature of the data, and the completeness of the submitted documents. There is no government fee for the BCR certification under the Regulations.

Duration of Validity

Certified BCRs do not carry a fixed expiry date and will remain effective unless and until they are amended, suspended, or revoked by the PDPC Office.

Transitional Provisions

The Regulations address transitional scenarios:

  • Pre-issuance review: If the PDPC Office had completed its review of submitted BCRs before the Regulations were announced, the BCRs will be certified, and the applicant does not need to resubmit the documents, except where there is a reasonable ground to request additional documentation. BCRs that are still under review will continue to be processed by the PDPC Office in accordance with the requirements under the Regulations.
  • Previously approved BCRs: For submitted BCRs already reviewed and approved by the PDPC Office prior to the effective date of the Regulations, such BCRs remain valid and are deemed certified, with the Liable BCR Member subject to the new compliance obligations.

Outlook

With the PDPC Office now granting approvals and issuing formal guidance through the new Regulations, BCRs are becoming a viable and strategic option for cross-border personal data transfers within corporate groups. Entities considering relying on BCRs as a cross-border transfer mechanism should begin internal reviews to ensure alignment with the newly established requirements.

Related Professionals

Industries

Technology

Practices

Corporate/M&A

Location

RELATED INSIGHTS​

October 26, 2025
AI-generated songs are now making waves in Vietnam on platforms like TikTok, with tracks such as “Say mot doi vi em” quickly gaining popularity and sparking widespread attention. This phenomenon raises a host of legal and ethical questions: Who is the author of these songs? Can they be protected by copyright? Who is responsible if there is an infringement? These questions are becoming increasingly urgent as AI music becomes more mainstream in Vietnam. Copyright Protection for AI-Generated Music in Vietnam Under current Vietnamese law, copyright protection is reserved for works that bear the mark of human creativity. The 2022 amendments to Vietnam’s Intellectual Property Law reaffirm that only works created by humans are eligible for copyright. In practice, if a human meaningfully contributes to the creative process—by providing prompts, making selections, editing, or arranging—their contribution may be protected. However, if a song is generated entirely by AI without significant human input, it is unlikely to qualify for copyright protection. When an AI-generated song does not qualify for copyright protection, the question arises as to whether the person who writes the prompts, edits, or compiles the work can still be considered the owner of an asset under the Vietnamese Civil Code. According to Article 105 of the Civil Code 2015, assets include objects, money, valuable papers, and property rights. While AI-generated music that is not protected by copyright is not considered money or valuable papers, it may be regarded as an object (in the form of a digital file or recording) or as a property right if it can be possessed, used, transferred, or exploited for value. Use of AI-Generated Works Without Copyright Protection If a song is not protected by copyright, does that mean anyone can use it freely? Not necessarily. The absence of copyright does not mean the
Read More
October 3, 2025
On September 26, 2025, the Contract Committee under Thailand’s Consumer Protection Board issued a regulation that aims to standardize contracts and enhance consumer protection within the beauty and wellness industry. The Notification on Prescribing the Beauty Service Business as a Contract-Controlled Business B.E. 2568 (2025), which takes effect on January 24, 2026, requires business operators to use a prescribed standard contract in Thai and adhere to strict mandatory provisions and prohibitions. These regulations apply to operators across all in-person and online service channels, including via digital platforms. “Beauty services business” is defined as the provision of services under an agreement allowing consumers to receive a series of treatments, either over a set number of sessions or within a set period. This includes massage, spa, other methods for cleanliness, beauty, or care of facial or body skin, and weight control and body shaping—including services offered electronically. The law excludes surgery, liposuction, and medical treatments performed by licensed practitioners. The notification establishes the following key requirements: Mandatory contract and formatting. All contracts with consumers must use the standard contract form, in Thai, with clear, readable text (minimum font size of 2 millimeters, no more than 11 characters per inch), and include all essential terms from the annexed form. Contract execution. Contracts must be made in duplicate, with one copy given to the consumer at signing. For agreements concluded through electronic channels, the process must comply with the Electronic Transactions Act and use the same required terms. Digital platforms. Business operators who provide services facilitated through a digital platform as an intermediary are ultimately responsible for ensuring the consumer receives a compliant contract. Prohibited clauses. The law prohibits clauses that limit or exclude liability for damages to life, body, health, mind, or property resulting from breach of contract or a wrongful act;
Read More
September 26, 2025
As Vietnam accelerates its digital transformation, data centers have emerged as critical infrastructure supporting the shift toward a digital government, digital economy, and digital society. For businesses targeting Vietnam’s rapidly growing data center market, a clear understanding of the evolving regulatory landscape, compliance obligations, and government incentives is key to successful market entry and operation. This article provides a strategic overview of investment opportunities and key compliance requirements in Vietnam’s dynamic data center sector. Investment Incentives to Boost Data Center Growth Since July 1, 2024, organizations and individuals across all economic sectors have been encouraged to invest in and contribute to the development of data centers. By law, there are no restrictions on shareholding ratios, capital contributions, or foreign investor participation in data center and cloud computing services under business cooperation contracts. Currently, investment in AI data centers is classified as a specially incentivized industry, qualifying for preferential treatments and incentives in terms of investment, taxation, land use, and other related areas. Large-scale data centers, together with AI and cloud computing, are currently considered as strategic technologies and products for which Vietnam offers significant fiscal, tax, and land incentives to promote investment. Additionally, these large-scale projects may receive direct financial support from local development budgets for facility construction, technical infrastructure, and equipment procurement, subject to state budget provisions and applicable laws. AI data center construction projects also enjoy preferential treatment under customs regulations. Regulatory Approvals for Providing Data Center Services The 2023 Telecom Law and its guiding documents marked a significant milestone by classifying data center services as value-added telecom services. Under the law, a data center service is defined as a telecom service that enables users to process, store, and retrieve information via a telecom network through the leasing of part or all of a data center. A
Read More
September 24, 2025
On September 12, 2025, the Bank of Thailand (BOT) officially released its AI Risk Management Guidelines for Financial Service Providers, building upon the draft guidelines issued in June 2025. The guidelines reflect a balanced approach, encouraging innovation while safeguarding financial stability and consumer protection. The guidelines are targeted at all financial service providers, including financial institutions and special financial institutions under the Financial Institution Business Act, as well as payment providers under the Payment Systems Act. The guidelines apply to both AI systems developed in-house and those developed by third parties that are adopted for use by financial service providers. AI Risk Management Guidelines The two main pillars in managing AI risk are (1) governance of AI system implementation and (2) AI system development and security controls, consisting of the following key elements: 1. Governance Stakeholder roles and responsibilities. Boards and senior management assume accountability for decisions and operations involving AI systems, and are responsible for defining roles and responsibilities for AI oversight. This includes establishing an AI system usage policy, designating personnel responsible for AI risk management, and building awareness of AI-related risk within the organization. Organizations are expected to foster internal capabilities to use AI securely and avoid overreliance that could compromise business continuity or customer service. AI system usage policy. Policies governing AI usage should align with organizational goals, regulatory obligations, and recognized responsible AI frameworks—such as the FEAT principles (fairness, ethics, accountability, and transparency). These policies should be reviewed regularly to respond to technological advancements and evolving risk profiles. Risk management throughout the AI lifecycle. Risk management should encompass the entire AI lifecycle, from establishing risk appetite to implementing continuous risk assessment and control measures tailored to specific use cases. Financial service providers should assess risks and impacts of AI usage on operations and customer services.
Read More