PDPC Rules on Personal Data Cross-Border Transfer from Thailand to Affiliates Abroad

On 12th December 2023, the Personal Data Protection Committee (PDPC) issued the Notification on Criteria for Protecting Personal Data Sent or Transferred Abroad under Section 29 of the Personal Data Protection Act B.E. 2562.  This notification was published in the Royal Gazette on 25th December 2023 and it will become effective on and from 24th March 2024.  It sets out implementation rules on personal data cross-border transfers (PDCBT) from Thailand to affiliates abroad.  We summarized its key provisions below.

Binding Corporate Rules (BCR)

A data controller (DC) and a data processor (DP) in Thailand can transfer personal data to their affiliated entities of the same business group located abroad if they have established their BCR as a mutual agreement within their business group for protecting the personal data which are transferred abroad between their affiliated entities and if their BCR has been reviewed and certified by the OPDPC.  The OPDPC reviews and certifies the BCR based on its effectiveness, legal enforceability, compliance with the personal data protection laws of Thailand, and security measures.

Data Transfer Agreement

If there is no established BCR, the data sender and the data recipient must sign a data transfer agreement (DTA).  The DTA must include the model contractual clauses for PDCBT approved and published by the PDPC and the followings:

(1)   The collection, use, and disclosure of personal data in compliance with the Personal Data Protection Act.

(2)   The security measures that meet the minimum legal standards.

(3)   If the data recipient is a DP, it must only use the data as instructed by the data sender.

(4)   Any personal data breach must be reported within 72 hours.

(5)   Other terms, such as the notification to the data subjects about the transfer of their personal data, the limitation of the data transfer, the security measures, etc.

The DTA may also contain the terms and conditions of internationally recognized DTA models, such as the ASEAN Model Contractual Clauses for Cross Border Data Flows.

In case the internationally recognized DTA models are used, the amendment of such DTA models is allowed provided that it does not conflict with the established basic terms and conditions of the PDPC and does not violate the rights and freedoms of data subjects.

Certification of Compliance with Safeguards of Data Processing

The DC or DP who is involved with the PDCBT may also request certification from the PDPC which confirms the compliance with the appropriate safeguards in the collection, use, and disclosure of personal data during PDCBT when there is no established BCR or DTA.



To see the archive of our past newsletters and articles please click here.


The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. and LawPlus Myanmar Ltd. or any of their directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2016 to 2020 LawPlus Ltd.