October 31, 2025
Thailand Advances Binding Corporate Rules Certification Framework

On September 29, 2025, Thailand’s Office of the Personal Data Protection Committee (PDPC Office) published its Regulations on the Review and Certification of Binding Corporate Rules B.E. 2568 (2025) (the Regulations). The Regulations provide clarity on the PDPC Office’s approach to reviewing and certifying binding corporate rules (BCRs) under Section 29 of the Personal Data Protection Act B.E. 2562 (2019) (PDPA), and aim to facilitate international data transfers within a group of undertakings or enterprises (a “corporate group”).

In conjunction with this development, the PDPC Office also approved BCRs for two companies operating in Thailand on September 30, 2025. This milestone represents the first concrete progress since the PDPC’s Notification on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country pursuant to Section 29 of the PDPA B.E. 2566 (2023) came into effect in March 2024.

Some key features of the Regulations are set out below.

Categorization of BCRs

BCRs are classified into two types: (1) BCRs for Controllers (BCR-C) and (2) BCRs for Processors (BCR-P). The category must be clearly specified when submitting the BCRs to the PDPC Office.

Documentation Requirement

The applicant must prepare and submit the application (a standard template may be provided by the PDPC Office in the future) along with supporting documents for review and certification in the Thai language. If the supporting documents are in a foreign language, a certified Thai translation should be provided. The translation must be notarized by a notary public or qualified person. Supporting documents may include, among others, a binding instrument such as an intra-group agreement, or a list of entities subject to the BCRs.

Expedited Process Requirement

Organizations with existing BCR approvals under the EU or UK GDPR, or from countries announced by the PDPC under Section 28, may apply through an expedited process, provided they submit required documents, including the proof of approval of the BCRs by the relevant supervisory authority and a Thai BCRs addendum, which must include at least the following information:

  • A list of Liable BCR Members—designated Thai entities within the corporate group expressly designated in the BCRs to be liable and responsible for providing remedies for any damages arising from violations of the BCRs by other members outside of Thailand.
  • Confirmation that the BCRs grant data subjects in Thailand the third-party beneficiary rights to file complaints and seek enforcement of the BCRs.
  • Acceptance of the supervisory authority of the PDPC Office and jurisdiction of the courts of Thailand.
  • Clarification or inclusion of any additional provision required to comply with the PDPA and related regulations.

Key criteria coverage

For the certification of the BCRs, the PDPC Office will consider the following key matters:

  • Legal binding: The BCRs must demonstrate an appropriate mechanism that establishes legal enforceability both within and outside the corporate group.
  • Enforceability: The BCRs must demonstrate an appropriate and verifiable mechanism to ensure that they are actually implemented and complied with.
  • Cooperation: Members must cooperate with the PDPC Office and comply with legal requirements. For BCR-P, an additional provision on the data processor’s obligation to cooperate with and assist the data controller in complying with applicable laws should be included.
  • Data subject rights: The BCRs must ensure data subjects can exercise their rights and lodge complaints.
  • Personal data protection measures: The BCRs must appropriately demonstrate the personal data protection principles under the applicable law which must at least consist of the fundamental principles of personal data protection and appropriate security measures.
  • Accountability: The BCRs must demonstrate accountability mechanisms (e.g., record of processing activities, risk assessment guidelines, etc.)

Timeframe and Government Fee

The timeframe for application consideration is up to 180 days from the date of receiving correct and complete documents, though this may vary depending on the complexity of the organizational structure, the nature of the data, and the completeness of the submitted documents. There is no government fee for the BCR certification under the Regulations.

Duration of Validity

Certified BCRs do not carry a fixed expiry date and will remain effective unless and until they are amended, suspended, or revoked by the PDPC Office.

Transitional Provisions

The Regulations address transitional scenarios:

  • Pre-issuance review: If the PDPC Office had completed its review of submitted BCRs before the Regulations were announced, the BCRs will be certified, and the applicant does not need to resubmit the documents, except where there is a reasonable ground to request additional documentation. BCRs that are still under review will continue to be processed by the PDPC Office in accordance with the requirements under the Regulations.
  • Previously approved BCRs: For submitted BCRs already reviewed and approved by the PDPC Office prior to the effective date of the Regulations, such BCRs remain valid and are deemed certified, with the Liable BCR Member subject to the new compliance obligations.

Outlook

With the PDPC Office now granting approvals and issuing formal guidance through the new Regulations, BCRs are becoming a viable and strategic option for cross-border personal data transfers within corporate groups. Entities considering relying on BCRs as a cross-border transfer mechanism should begin internal reviews to ensure alignment with the newly established requirements.

Related Professionals
Gvavalin Mahakunkitchareon
+66 2056 5648
Natthakit Hongchoo
+66 2056 5710
Nopparat Lalitkomon
+66 2056 5646
Sirirat Rinsiri
+66 2056 5652
Wilin Somya
+66 2056 5708